notes from AWS meeting

sphinx/aws/aws_authentication.rst

@@ -0,0 +1,50 @@
+AWS Authentication
+###########################
+
+
+Notes to be Organized and Completed
+---------------------------------------
+
+Authentication
+.........................
+
+* Give EC2 instance a role, access to S3, etc, NOT an AWS key, pass instance profile
+  (contains role, role contains privileges. Role must have permission to read secret)
+* Role, create
+
+  * What kind of thing, service, i.e. EC2, lambda, SAML assertion?
+  * What permissions?  Can use or edit AWS managed permissions policy, What can it do,
+    JSON defines,
+  * Trust relationship, AssumeRole
+  * User can get roles through Group or permission/policy document directly
+  * Access Advisor - see what has been used or not, and pare down the permissions
+
+* Security group (ports, inbound, outbound)
+
+  * Can include all traffic from another SG, need to do that for both SGs
+
+* Parameter store (cheaper) stores less secret info, define config for a project,
+  need read parameter policy on the role using it, no additional charge for standard
+  parameters, up to 10k, less than 4k,
+
+  * Secure parameters , will encrypt them, can use KMS key, need to add to your policy doc
+  * Can make public parameters
+
+* Secrets - 0.40/mo per secret 0.05/10,000 accesses
+* Temporary credentials with IAM Roles?  Vs Access keys for long-term access?
+* Identities = AWS resources (EC2 instance, lambda functions)
+* Secrets for roles/identities for initiating contact/processes
+
+  * https://docs.aws.amazon.com/secretsmanager/latest/userguide/hardcoded.html
+  * APIkey/secret, user/password, private key, token, certificate …
+  * Create a role to manage the secrets
+  * Create a role to retrieve secrets - grant the role permission to access only select
+    secrets, give that role to the code/process of interest
+
+Questions remaining
+---------------------------------------
+* Roles for “workload”
+* Travis: How to assign broad privileges to a process, run it, then identify the minimum
+  privileges it needs?
+* Temporary access roles vs static
+* Access Control ???

sphinx/aws/aws_automation.rst

@@ -6,4 +6,26 @@ TODO:
 
 * triggering processes in Redshift, Glue, instantiating EC2 instances, etc
 * Logging of multi-resource workflows to debug problems - may be simple, but any tips
-  would be appreciated
+  would be appreciated
+
+
+Notes to be Organized and Completed
+---------------------------------------
+
+Automation
+.....................
+
+* Initiate a stored procedure in Redshift and pass it a parameters
+* Billing and Cost management - Cost Explorer
+
+  * Need permissions for that
+
+Logging
+................
+
+* Cloudtrail monitoring - can do your work, then it will tell you what permissions
+  you’ve been using, control - log in , log out, authentication, administrative, action,
+  role that allowed action
+* Cloudwatch - app logs and performance , can install cloudwatch agent, have it write
+  logs to a log
+* https://docs.aws.amazon.com/secretsmanager/latest/userguide/monitoring-cloudtrail.html

sphinx/security/aws_security.rst

@@ -4,18 +4,6 @@ AWS Security
 TODO:
 ========
 
-Research
--------------------
-
-Security best practices, including:
-
-* role overview
-* how to determine smallest workable permissions for manual/console and automated processes
-* best way to include authentication in scripts and automated processes (secrets vs
-  manually configuring things)
-* how to handle names of less secret information in order to retrieve authentication
-  and access resources, so how best to deal with account numbers, usernames,
-  role names, secret names, domain names, bucket names, etc
 
 Root user
 ------------------
@@ -26,6 +14,8 @@ Root user
 * Disable programmatic access
 * Disallow creating of access keys for root account
 
+
+
 References
 ==================