IAM Permission Boundaries

A while ago AWS introduced Permission Boundaries. You may have seen them when creating an IAM user or role through the console, and ignored them. That’s OK, since permission boundaries have no effect if they’re not configured. You may also have read about them and learned that your effective IAM permissions are the intersection between your permission boundaries and your IAM policies. So, if you don’t give too many permissions away in your IAM policies, permission boundaries don’t really add any value. Right? Right. If you are creating IAM users that are used as functional users, meaning that the AK/SK of that user is used in some sort of external… Read More


i am here

As an AWS consultant/trainer I travel a lot for my work. When at customers' locations, I occasionally want to log in to our sandbox environment. In previous postings, I have shown how we increase security by switching the bastion host on and off with a single (or double) key-press of the AWS IoT button. In another post you can find how I set up my ssh configuration to use the bastion host without ever logging in to it and yet get access to our EC2 instances. In this post, let me share iamhere with you. It is a little script that I use to modify the security group that protects inbound… Read More


SSH config for AWS bastion

As a roaming AWS trainer, I work on my AWS infrastructure from many different locations to give demos to the course attendees and prepare things in EC2 instances when necessary. When I launch instances, I usually do so in private subnets, not opening the instances to the Internet when not absolutely necessary. To access the instances I use what is called a stepping stone, jump server or bastion host. The idea of a bastion host is that it is the single point of entrance into your (cloud) infrastructure. Therefore, you should harden and secure that host to the best extent possible. Read my blog about switching the bastion host on and off… Read More


Adopt IPv6 in the blink of an eye

We all know we'd have to adopt IPv6 one day. So why not today? I thought about this today, when I noticed my provider was so good as to give my laptop an IPv6 address. So it starts making sense to get our website on IPv6 too. When even private individuals get IPv6 access, it's just a matter of time before the corporates do 😉 There is enough documentation out there about what IPv6 is and why we 'need' it, so I won't replicate any of that here. Now, the question is, how to get your site on IPv6? At easytocloud, we use AWS CloudFront as a CDN (Content Delivery Network) for our… Read More


AWS CloudFront

We just moved this site to S3 and CloudFront. We have told our customers so often to move their sites to AWS CloudFront and S3 that we deemed it necessary to move our own site as well. In this blog post we'll tell you a bit about the journey. Basic architecture principles: at easytocloud we like to make as much use of managed services as possible. More often than not, we create server-less solutions, as we aim to get rid of operating system responsibility where possible. However, as this site is a WordPress site, we need to run at least one instance for the PHP code that makes up WordPress. In addition to an instance,… Read More
