Provides infrastructure layer compute capabilities, including both bare metal and virtual servers with various optimizations includins compute, memory, IO, and disk. Also supports accelerations options such as GPUs, FPGAs, Inferentia and Trainium.
Provides image recognition capability for images (in batch or real-time) and video that provides a analysis of the content such as real-world objects, faces, celebrities, and path mapping.
Provides a publish/subscribe notification service with multiple subscription types including Amazon Simple Queue Service (SQS), Amazon Kinesis Data Firehose, AWS Lambda, generic HTTPS endpoints, SMS and email.
A serverless, fully-managed, message queue service that supports producing, store, and consuming messages and enables loose coupling between applications.
Provides private networking capability spanning multiple availability zones and supporting subnets, routing, network access control groups, security groups and gateways.
Provides tracing of service invocations in distributed applications for observability, allowing users to diagnose issues or optimize their service interactions.
All about Cloud, mostly about Amazon Web Services (AWS)
Secure AWS Access using Bastion Accounts
2018-05-13 / 912 words / 5 minutes
While the concept of a bastion host is generally well known, the concept of a bastion account is only mentioned in a few places. The idea of bastion accounts occurred to me while studying for the AWS Certified Security Specialist exam, but then I found a few others had also used the term. This post describes my initial thought and perhaps expands on the definitions of a bastion account as others have used it.
Bastion Hosts
For those who are unfamiliar with the concept of a bastion host, Wikipedia defines it as:
a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of a firewall or in a demilitarized zone (DMZ) and usually involves access from untrusted networks or computers.
This definition specifically calls out that bastion hosts are unique to network level security. The idea of bastion accounts does not in any way invalidate the notion of bastion hosts.
Bastion accounts do for the management layer what bastion hosts do for the network layer. Where a bastion host “is a special purpose computer on a network specifically designed and configured to withstand attacks,” a bastion account is a special purpose account on AWS specifically designed and configured to withstand attacks.
So, what types of attacks are we considering? Let’s take a look at a few ways to exploit AWS IAM. An easy and frequent method of exploitation is using bad password policies such as weak passwords, no password expiration, or too long of a password expiration interval. Another method of exploitation is using access keys and secret access keys to enable CLI or API access to AWS. Accidents or maliciousness lead to keys on github or other internet sites.
Federated Identity Limitations
Most large enterprises setup federated identity with AWS IAM. Some provide its users with AWS Security Token Service (STS) tokens that allows AWS Console, AWS CLI and AWS API access for as little as one hour. This method solves both those potential issues, so why do we need bastion accounts?
Unforeseen circumstances! Network problems can arise with the federation systems. Administrators may lock themselves out or misconfigure the AWS IAM. These sample situations fall into a category of problems known as “break glass” or emergency scenarios.
These situations require an AWS IAM user with access to the account for reconfiguration and usually that user will require PowerUser levels of access, but we still need to solve the risks associated with AWS IAM users with long-standing access.
The bastion account is the account which has these AWS IAM users with long-standing access. Using the bastion account allows the users to have a password for AWS Console access (always with MFA!) and access keys and secret access keys for CLI and API access.
The bastion account is secure because:
First, it contains nothing. No default VPCs or Subnets, no S3 buckets and no EC2 instances. The only thing configured is CloudTrail which pushes logs to an audit account.
Second, the policy assigned to the user only allows that user to AssumeRole to other accounts and get temporary security tokens.
Configuring Bastion Accounts
An example access policy for the bastion account user is:
This is a classic defense-in-depth approach because only multiple failures lead to a vulnerability. Creation of resources is the first failure. Opening the access policy to allow access to the resources is the second failure.
Non-bastion accounts are configured with federated identity, which is the preferred mechanism for authentication because it integrates with on-premises systems. In fact, in regulated environments, the on-premises systems may have provided the necessary controls to meet local laws and it may be very difficult to replace them. The non-bastion accounts also include an AWS IAM role. The AWS IAM role has a trust policy that allows users in the bastion account to assume it. Assuming that the ID for the bastion account was 987654321012 then the trust policy for the role in the non-bastion account would be:
All data and information provided on this site is for informational
purposes only. cloudninja.cloud makes no representations as to accuracy,
completeness, currentness, suitability, or validity of any information
on this site and will not be liable for any errors, omissions, or
delays in this information or any losses, injuries, or damages
arising from its display or use. All information is provided on an
as-is basis.
This is a personal weblog. The opinions expressed here represent my
own and not those of my employer. My opinions may change over time.
