amazon web services - AWS/IAM Policy for RDS snapshot management?


I am working on a script to take an RDS snapshot every day and give it a name based on a fixed pattern (like mydb-snapshot-20141031). The script is very straightforward, but I ran into issues trying to lock things down so that if the key pair associated with the script were compromised, the attacker could only damage my snapshots, and only for that one database.

There is not much to be found by searching the web (at least I was not able to find it), so I'm hoping someone has solved this before (or can at least point me in the right direction). What I'm looking for:

  • Permission to create snapshots matching mydb-snapshot-*
  • Permission to delete snapshots matching mydb-snapshot-*

Here is what I am trying to protect against:

  • I do not want this user to be able to interact with any part of AWS outside of RDS
  • I do not want this user to be able to actually modify any of my RDS instances, including, for example, "mydb"
  • I do not want this user to be able to modify any snapshots that do not match mydb-snapshot-*

This probably can't be done (I can't even find the documentation for the "delete" companion of the rds:CreateDBSnapshot policy action). It would be nice if there were a list of the permissions required to use it.

I finally found the DeleteDBSnapshot permission, but later I realized that what I actually wanted was to limit the actions to a specific DB instance identifier, which I now agree is possible, because the AWS command actually works that way. To that end, you want to create a policy that looks like this:

    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "rds:AddTagsToResource",
            "rds:DeleteDBSnapshot"
          ],
          "Condition": {
            "StringEquals": {
              "rds:snapshot-tag/MY_TAG_KEY": ["MY_TAG_VALUE"]
            }
          },
          "Resource": "arn:aws:rds:us-west-2:*:snapshot:mydb-snapshot-*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "rds:ListTagsForResource",
            "rds:CreateDBSnapshot"
          ],
          "Resource": "arn:aws:rds:us-west-2:*:db:mydb"
        },
        {
          "Effect": "Allow",
          "Action": ["rds:DescribeDBSnapshots"],
          "Resource": "*"
        }
      ]
    }

Some notes / gotchas:

  • For most snapshot-related commands, the Resource property of the policy refers to the DBSnapshotIdentifier, but for CreateDBSnapshot it refers to the DBInstanceIdentifier (the RDS database name).
  • DescribeDBSnapshots always operates globally, so it must be granted on all resource values. You can't restrict it to a region either.
  • ListTagsForResource throws a permission error if you try to restrict it to the full snapshot resource path.
  • You don't need it, but I've included an example Condition block for those who want to restrict further (or alternatively) by tag on the resource, ListTagsForResource and CreateDBSnapshot.

This resolves my primary concern: if the keys attached to this policy were compromised, the attacker could only remove my rolling snapshots, not manually created snapshots or the database instance itself. Unfortunately, it still allows creating an unlimited number of snapshots in the given region, but there is no way to restrict CreateDBSnapshot further. Bummer.
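As an added example, not code from the original question or answer: a small offline Python model of the policy above, together with the naming and pruning step of the daily script, so the boundary the policy draws can be checked before any keys exist. It assumes the question's values (region us-west-2, instance mydb, snapshot prefix mydb-snapshot-), a wildcard account id in the ARNs, the answer's MY_TAG_KEY / MY_TAG_VALUE placeholders, and a constructed snapshot inventory in place of a real DescribeDBSnapshots response. is_allowed() is a deliberately simplified evaluator (Allow statements, IAM-style wildcards, the one StringEquals condition), not the IAM engine; the assumptions are repeated in the code comments.

```python
import fnmatch
from datetime import date, datetime

# Assumed values: region/instance/prefix from the question, wildcard account id,
# tag placeholders from the answer's policy.
REGION = "us-west-2"
DB_NAME = "mydb"
SNAPSHOT_PREFIX = "mydb-snapshot-"
TAG_KEY, TAG_VALUE = "MY_TAG_KEY", "MY_TAG_VALUE"
TODAY = date(2014, 10, 31)  # fixed "today" so the example is reproducible


def snapshot_arn(name, region=REGION, account="*"):
    return f"arn:aws:rds:{region}:{account}:snapshot:{name}"


def db_arn(name, region=REGION, account="*"):
    return f"arn:aws:rds:{region}:{account}:db:{name}"


def build_policy(region=REGION, db_name=DB_NAME, prefix=SNAPSHOT_PREFIX,
                 tag_key=TAG_KEY, tag_value=TAG_VALUE):
    """The answer's policy as a dict; json.dumps(build_policy()) is the document."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # delete/tag only prefix-named snapshots, and only if they carry our tag
                "Effect": "Allow",
                "Action": ["rds:AddTagsToResource", "rds:DeleteDBSnapshot"],
                "Condition": {"StringEquals": {f"rds:snapshot-tag/{tag_key}": [tag_value]}},
                "Resource": snapshot_arn(prefix + "*", region),
            },
            {   # CreateDBSnapshot is authorised against the DB instance, not the snapshot name
                "Effect": "Allow",
                "Action": ["rds:ListTagsForResource", "rds:CreateDBSnapshot"],
                "Resource": db_arn(db_name, region),
            },
            {   # DescribeDBSnapshots cannot be scoped to a resource or region
                "Effect": "Allow",
                "Action": ["rds:DescribeDBSnapshots"],
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn, snapshot_tags=None):
    """Simplified IAM evaluation, sufficient for this policy: Allow statements only
    (it has no Deny), '*'/'?' wildcards in Action and Resource, and the
    rds:snapshot-tag/<key> StringEquals condition checked against the target
    snapshot's tags. Action names compare case-insensitively, ARNs do not."""
    snapshot_tags = snapshot_tags or {}
    key_prefix = "rds:snapshot-tag/"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        satisfied = True
        for key, allowed in stmt.get("Condition", {}).get("StringEquals", {}).items():
            # Unknown condition keys are treated as unsatisfied (conservative).
            if not key.startswith(key_prefix) or snapshot_tags.get(key[len(key_prefix):]) not in allowed:
                satisfied = False
                break
        if satisfied:
            return True
    return False


def snapshot_name(day, db_name=DB_NAME):
    """Name used by the daily script, e.g. mydb-snapshot-20141031."""
    return f"{db_name}-snapshot-{day:%Y%m%d}"


def select_expired(snapshots, today, keep_days, prefix=SNAPSHOT_PREFIX,
                   tag_key=TAG_KEY, tag_value=TAG_VALUE):
    """Identifiers the rotation step would hand to DeleteDBSnapshot: only
    prefix-named, correctly tagged, date-stamped snapshots older than keep_days.
    Everything else is skipped here and would be refused by the policy anyway."""
    expired = []
    for snap in snapshots:
        name = snap["DBSnapshotIdentifier"]
        if not name.startswith(prefix) or snap.get("Tags", {}).get(tag_key) != tag_value:
            continue
        try:
            created = datetime.strptime(name[len(prefix):], "%Y%m%d").date()
        except ValueError:
            continue  # prefix matched but no date stamp: not one of ours
        if (today - created).days > keep_days:
            expired.append(name)
    return sorted(expired)


# Constructed inventory standing in for a DescribeDBSnapshots response.
SAMPLE_SNAPSHOTS = [
    {"DBSnapshotIdentifier": "mydb-snapshot-20141001", "Tags": {TAG_KEY: TAG_VALUE}},
    {"DBSnapshotIdentifier": "mydb-snapshot-20141015", "Tags": {}},  # untagged
    {"DBSnapshotIdentifier": "mydb-snapshot-20141030", "Tags": {TAG_KEY: TAG_VALUE}},
    {"DBSnapshotIdentifier": "mydb-before-migration", "Tags": {TAG_KEY: TAG_VALUE}},  # manual
    {"DBSnapshotIdentifier": "otherdb-snapshot-20141001", "Tags": {TAG_KEY: TAG_VALUE}},
]

if __name__ == "__main__":
    policy = build_policy()
    print("today's snapshot:", snapshot_name(TODAY))
    print("to delete:", select_expired(SAMPLE_SNAPSHOTS, TODAY, keep_days=7))
    for action, arn, tags in [
        ("rds:CreateDBSnapshot", db_arn("mydb"), {}),
        ("rds:CreateDBSnapshot", db_arn("otherdb"), {}),
        ("rds:DeleteDBSnapshot", snapshot_arn("mydb-snapshot-20141001"), {TAG_KEY: TAG_VALUE}),
        ("rds:DeleteDBSnapshot", snapshot_arn("mydb-before-migration"), {TAG_KEY: TAG_VALUE}),
        ("rds:DeleteDBInstance", db_arn("mydb"), {}),
    ]:
        print("ALLOW" if is_allowed(policy, action, arn, tags) else "DENY ", action, arn)
```

The two things worth noticing when running it are that the tagged manual snapshot mydb-before-migration is denied purely by the Resource pattern, and that mydb-snapshot-20141015 is denied purely by the tag condition, which is the layering the answer's notes describe; the unlimited CreateDBSnapshot the answer complains about shows up as the evaluator allowing any number of creates on db:mydb.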


Comments

  1. Very nice information... Thanks for sharing details on AWS RDS snapshot. Share more details on AWS RDS snapshot pricing.
