Monday, November 24, 2014

Managing MFA tokens for AWS console logins

As security best practices recommend, multi-factor authentication should be turned on for console logins for all IAM users. However, there is some operational overhead when IAM users replace their virtual MFA devices (iPhone, Android etc.). The recommended option is for the root user to follow the steps below:

****************

  • Deactivate MFA on the user's account. If the user did not deactivate MFA before getting a new phone, the root AWS account can do this: http://docs.aws.amazon.com/IAM/latest/UserGuide/DeactivateMFA.html
  • Remove the previous MFA token from the virtual MFA application.
  • Re-activate MFA on the user's account: http://docs.aws.amazon.com/IAM/latest/UserGuide/GenerateMFAConfigAccount.html


****************

Though not recommended, there is a way to carry the token over from the old device to the new one. On iPhone, for example, we can back up the entire contents of the old iPhone to iTunes or iCloud and then restore from that backup on the new phone. This also carries over the MFA tokens for apps like Google Authenticator (as of the date the backup was made).
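To show what the re-activation step in the procedure above actually checks, and why a device backup carries the token over, here is an added Python example (not from the post or from AWS): a virtual MFA device is an RFC 6238 TOTP seed, and enabling it requires two codes from consecutive 30-second windows. The seed is the RFC 6238 reference secret, used here only as a constructed example.

```python
import base64
import hashlib
import hmac
import struct

# Constructed seed for the example: the RFC 6238 reference secret, base32-encoded.
# A real virtual MFA seed is shown once (as a QR code) at enrolment and lives
# only in the authenticator app, which is why a lost phone needs
# deactivate + re-enrol and why a device backup also carries the seed over.
EXAMPLE_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP = 30  # seconds per TOTP window


def totp(seed_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and 30 s windows, the scheme virtual MFA apps use."""
    key = base64.b32decode(seed_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP)          # 8-byte big-endian window index
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_enrolment(seed_b32: str, code1: str, code2: str, unix_time: int,
                    skew_windows: int = 1) -> bool:
    """Mimic the re-activation step: the user must supply two codes from
    consecutive windows, proving the new device holds the seed and has a sane clock.
    A small clock skew is tolerated; comparisons are constant-time."""
    for w in range(-skew_windows, skew_windows + 1):
        first = unix_time + STEP * (w - 1)                   # window before the current one
        expected = (totp(seed_b32, first), totp(seed_b32, first + STEP))
        if hmac.compare_digest(expected[0], code1) and hmac.compare_digest(expected[1], code2):
            return True
    return False


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("current code:", totp(EXAMPLE_SEED_B32, now))
```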


Monday, November 17, 2014

Turning off PHP execution in certain Apache httpd directories to prevent remote code execution

If you host a PHP site on Apache httpd, you can disable PHP execution in a directory (for example one that holds user uploads) by adding the directive below to your httpd.conf and restarting httpd.

***********
<Directory "/var/www/upload">
php_flag engine off
</Directory>
***********
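As an added check (not from the post), assuming mod_php: a small Python audit that scans an httpd.conf for writable directories where the PHP engine is still on. It also flags the case where `php_flag` is used while `.htaccess` overrides are enabled, since `php_flag`, unlike `php_admin_flag`, can be overridden per directory. The config fragment is constructed for the example.

```python
import re

# Constructed httpd.conf fragment (not from the post): an upload directory hardened
# with php_admin_flag, one whose php_flag a .htaccess could undo, and one that still
# executes PHP.
SAMPLE_HTTPD_CONF = """
<Directory "/var/www/upload">
    php_admin_flag engine off
    AllowOverride None
</Directory>
<Directory "/var/www/media">
    php_flag engine off
    AllowOverride All
</Directory>
<Directory "/var/www/tmp">
    Options -Indexes
</Directory>
"""

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>(.*?)</Directory>', re.S | re.I)


def audit_php_engine(conf: str, writable_dirs) -> dict:
    """Return {directory: finding} for each writable directory whose <Directory>
    block does not switch the PHP engine off in a way .htaccess cannot re-enable.
    Assumes mod_php; with php-fpm the engine flag does not apply and the PHP
    handler must be removed for the directory instead."""
    blocks = {path: body for path, body in DIRECTORY_RE.findall(conf)}
    findings = {}
    for d in writable_dirs:
        body = blocks.get(d)
        if body is None:
            findings[d] = "no <Directory> block"
            continue
        lines = [ln.strip().lower() for ln in body.splitlines()]
        admin_off = any(re.fullmatch(r"php_admin_flag\s+engine\s+off", ln) for ln in lines)
        flag_off = any(re.fullmatch(r"php_flag\s+engine\s+off", ln) for ln in lines)
        override_none = any(re.fullmatch(r"allowoverride\s+none", ln) for ln in lines)
        if admin_off or (flag_off and override_none):
            continue  # php_admin_flag is final; php_flag is fine only if .htaccess is disabled
        if flag_off:
            findings[d] = "php_flag engine off can be undone from .htaccess (AllowOverride is not None)"
        else:
            findings[d] = "PHP engine not disabled"
    return findings
```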

Saturday, November 15, 2014

Additional new services announced on the second day of AWS re:Invent 2014, in the keynote by Werner Vogels


  • Amazon EC2 Container Service
    Amazon EC2 Container Service is a highly scalable, high performance container management service that supports Docker containers and allows you to easily run distributed applications on a managed cluster of Amazon EC2 instances. Amazon EC2 Container Service lets you launch and stop container-enabled applications with simple API calls, allows you to query the state of your cluster from a centralized service, and gives you access to many familiar Amazon EC2 features like security groups, EBS volumes and IAM roles. 
  • AWS Lambda 
    AWS Lambda is a compute service that runs your code in response to events and automatically manages the compute resources for you, making it easy to build applications that respond quickly to new information. You can also use AWS Lambda to create new back-end services where compute resources are automatically triggered based on custom requests. AWS Lambda starts running your code within milliseconds of an event and scales automatically from a few requests per day to thousands per second. 
  • Coming Soon: C4 instances 
    C4 instances represent the next generation of Amazon EC2 Compute-optimized instances. C4 instances are based on Intel Xeon E5-2666 v3 (Haswell) processors that run at a high clock speed of 2.9 GHz, and are designed to deliver the highest level of processor performance on EC2. C4 instances are ideal for running applications, gaming and web servers, transcoding, and high performance computing workloads. 
  • Coming Soon: Larger, Faster EBS Volumes 
    We will be increasing the performance and maximum size of General Purpose (SSD) and Provisioned IOPS (SSD) volumes. You will be able to create volumes of up to 16 TB and 10,000 IOPS for Amazon EBS General Purpose (SSD) volumes and up to 16 TB and 20,000 IOPS for Amazon EBS Provisioned IOPS (SSD) volumes. General Purpose (SSD) volumes will deliver a maximum throughput of 160 MBps and Provisioned IOPS (SSD) volumes will deliver 320 MBps, when attached to EBS optimized instances. 
  • Amazon S3 event notification 
    Amazon S3 can now send event notifications when objects are uploaded to Amazon S3. Notification messages can be sent through either Amazon SNS or Amazon SQS, or trigger AWS Lambda functions. 
  • Amazon DynamoDB Streams 
    Amazon DynamoDB Streams provides a time ordered sequence of item level changes in any DynamoDB table. The changes are de-duplicated and stored for 24 hours. This capability enables you to extend the power of DynamoDB with cross-region replication, continuous analytics with Redshift integration, trigger AWS Lambda functions, and many other scenarios. 

Wednesday, November 12, 2014

New Services announced by Amazon in today's keynote at re:Invent 2014


  • Amazon RDS for Aurora
    Amazon Aurora is a MySQL-compatible, relational database engine that combines the speed and availability of high-end commercial databases with the simplicity and cost-effectiveness of open source databases. Amazon Aurora provides up to five times better performance than MySQL at a price point one tenth that of a commercial database while delivering similar performance and availability.
  • AWS CodeDeploy 
    AWS CodeDeploy is a service that automates code deployments to Amazon EC2 instances. AWS CodeDeploy makes it easier for you to rapidly release new features, helps you avoid downtime during deployment, and handles the complexity of updating your applications. You can use AWS CodeDeploy to automate deployments, eliminating the need for error-prone manual operations, and the service scales with your infrastructure so you can easily deploy to one EC2 instance or thousands. 
  • AWS Key Management Service 
    AWS Key Management Service (KMS) is a managed service that makes it easy to create and control the keys used to encrypt data. KMS is integrated with other AWS services including Amazon EBS, Amazon S3, and Amazon Redshift, making it simple to encrypt your data with encryption keys that you manage and providing you an audit trail through AWS CloudTrail. 
  • AWS Config 
    AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. With AWS Config you can discover existing AWS resources, export a complete inventory of your AWS resources with all configuration details, and determine how a resource was configured at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting. 
  • AWS CodeCommit 
    AWS CodeCommit is a secure, highly scalable, managed source control service that hosts private Git repositories. CodeCommit eliminates the need for you to operate your own source control system or worry about scaling its infrastructure. You can use CodeCommit to store anything from code to binaries, and it supports the standard functionality of Git allowing it to work seamlessly with your existing Git-based tools. Your team can also use CodeCommit’s online code tools to browse, edit, and collaborate on projects. 
  • AWS CodePipeline 
    AWS CodePipeline is a continuous delivery and release automation service that aids smooth deployments. You can design your development workflow for checking in code, building the code, deploying your application into staging, testing it, and releasing it to production. You can integrate 3rd party tools into any step of your release process or you can use CodePipeline as an end-to-end solution. CodePipeline enables you to rapidly deliver features and updates with high quality through the automation of your build, test, and release process.