ActoKids / AD440_W19_CloudPracticum


Cloudwatch and Security #44

Status: Open. mrvirus9898 opened this issue 5 years ago

mrvirus9898 commented 5 years ago

Our crawler code will predominantly sit in a lambda function, which will be triggered at some point in time. Because we will need to trigger both on timer and on demand, we will need a way to secure our crawler from being triggered by a rogue actor.

Please indicate the time spent on this, any issues that you are having, any good references you found for this subject, and credit anyone helped you out.

TyReed12 commented 5 years ago

When it comes to securing who can access, create, and trigger our lambda triggers, we will be able to use IAM roles to assign access and permissions to the appropriate people. If we are concerned about rogue actors gaining access despite not having these permissions, we are able to set up alarms in CloudWatch that would notify us whenever a change in the security configuration (Access and Permissions) is made, as well as when any lambda function is triggered. This is all done in the CloudWatch console.

I've also attached a couple of articles that talk about best security practices when creating and using lambda functions. It's very important that none of our lambda functions are exposed, which means they can be used by anonymous users that have not been given IAM role access.

Time spent so far: 3 hours

https://www.cloudconformity.com/conformity-rules/Lambda/function-exposed.html
https://www.protego.io/aws-lambda-security-best-practices/
https://www.cloudconformity.com/conformity-rules/CloudWatchLogs/securitygroup-changes-alarm.html

TyReed12 commented 5 years ago

Deliverable: Create Lambda function that can only be triggered by CloudWatch.

TyReed12 commented 5 years ago

After digging through the AWS docs, it appears that there are two ways to set up CloudWatch Event triggers for Lambda functions. One is in the Lambda console and one is in the CloudFront console. Both ways give you a way to assign or create an IAM role for the function that restricts its permissions to different actions or resources. You grant permissions to your Lambda function to access other resources using an IAM role. AWS Lambda assumes the role while executing your Lambda function.

Best practice would indicate that you want to assign only the permissions the function absolutely needs to function. We will most likely need to create custom IAM roles for our functions in order to do this.

Estimated time: 4 hours
Time actually spent: ~4 hours

Wiki: https://github.com/ActoKids/AD440_W19_CloudPracticum/wiki/Creating-Lambda-Trigger-in-CloudFront
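To make the deliverable above ("a Lambda function that can only be triggered by CloudWatch") and the "function exposed" check from the linked Cloud Conformity rule concrete, here is an added example that is not part of this thread or the project's code: it builds the resource-based policy that restricts invocation to the CloudWatch Events service via one named rule, and audits a policy as returned by `aws lambda get-policy` for anonymous invoke grants. The function and rule ARNs are placeholders, and the "exposed" policy is a constructed sample.

```python
import json

# Placeholder ARNs (assumptions, not the project's real resources).
FUNCTION_ARN = "arn:aws:lambda:us-west-2:111122223333:function:crawler"
RULE_ARN = "arn:aws:events:us-west-2:111122223333:rule/crawler-schedule"


def cloudwatch_only_policy(function_arn, rule_arn):
    """Resource-based policy allowing only the CloudWatch Events service to
    invoke the function, and only from the one rule named in SourceArn.
    This is the document `aws lambda add-permission --principal
    events.amazonaws.com --source-arn <rule-arn>` produces."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudWatchRuleOnly",
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": function_arn,
            "Condition": {"ArnLike": {"AWS:SourceArn": rule_arn}},
        }],
    }


def exposed_statements(policy):
    """Return the Sids of Allow statements granted to everyone
    (Principal "*" or {"AWS": "*"}) with no Condition narrowing them:
    the 'function exposed' case from the linked conformity rule."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if anonymous and not st.get("Condition"):
            findings.append(st.get("Sid", "<no Sid>"))
    return findings


def audit_get_policy_output(raw):
    """`aws lambda get-policy` prints JSON whose "Policy" field is itself a
    JSON string; decode both layers and audit the inner document."""
    return exposed_statements(json.loads(json.loads(raw)["Policy"]))


# Constructed sample of an exposed function: anyone may invoke it.
EXPOSED_RAW = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicInvoke", "Effect": "Allow",
                   "Principal": "*", "Action": "lambda:InvokeFunction",
                   "Resource": FUNCTION_ARN}]})})

if __name__ == "__main__":
    print("exposed statements:", audit_get_policy_output(EXPOSED_RAW))
    print(json.dumps(cloudwatch_only_policy(FUNCTION_ARN, RULE_ARN), indent=2))
```

The resource policy only controls who may invoke the function; the execution role discussed above still needs its own least-privilege policy for what the crawler may touch.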

TyReed12 commented 5 years ago

[Attached screenshots: lambda1 through lambda6]

toddysm commented 5 years ago

Who tested this and what is the feedback? What did you test and what is your feedback?