A series about server hardening… This series will probably evolve as we progress through it: with modern methods of serving applications (containers), a series on how to secure an Apache host doesn't really seem fitting at this stage. For this chapter of the series we'll start with SSH, and how we can use it to secure our infrastructure. SSH does an OK job at being secure out-of-the-box, but there are a number of things we can tweak - and it's strongly advised to do so - to increase the overall security posture of your environment.
Quick Links: Installation Of AWS CloudWatch Agent - Manual Installation Of AWS CloudWatch Agent - Systems Manager Monitoring; It's that all-important component of a SysOps engineer's core competencies. Monitoring assists in troubleshooting multi-component failures and in the effort to ensure the uptime and reliability of your platform. When running your platform in the cloud, the out-of-the-box monitoring options will only get you so far… OK, let's fill that last sentence in with some more specific variables.
Getting your head around any new technology stack requires a lot of research, and with that you're introduced to all the acronyms, the terminology and how all its pieces fit together. The exact same happened to me when I started learning Kubernetes. One of the first questions I had was "what's the difference between a DaemonSet and a ReplicaSet?". A ReplicaSet is probably one of the first concepts you'll learn, because it's such an important part of what you can achieve with Kubernetes, but it shouldn't be confused with a DaemonSet, which is also a critical feature.
It would seem that customers of public cloud providers are just loving life right now. And I would classify myself in the same group. We're like kids in a candy store with the flexibility that goes along with "anything-as-a-service". We're spinning up resources, building clusters, decoupling application functionality by adding load-balancers in between - and all of this without the lengthy and expensive procurement process. With public clouds billing on a pay-as-you-go basis, reserved instances aside, this of course means that there are no upfront expenses to worry about, and companies (especially enterprises) are jumping for joy at the operational IT cost model that the public cloud brings.
Ever needed to give a user or a group of users permission to control only the EC2 instances that you want them to control? Of course you have! Access control is a critical aspect of managing any environment. But if managing IAM policies in your company's AWS environment falls within your realm of responsibilities, this is something that should not be taken lightly. OK, so let's say that your company has recently hired a bunch of interns to perform some application testing for you.
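As an added illustration of the scenario above (this is example policy written for this page, not the post's own policy), the following IAM policy restricts start/stop/reboot to instances carrying a tag; the tag key `Team` and value `interns` are assumptions for the example, and JSON has no comment syntax, so the statement `Sid`s carry the labels. `ec2:Describe*` calls are not resource-scoped, so they must be allowed on `"*"`; the explicit `Deny` on tagging stops the interns from simply re-tagging other instances into their own scope.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeCallsAreNotResourceScoped",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ControlOnlyInstancesTaggedTeamInternsAssumedTag",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Team": "interns"
        }
      }
    },
    {
      "Sid": "PreventRetaggingToEscapeTheScope",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach it to the interns' IAM group rather than to individual users, and check the result with the IAM policy simulator (or a `aws ec2 stop-instances` call against an untagged instance, which should return `UnauthorizedOperation`) before handing out credentials. If someone else must be able to tag instances into the interns' scope, grant `ec2:CreateTags` to that role separately instead of loosening this policy.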
Post Updated: 2019-10-08 Description: Notification via SNS Topic We recently completed an audit of a customer's AWS environment. I tend to either dive into the customer's IAM policies as the first item on the list or leave them for last; for me, the choice depends on the complexity of the environment. At a high level IAM is a fairly simple component (/service) to audit, so getting it out of the way first clears the 'to-do' list for the more complex stuff… And as for this recent audit, I worked through the customer's IAM policies as the first item on the ever-growing to-do list.
I'm a massive believer in anything automated. I look back on my career, and I'm starting to think it is ingrained in me. I was tinkering with Excel macros when I was writing reports early in my career; then, getting into SysAdmin work, I wrote simple monitoring scripts to check the output of commands on remote systems and email me the results, scripted patch updates, and automated the roll-out of applications.