I'm asking these questions on the AWS forum, but now I am wondering what other people do...

We have an EC2 environment; our developers have access to the console and API, and start and stop instances, etc., as part of their work. Most of them work from their laptop. I am starting to look at the security aspect, and right now, specifically, the case where a laptop gets stolen:

- Access to the web console is protected by a password and we are adding Multi-Factor Auth; the cookies in the browser expire within 20 hours or so, which restrains the window of a possible attack (we might look at shortening the cookie lifetime, that's another question). I'm fairly happy here.

- We try to use automation as much as possible, via Ansible and some of our own scripts. These have to use a key pair provided by AWS (one pair per user via IAM). But, unlike the web cookies, that key pair never expires, and is not easy to use like a password, so I expect people to just add it to their bash profile or some configuration file.

Once the key pair is written to a file, it becomes very easy to compromise: physical access to a laptop, a network hack of any place where that file is (the laptop, backups, possibly a USB key)... This looks like a huge exposure that is difficult to close. Has anybody run into a similar situation? How do you make it more secure?


Thanks.

--
Yves.
_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
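The two standard mitigations for the long-lived key problem raised in the post are to audit and rotate IAM access keys by age, and to have scripts run on short-lived STS session credentials (minted with MFA) rather than the permanent key pair. The following is an added example, not code from the post or from AWS; the 90-day rotation limit, the profile name and all key values are constructed sample data, and only `session_credentials()` performs a live boto3 call.

```python
"""Audit IAM access-key age and render short-lived STS credentials as a profile."""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, not an AWS default


def stale_access_keys(keys, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (UserName, AccessKeyId, age_days) for Active keys older than the limit.
    `keys` has the shape of the AccessKeyMetadata entries IAM ListAccessKeys returns."""
    stale = []
    for key in keys:
        if key["Status"] != "Active":
            continue
        age = (now - key["CreateDate"]).days
        if age > max_age_days:
            stale.append((key["UserName"], key["AccessKeyId"], age))
    return stale


def credentials_profile(sts_creds, profile="mfa-session"):
    """Render an STS GetSessionToken Credentials dict as an ~/.aws/credentials section.
    Unlike a permanent key pair, these stop working at Expiration even if the file leaks."""
    return (
        f"[{profile}]\n"
        f"aws_access_key_id = {sts_creds['AccessKeyId']}\n"
        f"aws_secret_access_key = {sts_creds['SecretAccessKey']}\n"
        f"aws_session_token = {sts_creds['SessionToken']}\n"
        f"# expires {sts_creds['Expiration'].isoformat()}\n"
    )


def session_credentials(mfa_serial, token_code, duration=3600):
    """Live call (requires boto3): exchange the user's key plus an MFA code for
    credentials valid only for `duration` seconds. Not used by the offline demo."""
    import boto3
    sts = boto3.client("sts")
    resp = sts.get_session_token(SerialNumber=mfa_serial, TokenCode=token_code,
                                 DurationSeconds=duration)
    return resp["Credentials"]


# Constructed sample data (not real keys): IAM key metadata and an STS response.
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE0000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE0000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=10)},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE0000003", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=800)},
]
SAMPLE_STS = {"AccessKeyId": "ASIAEXAMPLE0000004", "SecretAccessKey": "example-secret",
              "SessionToken": "example-token", "Expiration": NOW + timedelta(hours=1)}

if __name__ == "__main__":
    for user, key_id, age in stale_access_keys(SAMPLE_KEYS, NOW):
        print(f"rotate {user} {key_id}: {age} days old")
    print(credentials_profile(SAMPLE_STS))
```

Running the audit against real data means feeding `stale_access_keys()` the output of `iam.list_access_keys(UserName=...)` for each user; the profile written by `credentials_profile()` is what Ansible and scripts should use via `AWS_PROFILE`, so the permanent key is only ever touched to mint a session.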