external/og-aws
1
0
Fork 0
mirror of https://github.com/nickpoida/og-aws.git synced 2025-03-09 15:40:06 +00:00
Code Issues Releases Wiki Activity

IAM Gotcha Nits (#240)

Browse source
This commit is contained in:
Thanos Baskous 2016-10-19 22:20:21 -07:00 committed by GitHub
parent 5e07c98ceb
commit 690a735f3e
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -585,7 +585,7 @@ We cover security basics first, since configuring user accounts is something you
- But be careful not to cache credentials for too long, as [they expire](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials). (Note the other [dynamic metadata](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#dynamic-data-categories) also changes over time and should not be cached a long time, either.) - But be careful not to cache credentials for too long, as [they expire](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials). (Note the other [dynamic metadata](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#dynamic-data-categories) also changes over time and should not be cached a long time, either.)
- 🔸Some IAM operations are slower than other API calls (many seconds), since AWS needs to propagate these globally across regions. - 🔸Some IAM operations are slower than other API calls (many seconds), since AWS needs to propagate these globally across regions.
- ❗The uptime of IAMs API has historically been lower than that of the instance metadata API. Be wary of incorporating a dependency on IAMs API into critical paths or subsystems — for example, if you validate a users IAM group membership when they log into an instance and arent careful about precaching group membership or maintaining a back door, you might end up locking users out altogether when the API isnt available. - ❗The uptime of IAMs API has historically been lower than that of the instance metadata API. Be wary of incorporating a dependency on IAMs API into critical paths or subsystems — for example, if you validate a users IAM group membership when they log into an instance and arent careful about precaching group membership or maintaining a back door, you might end up locking users out altogether when the API isnt available.
- ❗**Don't check in AWS credentials or secrets to a git repository.** There are bots that scan GitHub looking for credentials. Use scripts or tools, such as [git-secrets](https://github.com/awslabs/git-secrets) to prevent anyone on your team from checking in sensitive information to your git repos. - ❗**Don't check in AWS credentials or secrets to a git repository.** There are bots that scan GitHub looking for credentials. Use scripts or tools, such as [git-secrets](https://github.com/awslabs/git-secrets) to prevent anyone on your team from checking in sensitive information to your git repositories.
S3 S3
-- --