
<p id="7156">I covered user-specific secrets here:</p><div id="744d" class="link-block"> <a href="https://readmedium.com/create-a-per-user-secret-in-secrets-manager-part-1-bb97b66e2a2d"> <div> <div> <h2>User-Specific Secrets on AWS: IAM Policies</h2> <div><h3>ACM.82 IAM Policies to allow users to describe their own secrets</h3></div> <div><p>medium.com</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/1*PcniDpBJq2db0jbdryc_Nw.png)"></div> </div> </div> </a> </div><h2 id="aada">Create the user-specific Secret to store the automation credentials</h2><p id="a515">Next I create <b>SandboxDevAutomationSecret</b> in Secrets Manager, encrypted with my <b>Sandbox KMS key</b>.</p><figure id="e15e"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*DQonCyF8UzPnZZoiGOKD9w.png"><figcaption></figcaption></figure><figure id="f7b3"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*zITxEtD__wFDwpPrBpqv4w.png"><figcaption></figcaption></figure><h2 id="2e63">Create a user-specific EC2 instance role for the SandboxDev user</h2><p id="3417">Next I create an EC2 instance role named <b>SandboxDevEC2Role</b> that the developer is allowed to pass to EC2 instances.</p><figure id="44ef"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*__fohZeTWjwdYrS__B4imQ.png"><figcaption></figcaption></figure><p id="eee9">The role name is prefixed with the username:</p><figure id="7afa"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*7dKW5KiQMivtKqjgzA_1Gw.png"><figcaption></figcaption></figure><p id="a338">This role is granted access to:</p><ul><li>Read the <b>SandboxDevSecret</b>.</li><li>Pull containers from the <b>sandbox Elastic Container Repository</b>.</li><li>Use the <b>sandbox KMS key</b> to decrypt the secret and the container image in the repository.</li></ul><h2 id="df90">Create the Automation user</h2><p id="b752">Create the <b>SandboxDevAutomation</b> user. 
Do not give this user console access.</p><figure id="ddeb"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*QWVvQMA9aDCtmiVxSR61iw.png"><figcaption></figcaption></figure><p id="c19e">Remember that I already have a role (<b>CloneGitHubtoCodeCommitRole</b>) used by my batch job from prior posts. Create a policy that allows the SandboxDevAutomation user to use STS to assume that role.</p><p id="559f">The <b>SandboxDev</b> user needs permission to change the <b>credentials</b> <b>and</b> MFA device of the <b>SandboxDevAutomation</b> user.</p><h2 id="0f53">Edit the batch job role trust policy to allow the SandboxDevAutomation user to assume it</h2><p id="7f1d">We need to modify the trust policy to allow the <b>SandboxDevAutomation</b> <b>user</b> to assume the <b>CloneGitHubtoCodeCommitRole</b> role with MFA.</p><figure id="6ad1"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*xAHGslW3SSbv6c5NO8mhzg.png"><figcaption></figcaption></figure><p id="7ad0">Edit the trust policy:</p><figure id="cfaf"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*Vna71G_F2e-8Vdtw4yBwFw.png"><figcaption></figcaption></figure><p id="6a5a">Change the user to SandboxDev:</p><figure id="f788"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*vpSqEqjFa_qg59v_dnPCzQ.png"><figcaption></figcaption></figure><h2 id="49b3">Add permissions to the KMS Key Resource Policy</h2><p id="8cf1">Next I need to allow the <b>SandboxDev</b> user to encrypt and decrypt, and the <b>SandboxDevEC2Role</b> to decrypt, with the <b>sandbox KMS Key</b>. I edit my automation to add those two principals to the key policy's encrypt and decrypt users.</p><figure id="380f"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*UkzCt10p0iqCR4OpMs6uhQ.png"><figcaption></figcaption></figure><h2 id="d015">Login as SandboxDev</h2><p id="725d">Log into the AWS Console with the SandboxDev user. 
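</p><p>The trust relationship described above, as an added example that is not the post's own code or 2nd Sight Lab's automation: the trust policy that lets only the SandboxDevAutomation user assume CloneGitHubtoCodeCommitRole, and only with MFA, plus a small check I wrote that flags any trusted principal whose statement lacks that MFA condition. The account ID is a placeholder.</p>

```python
"""Trust-policy MFA check for CloneGitHubtoCodeCommitRole: an added example,
not code from the original post. The account ID is a placeholder."""
import copy

ACCOUNT_ID = "123456789012"  # placeholder, assumption
AUTOMATION_USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/SandboxDevAutomation"

# Trust policy for the batch job role: only the automation user may assume it,
# and only from a session that authenticated with MFA.
TRUST_POLICY_WITH_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": AUTOMATION_USER_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Constructed weak variant: the same trust with the MFA condition left out.
TRUST_POLICY_NO_MFA = copy.deepcopy(TRUST_POLICY_WITH_MFA)
del TRUST_POLICY_NO_MFA["Statement"][0]["Condition"]


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principals_without_mfa(policy):
    """Return the AWS principals that an Allow sts:AssumeRole statement trusts
    without requiring aws:MultiFactorAuthPresent to be true. Only the strict
    Bool operator counts: BoolIfExists would still match a request signed with
    long-term access keys, because the key is absent for such requests."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        mfa = _as_list(cond.get("aws:MultiFactorAuthPresent", "false"))
        if [str(v).lower() for v in mfa] == ["true"]:
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        findings.extend(_as_list(aws))
    return findings
```

<p>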
If you’ve been following along, you have an account with a prefix specific to your organization and -Dev at the end if you used my deployment scripts.</p><figure id="13d5"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*5L-3C9ORVXOWv6KRdCkBLg.png"><figcaption></figcaption></figure><h2 id="d260">Add MFA devices</h2><p id="5cca">Add a Hardware MFA device to the SandboxDev User.</p><figure id="21f0"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*8s8rTuyWOsLAQUEqfwTtOQ.png"><figcaption></figcaption></figure><p id="c0e6">Add a Virtual MFA device to the SandboxDevAutomation User.</p><p id="5cec">I explain why I do not use a Yubikey to generate MFA codes here:</p><div id="1308" class="link-block"> <a href="https://readmedium.com/the-yubikey-cli-and-aws-mfa-50e6be0698a7"> <div> <div> <h2>The Yubikey CLI and AWS MFA</h2> <div><h3>ACM.11 Considering the attack surface and MFA choices for our Security Batch Jobs</h3></div> <div><p>medium.com</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/1*SFAKbcK__GlbJbJJJVXK9w.png)"></div> </div> </div> </a> </div><figure id="5893"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*iFl4DTQNuplt-SGONHpNYw.png"><figcaption></figcaption></figure><h2 id="d7df">Create automation credentials</h2><p id="b9e4">Create an <b>Access key</b> for the <b>SandboxDevAutomation</b> user.</p><figure id="7f1e"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*KoVfxp-aJvzBiacPyFeMlA.png"><figcaption></figcaption></figure><p id="217e">I have explained before that I disagree with the verbiage on this page. The CLI in the browser has a much larger attack surface, and it depends on how you are using the keys.</p><figure id="0423"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*_CCe4xu8AcNLloUHgvF5Aw.png"><figcaption></figcaption></figure><h2 id="8caa">Store the credentials in the SandboxDevAutomationSecret</h2><p id="24aa">Head to the Secrets Manager dashboard.</p><p id="432d">Click on the SandboxDevAutomationSecret.</p><figure id="6893"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*cz9jnYSnBsGXf9Y8VZjGPQ.png"><figcaption></figcaption></figure><p id="f616">Store the access key ID and secret access key.</p><figure id="4b95"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*-G9eR929nKSsGWrsOuzucg.png"><figcaption></figcaption></figure><h2 id="5496">Test Launching an EC2 Instance with the SandboxDev role</h2><p id="8907">Head over to the EC2 dashboard and test launching an EC2 Instance. 
Recall that the Instance name needs to match what we specified in the policy above.</p><figure id="a1c7"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*FqCLLp7V854JJZa88TIdvA.png"><figcaption></figcaption></figure><p id="2bc8">If you need to decode any error messages, I explained how to do that here:</p><div id="bb13" class="link-block"> <a href="https://readmedium.com/decoding-aws-error-messages-db0e0cbecf0d"> <div> <div> <h2>Decoding AWS Error Messages</h2> <div><h3>Free Content on Jobs in Cybersecurity | Sign up for the Email List</h3></div> <div><p>medium.com</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/1*4oxP4LXk8l8c3mpRvO7ejg.png)"></div> </div> </div> </a> </div><p id="bd85">Choose the existing networking created for EC2 instances in prior posts.</p><div id="a149" class="link-block"> <a href="https://readmedium.com/automating-cybersecurity-metrics-890dfabb6198"> <div> <div> <h2>Automating Cybersecurity Metrics (ACM)</h2> <div><h3>A series of blog posts on cybersecurity metrics and security automation</h3></div> <div><p>medium.com</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/1*L9lEIsaWt6xm2Op2ww-G5w.png)"></div> </div> </div> </a> </div><p id="2937">Choose the role we created under Advanced details.</p><figure id="8870"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*oHJior3Ueea6woDB1zqqKQ.png"><figcaption></figcaption></figure><p id="a822">One note that took me a bit to resolve. 
The message when your user does not have permission to pass the IAM role to the EC2 instance is a bit ambiguous.</p><div id="a0fb" class="link-block"> <a href="https://readmedium.com/ambiguous-error-message-when-a-user-doesnt-have-permission-to-pass-a-specific-iam-role-to-an-ec2-b005f338b6df"> <div> <div> <h2>Ambiguous Error Message When a User Doesn’t Have Permission to Pass a Specific IAM Role to an EC2…</h2> <div><h3>This error message needs to be more specific and doesn’t show up in CloudTrail for the User Name</h3></div> <div><p>medium.com</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/1*4oxP4LXk8l8c3mpRvO7ejg.png)"></div> </div> </div> </a> </div><p id="51b2">Getting the resources set up took some time because I realized I had to revise my approach. I didn’t automate any of this, but I will in the future. For now I just want to make sure it works. I can also figure out what permissions each policy requires.</p><p id="1fb5">I will test the initialization script in the next post.</p><p id="2c31">Follow for updates.</p><p id="4a3a">Teri Radichel | <i>© <a href="https://2ndsightlab.com/?source=post_page---------------------------">2nd Sight Lab</a> 2023</i></p></article></body>

An In-Depth Guide to Buying Property in the UK, in 6 Parts | Step 3: Choosing a Home

In practice, viewing properties runs in parallel with the next two steps, the mortgage and the conveyancing solicitor. You can't wait until you've finished viewing to start looking into a mortgage, and starting viewings only after the mortgage is agreed isn't quite right either, so these things should be done, and researched, at the same time.

Where to look for properties needs little explanation: UK property listings are dominated by two giants, the largest estate agency portal, rightmove.co.uk, and, second to it, zoopla.co.uk.

Once you've settled on where you'd ideally like to live, say you used illustreets or realmy to rank your 10 most desirable areas, the next step is to browse only the properties in those 10 areas. Look at listings in those areas on Rightmove and Zoopla (go straight to the map view), filtering by your budget. Because you've already fixed the areas and already know their transport links, crime rates and so on, all your attention can now go to the property itself. Both Rightmove and Zoopla let you save areas: first check each area for a suitable home, and if there isn't one, save those areas (you'll need Rightmove and Zoopla accounts) and check the new listings in them every day. As for the property itself, my advice is not to pay too much attention to the state of the decoration: the nicer it looks, the higher the premium, the more people will book viewings, and the more you'll end up paying over the odds. The pretty decoration photos on the listing are part of the marketing, and however nice the decor is, it isn't your own taste, so after living there for a while you'll want to redo it anyway.

So before you book an actual viewing, I suggest concentrating on the following points:

  • Layout and structure
  • Aspect of the master bedroom and living room
  • Whether the property is a council house
  • For a flat, whether there are commercial premises on the ground floor, and what kind
  • Whether the property is chain free
  • How long is left on the lease
  • What the monthly service charge is
  • Whether it is cash buyers only
  • Whether it is a retirement home
  • Whether it is shared ownership

All of the above affect the price: an awkward layout is hard to renovate later; rooms that don't get the sun; it being a council house; a restaurant downstairs; not being chain free, so you don't know when it will complete; a lease with little left that you'd have to extend yourself; an absurdly high service charge; and so on. For the last item you need to find out whether you meet the eligibility criteria to buy. It's best to check all of these before actually going to view.

Once the various factors roughly match your expectations, you can book a viewing. Usually, if the agent thinks the property will be in demand, or it has only just come on the market, the agent will set aside a single day for everyone to view together. On the day, my advice is to stay rational: the more people there are, the more the mood turns optimistic and people start whispering among themselves, and the agent will keep stoking the atmosphere hoping buyers bid against each other, saying things like "dozens of people are viewing today and everyone is very interested". As a buyer, don't assume you've found a treasure that you must snap up right away; keep observing the house rationally and objectively.

Things to pay attention to here:

  • Check where the boiler is, its model and how long it has been in use. A boiler that is too old won't last long after you move in, so you need to factor the cost of a new boiler into the price.
  • The condition of the windows. Double glazing is standard; otherwise you'll have to replace the windows yourself.
  • Look in every corner of the house for faint water stains, and feel the walls to see whether they are very cold, colder than the indoor temperature; this points to damp. Get a feel for the ventilation: with all the windows open, is there a breeze? A poorly ventilated house easily gets damp.
  • Chat with the agent. The main questions are about the owner: how long they've lived there, why they're selling, and roughly what the neighbours are like.
  • How noisy the area is during the day, how good the soundproofing is, and so on.

If you're not satisfied, wait for the next opportunity; don't worry, there's always another. But if you're very satisfied, the next step is to make an offer to the agent. This is your first offer, and the agent usually gives you around two chances to bid. The agent then passes your offer, together with everyone else's, to the seller, including your personal circumstances: where you're from, how much is cash and how much is mortgage, whether you're in a chain. The seller weighs this information and decides. So if your first offer is too low, say well below the asking price, while someone else offers more and has better circumstances, you may not get a chance to bid again. So if you really like the house, with a good location and a good internal layout, my advice is not to agonise over whether the current price is above the area average. If the home is right, paying a 10% premium isn't a big problem: houses in good areas appreciate faster than average, supply in good areas is usually limited, and turnover is low (you can check these figures on hometrack.com or realmy). Of course, too large a premium, say 50% over the asking price, isn't worth it, but it depends on the specifics. Price isn't the only factor either; the seller will also weigh the other factors mentioned above, such as the proportion you need to borrow and whether you're in a chain, so if the seller doesn't accept your offer because of those, don't be discouraged. The right house for you is still out there waiting.

Estimating the Price of a Property

The first time I bought, I spent a lot of time on valuation. Looking back, it wasn't necessary. I know many people still endlessly calculate what a house should be worth: is this price reasonable? Should I haggle or bid high? The reason I say you needn't agonise over this is:

First, as discussed earlier, the area matters most, not the building. What you're buying is the land; the house can be renovated or even rebuilt, but you can't change the area. The price is already set by the area; remember that "the current price already reflects everything".

Second, when an agent prices a property, they first consider the area's average price and then the property's marketing value, that is, how many people it can draw in to compete and bid; the more people competing, the higher the final price. If the agent expects lots of viewers, they usually price low, because the more people it attracts, the higher the bidding goes. The other case is where the owner suggests what they hope to sell for, and owners generally overestimate their own house.

A house is both an investment and a home. If you only care about the investment side, by all means value it carefully; for instance, I like run-down, badly decorated houses nobody wants in top-ranked, highly rated areas. But that's not the home we live in. A real home is about the living side, so if you come across a house you particularly like in an area that really suits you, don't hesitate too much, just take it. The extra premium sometimes really doesn't matter: prices in good areas rise faster than average anyway, and living in a good area that suits your circumstances makes you happier. In the end you won't lose out!

One more thing. Some will surely ask: if lots of people are viewing and bidding each other up, should I join the crowd? Actually there's a good bidding opportunity here worth sharing, namely the second case above. When the owner sets the price themselves, you'll find it's above the area average, and the result is that very few people go to view because everyone thinks it's expensive. If the house is also in your ideal area, you can pick up this pearl with just a small premium, or even below the asking price.

The Complete 6-Part In-Depth Guide to Buying Property in the UK
