
AWS EC2 KeyPair creation with CloudFormation does not have a decent way to restrict a user to seeing their own SSH key

Keys are created in SSM Parameter store with random names that cannot easily be used in policies

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics | Code.

🔒 Related Stories: Bugs | AWS Security | Secure Code

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I just wrote about this in a more detailed explanation of using CloudFormation to deploy an SSH key here:

When AWS CloudFormation creates an EC2 key pair, it stores the private key in SSM Parameter Store under a random name, and that name cannot easily be used in IAM policies to restrict each user to seeing only their own SSH key.

I have shown in prior posts how to create policies with ${aws:username}, but that approach does not work with the way these parameters are named. Anyone with read access to the parameters can see the SSH keys in them.

Typically, when you perform a security audit, you ask for read-only access to an account to perform the audit. Also, does the AWS security audit role have access to these keys? Administrators using the full access policy will also have access to these keys. It is like giving administrators everyone's passwords. Yes, they may be able to reset a password, but the user will notice when they can no longer access the system. With an SSH key, the user has no idea anyone else is using the key.

Even if these parameters did have an appropriate name, the problem with SSM Parameter Store is that you cannot apply resource policies to SSM parameters to limit who can access the resource. It is much more challenging to do this across all of IAM, or to try to manage it in a Service Control Policy, when users are adding and removing SSH keys frequently (which is generally what happens in larger organizations if they use SSH keys).

A better solution would be to let the customer specify a secret in Secrets Manager where they wish to store the key at the time of creation, and allow the customer to configure the secret at that time. The customer could also specify a parameter encrypted with a customer managed key that limits access to a particular user, but the key also has an administrator, and the key solution seems like it would be more expensive. Alternatively, let the customer specify a KMS key and change Parameter Store to allow creation of resource policies (not the policies currently applied to SSM parameters, which do not serve the same purpose).
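To make the naming problem concrete, here is an added example (my own code, not from the post or from AWS): a small IAM-style evaluator that substitutes the ${aws:username} policy variable, matches resource ARNs with IAM wildcard rules, and evaluates a per-user policy against parameters you name yourself versus the parameter CloudFormation creates. It assumes the path AWS documents for AWS::EC2::KeyPair, /ec2/keypair/<key-pair-id>; the account ID, region, key pair ID, user names, the "read-only" policy and the parameter listing are constructed samples, and the evaluator ignores conditions, resource policies and SCPs. It also includes a check you can run over the names returned by ssm:DescribeParameters to find key pair parameters that need review.

```python
"""Added example (not from the post): toy IAM-style evaluation showing why a
per-user policy built on ${aws:username} cannot fence off SSH private keys that
CloudFormation stores in SSM Parameter Store under the key pair's random ID,
and how a broad read-only policy reaches them.
Account, region, user names, policies and the key pair ID are constructed."""
import fnmatch
import re

ACCOUNT = "123456789012"   # constructed sample account ID
REGION = "us-east-1"

# AWS::EC2::KeyPair stores the private key at /ec2/keypair/<key-pair-id>.
# The ID is assigned by EC2, so no user name ever appears in the parameter name.
CFN_KEY_PARAM = "/ec2/keypair/key-0123456789abcdef0"   # constructed sample ID


def param_arn(name: str) -> str:
    """Build the SSM parameter ARN for a parameter name (leading slash normalised)."""
    if not name.startswith("/"):
        name = "/" + name
    return f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter{name}"


def substitute(pattern: str, ctx: dict) -> str:
    """Replace ${aws:...} policy variables with values from the request context."""
    return re.sub(r"\$\{([A-Za-z:]+)\}",
                  lambda m: ctx.get(m.group(1), m.group(0)), pattern)


def matches(pattern: str, value: str, fold: bool = False) -> bool:
    """IAM-style wildcard match: '*' spans any characters, '?' exactly one.
    Actions are case-insensitive (fold=True); resource ARNs are not."""
    if fold:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: dict, action: str, resource_arn: str, ctx: dict) -> bool:
    """Evaluate one identity policy: explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if not any(matches(a, action, fold=True) for a in actions):
            continue
        if not any(matches(substitute(r, ctx), resource_arn) for r in resources):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Per-user policy: works only when you control the parameter name yourself
PER_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:GetParameter", "ssm:GetParameters"],
        "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/ssh-keys/${{aws:username}}",
    }],
}

# Broad read-only policy of the kind handed to an auditor (constructed; not a
# verbatim copy of any AWS managed policy)
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ssm:Describe*", "ssm:Get*", "ssm:List*"],
        "Resource": "*",
    }],
}


def find_keypair_parameters(names):
    """Flag parameters holding CloudFormation-created key pair private keys.
    Feed this the Name values from an ssm:DescribeParameters listing."""
    return [n for n in names if n.startswith("/ec2/keypair/")]


if __name__ == "__main__":
    alice = {"aws:username": "alice"}
    print("alice reads /ssh-keys/alice:",
          is_allowed(PER_USER_POLICY, "ssm:GetParameter", param_arn("/ssh-keys/alice"), alice))
    print("alice reads /ssh-keys/bob:",
          is_allowed(PER_USER_POLICY, "ssm:GetParameter", param_arn("/ssh-keys/bob"), alice))
    print("alice reads her CloudFormation key pair parameter:",
          is_allowed(PER_USER_POLICY, "ssm:GetParameter", param_arn(CFN_KEY_PARAM), alice))
    print("auditor with read-only reads it:",
          is_allowed(READ_ONLY_POLICY, "ssm:GetParameter", param_arn(CFN_KEY_PARAM),
                     {"aws:username": "auditor"}))
    sample = ["/app/db/url", CFN_KEY_PARAM, "/ssh-keys/alice"]   # constructed listing
    print("key pair parameters to review:", find_keypair_parameters(sample))
```

The per-user policy grants alice her own /ssh-keys/alice parameter and nothing else, but it cannot grant her the CloudFormation-created parameter at all, because the key pair ID carries no user name to substitute; the only way to let her read it is a broader grant, which is exactly the grant the read-only auditor policy already has for everyone's keys.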

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab
Cloudformation
Ec2
Keypair
Ssm
Parameter