<p id="7156">I covered user-specific secrets here:</p><div id="744d" class="link-block"> <a href="https://readmedium.com/create-a-per-user-secret-in-secrets-manager-part-1-bb97b66e2a2d"> <div> <div> <h2>User-Specific Secrets on AWS: IAM Policies</h2> <div><h3>ACM.82 IAM Policies to allow users to describe their own secrets</h3></div> <div><p>medium.com</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/1*PcniDpBJq2db0jbdryc_Nw.png)"></div> </div> </div> </a> </div><h2 id="aada">Create the user-specific Secret to store the automation credentials</h2><p id="a515">Next I create <b>SandboxDevAutomationSecret</b> in Secrets Manager, encrypted with my <b>Sandbox KMS key</b>.</p><figure id="e15e"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*DQonCyF8UzPnZZoiGOKD9w.png"><figcaption></figcaption></figure><figure id="f7b3"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*zITxEtD__wFDwpPrBpqv4w.png"><figcaption></figcaption></figure><h2 id="2e63">Create a user-specific EC2 instance role for the SandboxDev user</h2><p id="3417">Next I create an EC2 instance role named <b>SandboxDevEC2Role</b> that the developer is allowed to pass to EC2 instances.</p><figure id="44ef"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*__fohZeTWjwdYrS__B4imQ.png"><figcaption></figcaption></figure><p id="eee9">The role name is prefixed with the username:</p><figure id="7afa"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*7dKW5KiQMivtKqjgzA_1Gw.png"><figcaption></figcaption></figure><p id="a338">This role is granted access to:</p><ul><li>Read the <b>SandboxDevSecret</b>.</li><li>Pull container images from the <b>sandbox Elastic Container Repository</b>.</li><li>Use the <b>sandbox KMS key</b> to decrypt the secret and the container images in the repository.</li></ul><h2 id="df90">Create the Automation user</h2><p id="b752">Create the <b>SandboxDevAutomation</b> user. 
Do not give this user console access.</p><figure id="ddeb"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*QWVvQMA9aDCtmiVxSR61iw.png"><figcaption></figcaption></figure><p id="c19e">Remember that I already have a role (<b>CloneGitHubtoCodeCommitRole</b>) used by my batch job from prior posts. Create a policy that allows the SandboxDevAutomation user to assume that role with sts:AssumeRole.</p><p id="559f">The <b>SandboxDev</b> user needs permission to change the <b>credentials and MFA device</b> of the <b>SandboxDevAutomation</b> user.</p><h2 id="0f53">Edit the batch job role trust policy to allow the SandboxDevAutomation user to assume it</h2><p id="7f1d">We need to modify the trust policy to allow the <b>SandboxDevAutomation user</b> to assume the <b>CloneGitHubtoCodeCommitRole</b> role, and only with MFA.</p><figure id="6ad1"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*xAHGslW3SSbv6c5NO8mhzg.png"><figcaption></figcaption></figure><p id="7ad0">Edit the trust policy:</p><figure id="cfaf"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*Vna71G_F2e-8Vdtw4yBwFw.png"><figcaption></figcaption></figure><p id="6a5a">Change the user in the principal to the SandboxDevAutomation user:</p><figure id="f788"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*vpSqEqjFa_qg59v_dnPCzQ.png"><figcaption></figcaption></figure><h2 id="49b3">Add permissions to the KMS key resource policy</h2><p id="8cf1">Next I need to allow the <b>SandboxDev</b> user to encrypt and decrypt with the <b>sandbox KMS key</b>, and the <b>SandboxDevEC2Role</b> to decrypt with it. I edit my automation to add those two principals to the key policy's encrypt and decrypt statements.</p><figure id="380f"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*UkzCt10p0iqCR4OpMs6uhQ.png"><figcaption></figcaption></figure><h2 id="d015">Log in as SandboxDev</h2><p id="725d">Log into the AWS Console with the SandboxDev user. 
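</p><p>The policy documents that the sections above describe (the EC2 role permissions, the automation user's assume-role policy, the SandboxDev user's permission to manage the automation user's credentials and MFA, the batch role trust policy with an MFA condition, the key policy additions, and the iam:PassRole grant needed for the EC2 launch test later in this post), pulled together as one added Python example. This is not the author's deployment automation. The principal, role and secret names are the ones used in this post; the account ID, region, KMS key ID, ECR repository name and virtual MFA device name are placeholder assumptions. Two details the console screenshots do not show: Secrets Manager appends a random suffix to secret ARNs, so the resource needs a trailing wildcard, and Secrets Manager protects a secret value with kms:GenerateDataKey rather than kms:Encrypt, so the SandboxDev statement in the key policy needs that action as well.</p>

```python
"""Least-privilege policy documents for the per-user automation setup in this post.

Added example, not the author's deployment scripts. Principal, role and secret
names are from the post; ACCOUNT, REGION, KMS_KEY_ID, ECR_REPO and the virtual
MFA device name are placeholder assumptions.
"""
import json

ACCOUNT = "123456789012"                             # assumption
REGION = "us-east-1"                                 # assumption
KMS_KEY_ID = "11111111-2222-3333-4444-555555555555"  # assumption
ECR_REPO = "sandbox"                                 # assumption

USER = "SandboxDev"                       # developer: console login, hardware MFA
AUTOMATION_USER = "SandboxDevAutomation"  # no console login, virtual MFA
EC2_ROLE = "SandboxDevEC2Role"
BATCH_ROLE = "CloneGitHubtoCodeCommitRole"
SECRET = "SandboxDevAutomationSecret"

USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/{USER}"
AUTOMATION_USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/{AUTOMATION_USER}"
EC2_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/{EC2_ROLE}"
BATCH_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/{BATCH_ROLE}"
KMS_KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/{KMS_KEY_ID}"
ECR_REPO_ARN = f"arn:aws:ecr:{REGION}:{ACCOUNT}:repository/{ECR_REPO}"
# Secrets Manager appends a random six-character suffix to the secret ARN,
# so the resource is matched with a trailing wildcard rather than the bare name.
SECRET_ARN = f"arn:aws:secretsmanager:{REGION}:{ACCOUNT}:secret:{SECRET}-*"
# Assumption: the automation user's virtual MFA device is named after the user.
AUTOMATION_MFA_ARN = f"arn:aws:iam::{ACCOUNT}:mfa/{AUTOMATION_USER}"


def allow(sid, actions, resource, condition=None, principal=None):
    """One Allow statement; Principal is only set for key policy statements."""
    s = {"Sid": sid, "Effect": "Allow"}
    if principal:
        s["Principal"] = {"AWS": principal}
    s["Action"], s["Resource"] = actions, resource
    if condition:
        s["Condition"] = condition
    return s


def document(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


def ec2_role_policy():
    """SandboxDevEC2Role: read the secret, pull from the sandbox ECR repo, decrypt with the key."""
    return document(
        allow("ReadAutomationSecret", ["secretsmanager:GetSecretValue"], SECRET_ARN),
        # ecr:GetAuthorizationToken has no resource-level scoping, so "*" is unavoidable here.
        allow("EcrLogin", ["ecr:GetAuthorizationToken"], "*"),
        allow("EcrPull", ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
                          "ecr:BatchCheckLayerAvailability"], ECR_REPO_ARN),
        allow("DecryptWithSandboxKey", ["kms:Decrypt"], KMS_KEY_ARN))


def automation_user_policy():
    """SandboxDevAutomation may do exactly one thing: assume the batch job role."""
    return document(allow("AssumeBatchRole", ["sts:AssumeRole"], BATCH_ROLE_ARN))


def developer_policy():
    """SandboxDev rotates the automation user's keys and MFA and passes only its own EC2 role."""
    return document(
        allow("ManageAutomationAccessKeys", ["iam:CreateAccessKey", "iam:UpdateAccessKey",
                                             "iam:DeleteAccessKey", "iam:ListAccessKeys"], AUTOMATION_USER_ARN),
        allow("ManageAutomationMfa", ["iam:EnableMFADevice", "iam:DeactivateMFADevice",
                                      "iam:ResyncMFADevice", "iam:ListMFADevices"], AUTOMATION_USER_ARN),
        allow("ManageAutomationVirtualMfaDevice",
              ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"], AUTOMATION_MFA_ARN),
        # Without this statement the EC2 launch fails with the ambiguous error the post links to.
        allow("PassOnlyOwnEc2Role", ["iam:PassRole"], EC2_ROLE_ARN,
              {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}))


def batch_role_trust_policy():
    """Trust policy on CloneGitHubtoCodeCommitRole: the automation user only, and only with MFA."""
    return document({"Sid": "AutomationUserWithMfa", "Effect": "Allow",
                     "Principal": {"AWS": AUTOMATION_USER_ARN}, "Action": "sts:AssumeRole",
                     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}})


def sandbox_key_policy_statements():
    """Statements to append to the existing key policy (Resource "*" in a key policy means this key)."""
    return [  # Secrets Manager protects a secret value with GenerateDataKey, not Encrypt.
        allow("DeveloperEncryptDecrypt", ["kms:Encrypt", "kms:GenerateDataKey", "kms:Decrypt"], "*",
              principal=USER_ARN),
        allow("Ec2RoleDecrypt", ["kms:Decrypt"], "*", principal=EC2_ROLE_ARN)]


def wildcard_findings(policy, exempt=("ecr:GetAuthorizationToken",)):
    """Sids of identity-policy statements granting Resource "*" for actions that support scoping."""
    out = []
    for s in policy["Statement"]:
        res = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        acts = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        if "*" in res and any(a not in exempt for a in acts):
            out.append(s["Sid"])
    return out


def trust_policy_requires_mfa(trust):
    """True only if every Allow statement carries a plain Bool aws:MultiFactorAuthPresent = true."""
    for s in trust["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        flag = s.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(flag).lower() != "true":
            return False
    return True


if __name__ == "__main__":
    for name, doc in [("ec2-role", ec2_role_policy()), ("automation-user", automation_user_policy()),
                      ("developer", developer_policy()), ("batch-role-trust", batch_role_trust_policy()),
                      ("key-policy-additions", sandbox_key_policy_statements())]:
        print(f"# {name}\n{json.dumps(doc, indent=2)}")
```

<p>Running the script prints each document as JSON ready to paste into the console or feed to the CLI. The trust policy check deliberately accepts only a plain <b>Bool</b> condition: <b>BoolIfExists</b> evaluates to true when <b>aws:MultiFactorAuthPresent</b> is absent from the request context, and it is absent for calls made with long-term access keys, so a trust policy written that way would let the automation user assume the role without MFA.</p><p>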
If you’ve been following along and used my deployment scripts, your user name has a prefix specific to your organization and ends in -Dev.</p><figure id="13d5"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*5L-3C9ORVXOWv6KRdCkBLg.png"><figcaption></figcaption></figure><h2 id="d260">Add MFA devices</h2><p id="5cca">Add a hardware MFA device to the SandboxDev user.</p><figure id="21f0"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*8s8rTuyWOsLAQUEqfwTtOQ.png"><figcaption></figcaption></figure><p id="c0e6">Add a virtual MFA device to the SandboxDevAutomation user.</p><p id="5cec">I explain why I do not use a Yubikey to generate MFA codes here:</p><div id="1308" class="link-block"> <a href="https://readmedium.com/the-yubikey-cli-and-aws-mfa-50e6be0698a7"> <div> <div> <h2>The Yubikey CLI and AWS MFA</h2> <div><h3>ACM.11 Considering the attack surface and MFA choices for our Security Batch Jobs</h3></div> <div><p>medium.com</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/1*SFAKbcK__GlbJbJJJVXK9w.png)"></div> </div> </div> </a> </div><figure id="5893"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*iFl4DTQNuplt-SGONHpNYw.png"><figcaption></figcaption></figure><h2 id="d7df">Create automation credentials</h2><p id="b9e4">Create an <b>access key</b> for the <b>SandboxDevAutomation</b> user.</p><figure id="7f1e"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*KoVfxp-aJvzBiacPyFeMlA.png"><figcaption></figcaption></figure><p id="217e">I have explained before that I disagree with the wording on this page. The CLI in the browser has a much larger attack surface, and the risk depends on how you are using the keys.</p><figure id="0423"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*_CCe4xu8AcNLloUHgvF5Aw.png"><figcaption></figcaption></figure><h2 id="8caa">Store the credentials in the SandboxDevAutomationSecret</h2><p id="24aa">Head to the Secrets Manager dashboard.</p><p id="432d">Click on the SandboxDevAutomationSecret.</p><figure id="6893"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*cz9jnYSnBsGXf9Y8VZjGPQ.png"><figcaption></figcaption></figure><p id="f616">Store the access key ID and secret access key.</p><figure id="4b95"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*-G9eR929nKSsGWrsOuzucg.png"><figcaption></figcaption></figure><h2 id="5496">Test launching an EC2 instance with the SandboxDevEC2Role</h2><p id="8907">Head over to the EC2 dashboard and test launching an EC2 instance. 
Recall that the instance name needs to match what we specified in the policy above.</p><figure id="a1c7"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*FqCLLp7V854JJZa88TIdvA.png"><figcaption></figcaption></figure><p id="2bc8">If you need to decode any error messages, I explained how to do that here:</p><div id="bb13" class="link-block"> <a href="https://readmedium.com/decoding-aws-error-messages-db0e0cbecf0d"> <div> <div> <h2>Decoding AWS Error Messages</h2> <div><h3>Free Content on Jobs in Cybersecurity | Sign up for the Email List</h3></div> <div><p>medium.com</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/1*4oxP4LXk8l8c3mpRvO7ejg.png)"></div> </div> </div> </a> </div><p id="bd85">Choose the existing networking created for EC2 instances in prior posts.</p><div id="a149" class="link-block"> <a href="https://readmedium.com/automating-cybersecurity-metrics-890dfabb6198"> <div> <div> <h2>Automating Cybersecurity Metrics (ACM)</h2> <div><h3>A series of blog posts on cybersecurity metrics and security automation</h3></div> <div><p>medium.com</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/1*L9lEIsaWt6xm2Op2ww-G5w.png)"></div> </div> </div> </a> </div><p id="2937">Choose the role we created under Advanced details.</p><figure id="8870"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/1*oHJior3Ueea6woDB1zqqKQ.png"><figcaption></figcaption></figure><p id="a822">One note on something that took me a while to resolve: the error message you get when your user does not have permission to pass the IAM role (iam:PassRole) to the EC2 instance is ambiguous.</p><div id="a0fb" class="link-block"> <a href="https://readmedium.com/ambiguous-error-message-when-a-user-doesnt-have-permission-to-pass-a-specific-iam-role-to-an-ec2-b005f338b6df"> <div> <div> <h2>Ambiguous Error Message When a User Doesn’t Have Permission to Pass a Specific IAM Role to an EC2…</h2> <div><h3>This error message needs to be more specific and doesn’t show up in CloudTrail for the User Name</h3></div> <div><p>medium.com</p></div> </div> <div> <div style="background-image: url(https://miro.readmedium.com/v2/resize:fit:320/1*4oxP4LXk8l8c3mpRvO7ejg.png)"></div> </div> </div> </a> </div><p id="51b2">Getting the resources set up took some time because I realized I had to revise my approach. I didn’t automate any of this, but I will in the future. For now I just want to make sure it works. I can also figure out what permissions each policy requires.</p><p id="1fb5">I will test the initialization script in the next post.</p><p id="2c31">Follow for updates.</p><p id="4a3a">Teri Radichel | <i>© <a href="https://2ndsightlab.com/?source=post_page---------------------------">2nd Sight Lab</a> 2023</i></p><div id="8b5f"><pre><span class="hljs-section">About Teri Radichel:</span>

⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab</pre></div><div id="caae"><pre><span class="hljs-section">Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</span>
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation</pre></div><div id="530b"><pre>Follow for more stories like this:

❤️ Sign Up my Medium Email List ❤️ Twitter: @teriradichel ❤️ LinkedIn: https://www.linkedin.com/in/teriradichel ❤️ Mastodon: @teriradichel@infosec.exchange ❤️ Facebook: 2nd Sight Lab ❤️ YouTube: @2ndsightlab</pre></div><figure id="eecf"><img src="https://cdn-images-1.readmedium.com/v2/resize:fit:800/0*H9Ew1KCl-29nZiPR.jpeg"><figcaption></figcaption></figure></article></body>