Showing posts from March, 2018

Restrict launching certain EC2 Instances

Administrators need a range of permissions to perform routine tasks. Usually, the IAM policies assigned to administrators are more relaxed than those assigned to other IAM users. For example, one of the policies assigned to administrators may allow them to perform all actions on EC2 instances. In such a scenario, the programmatic keys of administrators can be misused (intentionally or unintentionally) to create EC2 instances that are very expensive to run. Such a mistake can end up costing the organization hundreds or thousands of dollars. If your AWS account only needs small or medium EC2 instances, it might be a good idea to restrict administrators from creating any other instance type. The following IAM policy restricts administrators from launching certain instance types. { "Version" : "2012-10-17" , "Statement" : [ { "Sid" : "DenyLargeInstanceCreation" , "Effect" : "Deny" , "

AWS Console Sign in Failure Alarms

It might be a good idea to be aware of sign-in failures for your AWS production accounts. With the help of CloudTrail and CloudWatch, administrators can be alerted (via email or SMS) in a timely manner in case of repeated sign-in failures within a short duration. Administrators can then assess the situation and take action if required. Setting up MFA is also highly recommended, especially for production AWS accounts. Following are the steps to create an alarm using CloudTrail, CloudWatch, filters and SNS. Log into the AWS Management Console and go to the 'CloudTrail' dashboard. Enter a trail name, select to apply it to all regions, and then enter the name of the bucket where the logs will be stored. Click 'Create Trail' and the trail should be created. Navigate to the Trails dashboard and click the newly created trail. Look for the heading 'CloudWatch Logs' and enter the name of the CloudWatch log group where CloudTrail will send the logs. If the CloudWatch log group does not exist yet, then you can crea