A blog about doing things with computers

Blog | Archive | Twitter | Github | Rss

AWS Big Brother - What's it for?

12 Mar 2017 | aws, accounts, environments, python, security, IAM

This post details a command line tool I’ve written called awsbigbrother. It can be used to audit AWS accounts and check that you are not exposed in certain areas. The mentality behind it is continuous checking and monitoring for security issues.

What is it then?

Using AWS introduces a number of new security challenges. For a start logging in to manage your infrastructure is now something that can be done anywhere on the public internet. Therefore, without proper management you could become a target for someone looking to break into your account to dump your databases, deface your website or simply mine bitcoins at your expense. Most people with operations experience will already have some ideas for mitigation. One essential thing for me is multi factor auth, this can be configured with a Force MFA policy. However, sometimes people with too much power can take themselves out of the force MFA group. Then of course there’s the question, who watches the watcher? A lot of these kind of questions led to AWS Big Brother:

The basic idea is you have a simple awsbb cli that performs the checks - for example:

Show me all users who do not have MFA set:

awsbb --mfa

Show me all users who don’t have MFA set and also show me users who have not changed their password in 30 days:

awsbb --mfa --password_max_age 30


AWS Big Brother is:

AWS Big Brother is not:

So I see awsbb helping for some examples:

User a who has accidentally been given too much privilege removes MFA on their account and removes themself from the force MFA group. A monitoring tool runs which spits out some errors and user a is asked to re-enable MFA.

So please get involved, contributors are always welcome :)

Older · View Archive (11)

AWS Account structure - An Opinionated Post

I tend to work on a lot greenfield projects where we create AWS stuff from scratch. When I roll down somewhere the very first thing I need to think about is account structure. There are pros and cons to various account structures. There’s no ‘right’ way to do this but I’m going to cover why I generally prefer multiple accounts.


Comments fixed

Some folks got in touch and said they were having trouble commenting. It should now be fixed so comment away :)