AWS IAM Policy to give to salt-cloud user - amazon-ec2

When creating a IAM user for salt-cloud, what are the minimum rights to give it so that it can do its job following the principle of least privilege?
I just need to create EC2 instances, using a map file: however I don't know enough salt-cloud to be sure of the actual operations it performs.
I would prefer to use a predefined policy, if it exists.

I was curious about this myself so took a look in the salt-cloud source (salt/cloud/clouds/ec2.py). Interestingly they don't use the boto library to make calls to AWS, opting instead to carve the requests themselves and the way they've done it makes it really easy to extract the actions that you'd need to have permissions for.
This one-liner pulls out all the actions
grep "'Action':" cloud/clouds/ec2.py | awk '{print $4;}' | sed "s/[},']//g" | sort | uniq
As you can see it's a fairly substantial subset of all the available EC2 permissions.
AllocateAddress
AssociateAddress
AttachVolume
CancelSpotInstanceRequests
CopySnapshot
CreateKeyPair
CreateSnapshot
CreateTags
CreateVolume
DeleteKeyPair
DeleteSnapshot
DeleteTags
DeleteVolume
DescribeAvailabilityZones
DescribeImages
DescribeInstanceAttribute
DescribeInstanceTypes
DescribeInstances
DescribeKeyPairs
DescribeRegions
DescribeSnapshots
DescribeSpotInstanceRequests
DescribeSubnets
DescribeTags
DescribeVolumes
DescribeZones
DetachVolume
GetConsoleOutput
GetPasswordData
ImportKeyPair
ModifyInstanceAttribute
ModifyNetworkInterfaceAttribute
RebootInstance
RebootInstances
RegisterImage
RequestSpotInstances
RunInstances
StartInstance
StartInstances
StopInstances
TerminateInstances
Naturally you could use salt to create an IAM profile for you with these ;)

Related

Disconnecting and reconnecting nvme

Is there capacity within amazon/centos/linux to switch the ordering round of nitro disks?
I have an ami which consistently has devices in the incorrect order, by this I mean nvme1n1 and nvme2n1 should be switched round. If I run nvme id-ctrl -v /dev/nvme1n1 | grep sn I get a different serial number back following a reboot. I know they're "wrong" as the serial numbers are not reflective of their capacity... Hope that makes sense (I appreciate it's a bit confusing). This only ever occurs on servers with two or more disks; upon a reboot the disks are "correct"
My question is, is there a method of forcing the nvme device to disconnect and reconnect (in the hope that the mapping works as expected in the correct order).
Thanks guys
Amazon Linux version 2017.09.01 and later contains scripts and a udev rule that automatically maps NVMe devices to /dev/xvd?. It is very briefly mentioned in the documentation, but there is not much information there.
You can obtain a copy by launching the Amazon Linux AMI, but there are also other places on the web where they have been posted. For example, I found this gist.
Very simple in the end:
echo 1 > /sys/bus/pci/devices/$(readlink -f /sys/class/nvme/nvme1 | awk -F "/" '{print $5}')/remove
echo 1 > /sys/bus/pci/devices/$(readlink -f /sys/class/nvme/nvme2 | awk -F "/" '{print $5}')/remove
echo 1 > /sys/bus/pci/rescan

How to decrypt the password of ion_auth library in codeigniter? [duplicate]

The developer who created a platform my company uses is no longer working for us and I don't know how I can retrieve the passwords from a custom PHP application
When I look in the PHPmyAdmin the passwords are ecrypted (eg *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19)
How can I change or retrieve these?
If a proper encryption method was used, it's not going to be possible to easily retrieve them.
Just reset them with new passwords.
Edit: The string looks like it is using PASSWORD():
UPDATE user SET password = PASSWORD("newpassword");
How can I decrypt MySQL passwords
You can't really because they are hashed and not encrypted.
Here's the essence of the PASSWORD function that current MySQL uses. You can execute it from the sql terminal:
mysql> SELECT SHA1(UNHEX(SHA1("password")));
+------------------------------------------+
| SHA1(UNHEX(SHA1("password"))) |
+------------------------------------------+
| 2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 |
+------------------------------------------+
1 row in set (0.00 sec)
How can I change or retrieve these?
If you are having trouble logging in on a debian or ubuntu system, first try this (thanks to tohuwawohu at https://askubuntu.com/questions/120718/cant-log-to-mysql):
$ sudo cat /etc/mysql/debian.conf | grep -i password
...
password: QWERTY12345...
Then, log in with the debian maintenance user:
$ mysql -u debian-sys-maint -p
password:
Finally, change the user's password:
mysql> UPDATE mysql.user SET Password=PASSWORD('new password') WHERE User='root';
mysql> FLUSH PRIVILEGES;
mysql> quit;
When I look in the PHPmyAdmin the passwords are encrypted
Related, if you need to dump the user database for the relevant information, try:
mysql> SELECT User,Host,Password FROM mysql.user;
+------------------+-----------+----------------------+
| User | Host | Password |
+------------------+-----------+----------------------+
| root | localhost | *0123456789ABCDEF... |
| root | 127.0.0.1 | *0123456789ABCDEF... |
| root | ::1 | *0123456789ABCDEF... |
| debian-sys-maint | localhost | *ABCDEF0123456789... |
+------------------+-----------+----------------------+
And yes, those passwords are NOT salted. So an attacker can prebuild the tables and apply them to all MySQL installations. In addition, the adversary can learn which users have the same passwords.
Needles to say, the folks at mySQL are not following best practices. John Steven did an excellent paper on Password Storage Best Practice at OWASP's Password Storage Cheat Sheet. In fairness to the MySQL folks, they may be doing it because of pain points in the architecture, design or implementation (I simply don't know).
If you use the PASSWORD and UPDATE commands and the change does not work, then see http://dev.mysql.com/doc/refman/5.0/en/resetting-permissions.html. Even though the page is named "resetting permissions", its really about how to change a password. (Its befuddling the MySQL password change procedure is so broken that you have to jump through the hoops, but it is what it is).
Hashing is a one-way process but using a password-list you can regenerate the hashes and compare to the stored hash to 'crack' the password.
This site https://crackstation.net/ attempts to do this for you - run through passwords lists and tell you the cleartext password based on your hash.
With luck, if the original developer was any good, you will not be able to get the plain text out. I say "luck" otherwise you probably have an insecure system.
For the admin passwords, as you have the code, you should be able to create hashed passwords from a known plain text such that you can take control of the application. Follow the algorithm used by the original developer.
If they were not salted and hashed, then make sure you do apply this as 'best practice'
just change them to password('yourpassword')
You can't decrypt MySQL passwords, because the are hashed by using MD5 hash algorithm, which is not an encryption algorithm.
Simply best way from linux server
sudo mysql --defaults-file=/etc/mysql/debian.cnf -e 'use mysql;UPDATE user SET password=PASSWORD("snippetbucket-technologies") WHERE user="root";FLUSH PRIVILEGES;'
This way work for any linux server, I had 100% sure on Debian and Ubuntu you win.

Disable scheduling on second instance of same project on AWS

I have 2 instances of the same deployment/project on AWS Elastic Beanstalk.
Both contain a Laravel project which contains scheduling code which runs various commands which can be found in the schedule method/function of the Kernel.php class within 'app/Console' - the problem I have is that if a command runs from one instance then it will also run the command from the second instance which is not what I want to happen.
What I would like to happen is that the commands get run from only one instance and not the other. How do I achieve this in the easiest way possible?
Is there a Laravel package which could help me achieve this?
From Laravel 5.6:
Laravel provides a onOneServer method which you can use if your applications share a single cache server. You could use something like ElastiCache to host Redis or Memcached and use it as your cache server for both of your application instances. Then you would be able to use the onOneServer method like this:
$schedule->command('report:generate')
->fridays()
->at('17:00')
->onOneServer();
For older versions of Laravel:
You could use the jdavidbakr/multi-server-event package. Once you have it set up you should be able to use it like:
$schedule->command('inspire')
->daily()
->withoutOverlappingMultiServer();
I had the same issue to run some cronjobs (nothing related to Laravel) and I found a nice solution (don't remember where I found it)
What I do is check if the instance running the code is the first instance on the Auto Scaling Group, if it's the first then I execute the command otherwise just exit.
This is the way it's implemented:
#!/bin/bash
INSTANCE_ID=`curl http://169.254.169.254/latest/meta-data/instance-id 2>/dev/null`
REGION=`curl -s http://169.254.169.254/latest/dynamic/instance-identity/document 2>/dev/null | jq -r .region`
# Find the Auto Scaling Group name from the Elastic Beanstalk environment
ASG=`aws ec2 describe-tags --filters "Name=resource-id,Values=$INSTANCE_ID" \
--region $REGION --output json | jq -r '.[][] | select(.Key=="aws:autoscaling:groupName") | .Value'`
# Find the first instance in the Auto Scaling Group
FIRST=`aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names $ASG \
--region $REGION --output json | \
jq -r '.AutoScalingGroups[].Instances[] | select(.LifecycleState=="InService") | .InstanceId' | sort | head -1`
# If the instance ids are the same exit 0
[ "$FIRST" = "$INSTANCE_ID" ]
Try implementing those calls using PHP and it should work.

Trying to make a list in the following format using linux bash commands (awk,cut, or any solution)

I've been trying to make one list of my local servers containing the credentials to automate process on my side. Here's the file I have right now:
head hosts-only.txt
192.168.2.101
192.168.2.102
192.168.2.103
192.168.2.105
192.168.2.107
head user-only.txt
admin
tomcat
oracle
head pass-only.txt
123456
secret
secure
ofc, password are not real below, just using them as an example. Now, what I am trying to accomplish is getting one 'list.txt' containing the information in the following format:
192.168.2.101:admin:123456
192.168.2.102:tomcat:secret
192.168.2.103:oracle:secure
Any help would be very appreciated,
Thanks !
Look at
paste -d: hosts-only.txt user-only.txt pass-only.txt

Can't access s3 buckets after creating instance using IAM profile

I am trying to access some s3 buckets from an instance created applying the IAM profile that allows full access to those s3 buckets. I am able to carry out the required operations using aws cli. However, my application is written in Ruby and makes use of fog gem. Using fog, I am unable to access those buckets. All I get is Access Denied. Additionally, I grabbed the required keys:
aws_access_key_id=`curl http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} | grep AccessKeyId | cut -d':' -f2 | sed 's/[^0-9A-Z]*//g'`
aws_secret_access_key=`curl http://169.254.169.254/latest/meta-data/iam/security-credentials/${instance_profile} | grep SecretAccessKey | cut -d':' -f2 | sed 's/[^0-9A-Za-z/+=]*//g'`
and tried to access the buckets. Again, access denied.
Is there anything I should have missed?
As well as an access key and a secret access key, temporary credentials such as the ones provided by instance metadata also have a session token - without the token the credentials are invalid.
Current versions of fog / fog-aws support fetching instance credentials for you, eg
storage = Fog::Storage::AWS.new(region: "eu-west-1", use_iam_profile:true)
This will also refetch credentials before they expire

Resources