I completely forgot to bring this up at the meeting yesterday. Are there
any thoughts on this? Do the powers-that-be understand the argument for
having multiple accounts?
On Tue, Aug 31, 2010 at 7:56 PM, Brian LaMere <brian(a)cukerinteractive.com> wrote:
Regardless how MirrorManager is made to work, the content itself will
have to come from S3; I think that's in agreement, right?
When I talked to Ben and Nathan at Amazon about it, Ben mentioned that it
is best to have an S3 account per region for large sites; I agreed, and have
already experienced why this is the case. I can go over the reasons more
extensively if the group would like, but they can be summed with a single
word: "security." I'll give two short examples, both based on what could
happen between Matt and me working on getting MirrorManager in AWS.
While working on the code to get MirrorManager to have an S3 back-end, say
I accidentally send the keypair in an email, or worse - in an email to a
list. Immediately failing over to the second keypair (accounts can only
have two keypairs, and only one should be used at a time except for when
you're changing the keys; the second allows for seamless switches to a new
keypair, as you leave both active until the process is complete, then
deactivate the old one). Having the keys be per-region minimizes the impact
of this problem; there was a temporary exposure, but it wasn't a /global/
exposure, which means we can safely treat the contents of all the other
regions as clean/untainted still, and either sync from one region to another
to make sure nothing happened during the exposure, or at the very worst only
have one repo to rebuild.
As another example, to help Matt with getting S3 as a backend for
MirrorManager, I would have my productivity greatly increased by having
access to the keypair. Is the only thing on the official fedora account the
S3-backed repositories? I wouldn't think so. However, that keypair allows
access to *everything* at AWS. There is nothing sacred from that keypair; I
can use it to put a pubkey in the authorized_keys file of root on all the
ec2 instances then do things on the servers as root on the servers - as an
example. That keypair is godmode for *all* of the AWS services. Making
distinct per-region accounts that are used just to do S3 buckets protects
you from this. Matt could give me a normal login account on an ec2 server
so I could help test things, and I could use a keypair to work on S3 as a
backend, without worrying that doing so meant I needed access to the
A key per role, per need, more or less. Ben started our convo by trying to
sell me on multi-account setups, but didn't need to; I already work on a
team that needs to insulate itself from mistakes, and from workers who may
not be here next week (and who should therefore not have godmode keys).
There are a number of other reasons for it, if I need to go on ;)
Does that all make sense?
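The key handoff Brian describes (two keys per account, both active until the switch is done, then the old one deactivated), written out as an added example that is not part of this thread or of MirrorManager. It assumes a boto3-style IAM client (IAM users carry the same two-access-key limit the email mentions for accounts) and uses a constructed in-memory stand-in with the same call shapes so it runs offline; the user name and key ids are made up.

```python
# Added example (not from this thread). Assumes a boto3-style IAM client;
# FakeIam is a constructed stand-in with the same call shapes, offline only.
import itertools

class FakeIam:
    """Constructed in-memory stand-in for boto3's IAM client (example only)."""
    def __init__(self, user, key_ids=()):
        self.keys = {user: [{"AccessKeyId": k, "Status": "Active"} for k in key_ids]}
        self._seq = itertools.count(1)
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k) for k in self.keys[UserName]]}
    def create_access_key(self, UserName):
        kid = f"AKIAFAKE{next(self._seq):04d}"  # made-up key id
        self.keys[UserName].append({"AccessKeyId": kid, "Status": "Active"})
        return {"AccessKey": {"AccessKeyId": kid, "SecretAccessKey": "constructed"}}
    def update_access_key(self, UserName, AccessKeyId, Status):
        next(k for k in self.keys[UserName] if k["AccessKeyId"] == AccessKeyId)["Status"] = Status
    def delete_access_key(self, UserName, AccessKeyId):
        self.keys[UserName] = [k for k in self.keys[UserName] if k["AccessKeyId"] != AccessKeyId]

def rotate_access_key(iam, user, switch_consumers):
    """Create the second key, hand consumers over, then deactivate the old one.
    Returns (new_key_id, old_key_id). The old key is only deactivated, so it can
    be re-enabled if a consumer was missed; delete it with retire_inactive_keys."""
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(keys) >= 2:
        # IAM caps a user at two keys; a second key already present means an
        # earlier rotation never finished. Refuse rather than delete blindly.
        raise RuntimeError(f"{user} already has two keys; finish that rotation first")
    old_id = keys[0]["AccessKeyId"] if keys else None
    new = iam.create_access_key(UserName=user)["AccessKey"]
    try:
        switch_consumers(new["AccessKeyId"], new["SecretAccessKey"])
    except Exception:
        # Handoff failed: drop the unused new key so exactly one key stays live.
        iam.delete_access_key(UserName=user, AccessKeyId=new["AccessKeyId"])
        raise
    if old_id is not None:
        iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Inactive")
    return new["AccessKeyId"], old_id

def retire_inactive_keys(iam, user):
    """After the new key is verified in use, delete every Inactive key."""
    gone = [k["AccessKeyId"] for k in iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
            if k["Status"] == "Inactive"]
    for kid in gone:
        iam.delete_access_key(UserName=user, AccessKeyId=kid)
    return gone
```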