S3 accounts for repos

Brian LaMere brian at cukerinteractive.com
Fri Sep 10 17:57:39 UTC 2010


I completely forgot to bring this up at the meeting yesterday.  Are there
any thoughts on this?  Do the powers-that-be understand the argument for
having multiple accounts?

Brian

On Tue, Aug 31, 2010 at 7:56 PM, Brian LaMere <brian at cukerinteractive.com> wrote:

> Regardless how MirrorManager is made to work, the content itself will need
> to come from S3; I think that's in agreement, right?
>
> When I talked to Ben and Nathan at Amazon about it, Ben mentioned that it
> is best to have an S3 account per region for large sites; I agreed, and have
> already experienced why this is the case.  I can go over the reasons more
> extensively if the group would like, but they can be summed with a single
> word: "security."  I'll give two short examples, both based on what could
> happen between Matt and me working on getting MirrorManager in AWS.
>
> While working on the code to get MirrorManager to have an S3 back-end, say
> I accidentally send the keypair in an email, or worse - in an email to a
> list.  Immediately failing over to the second keypair (accounts can only
> have two keypairs, and only one should be used at a time except for when
> you're changing the keys; the second allows for seamless switches to a new
> keypair, as you leave both active until the process is complete, then
> deactivate the old one).  Having the keys be per-region minimizes the impact
> of this problem; there was a temporary exposure, but it wasn't a /global/
> exposure, which means we can safely treat the contents of all the other
> regions as clean/untainted still, and either sync from one region to another
> to make sure nothing happened during the exposure, or at the very worst only
> have one repo to rebuild.
>
> As another example, to help Matt with getting S3 as a backend for
> MirrorManager, I would have my productivity greatly increased by having
> access to the keypair.  Is the only thing on the official fedora account the
> S3-backed repositories?  I wouldn't think so.  However, that keypair allows
> access to *everything* at AWS.  There is nothing sacred from that keypair; I
> can use it to put a pubkey in the authorized_keys file of root on all the
> ec2 instances then do things on the servers as root on the servers - as an
> example.  That keypair is godmode for *all* of the AWS services.  Making
> distinct per-region accounts that are used just to do S3 buckets protects
> you from this.  Matt could give me a normal login account on an ec2 server
> so I could help test things, and I could use a keypair to work on S3 as a
> backend, without worrying that doing so meant I needed access to the
> god-mode keys.
>
> A key per role, per need, more or less.  Ben started our convo by trying to
> sell me on multi-account setups, but didn't need to; I already work on a
> team that needs to insulate itself from mistakes, and from workers who may
> not be here next week (and who should therefore not have godmode keys).
> There are a number of other reasons for it, if I need to go on ;)
>
> Does that all make sense?
>
> Brian LaMere
>