[ubuntu-cloud] [ec2ubuntu] Call for ideas for Ubuntu cloud / [UEC|EC2] images / cloud-init

Scott Moser smoser at ubuntu.com
Fri Oct 1 15:45:54 BST 2010


On Fri, 1 Oct 2010, Liraz Siri wrote:

> Mark Russell wrote:
>
> > Being able to automatically assign an Elastic IP on instance start up
> > would be very cool. Here's one solution I found:
> > http://www.krzywanski.net/archives/592.  But it requires putting your
> > private key and cert on the image.  Seems like you could do something
> > similar but more securely from your workstation though, maybe an option
> > to cloud-utils "uec-run-instances"?
>
> Putting your private key and cert on an image is a bad idea. If one
> machine gets compromised the attacker now has access to your entire EC2
> infrastructure.

Well, thanks to IAM, the above is not nearly as true as it used to be.

I wrote two blog entries when I just started playing with IAM [1,2] on
Ubuntu.

You could easily create a set of IAM credentials that is only able to make the
AssociateAddress API call [3], and stuff those credentials into the image.
The point is still valid, though, that those credentials could then be
used to make other 'AssociateAddress' calls.

If you had credentials limited to only that call, the possibility for
exploitation is somewhat low.  Worst case, a hacker got those credentials
and assigned an address to another of *your* instances (the target of the
instance has to be owned by that account... you can't assign your IP to my
instance-id).

Additional safeguards:
a.) do not provide acl to 'DescribeAddresses', the exploiter then would
have to guess at what IPs might be.
b.) limit the acl to being used from inside the instance's IP address via
a policy.

All in all, not that bad.  The IAM is a *huge* win for doing things like
this, and I definitely expect for people to be experimenting with using
it inside instances.

One thing that you cannot do right now for EC2 is explicitly limit inputs
to the 'AssociateAddress'. Ideally, you could create an ACL that could only
call 'AssociateAddress' with 'PublicIp' == 'your-desired-ip' and
'InstanceId' == 'your-instance-id'.  Of course, knowing the instance-id
would prevent you from being able to do this before launching the
instance, but you get the picture.

--
[1] http://ubuntu-smoser.blogspot.com/2010/09/playing-with-aws-access-identity.html
[2] http://ubuntu-smoser.blogspot.com/2010/09/using-policies-in-aws-identity-and.html
[3] http://docs.amazonwebservices.com/AWSEC2/latest/APIReference/
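
The limited credentials described in this message (AssociateAddress only, no DescribeAddresses, usable only from the instance's address), sketched as an added example that is not part of the original e-mail. It assumes today's IAM JSON policy syntax; the IP addresses are constructed documentation-range values, and `is_allowed` is a simplified local model of policy evaluation, not AWS's evaluator.

```python
import ipaddress
import json

# Constructed value: documentation-range address standing in for the instance's public IP.
INSTANCE_IP = "203.0.113.10"


def build_policy(source_ip):
    """Allow only ec2:AssociateAddress, and only when called from source_ip."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "ec2:AssociateAddress",  # DescribeAddresses deliberately not granted
            "Resource": "*",
            "Condition": {"IpAddress": {"aws:SourceIp": f"{source_ip}/32"}},
        }],
    }


def is_allowed(policy, action, source_ip):
    """Simplified model: default deny, exact action match, IpAddress/aws:SourceIp only."""
    addr = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"]
        if action not in ([actions] if isinstance(actions, str) else actions):
            continue
        cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
        if cidrs is None:
            return True  # no source restriction on this statement
        cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return True
    return False


if __name__ == "__main__":
    policy = build_policy(INSTANCE_IP)
    print(json.dumps(policy, indent=2))
    # Constructed requests: the instance itself, then the same credentials used elsewhere.
    for action, ip in [("ec2:AssociateAddress", INSTANCE_IP),
                       ("ec2:AssociateAddress", "198.51.100.7"),
                       ("ec2:DescribeAddresses", INSTANCE_IP)]:
        verdict = "allow" if is_allowed(policy, action, ip) else "deny"
        print(f"{action} from {ip}: {verdict}")
```

As the message notes, a policy of this shape still does not pin which address or instance-id the call names; it only narrows which call can be made and from where.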


