by rwitoff 3025 days ago
In practice, cramming all this into the same account doesn't work. Segment is following best practice here.

For example, IAM doesn't provide the granularity in resources and conditions that you'd want to effectively isolate the blast radius of developer keys. ec2:TerminateInstances didn't (doesn't?) support VPC level conditions, so being able to terminate one instance meant you could terminate all instances.

Similarly, you might want your engineering team to iam:PutUserPolicy in development, but have a much more restricted group in production which isn't possible with IAM today.

I've taken this pretty far in the past to attempt segmenting within one account, but always run into limits: https://github.com/witoff/self-service-iam


The other bit would be blast radius. What if someone does get access to your single account? How confident are you that your policies were airtight? By using many accounts, you create clear isolation boundaries that require opt-in sharing.
>>> By using many accounts, you create clear isolation boundaries that require opt-in sharing.

In theory yes. In practice, you will achieve the opposite of that.

Developers and ops will have to juggle between 10 keys and accounts to get anything. The keys will end up saved and written all over the systems. It will be impossible to have audit between all the accounts and access.

Op here. I don't think you read the blog post! Our entire engineering org has a grand total of 0 AWS keys!

Per-account isolation is great for security and especially reliability, if you run into constant ratelimit issues like we do.

ec2:TerminateInstances still doesn’t support the vpc as a condition but it does allow you to use tags. You can also limit a role to tagging only the instances they create (as long as they include the tags when they call ec2:RunInstances). You can even require that specific tags are present. Combine all of that with some kind of “owner” tag and it’s a pretty decent solution to the problem. Add automatic tagging on the backend and it’s even better.

That said, it’s not perfect and there are probably plenty of resources it wouldn’t work for. It’s also comparatively fragile.
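As an added example, not from this thread or from Segment: an IAM policy that implements the tag-based approach described above. It assumes an `owner` tag and the `${aws:username}` policy variable (the tag name and the `Sid` labels are illustrative); terminate is allowed only on instances whose `owner` tag matches the caller, launches must carry that tag and no other, and tagging is allowed only as part of the launch so the tag cannot be rewritten afterwards.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TerminateOnlyInstancesTaggedWithOwnUsername",
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "aws:ResourceTag/owner": "${aws:username}" }
      }
    },
    {
      "Sid": "RunInstancesOnlyWhenOwnerTagIsSetToOwnUsername",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "aws:RequestTag/owner": "${aws:username}" },
        "ForAllValues:StringEquals": { "aws:TagKeys": ["owner"] }
      }
    },
    {
      "Sid": "RunInstancesOtherResourcesItTouches",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:key-pair/*"
      ]
    },
    {
      "Sid": "TagInstancesOnlyAsPartOfRunInstances",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ec2:CreateAction": "RunInstances" }
      }
    }
  ]
}
```

`${aws:username}` is only populated for IAM users; for assumed roles, key the condition on `${aws:userid}` or a principal tag (`aws:PrincipalTag/...`) instead, and remember the whole scheme collapses if any other policy grants `ec2:CreateTags` or `ec2:DeleteTags` without the `ec2:CreateAction` restriction.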