securing different enviroments about chamber HOT 3 CLOSED

Hi Fernando,

Our practice at Segment is to grant access to Parameter Store keys on a need-to-know basis. Since our infrastructure runs almost entirely on AWS, we accomplish this through IAM policies and roles.

For example, if your service runs alone on an EC2 instance, you can associate that EC2 instance with a service role that has an IAM policy permitting access to the Parameter Store keys the service needs access to.

If, on the other hand, your service runs as an ECS task (i.e. container), you can assign an IAM role to the task comprising your service. Then, as with the EC2 example, that role would have an IAM policy attached permitting access to the Parameter Store keys used by your service.

Finally, at Segment, each environment (development, stage, production, etc.) is associated with a separate AWS Account. By default, no environment has access to the resources of any other environment, so there's no chance of cross-environment pollution unless we explicitly permit it (which is very rare).

References:

• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html
• https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html

from chamber.

I see how you secure it.
I was thinking of the separation of services.
while coding this into terraform, i ended up with something like this to limited based on attached policies

statement {
    sid = "SSMGetParameters"

    actions = [
      "ssm:GetParameters",
    ]

    resources = [
      "arn:aws:ssm:${var.region}:${var.AccountID}:parameter/prod.app1.*",
      "arn:aws:ssm:${var.region}:${var.AccountID}:parameter/general.license-code",
    ]
  }

from chamber.

a bigger sample here
https://aws.amazon.com/blogs/compute/managing-secrets-for-amazon-ecs-applications-using-parameter-store-and-iam-roles-for-tasks/

from chamber.