AWS IAM at ZipRecruiter

## AWS IAM at ZipRecruiter

---

## IAM Nouns

* Policy
* Role
* User
* Group

---

## IAM Policy

```
{ "Version": "2012-10-17",
"Statement": [{
  "Sid": "S3FooBucketOperations",
  "Effect": "Allow",
  "Action": [
      "s3:Get*", "s3:ListBucket"
  ],
  "Resource": [
    "arn:aws:s3:::foo.*.bar.com"
  ]
}, {
  "Sid": "S3FooObjectOperations",
  "Effect": "Allow",
  "Action": [
      "s3:DeleteObject",
      "s3:GetObject"
  ],
  "Resource": [
    "arn:aws:s3:::foo.bar.com/*"
  ] }]}
```

* Conditions

---

## IAM Roles

* In HyperVisor
 * How the code should run

```
$ curl 169.254.169.254/latest/meta-data\
       /iam/security-credentials/zr-foo
{
  "Code" : "Success",
  "LastUpdated" : "2017-04-27T21:42:27Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIAJP2V5J4IOG4ECNEA",
  "SecretAccessKey" : "QSCv8CFpTLQz95AAdpBOlGA2gC7fGiuuSElFlwYo",
  "Token" : "FQoD...JyAU=",
  "Expiration" : "2017-04-28T03:46:48Z"
}
```

---

# At Zip

---

## Library Work

* Easy
 * Medium
 * Hard

---

## Library Work Code

[won't fit on a
slide](https://gist.github.com/frioux/ef8c2051263c70e31ab4b7ba39153aff#file-v4-pl)

---

## Library Work ++

* We made Paws and Net::Amazon::Signature::V4 faster, woo
---

## Policies and how they are wrote

* Creds
 * SkeletonKey
 * Tier
 * ServerClass
 * Iterate ❌ 1 billion, break everything
 * Remove SkeletonKey
 * Reduce Creds
 * Remove Creds

---

# Threat Modelling

---

## Risk

* Who? (Engineers, Hackers, The Government)
 * What? (Data Exfiltration, Deletion, outages)
 * Cost? ($10,000; $100,000; $1,000,000?)

---

## Risk Avoidance

* Engineering time to build
 * Cost to support
 * Engineer time wasted
 * All add up to $$$ and it should be less than Risk

---

## Recovery

* Backups
 * Automation
 * You need these anyway
 * Hone and exercise them to make Risk Avoidance pointless

---

## The End