4340 links
  • Arnaud's links
  • Home
  • Login
  • RSS Feed
  • ATOM Feed
  • Tag cloud
  • Picture wall
  • Daily
Links per page: 20 50 100
page 1 / 1
12 results tagged policy x
  • Predefined SSL security policies for Classic Load Balancers - Elastic Load Balancing
    2024年2月7日 GMT+1 上午11:34:41 - permalink - archive.org - https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html
    aws policy ssl
  • Note: psp

    Hello,

    • What is changing?
      PodSecurityPolicy (PSP) was deprecated [1] in Kubernetes version 1.21 and has been removed in Kubernetes version 1.25 [2]. If you are using PSPs in your cluster, then you must migrate from PSP to the built-in Kubernetes Pod Security Standards (PSS) or to a policy as code solution before upgrading your cluster to version 1.25 to avoid interruption to your workloads.

    • What actions can customers take?
      PSP resources were used to specify a set of requirements that pods had to meet before they could be created. Since PSPs have been removed in Kubernetes version 1.25, you must replace those security controls. Two solutions can fill this need:

    1) Kubernetes Pod Security Standards (PSS)
    2) Policy-as-code solutions from the Kubernetes ecosystem

    In response to the PSP deprecation and the ongoing need to control pod security out-of-the-box, the Kubernetes community created a built-in solution with PSS [3] and Pod Security Admission (PSA) [4]. The PSA webhook implements the controls defined in the PSS. To review best practices for migrating PSPs to the built-in Pod Security Standards, see references [5] and [6].

    Policy-as-code solutions provide guardrails to guide cluster users, and prevent unwanted behaviors, through prescribed and automated controls. Policy-as-code solutions typically use Kubernetes Dynamic Admission Controllers to intercept the Kubernetes API server request flow, via a webhook call, and mutate and validate request payloads, based on policies written and stored as code. There are several open source policy-as-code solutions available for Kubernetes. To review best practices for migrating PSPs to a policy-as-code solution, see reference [7].

    You can run the following command to view the PSPs in your cluster: kubectl get psp. If you see the eks.privileged PSP in your cluster, it will be automatically migrated to PSS by Amazon EKS. No action is needed on your part.

    To summarize, if you are using PSP in your cluster, then you must migrate from PSP to the built-in Kubernetes PSS or to a policy as code solution before upgrading your cluster to version 1.25 to avoid interruptions to your workloads. EKS offers best practices for pod security and guidance for implementing pod security standards [8]. You can find details on PSP Migration in EKS documentation [1].

    If you have any questions or concerns, please reach out to AWS Support [9].

    [1] https://docs.aws.amazon.com/eks/latest/userguide/pod-security-policy-removal-faq.html
    [2] https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html#kubernetes-release-calendar
    [3] https://kubernetes.io/docs/concepts/security/pod-security-standards/
    [4] https://kubernetes.io/docs/concepts/security/pod-security-admission/
    [5] https://aws.github.io/aws-eks-best-practices/security/docs/pods/#pod-security-standards-pss-and-pod-security-admission-psa
    [6] https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/
    [7] https://aws.github.io/aws-eks-best-practices/security/docs/pods/#policy-as-code-pac
    [8] https://aws.amazon.com/blogs/containers/implementing-pod-security-standards-in-amazon-eks/
    [9] https://aws.amazon.com/support

    2023年2月17日 GMT+1 下午1:47:31 - permalink - archive.org - https://links.infomee.fr/?KhDwSg
    k8s migration psp
  • thumbnail
    Amazon CloudFront Announces Cache and Origin Request Policies | Networking & Content Delivery
    2022年1月4日 GMT+1 下午4:18:00 - permalink - archive.org - https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-cloudfront-announces-cache-and-origin-request-policies/
    cloudfront policy
  • thumbnail
    jtblin/kube2iam: kube2iam provides different AWS IAM roles for pods running on Kubernetes
    2019年3月6日 GMT+1 上午9:54:26 - permalink - archive.org - https://github.com/jtblin/kube2iam
    eks iam k8s policy role
  • How Do I Create a Lifecycle Policy for an S3 Bucket? - Amazon Simple Storage Service

    To apply this lifecycle rule to all objects in the bucket, choose Next.

    That's why wildcard was not working :D

    2017年9月22日 GMT+2 上午10:14:20 - permalink - archive.org - http://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-lifecycle.html
    aws policy s3
  • Example 2: Bucket Owner Granting Cross-Account Bucket Permissions - Amazon Simple Storage Service
    Donc pour autoriser un compte externe, on va créer une bucket policy sur notre bucket pour autoriser "arn:aws:iam::account_id:root" ou plus précis sur l'user arn:aws:iam::account_id:user/foobar ou le role

    C'est le compte en face qui va décider qui a le droit de venir sur notre bucket avec des user policy standard (quand on est dans le contexte du compte en face, c'est comme si le bucket nous appartenait)

    Exemple bucket policy à mettre sur le BUCKET de l'account A pour autoriser l'account xxx en RW


    {
        "Version": "2012-10-17",
        "Statement": [





            {
                "Sid": "Allow account_xx on aws account xxx RW",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::OTHER_ACCOUNT_ID:root"
                },
                "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
                "Resource": "arn:aws:s3:::BUCKET"
            },
            {
                "Sid": "Allow account_xx on aws account xxx RW",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::OTHER_ACCOUNT_ID:root"
                },
                "Action": [
                    "s3:*"
                ],
                "Resource": "arn:aws:s3:::BUCKET/*"
            }




        ]
    }

    Pour Read only, remplacer action du deuxieme bloc par "Action": ["s3:Get*","s3:List*"],
    2017年6月12日 GMT+2 上午8:48:42 * - permalink - archive.org - http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html
    aws cross iam policy s3
  • thumbnail
    IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources) | AWS Security Blog

    Easy one?
    Not even close

    2017年3月24日 GMT+1 下午12:24:51 - permalink - archive.org - https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
    iam policy s3
  • thumbnail
    Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket | AWS Security Blog

    Don't give s3 full access policy to your app user
    Prefer to allow access only for specific bucket

    I wonder what's the best choice : create managed policy or simply use inline policy. I got a 1 to 1 relationship between my app-users and bucket so... inline policy looks good here

    2017年3月15日 GMT+1 上午11:00:52 - permalink - archive.org - https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/
    aws policy s3
  • GitHub - capitalone/cloud-custodian: Rules engine for AWS management, DSL in yaml for query, filter, and actions on resources
    2017年3月7日 GMT+1 下午10:30:37 - permalink - archive.org - https://github.com/capitalone/cloud-custodian
    aws policy
  • Note: How to know which policy contains a specific action?
    Warning : this loop does a lot of call to aws api, use it with caution

    To know that I needed to list all policies and associated statements (for the default policy version)

    ```
    #!/bin/bash
    IFS=$'\n'
    for line in $(aws iam list-policies|jq '.Policies|.[]|[ .PolicyName, .Arn, .DefaultVersionId ]| @csv' -r|sed 's/","/ /g'|sed 's/"//g'); do
        name=$(echo $line|cut -d' ' -f1);
        arn=$(echo $line|cut -d' ' -f2);
        version=$(echo $line|cut -d' ' -f3);
        echo "$name"
        aws iam get-policy-version --policy-arn $arn --version-id $version
    done
    ```

    Put this in a script, redirect output to a file and go get grep!
    2017年2月22日 GMT+1 下午4:16:06 * - permalink - archive.org - https://links.infomee.fr/?bERNcg
    aws bash for foreach iam policy separator
  • Note sur les Policy IAM

    Une policy IAM est constituée de statement, ce sont des règles (des blocs de codes)

    {
    "Statement":[{
    "Effect":"effect",
    "Action":"action",
    "Resource":"arn",
    "Condition":{
    "condition":{
    "key":"value"
    }
    }
    }
    ]
    }

    Chaque règle dans sa forme la plus simple est composée de 3 choses :

    Effect : allow ou deny

    Action : quelle action concerne la règle

    Resource : la resource concernée

    Chaque service Amazon (EC2, ECR, etc...) expose une liste d'action, on peut trouver cette liste dans la doc (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Action)

    Et chaque resource peut être identifiée par un arn (une manière simple de retrouver un ARN est d'afficher la resources dans l'interface web AWS, il y a souvent l'arn)

    2016年12月12日 GMT+1 下午12:59:10 - permalink - archive.org - https://links.infomee.fr/?3KOHAQ
    aws iam policy
  • Managed Policies and Inline Policies - AWS Identity and Access Management

    AWS Managed VS Customer Manageg VS Inline

    2016年9月22日 GMT+2 上午11:08:16 - permalink - archive.org - http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html
    iam policy
Links per page: 20 50 100
page 1 / 1
Shaarli - The personal, minimalist, super-fast, database free, bookmarking service by the Shaarli community - Help/documentation