Securing the Management Plane


  • Cloud providers expose a management plane (console, API, and CLI) through which customers configure and control the service
    • each provider's management plane is different but offers similar features
  • the following describes typical IaaS management plane features
    • SaaS and PaaS also have security capabilities in their management planes

AWS Management Console

  • the AWS Management Console is a web interface; the same control is available through the API and CLI
  • root or privileged account access to the console, API, or CLI provides full control of the AWS account
    • must be secured against compromise; loss of root credentials means loss of the entire account

3 Critical Elements of a Management Plane

  • Scheduling
    • ability to start and stop resources on a timetable
    • in AWS, done via the Instance Scheduler solution or custom Lambda functions
    • key element for cost control, and it also shrinks the window in which idle resources are exposed
  • Orchestration
    • automating processes and workloads
    • used to manage resources, workloads, and services
    • in AWS, often uses a number of services to accomplish the desired tasks:
      • CloudFormation
        • used to model and manage infrastructure as code, so deployments are repeatable and reviewable
      • Service Catalog
        • used to control and manage which services and third-party products are approved for use
      • OpsWorks
        • used to automate operations with managed Puppet and Chef
      • AWS management tools like Control Tower, Organizations, and others play a role in governance and multi-account management
  • Maintenance
    • works differently in cloud infrastructure than on-prem
    • cloud-native designs emphasize ephemeral, code-defined machines deployed in pools and destroyed rather than upgraded in place
    • upgrades and patching work differently
      • rebuild the image and replace the instance rather than patch or upgrade the running one

Management Plane Security Best Practices

  • MFA for all accounts, including the root account (a hardware token is preferred for root)
  • Secrets management training and best practices for keys and other secrets used to access the management plane or devices
    • exposed secrets (API keys committed to source control, leaked in logs) are a major cloud threat
    • prefer short-lived, role-based credentials over long-lived access keys; rotate any keys that must exist
  • Provisioning practices
    • ensure users, groups, and services receive appropriate rights through centralized management
  • Rights and role management that supports provisioning with least privilege
  • Monitoring and alerting
    • configured to identify issues quickly and allow adequate insight and action
    • log all management plane API activity (CloudTrail in AWS) and alert on privileged actions
    • billing and consumption alerts, since unexpected spend is often the first sign of a compromised account
  • Limitation on root account usage
    • no access keys on root; use it only for the few tasks that require it
  • Security groups and other network and identity controls to limit scope and access within the cloud
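The checks above (MFA on console users, no root access keys, no stale long-lived keys) can be run against the IAM credential report that `aws iam get-credential-report` returns. The following is an added example, not part of the original notes or any AWS tooling: it parses a constructed credential report embedded inline (the column names are the real ones from the IAM report, trimmed to those the audit reads) and returns the violations. The 90-day rotation threshold is an assumption for the example, not an AWS default.

```python
"""Audit an IAM credential report for management-plane hygiene.

Added example, not from the original notes. It parses the CSV that
`aws iam get-credential-report` returns (after base64 decoding) and flags
the conditions the best-practices list calls out: root-account access keys,
root without MFA, console users without MFA, and long-lived access keys that
have not been rotated. The sample report below is constructed for this
example; the column names match the real IAM credential report.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the real credential-report columns.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T12:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,false,true,2019-01-10T12:05:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-02T09:00:00+00:00,true,2024-05-02T10:00:00+00:00,2024-02-01T09:00:00+00:00,N/A,true,true,2024-03-15T09:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2020-06-20T09:00:00+00:00,true,2024-04-30T10:00:00+00:00,2023-12-01T09:00:00+00:00,N/A,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2020-01-05T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2020-01-05T09:10:00+00:00,false,N/A
"""

# Rotation threshold used by this example; an assumption, not an AWS default.
MAX_KEY_AGE = timedelta(days=90)


def _parse_time(value):
    """Return a datetime for an ISO timestamp, or None for N/A / not_supported / no_information."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=None):
    """Return a list of (user, finding) tuples for the hygiene violations in a credential report.

    `now` may be a timezone-aware datetime, an ISO-8601 string, or None (current time).
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should never hold long-lived access keys and must always have MFA.
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root account has active access key {n}"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            continue
        # Console (password) users must have MFA enabled.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console login without MFA"))
        # Active long-lived access keys must have been rotated within MAX_KEY_AGE.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated is None or now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

In practice the CSV comes from `aws iam get-credential-report --query Content --output text | base64 -d`; the audit itself is the same. Note that the report only covers IAM users, so identities that arrive through federation or IAM roles are not listed and need to be checked through the identity provider and CloudTrail instead.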