I know I am being a pest about some of my suggestions, but……
Since security is paramount with cloud providers I would suggest that ACG setup a VPN tunnel to VPC’s used in demos, or use the "My IP Address". Using the worst possible option, 0.0.0.0/0, is as you know a terrible idea. Ryan mentions every time he uses it that it’s a bad idea and never do it — "but this is for demo purposes". To me, this is not a great way to demo anything in the cloud. Lead by example…:-) Please follow best practices throughout your demos. Doing so would reinforce the security model with your students!!
2 Answers
Hi,
I agree with you, and I know others have stated the same. I understand that Ryan is doing it for convenience and that he terminates instances immediately after recording lectures. However, after going through VPC Flow Log demonstrations and playing around with them more I was amazed at just how quickly there were probes looking for vulnerabilities and how many of them there were. There’s no such thing as security by obscurity any longer, and I wish that the lectures would incorporate best practices for things like this. Students who are following labs may not know any better, and are more apt to leave instances running for a period of time while trying to learn the material.
Tom.
Thanks for the feedback – we’ll take it on board
Yeah Guard Duty will log SSH probes within seconds — generally coming from China.
SSH probes is one – what surprised me also was looking at top referrers in my CloudFront logs for a S3 static web site that only has plain vanilla html files, and seeing requests that are probing for WordPress vulnerabilities and other common entry points. I haven’t tried Guard Duty yet – will give it a looksie.