Pa Julayi 19, 2019, Capital One idalandira uthenga womwe kampani iliyonse yamakono ikuwopa - kuphwanya kwa data kunachitika. Zinakhudza anthu oposa 106 miliyoni. Nambala 140 zachitetezo cha chikhalidwe cha anthu aku US, ziwerengero miliyoni zachitetezo cha anthu aku Canada. 000 maakaunti aku banki. Zosasangalatsa, simukuvomereza?
Tsoka ilo, kuthyolako sikunachitike pa Julayi 19th. Zotsatira zake, Paige Thompson, aka. Zolakwika, adachita izi pakati pa Marichi 22 ndi Marichi 23, 2019. Ndiko kuti pafupifupi miyezi inayi yapitayo. Ndipotu, mothandizidwa ndi alangizi akunja kuti Capital One inatha kuzindikira kuti chinachake chachitika.
Wantchito wakale wa Amazon adamangidwa ndipo akukumana ndi chindapusa cha $ 250 komanso zaka zisanu mndende ... Chifukwa chiyani? Chifukwa makampani ambiri omwe avutika ndi ma hacks akuyesera kuchotseratu udindo wawo wolimbitsa zida zawo ndikugwiritsa ntchito kwawo pakukula kwa umbava wa pa intaneti.
Komabe, mutha google nkhaniyi mosavuta. Sitilowa mu sewero, koma kukambirana luso mbali ya nkhaniyi.
Choyamba, nβchiyani chinachitika?
Capital One inali ndi zidebe pafupifupi 700 za S3, zomwe Paige Thompson adakopera ndikuzichotsa.
Kachiwiri, kodi iyi ndi vuto lina la ndondomeko ya ndowa ya S3 yolakwika?
Ayi, osati nthawi ino. Apa adapeza mwayi wopeza seva yokhala ndi chowotchera chosasinthika molakwika ndipo adagwira ntchito yonse pamenepo.
Dikirani, zingatheke bwanji?
Chabwino, tiyeni tiyambe ndikulowa mu seva, ngakhale tilibe zambiri. Tidangouzidwa kuti zidachitika kudzera mu "firewall yolakwika." Chifukwa chake, chinthu chosavuta monga makonda olakwika a gulu lachitetezo kapena kasinthidwe ka firewall ya intaneti (Imperva), kapena network firewall (iptables, ufw, shorewall, etc.). Capital One idangovomereza kulakwa kwake ndikuti yatseka dzenjelo.
Stone adati Capital One sinazindikire kuwonongeka kwa firewall koma idachitapo kanthu mwachangu itangodziwa. Izi zidathandizidwadi chifukwa woberayo akuti adasiya zidziwitso zazikulu pagulu, adatero Stone.
Ngati mukudabwa kuti chifukwa chiyani sitikuzama mu gawoli, chonde mvetsetsani kuti chifukwa chazidziwitso zochepa titha kungolingalira. Izi sizomveka chifukwa kuthyolako kumadalira dzenje losiyidwa ndi Capital One. Ndipo pokhapokha atatiuza zambiri, tingolemba njira zonse zomwe Capital One idasiya seva yawo yotseguka kuphatikiza njira zonse zomwe wina angagwiritsire ntchito imodzi mwazosankha izi. Zolakwika ndi njira izi zitha kukhala kuchokera kuzinthu zopusa kwambiri mpaka pamachitidwe ovuta kwambiri. Poganizira kuchuluka kwa zotheka, iyi ikhala saga yayitali yopanda tanthauzo lenileni. Choncho, tiyeni tiganizire kwambiri za kusanthula mbali imene tili ndi mfundo.
Chifukwa chake chotengera choyamba ndi: dziwani zomwe ma firewall anu amalola.
Khazikitsani ndondomeko kapena ndondomeko yoyenera kuti muwonetsetse kuti zomwe ziyenera kutsegulidwa zimatsegulidwa. Ngati mukugwiritsa ntchito zinthu za AWS monga Security Groups kapena Network ACLs, mwachiwonekere mndandanda wowunika ukhoza kukhala wautali... Kaya ndi script yodzipangira yokha yomwe imayang'ana zinthu zatsopano za zolakwika, kapena chinachake monga kufufuza kwa chitetezo mu ndondomeko ya CI / CD ... pali njira zambiri zosavuta kuti mupewe izi.
Gawo "loseketsa" la nkhaniyi ndikuti Capital One ikadatseka dzenjelo ... palibe chomwe chikadachitika. Ndipo kotero, kunena zoona, zimakhala zododometsa nthawi zonse kuwona momwe china chake chilili zophweka kwambiri zimakhala chifukwa chokhacho kuti kampani ikhale yobedwa. Makamaka imodzi yayikulu ngati Capital One.
Ndiye, wowononga mkati - chinachitika ndi chiyani?
Chabwino, mutalowa mu chitsanzo cha EC2 ... zambiri zikhoza kulakwika. Mukuyenda m'mphepete mwa mpeni ngati mutalola munthu kupita kutali. Koma zidalowa bwanji mu ndowa za S3? Kuti timvetse izi, tiyeni tikambirane Maudindo a IAM.
Chifukwa chake, njira imodzi yopezera ntchito za AWS ndikukhala Wogwiritsa. Chabwino, izi ndizowonekeratu. Koma bwanji ngati mukufuna kupatsa ntchito zina za AWS, monga ma seva anu ogwiritsira ntchito, kupeza zidebe zanu za S3? Ndizomwe maudindo a IAM amapangira. Amakhala ndi zigawo ziwiri:
- Trust Policy - ndi ntchito ziti kapena anthu angagwiritse ntchito ntchitoyi?
- Ndondomeko ya Zilolezo - kodi udindowu umalola chiyani?
Mwachitsanzo, mukufuna kupanga gawo la IAM lomwe lidzaloleza zochitika za EC2 kuti zilowe mu chidebe cha S3: Choyamba, udindo wakhazikitsidwa kuti ukhale ndi Trust Policy yomwe EC2 (utumiki wonse) kapena zochitika zinazake zingathe "kutenga" udindo. Kulandira gawo kumatanthauza kuti atha kugwiritsa ntchito zilolezo za gawolo kuti achitepo kanthu. Kachiwiri, Ndondomeko ya Zilolezo imalola kuti ntchito / munthu / zothandizira zomwe "zatengapo gawo" kuti zichite chilichonse pa S3, kaya ndikupeza chidebe chimodzi ... kapena kuposa 700, monga momwe zilili ndi Capital One.
Mukakhala pachiwonetsero cha EC2 ndi gawo la IAM, mutha kupeza zidziwitso m'njira zingapo:
- Mutha kupempha metadata yachitsanzo pa
http://169.254.169.254/latest/meta-dataMwa zina, mutha kupeza gawo la IAM ndi makiyi aliwonse ofikira pa adilesi iyi. Inde, kokha ngati muli mu chitsanzo.
- Gwiritsani ntchito AWS CLI...
Ngati AWS CLI yayikidwa, imadzazidwa ndi zidziwitso kuchokera ku maudindo a IAM, ngati alipo. Zomwe zatsala ndikugwira ntchito KUPYOLERA chitsanzo. Inde, ngati Trust Policy yawo inali yotseguka, Paige akhoza kuchita zonse mwachindunji.
Chifukwa chake kufunikira kwa maudindo a IAM ndikuti amalola zinthu zina kuchita M'malo mwanu pa ZINA.
Tsopano popeza mwamvetsetsa maudindo a IAM, titha kulankhula zomwe Paige Thompson adachita:
- Adapeza mwayi wofikira pa seva (mwachitsanzo EC2) kudzera pabowo la firewall
Kaya anali magulu achitetezo / ma ACL kapena ma firewall awo a pa intaneti, dzenjelo mwina linali losavuta kuyimitsa, monga momwe zafotokozedwera m'mawu ovomerezeka.
- Kamodzi pa seva, adatha kuchita "ngati" anali seva yekha
- Popeza ntchito ya seva ya IAM idalola S3 kupeza zidebe za 700+ izi, idakwanitsa kuzipeza
Kuyambira nthawi imeneyo, zomwe ankayenera kuchita ndi kuyendetsa lamulo List Bucketsndiyeno lamulo Sync kuchokera ku AWS CLI...
. Kupewa kuwonongeka koteroko ndichifukwa chake makampani amaika ndalama zambiri pachitetezo chamtambo, DevOps, ndi akatswiri achitetezo. Ndipo ndi mtengo wotani komanso wotsika mtengo womwe ukusunthira kumtambo? Moti ngakhale tikukumana ndi zovuta zambiri zachitetezo cha pa intaneti !
Makhalidwe a nkhaniyi: fufuzani chitetezo chanu; Kuchita kafukufuku wokhazikika; Lemekezani mfundo yochepetsera mwayi wachitetezo.
( Mutha kuwona lipoti lonse lazamalamulo).
Source: www.habr.com