Technical details of the Capital One hack on AWS

On July 19, 2019, Capital One received the news that every modern company dreads: a data breach. More than 106 million people were affected. 140,000 US Social Security numbers, one million Canadian Social Insurance numbers, and [count missing] bank account numbers. Not pleasant, is it?

Unfortunately, the hack did not actually happen on July 19. As it turns out, Paige Thompson, aka Erratic, carried it out between March 22 and March 23, 2019. That is almost four months earlier. In fact, it was only with the help of outside experts that Capital One was able to discover that something had happened at all.

The former Amazon employee was arrested and faces a $250,000 fine and five years in prison... but plenty of bad news remains. Why? Because many companies that have been hacked try to shirk the responsibility of hardening their infrastructure and applications, even as cybercrime keeps growing.

Anyway, you can easily google the story itself. We will not go into the drama; instead, let's talk about the technical side of it.

First, what happened?

Capital One had 700 active S3 buckets, which Paige Thompson copied and exfiltrated.

Second, is this another case of a misconfigured S3 bucket policy?

No, not this time. Here she gained access to a server through a misconfigured firewall and did all the work from there.

Wait, how can that be?

Well, let's start with getting onto the server, although we do not have many details. We were only told that it happened "through a misconfigured firewall". So, something as simple as wrong security group settings, or a misconfiguration of the web application firewall (Imperva) or of the network firewall (iptables, ufw, shorewall, etc.). Capital One admitted its fault and said it has closed the hole.

Stone said Capital One did not notice that the firewall was vulnerable, but acted quickly as soon as it was able to. This was helped by the fact that the hacker allegedly left key details in the public domain, Stone said.

If you are wondering why we do not go deeper into this part, please understand that with the limited information available we can only guess. That makes little sense, given that the hack relied on a hole left by Capital One. Unless they tell us more, we would just be listing every possible way Capital One could have left their server open, combined with every possible way someone could exploit each of those options. Such mistakes and techniques range from stupidly obvious oversights to surprisingly intricate patterns. Given the range of possibilities, this would become a long rabbit hole with no real conclusion. So let's focus on analysing the part where we have facts.

So the first takeaway is this: know what your firewalls allow.

Establish a policy or process to ensure that ONLY what needs to be open is open. If you use AWS resources such as Security Groups or Network ACLs, the list of things to audit can obviously get long... but just as many resources are created automatically (i.e., through CloudFormation), their auditing can be automated as well. Whether it is a home-grown script that scans new resources for mistakes, or something like a security check in the CI/CD pipeline... there are plenty of simple options to avoid this.
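One way to automate that check, as an added example rather than the article's own code: a small audit of security-group ingress rules shaped after the output of boto3's describe_security_groups(). The group ids, address ranges and the list of ports allowed to be public are constructed assumptions.

```python
# Added example (not code from the article): flag security-group ingress rules
# that are open to the whole internet. Input is shaped like boto3's
# ec2.describe_security_groups()['SecurityGroups']; the samples are constructed.
from typing import Dict, List

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_PORTS_ALLOWED = {80, 443}   # assumption: only the web tier may be public


def _world_open(rule: dict) -> bool:
    """True if any IPv4/IPv6 range in the rule covers the entire internet."""
    v4 = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & ANYWHERE)


def audit_security_groups(groups: List[dict]) -> List[Dict[str, str]]:
    """One finding per world-open ingress rule that exposes anything beyond
    PUBLIC_PORTS_ALLOWED (a rule for all ports/protocols is always reported)."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not _world_open(rule):
                continue
            proto = rule.get("IpProtocol", "-1")
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            all_ports = proto == "-1" or lo is None      # -1 means every protocol
            ports = set() if all_ports else set(range(lo, hi + 1))
            if all_ports or not ports <= PUBLIC_PORTS_ALLOWED:
                findings.append({"group": sg["GroupId"],
                                 "protocol": "all" if all_ports else proto,
                                 "ports": "all" if all_ports else f"{lo}-{hi}"})
    return findings


# Constructed sample: a web tier that is fine, and an admin/proxy box that is not.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-admin-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8090,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
```

Calling audit_security_groups(SAMPLE_GROUPS) reports the two admin-box rules (8080-8090 over IPv6 and all protocols over IPv4) and nothing for the web tier; the same function can be fed the live describe_security_groups() output from a CI job.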

The "funny" part of the story is that if Capital One had closed the hole in the first place... nothing would have happened. And so, obviously, it is always shocking to see that something really quite simple ends up being the only reason a company gets hacked. Especially one as large as Capital One.

So, the hacker is inside. What happens next?

Well, after compromising an EC2 instance... a lot can go wrong. You are walking on a knife's edge if you let someone get that far. But how did she get into the S3 buckets? To understand that, let's talk about IAM roles.

So, one way to access AWS resources is to be a User. OK, that is fairly obvious. But what if you want to give other AWS resources, such as your application servers, access to your S3 buckets? That is what IAM roles are for. They consist of two parts:

  1. Trust Policy - which services or people can use this role?
  2. Permissions Policy - what does this role allow?

For example, say you want to create an IAM role that lets EC2 instances access an S3 bucket. First, the role is given a Trust Policy stating that EC2 (the whole service) or specific instances can "assume" the role. Assuming the role means they can use the role's permissions to perform actions. Second, the Permissions Policy lets the service/person/resource that "assumed the role" do anything in S3, whether that means reaching one specific bucket... or more than 700, as in the Capital One case.
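To make the difference between a "do anything in S3" permissions policy and a least-privilege one concrete, here is an added example that is not from the article: a minimal evaluator for IAM Effect/Action/Resource statements, run over two constructed policies and a constructed bucket inventory (the policies and bucket names are assumptions).

```python
# Added example (not the article's code): a minimal evaluator for IAM
# permissions policies, comparing the wide policy the article describes
# ("do anything in S3") with a least-privilege one. Policies and bucket names
# are constructed. Only Effect/Action/Resource with '*' wildcards is handled:
# no Condition, NotAction/NotResource, or explicit-deny precedence.
from fnmatch import fnmatchcase
from typing import Iterable, List


def _as_list(v) -> List[str]:
    """IAM allows a single string/statement or a list; normalise to a list."""
    return [v] if isinstance(v, (str, dict)) else list(v)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches both the action and the resource.
    IAM is deny-by-default, so no matching statement means no access.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


def reachable_buckets(policy: dict, buckets: Iterable[str]) -> List[str]:
    """Buckets whose objects a holder of the role could read: the blast radius
    inherited by whoever compromises an instance that assumed the role."""
    return [b for b in buckets
            if is_allowed(policy, "s3:GetObject", f"arn:aws:s3:::{b}/*")]


# The kind of permissions policy the article describes: anything in S3, anywhere.
WIDE_OPEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Least-privilege form: one bucket, read-only, only the actions the app needs.
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::app-assets-example"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::app-assets-example/*"}]}

# Constructed inventory standing in for the 700+ buckets in the story.
ACCOUNT_BUCKETS = ["app-assets-example", "customer-pii-example",
                   "card-applications-example", "backups-example"]
```

reachable_buckets(WIDE_OPEN, ACCOUNT_BUCKETS) returns every bucket in the account, while the least-privilege policy reaches only app-assets-example and cannot write even there.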

Once you are on an EC2 instance with an IAM role, you can obtain its credentials in a couple of ways:

  1. You can request the instance metadata from http://169.254.169.254/latest/meta-data

    Among other things, you will find the IAM role, together with any access keys, at this address. Of course, only if you are on the instance.

  2. Use the AWS CLI...

    If the AWS CLI is installed, it is loaded with the credentials from the IAM role, if there is one. All that is left is to operate AS this instance. Of course, if their Trust Policy was open, Paige could have done everything directly.

So the essence of IAM roles is that they allow certain resources to act ON YOUR BEHALF towards OTHER RESOURCES.

Now that you understand IAM roles, we can talk about what Paige Thompson did:

  1. She gained access to a server (an EC2 instance) through a hole in the firewall

    Whether it was the security groups/ACLs or the web applications' own firewalls, the hole was apparently easy to exploit, as the court records state.

  2. Once on the server, she was able to act "as if" she were the server itself
  3. Since the server's IAM role allowed S3 access to these 700+ buckets, she was able to reach them

From that moment on, all she had to do was run the List Buckets command, followed by the Sync command, from the AWS CLI...

Capital One Bank estimates the damage from the hack at between $100 and $150 MILLION. Preventing damage like this is why companies invest so much in cloud infrastructure protection, DevOps and security professionals. And how valuable, and how expensive, is the move to the cloud? So much so that, despite all the cybersecurity challenges, the public cloud market as a whole grew 42% in the first quarter of 2019!

The moral of the story: check your security; audit regularly; respect the principle of least privilege in your security policies.

(You can read the full court filing.)

Source: www.habr.com