Weekly Journal 19 - IAM Access Analyzer, Fedora 34, ipset

Scott Banwart

2021-05-15

Weekly Journal

aws, fedora, iam, iam-access-analyzer, linux

Synopsis

My SSH issues with Fedora continue to be a problem, and IAM Access Analyzer is a game changer.

Fedora 34

It looks like my early success with SSH in Fedora 34 was just dumb luck. Over the past week I have continued to experience slowness and hangs with SSH in Fedora. It is most noticeable during a Zoom meeting, which makes pairing/knowledge sharing difficult in our world of remote work.

On the plus side, if I wait a few minutes, sometimes the SSH session recovers and I can use it. Unfortunately it can take two or three attempts to get a usable session, so it can waste a good 10-15 minutes which is frustrating. So I guess the situation has improved, but it is still far from ideal.

I still have my old laptop running Ubuntu 18.04 and it does not have these problems. I think I might rebuild that laptop with Fedora 34 and see if it exhibits the same problems. That way I can maybe nail down if this is truly a Fedora issue, or if it is a function of the hardware in my new laptop.

Last week I mentioned I was excited to try out Xfce 4.16. While there are a lot of improvements, it still isn’t great for my multi-monitor laptop dock setup. So I guess it is back to GNOME for the foreseeable future. GNOME 40 seems to be good so far, but the Dash to Panel extension is not compatible yet. It looks like work has been completed to update the extension, and hopefully it will be released soon.

IAM Access Analyzer

A few months ago AWS announced a new feature in IAM Access Analyzer that will generate a policy based on CloudTrail activity. Anybody who has manually built a least-privilege IAM policy will immediately understand the significance of this feature. Before this feature building a policy consisted of running the process, waiting for a permissions error, adding that permission to the policy, and then trying the process again. Depending on the complexity of the process, this loop could take anywhere from several hours to a couple of weeks in order to locate all the permissions needed.

With this new feature, you can run the process with elevated permissions, like in a developer sandbox account, and then IAM Access Analyzer will read the CloudTrail logs and generate a policy template based on the permissions used. We tried this last week and expect it to save us several days worth of work.

ipset

I have been looking at building an Ansible playbook to push out iptables rules to drop traffic from known bad IP addresses. As part of research, I have stumbled over a neat add-on that works with iptables called ipset. ipset allows you to reference a collection of IP addresses or network ranges from a single rule. In my case, instead of creating ~2000 individual rules to filter out bad traffic, I will be able to create an IP set with ~1000 IP addresses, and then reference that set from two rules.

I have not had a chance to try it out yet, but I think this will both save both development and maintenance time.

What’s Next?

Continuing my work on the iptables automation and improving our internal library of runbook and playbook documentation.