Comments

2Fdev2Ftcsh (+165, 302d): As long as everyone uses common sense things will continue to be safe...
Boom...
tosensei (+847, 302d): It's so often that I have to debug stuff on live because the customer screwed up their infrastructure in horrendous ways... without access to the secrets, I literally couldn't do it.
Also: int/dev/stage/quality/howeverthefuckyouwannacallitbecauseyouareamicromanagingjerkwithnoclue can all live on the same device for all I care, but production must be separate.
Grumpycat (+582, 302d): I can barely keep my own machine working and you want me to control your entire fucked up infrastructure?
Fuck you is my gut response.
Grumpycat (+582, 302d): @2Fdev2Ftcsh lol, common sense is the first thing thrown out the window when a deadline is approaching.
C0D4 (+6677, 302d): 1) AWS secrets
Yes and no?
This will greatly depend on who and why, and on whether there's a team for DevOps or the devs are doing the deployments too; someone needs access to those secrets to push them into somewhere accessible.
Also, if the secret can be read at runtime, the dev has access to the keys regardless of any processes you put in place.
2) Separate VPC for test/prod!
Absolutely, the two environments should be isolated from each other. If I can access a test server and jump to a prod server, prod is not secure.
Grumpycat (+582, 302d): Is the AWS_ACCESS_CONFIG best stored as an AWS secret?
Retarded minds want to know.
Grumpycat (+582, 302d): @jestdotty Yes, mushroom management. I am familiar with this. Middle management feeds C-level bullshit and C-level blithely ignores all the BS.
Grumpycat (+582, 302d): @SidTheITGuy That's the damn problem. No one thought anything through.
They shouted YOLO, started writing shit and now I have to unfuck it.
lungdart (+3465, 302d): Different environments should be on isolated AWS accounts, in isolated VPCs (not the default) with private access only using VPNs, and only use public access for things that actually need it (no, not the fucking database).
Link everything with a transient gateway and set up strict security policies.
As for secrets, I prefer to generate temporary ones on demand when possible. Only applications should have access to the real secrets, and they need to be audited and revocable. Devs can access dev secrets.
All debugging info should be collected and available through a single pane of glass so devs never need access to live remote systems.
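One concrete form of the "only applications should have access to the real secrets" rule above, added here as an illustration and not taken from any commenter: a Secrets Manager resource policy, written as Terraform, that lets only the production workload's execution role read the secret value and explicitly denies every other principal in the account, developers with broad identity policies included. The variable name, secret name and role ARN are placeholders, not values from the thread.

```hcl
# Added example; the role ARN and secret name are assumptions, not from the thread.
variable "prod_app_role_arn" {
  description = "Execution role of the production workload (placeholder)"
  type        = string
}

resource "aws_secretsmanager_secret" "prod_db" {
  name = "prod/db/credentials" # constructed example name
}

data "aws_iam_policy_document" "prod_db_secret" {
  # Only the production application's execution role may read the value.
  statement {
    sid       = "AllowProdAppRoleRead"
    effect    = "Allow"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [var.prod_app_role_arn]
    }
  }

  # Explicit deny for everyone else, so a broad identity policy such as a
  # shared developer role or AdministratorAccess still cannot read prod.
  statement {
    sid       = "DenyAllOtherReads"
    effect    = "Deny"
    actions   = ["secretsmanager:GetSecretValue"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "ArnNotEquals"
      variable = "aws:PrincipalArn"
      values   = [var.prod_app_role_arn]
    }
  }
}

resource "aws_secretsmanager_secret_policy" "prod_db_secret" {
  secret_arn          = aws_secretsmanager_secret.prod_db.arn
  policy              = data.aws_iam_policy_document.prod_db_secret.json
  block_public_policy = true # refuse a policy that would grant public access
}
```

Any rotation function's role needs the same exception in the Deny condition, and every GetSecretValue call still lands in CloudTrail, which is where the "audited and revocable" part of the comment is checked rather than in the policy itself.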
Berkmann18 (+1235, 301d): Dev, test/UAT and prod should totally be in separate VPCs (or even separate EKS/ECS clusters depending on the architecture of the solution or the enterprise).
As for the secrets, it depends on whether the team has DevOps staff (the better option IMO) or if the (Sec)DevOps staff are in a centralised team.
Original rant:
What are opinions out there on security theatre?
Should developers have access to AWS secrets?
Should dev, test and prod be on separate VPCs or all in one VPC?
I have worked at banks where this was strictly not allowed.
Can't wait to hear responses on this one...