#security (2020-08)

Archive: https://archive.sweetops.com/security/

2020-08-24

2020-08-21

loren avatar
loren
10:43:45 PM

sharing here, per recommendation in original thread…

i don’t think there is a networking or zero-trust channel, so just dropping this here. really fantastic explainer on nat traversal, simultaneously technical, understandable, and hilarious… https://tailscale.com/blog/how-nat-traversal-works/

2020-08-17

2020-08-13

Pierre Humberdroz avatar
Pierre Humberdroz

Does someone here know a tool to manage employee database access easily ?

I currently have a terraform snippet ready that might work well enough but I find it hard to review it

Pierre Humberdroz avatar
Pierre Humberdroz

I may or not be able to use AWS IAM but I am not sure yet.

jafow avatar
jafow

I am adding here so that I can follow this thread. Solution we use for this is via AWS opsworks acting as a bastion or jumpbox to dbs

jafow avatar
jafow

employees needing access tunnel via the bastion — opsworks stores their public keys. can use iam roles there too

jafow avatar
jafow

this is not my favorite solution and I don’t think I’d carry it again in the future but it is what we are doing

2020-08-07

2020-08-05

2020-08-04

Zach avatar

@Erik Osterman (Cloud Posse) What’s the integration with RDS that’s planned? Does this happen to cover RDS IAM users?
Which Services can I use Teleport with?
You can use Teleport for all the services that you would SSH into. This guide is focused on EC2. We have a short blog post on using Teleport with EKS. We plan to expand the guide based on feedback but will plan to add instructions for the below.
RDS
Detailed EKS
Lightsail
Fargate
AWS ECS

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We’ve only used it with Kubernetes and SSH

Zach avatar

Ah may have misunderstood, thought you were involved in the project

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Oh no - teleport is just part of our standard package in our consulting engagements

Alex Siegman avatar
Alex Siegman

Teleport with RDS? I am intrigued

Zach avatar

Its mentioned in the docs with no explanation

Zach avatar

I’m asking their live chat

cool-doge1
Zach avatar


You should be able to use port forwarding to get audit logs for RDS access, but no session recordings.

Zach avatar


it is an existing feature but have not built out the documentation.

2020-08-03

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

attention all teleport users!

it’s the last week to provide input on Teleport. Gravitational is conducting a survey to get a better understanding for what’s working well and how we could improve for Teleport.

They would especially like to hear from Teleport Community / OSS users, and have a specific Question, 19. for feedback on what you think is missing from the community version. The Survey should take around 13min to complete. We’ve a range of swag for people who complete it.

bit.ly/teleport-survey-2020

Zach avatar

Hm this might scratch an itch we have. What’s the pricing based on?

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Number of nodes

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

and level of support

loren avatar
loren

i recently discovered their release milestones on github… very interested in the “application access proxy” targeted for v5.0… https://github.com/gravitational/teleport/milestones?direction=asc&sort=due_date

:--1:1
1
Zach avatar

I had a chat and demo with them this week, it’s a cool product. Unfortunately we already implemented a ‘close enough’ solution with AWS Session Manager. If we’d found this 6 months ago I could probably have justified the price

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

Ah rock on! I knew that they had talked about it but didn’t know it was on the roadmap

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

We use teleport a lot

loren avatar
loren

With the application proxy, it goes from “useful for ssh remote access” to “rocking centralized ingress gateway for zero-trust and multi-account architectures”. Been researching solutions in this space for a couple weeks now and there is very little that is fully self-hosted

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

yea, agree - this is much needed and very rad. We’ve been stringing together a bunch of tools like keycloak and gatekeeper for the web portion. would love to just use teleport.

loren avatar
loren

we’re using keycloak as an IdP, but gatekeeper has not yet come up… got a link for that one? my google-fu seems… lacking…

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

its now called luketo as it has been spun out under its own org

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
louketo/louketo-proxy

A OpenID / Proxy service. Contribute to louketo/louketo-proxy development by creating an account on GitHub.

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

sigh

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)
08:27:03 PM
loren avatar
loren

open source life lol

loren avatar
loren

i did find this, it does look like the louketo readme is nearly identical, so assuming keycloak gatekeeper is pulling in louketo under the covers…? https://www.keycloak.org/docs/latest/securing_apps/#_keycloak_generic_adapter

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

gatekeeper rebranded and moved to luketo organization

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

then summarily deprecated (kind’a surprised they went through all that effort!)

    keyboard_arrow_up