Prepare to respond to excessive usage on personal dev AWS account

Problem description

AWS does not provide a way to cap usage costs. It is often pointed out that it would not be useful to shut down a commercial website in case of charges exceeding a budget, without information about the appropriate response that's only possessed by the business itself. However, for those who want to experiment at home for learning purposes, this situation does not apply.

Prevention is a good thing, but it is impossible to prevent all accidents and attacks. This question is about response and not prevention.

One standard suggestion is to have some means of rapidly shutting down all AWS resources in an account.

Another piece of standard advice is to make use of features like budget alerts. As an individual citizen, it's plausible that the time to react to such an alert could be one day, or perhaps a week or more in case of illness, which could cause a very high bill. So automation might be useful here.

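How can I deal with these issues in a way that is suitable for an individual developer experimenting on their own time and at their own expense? In particular, how can I:

  1. Prepare a rapid, well-tested, reliable response that shuts down all resource usage in an AWS account
  2. Trigger that response automatically (for example, from an AWS budget alert or some other form of cost monitoring)

Some potential complications: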

A. In the case of deliberate attack rather than pure user error, 1. may be complicated by the attacker making use of such features as EC2 termination protection.

B. An attacker might also make use of many different AWS services. So, given the large and expanding AWS product range, attempting to maintain a library that deletes every type of resource (EC2 instances, RDS instances, etc.), using code that is specific to particular resource types, may be impractical.

C. This rather old forum post suggests that AWS accounts can't be closed without first cancelling all opt-in services.

Note I can't use the free tier because I want to make use of features not available in that tier.

Recommended answer

First off, proper security and management of root account credentials is critical. Enable MFA on all accounts, including root. Do not use the root account except for cases where absolutely necessary. Limit accounts with broad permissions. Enable CloudTrail and if desired, alert on use of elevated permissions. These sorts of actions will most certainly protect against nearly all attackers and since this is a personal account, the types of attackers who may be able to evade these controls would likely have no interest in causing an individual harm; they are more interested in large organizations.

As for accidents, what types of accidents are you thinking might happen? Do you have large compute jobs that use auto-scaling based on factors such as a queue depth? Your best action here is likely to set ASG max sizes, use CloudWatch events to monitor and remediate resource usage issues, or even use third party tools that deal with this type of thing.

Something to keep in mind is that AWS implements account limits that will constrain you some but for a personal account, even these limits are likely too permissive. I only have experience requesting limit increases but it might be worth asking AWS if they perform limit decreases as well.
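
The CloudTrail alerting mentioned in the answer can be sketched as a scan over CloudTrail log records; this is an added example, not code from the question or the answer. The watchlist of IAM calls, the alert labels and the sample records are assumptions constructed for illustration.

```python
import json

# Assumption: the IAM calls a solo developer wants to hear about immediately.
SENSITIVE_IAM_EVENTS = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy",
                        "PutRolePolicy", "CreateAccessKey", "CreateUser"}

def findings_for(record):
    """Return the alert reasons raised by one CloudTrail record (a dict)."""
    reasons = []
    identity = record.get("userIdentity") or {}
    name = record.get("eventName", "")
    if identity.get("type") == "Root":
        reasons.append("root-credential-use")
    if name == "ConsoleLogin":
        succeeded = (record.get("responseElements") or {}).get("ConsoleLogin") == "Success"
        mfa = (record.get("additionalEventData") or {}).get("MFAUsed")
        if succeeded and mfa != "Yes":
            reasons.append("console-login-without-mfa")
    if record.get("eventSource") == "iam.amazonaws.com" and name in SENSITIVE_IAM_EVENTS:
        reasons.append("iam-privilege-change")
    return reasons

def scan(log_text):
    """Scan a CloudTrail log file body ({"Records": [...]}) into alert tuples."""
    alerts = []
    for record in json.loads(log_text).get("Records", []):
        arn = (record.get("userIdentity") or {}).get("arn")
        alerts += [(record.get("eventTime"), reason, arn) for reason in findings_for(record)]
    return alerts

def _rec(time, source, name, id_type, arn, **extra):
    """Build one trimmed sample record for the constructed log below."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": id_type, "arn": arn}, **extra}

ROOT, DEV = "arn:aws:iam::111122223333:root", "arn:aws:iam::111122223333:user/dev"
# Constructed sample records (not real log data), trimmed to the fields used above.
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-01-01T10:00:00Z", "signin.amazonaws.com", "ConsoleLogin", "Root", ROOT,
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "Yes"}),
    _rec("2024-01-01T11:00:00Z", "signin.amazonaws.com", "ConsoleLogin", "IAMUser", DEV,
         responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _rec("2024-01-01T11:05:00Z", "iam.amazonaws.com", "AttachUserPolicy", "IAMUser", DEV),
    _rec("2024-01-01T11:06:00Z", "ec2.amazonaws.com", "DescribeInstances", "IAMUser", DEV),
]})

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```

Root use is flagged even when MFA was presented, since the answer advises avoiding the root account altogether.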
