The security and access for OptimalSpyglass is important. In order to make OptimalSpyglass as secure as we could we talked to Amazon Web Services (AWS) and tried to get as many other views on security models as we could.
We wanted to resolve the following issues the following would not enable access to your AWS resources:
- Loss of your physical computer
- Sending the entire app to someone
We also wanted to make it as close to impossible as we could for someone to access your AWS resources.
We decided on a key based approach as the most secure way to set up OptimalSpyglass.
Once you have OptimalSpyglass installed this is how you set it up to monitor your AWS resources.
Your AWS admin
The first thing you will need to do is contact your AWS admin. They are the person who has rights set up keys to your AWS account.
You will need to ask your AWS admin to set up some security keys for you.
As you can see there are three fields here to fill out.
The OptimalSpyglass account name does not need to be the same as the name that AWS have for this account. This is because the Access Key identifies the account from OptimalSpyglass to AWS in the first instance. However, it should follow some naming convention that makes sense for you so it is easy for people to identify which account it is.
The Access Key is a programmatic username. It’s the username that Java will use to identify your account. It is not a person’s username and it is not your AWS username.
If you think of the Access Key as a user name, the Secret Key is the password. In order to keep your Secret Key safe in the first instance follow standard password best practice.
What can go wrong
Your Access Key and Secret Key are both encrypted but don’t tempt fate by sending them to anybody or post them somewhere public on the Internet.
There are programs on the Internet, which are looking for Access and Secret Keys mathematically. This person committed their keys to GitHub, a stern cautionary tale.
AWS is also searching for Keys in clear text and will kill them if they find them to pre-empt unauthorised access to AWS resources.
If you feel for any reason that your key has been compromised kill it immediately. Every minute it stays up could cost you.
Accounts and Regions
The point of OptimalSpyglass is to see across accounts; therefore you will need Keys for each account you want to monitor through OptimalSpyglass.
If, however, you are monitoring the same account across different regions you will only need one set of Keys.
Your Keys and OptimalSpyglass
The best way to maintain the security of your Keys is to put them straight into OptimalSpyglass. This is because it will encrypt the keys locally adding another layer of security.
An additional layer of security is that AWS will encrypt all information between you and them, not Optimal.
OptimalSpyglass also does not create any Master Keys, we cannot access your instance.
We feel all this makes OptimalSpyglass as secure as we could make it.
Coffee to Code – Tim Gray