Personal and Professional blog
by Dan Pilch
I know the feeling all too well: trying to find the right balance of IAM permissions without opening up your policy to ["ec2:*"]. Figuring out every permission your application requires can be an arduous process, but there is a better way.
CSM (Client Side Monitoring) makes the AWS SDK emit a metric for every API call it makes, sent over UDP to a CSM agent. The agent can be anything that listens on a UDP port; in this example I will use nc.
You can enable CSM for your SDK of choice with environment variables:
export AWS_CSM_ENABLED=true
export AWS_CSM_PORT=31000
export AWS_CSM_HOST=127.0.0.1
Or by editing your ~/.aws/config file:
[default]
region = us-west-2
csm_enabled = true
This works with the awscli or with any SDK, for example the go sdk.
Once you’ve configured your SDK/CLI, you can start nc listening on the default host and port:
nc -kluvw 0 127.0.0.1 31000
Now you can invoke an AWS API call; I’ll use the awscli:
aws ec2 describe-instances
If we look at the nc terminal, we see:
{
"Version": 1,
"ClientId": "",
"Type": "ApiCallAttempt",
"Service": "EC2",
"Api": "DescribeInstances",
"Timestamp": 1612776146962,
"AttemptLatency": 9206,
"Fqdn": "ec2.us-west-2.amazonaws.com",
"UserAgent": "aws-cli/1.18.155 Python/3.8.7 Darwin/19.6.0 botocore/1.18.14",
"AccessKey": "",
"Region": "us-west-2",
"HttpStatusCode": 200,
"XAmznRequestId": "08550f64-cd15-4dac-870e-3b5bd59a010b"
}
We’re interested in: "Service": "EC2", "Api": "DescribeInstances"
From this we can surmise we require EC2:DescribeInstances.
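Doing the same mapping by hand for every event gets tedious, so here is an added example (not from the original post, and not iamlive) that plays the role of the nc listener: it collects CSM datagrams, keeps the ApiCallAttempt events, and turns each Service/Api pair into an IAM action in a draft policy. The service-prefix override table and the sample events are my own constructions; CSM reports the SDK's service name, which is usually but not always the IAM prefix.

```python
import json
import socket

# Constructed sample datagrams in the shape shown above (not a real capture).
SAMPLE_EVENTS = [
    '{"Version": 1, "Type": "ApiCallAttempt", "Service": "EC2", "Api": "DescribeInstances", "HttpStatusCode": 200}',
    '{"Version": 1, "Type": "ApiCall", "Service": "EC2", "Api": "DescribeInstances", "FinalHttpStatusCode": 200}',
    '{"Version": 1, "Type": "ApiCallAttempt", "Service": "EC2", "Api": "DescribeInstances", "HttpStatusCode": 200}',
    '{"Version": 1, "Type": "ApiCallAttempt", "Service": "CloudWatch Logs", "Api": "PutLogEvents", "HttpStatusCode": 200}',
    '{"Version": 1, "Type": "ApiCallAttempt", "Service": "STS", "Api": "GetCallerIdentity", "HttpStatusCode": 403}',
]

# Hand-maintained exceptions where the CSM service name is not the lowercased IAM prefix (assumed list).
PREFIX_OVERRIDES = {"CloudWatch Logs": "logs"}


def iam_action(event):
    """Map one CSM event to an IAM action like ec2:DescribeInstances, or None if not applicable."""
    if event.get("Type") != "ApiCallAttempt":
        return None  # ApiCall summaries repeat the attempts, so count only attempts
    service, api = event.get("Service"), event.get("Api")
    if not service or not api:
        return None
    prefix = PREFIX_OVERRIDES.get(service, service.replace(" ", "").lower())
    # A 403 attempt is still recorded: it is exactly the permission that is currently missing.
    # Caveat: some APIs map to a differently named IAM action (e.g. S3 list calls), so review the result.
    return f"{prefix}:{api}"


def events_to_policy(raw_events):
    """Build a draft Allow policy from raw CSM datagrams; Resource stays "*" because CSM carries no ARNs."""
    actions = set()
    for line in raw_events:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # ignore anything that is not a CSM JSON event
        action = iam_action(event)
        if action:
            actions.add(action)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]}


def listen(host="127.0.0.1", port=31000, max_events=200, timeout=30):
    """Stand in for nc: bind the CSM port, collect datagrams until idle, return the draft policy."""
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        sock.settimeout(timeout)
        try:
            while len(events) < max_events:
                data, _ = sock.recvfrom(65535)
                events.append(data.decode("utf-8", errors="replace"))
        except socket.timeout:
            pass
    return events_to_policy(events)


if __name__ == "__main__":
    print(json.dumps(listen(), indent=2))
```

Run it in place of nc, then make your API calls; narrow Resource to the specific ARNs afterwards, since CSM only tells you which actions were attempted.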
I found a great application called iamlive which can build a policy in real time from CSM requests. Check it out!