Bonsai Hosted ElasticSearch Is Down (opens in new tab)

(status.bonsai.io)

53 pointssstarr11y ago19 comments

19 comments

ihsw11y ago

How were they 0wned? Lack of MFA, rogue API key, or something else? Are full-access accounts being handed out willy-nilly instead of IAM accounts?

AWS Multi-Factor Authentication (MFA):

http://aws.amazon.com/iam/details/mfa/

AWS Identity Access and Management (IAM):

http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPract...

Managing your AWS API Keys:

http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSG...

Go a step further with your AWS API keys and use AWS' API access logging (CloudTrail):

http://aws.amazon.com/cloudtrail/

Don't get burned. Check your stuff out.

nzadrozny11y ago

Hey all, Bonsai cofounder here.

It was an old API access key that got leaked, not our account credentials. We're still investigating how and where the key got leaked, but bottom line, it should have been revoked ages ago.

2FA is great, but it doesn't cover API keys. Rotate your API keys!

toomuchtodo11y ago

At this point, MFA for master AWS accounts should be mandatory.

earless111y ago

MFA for all console accounts is the only right answer. If machines require credentials to do specific task or perform API calls then roles should be used.

1 more reply

bdcravens11y ago

Full-blown AWS console compromise - this sounds similar to what happened to Code Spaces (https://news.ycombinator.com/item?id=7909791) Is there a new vulnerability?

nzadrozny11y ago

It wasn't a management console compromise, it was an old API key that got leaked.

dorfsmay11y ago

My concern exactly.

dorfsmay11y ago

Any word on how those accounts are getting compromised?

Have they been complacent (easy password to guess, keys easy to be compromised (maybe in a public github repo)), or could there be some whole in the AWS secutiy model?

count11y ago

If there were a hole in the AWS security model for this, I think it'd be pretty obvious pretty quickly, given what happens when US-East takes a dive...

This happens constantly, and it's almost always through lack of best practices (as mentioned in higher up comment - IAM, MFA, etc.).

huntermeyer11y ago

This brought my app down. http://jrdevjobs.com. Our shards were all missing from Bonsai. We looped through each model and saved it.

We're back up.

huslage11y ago

AWS needs to improve usability of IAM so that it gets broader adoption. The learning curve is non-trivial.

earless111y ago

What particular issues have you had with IAM? I find that the wizard is a good starting point for understanding the policies.

dorfsmay11y ago

So is creating policies.... They managed to make dealing with json worse than dealing with xml.

jayzalowitz11y ago

This sucks... I am happy we just put our search cluster on elasticbeanstalk atm, but I wish we had more services like this running.. good news is new security practices will hop up everywhere because of this.

grandalf11y ago

Not to focus on this when they are experiencing downtime, but Bonsai has been one of the least reliable service providers I've ever used.

vegardx11y ago

Good that it's pretty easy to change elastic search provider with little downtime. I'd recommend checking out found.no. We've been pleased with performance and stability. Heck - I can't recall any downtime at all.

donretag11y ago

qbox.io is another hosted Elasticsearch solution. I have never used them, but one of their developers is very knowledgeable and active on the mailing list.

kitwalker1211y ago

our site http://www.violetgrey.com went down because of this. Luckily we were able to reindex pretty fast before their backups kicked in. Any ideas on how to have fallbacks in such cases?

j / k navigate · click thread line to collapse

19 comments

ihsw11y ago

How were they 0wned? Lack of MFA, rogue API key, or something else? Are full-access accounts being handed out willy-nilly instead of IAM accounts?

AWS Multi-Factor Authentication (MFA):

http://aws.amazon.com/iam/details/mfa/

AWS Identity Access and Management (IAM):

http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPract...

Managing your AWS API Keys:

http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSG...

Go a step further with your AWS API keys and use AWS' API access logging (CloudTrail):

http://aws.amazon.com/cloudtrail/

Don't get burned. Check your stuff out.

nzadrozny11y ago

Hey all, Bonsai cofounder here.

It was an old API access key that got leaked, not our account credentials. We're still investigating how and where the key got leaked, but bottom line, it should have been revoked ages ago.

2FA is great, but it doesn't cover API keys. Rotate your API keys!

toomuchtodo11y ago

At this point, MFA for master AWS accounts should be mandatory.

earless111y ago

MFA for all console accounts is the only right answer. If machines require credentials to do specific task or perform API calls then roles should be used.

1 more reply

bdcravens11y ago

Full-blown AWS console compromise - this sounds similar to what happened to Code Spaces (https://news.ycombinator.com/item?id=7909791) Is there a new vulnerability?

nzadrozny11y ago

It wasn't a management console compromise, it was an old API key that got leaked.

dorfsmay11y ago

My concern exactly.

dorfsmay11y ago

Any word on how those accounts are getting compromised?

Have they been complacent (easy password to guess, keys easy to be compromised (maybe in a public github repo)), or could there be some whole in the AWS secutiy model?

count11y ago

If there were a hole in the AWS security model for this, I think it'd be pretty obvious pretty quickly, given what happens when US-East takes a dive...

This happens constantly, and it's almost always through lack of best practices (as mentioned in higher up comment - IAM, MFA, etc.).

huntermeyer11y ago

This brought my app down. http://jrdevjobs.com. Our shards were all missing from Bonsai. We looped through each model and saved it.

We're back up.

huslage11y ago

AWS needs to improve usability of IAM so that it gets broader adoption. The learning curve is non-trivial.

earless111y ago

What particular issues have you had with IAM? I find that the wizard is a good starting point for understanding the policies.

dorfsmay11y ago

So is creating policies.... They managed to make dealing with json worse than dealing with xml.

jayzalowitz11y ago

grandalf11y ago

Not to focus on this when they are experiencing downtime, but Bonsai has been one of the least reliable service providers I've ever used.

vegardx11y ago

donretag11y ago

qbox.io is another hosted Elasticsearch solution. I have never used them, but one of their developers is very knowledgeable and active on the mailing list.

kitwalker1211y ago

our site http://www.violetgrey.com went down because of this. Luckily we were able to reindex pretty fast before their backups kicked in. Any ideas on how to have fallbacks in such cases?

j / k navigate · click thread line to collapse