Thread: Learning DevPay By Doing: Sim-OnDemand: Learning #1 - End User Key Safety


Replies: 2 - Pages: 1 - Last Post: Jan 8, 2009 7:35 PM by: Justin@AWS
labsji

Posts: 23
Registered: 6/6/06
Learning DevPay By Doing: Sim-OnDemand: Learning #1 - End User Key Safety
Posted: Nov 3, 2008 12:12 PM PST

I'm excited about DevPay and believe it has immense potential to make the AWS platform really usable by a lot more people. I'm in the process of learning DevPay by actually doing a (DevPay based) application. I plan to share my learnings as I progress with the application and here is the first installment of the sharing.

Learning Prelims :
I created Sim-OnDemand http://simondemand.ec29.com/index.html - a ready-to-run packaging of OpenSim, a rapidly evolving 3D virtual world server software, as a premium AMI. It is a KISS attempt to add a thin layer of sugar-coat value-add on top of emerging open-source software. The application and its prerequisite software are assembled and configured such that the application data is stored on the Elastic Block Store (EBS) volume. EBS integration makes it possible to persist application data across EC2 instance runs.

RoadBlock #1: Key Safety for Paid AMI User.
Problem: In order to integrate with EBS, the paid AMI based EC2 instance needs to make AWS API calls. That means passing the (User's) AWS access key and secret key to the instance somehow. Passing them via User Data is one possibility. Yet it increases the risks of key exposure considerably. Considering that the AMI could be repackaged and redistributed by third parties without being fully aware of key passage via user data and related safety measures, key safety for the ultimate end user is a big concern.

Solution: Eliminate key passage to the instance altogether! To avoid passing keys to the instance, my solution is to complement the paid AMI with a launcher application. It is the launcher application running on the AMI user's PC that does all the API calls on the instance's behalf. If the instance needs to make the call, a pre-signed REST call URL is computed by the launcher application and passed on to the instance rather than the keys.

The AMI details are at http://simondemand.ec29.com/index.html . The product page has the launcher application download link. The launcher application code is open-sourced and shared via Google Code: http://simond.googlecode.com . Thanks for open-sourcing ElasticFox (ec2ui); the code reuses ec2ui JavaScript for AWS API calls. Feel free to reuse the launcher application.

What more would you like to learn? Feedback and questions welcome - the best way to learn together.

Bonus Tip: One simple way to disable root access to the paid AMI is to disable the copying of the SSH keys to /root/.ssh by the script that gets called via /etc/rc.local. Modifying the script to copy the keys to a non-root user will ensure basic access to the machine. Sudo config can be set to allow root access just as much as needed.
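
The pre-signed call idea from the post above, as an added example that is not part of the original post or of the Sim-OnDemand launcher code: the launcher signs one specific request with an expiry, and the instance receives only the resulting URL. It assumes AWS Signature Version 2 query signing (the post does not say which scheme the launcher uses); the function names, API version, credentials and resource IDs are constructed for illustration.

```javascript
const crypto = require("crypto");

// RFC 3986 percent-encoding (encodeURIComponent leaves !'()* unescaped).
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());

// Canonical query string: parameters sorted by name, each name and value encoded.
const canonical = (params) => Object.keys(params).sort()
  .map((k) => enc(k) + "=" + enc(params[k])).join("&");

// Signature Version 2: HMAC-SHA256 over method, host, path and canonical query.
const sign = (secretKey, host, path, params) =>
  crypto.createHmac("sha256", secretKey)
    .update(["GET", host, path, canonical(params)].join("\n")).digest("base64");

// Launcher side (user's PC): the only place the secret key is used.
function presign(creds, host, action, args, expiresIso) {
  const params = Object.assign({}, args, {
    Action: action, AWSAccessKeyId: creds.accessKeyId, Expires: expiresIso,
    SignatureMethod: "HmacSHA256", SignatureVersion: "2",
    Version: "2008-12-01", // assumed API version for this example
  });
  params.Signature = sign(creds.secretKey, host, "/", params);
  return "https://" + host + "/?" + canonical(params);
}

// Simulated service-side check: recompute the signature and enforce Expires.
function serviceAccepts(url, secretKey, nowIso) {
  const u = new URL(url);
  const params = Object.fromEntries(u.searchParams);
  const claimed = Buffer.from(params.Signature || "");
  delete params.Signature;
  if (!params.Expires || nowIso > params.Expires) return false;
  const expected = Buffer.from(sign(secretKey, u.host, u.pathname, params));
  return claimed.length === expected.length &&
    crypto.timingSafeEqual(claimed, expected);
}

// Constructed sample values, not real credentials or resource IDs.
const sampleCreds = { accessKeyId: "AKIDEXAMPLE", secretKey: "constructed-secret-key" };
const sampleUrl = presign(sampleCreds, "ec2.amazonaws.com", "AttachVolume",
  { VolumeId: "vol-00000000", InstanceId: "i-00000000", Device: "/dev/sdf" },
  "2009-01-08T12:00:00Z");
console.log(sampleUrl); // this URL, not the keys, is what the instance receives
```

The URL still acts as a bearer token for that one call until `Expires`, so the expiry window should be kept short and the URL delivered over a protected channel.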




Stephanie Oprandi
RealName(TM)

Posts: 1
Registered: 1/7/09
Re: Learning DevPay By Doing: Sim-OnDemand: Learning #1 - End User Key Safety
Posted: Jan 8, 2009 5:40 AM PST   in response to: labsji

I can't shut down the API. I have no idea where to find it. I was billed for 577 hours even though I used maybe an hour total since I started the service. Now, I am being billed in January and I haven't even turned it on. It is up to 178 hours in January even though I canceled my account January 2. I have no clue where to go to turn off the API. None. I thought logging off the SimONDemand would shut down the instance, but it doesn't. It keeps running even though when I go to open up the program, it shows me logged off on my client. I want reimbursed the 81 dollars in change I was charged for December. I didn't even use 577 hours. That is ridiculous. Now it shows I am going to be billed 25 bucks for January and I cancelled Jan 2!!!! How is this cost effective? I want credit for that too. I am pretty upset. I have been trying to work with Amazon about this for a week. Yet, they don't seem to understand what I am talking about. Amazon may very well be losing a good customer too.


Justin@AWS

Posts: 913
Registered: 12/13/06
Re: Learning DevPay By Doing: Sim-OnDemand: Learning #1 - End User Key Safety
Posted: Jan 8, 2009 6:43 PM PST   in response to: Stephanie Oprandi

Hi Stephanie,

The easiest way to shut down an Amazon EC2 instance of a Paid AMI is to use Elasticfox (Firefox plugin):
http://developer.amazonwebservices.com/connect/entry.jspa?externalID=609&categoryID=85

Elasticfox Getting Started Guide:
http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1797&categoryID=174

Another option is to use the Amazon EC2 API command line tools:
http://developer.amazonwebservices.com/connect/entry.jspa?externalID=351&categoryID=88

Regarding your bill, I've checked with the team here and you should be receiving a response to your email shortly.  You should not be getting charged for usage past January 2nd.

Please let us know via this forum if you have any questions about Elasticfox or the command line tools.  For any additional Paid AMI billing related questions, please continue to email application-payments@amazon.com.

Regards,
Justin


