<div dir="ltr">Hello Colleen, <div><br></div><div>As an example, in the windows world, we had that great user Administrator. This was a user that you could not delete. So in the past the teams that I worked with renamed it to LAdministrator. Given the password or keypair was reset by some official and it was stored in a safe. </div><div><br></div><div>Same goes for the root account in linux / unix. </div><div><br></div><div><br></div><div>Once we build the environment with user X (ec2-user) with the keys that we generated. The keys can be swapped by anyone on the team and they can be deleted. That's up to the larger team. As I stated we do not use the ec2-user. </div><div><br></div><div>In an email that I sent, I asked Jet who if anyone should hold the keys once day two ops steps in? </div><div><br></div><div>If it is determined that nobody should have an ec2-user/root/Administrator keypair or password that's fine. We will need to switch into a pure immutable build. </div><div><br></div><div>In that case if we drop any communication with IDM LDAP and are unable to resolve the issue we will destroy the vpc and build a new clean one and the app teams can re run the code to deploy the apps. </div><div><br></div><div>Just trying to make sure were all on the same page. </div><div><br></div><div>Thanks, </div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-weight:bold;margin:0px;padding:0px;font-size:14px;text-transform:capitalize"><span>KEVIN</span> <span>O'DONNELL </span></p><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-size:12px;margin:0px;text-transform:capitalize"><span>ARCHITECT MANAGER</span></p><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;margin:0px 0px 4px;font-size:12px"><a href="https://www.redhat.com/" style="color:rgb(0,136,206);margin:0px" target="_blank">Red Hat <span>Red Hat NA Public Sector Consulting</span></a></p><div style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-size:medium;margin-bottom:4px"></div><p style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;margin:0px;font-size:12px"><span style="margin:0px;padding:0px"><a href="mailto:kodonnell@redhat.com%20M:240-605-4654" style="color:rgb(0,0,0);margin:0px" target="_blank">kodonnell@redhat.com</a> M: 240-605-4654</span></p><div style="color:rgb(0,0,0);font-family:RedHatText,sans-serif;font-size:medium;margin-top:12px"><table border="0"><tbody><tr><td width="100px"><a href="https://red.ht/sig" target="_blank"><img src="https://static.redhat.com/libs/redhat/brand-assets/latest/corp/logo.png" width="90" height="auto"></a></td></tr></tbody></table></div><table border="0"><tbody><tr><td width="100px"></td></tr></tbody></table> </div></div></div></div></div></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Jan 5, 2020 at 3:42 PM Feiglstok, Colleen M [US] (MS) <<a href="mailto:Colleen.Feiglstok@ngc.com">Colleen.Feiglstok@ngc.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <div lang="EN-US"> <div class="gmail-m_6056420920299853014WordSection1"> <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Kevin, <u></u><u></u></span></p> <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p> <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">You are incorrect - the issue is not the <b>name</b> of the account, it is the fact that it is a <b>non-attributable account</b>. ANY shared/non-attributable accounts, <b>no matter the name or privileges</b>, will be in violation. <u></u><u></u></span></p> <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p> <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Does that make more sense? We can’t have non-attributable group accounts. <u></u><u></u></span></p> <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p> <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Please refer to Eric’s email sent on 12/20/2019 (and below) in regards to attribution. Let us know if you need more clarification.<u></u><u></u></span></p> <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p> <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)">Colleen<u></u><u></u></span></p> <p class="MsoNormal"><span style="font-size:11pt;font-family:Calibri,sans-serif;color:rgb(31,73,125)"><u></u> <u></u></span></p> <p class="MsoNormal"><b><span style="font-size:11pt;font-family:Calibri,sans-serif">From:</span></b><span style="font-size:11pt;font-family:Calibri,sans-serif"> Kevin O'Donnell <<a href="mailto:kodonnel@redhat.com" target="_blank">kodonnel@redhat.com</a>> <br> <b>Sent:</b> Sunday, January 5, 2020 3:34 PM<br> <b>To:</b> Miller, Timothy J. <<a href="mailto:tmiller@mitre.org" target="_blank">tmiller@mitre.org</a>><br> <b>Cc:</b> Blade, Eric D [US] (MS) <<a href="mailto:Eric.Blade@ngc.com" target="_blank">Eric.Blade@ngc.com</a>>; Lastrilla, Jet <<a href="mailto:jlastrilla@mitre.org" target="_blank">jlastrilla@mitre.org</a>>; Feiglstok, Colleen M [US] (MS) <<a href="mailto:Colleen.Feiglstok@ngc.com" target="_blank">Colleen.Feiglstok@ngc.com</a>>; BRYAN, AUSTEN R Capt USAF AFMC AFLCMC/HNCP <<a href="mailto:austen.bryan.1@us.af.mil" target="_blank">austen.bryan.1@us.af.mil</a>>; DIROCCO, ROGER E GG-13 USAF AFMC ESC/AFLCMC/HNCP <<a href="mailto:roger.dirocco.4@us.af.mil" target="_blank">roger.dirocco.4@us.af.mil</a>>; <a href="mailto:platformONE@redhat.com" target="_blank">platformONE@redhat.com</a>; Tim Gast <<a href="mailto:tg@braingu.com" target="_blank">tg@braingu.com</a>>; Bubb, Mike <<a href="mailto:mbubb@mitre.org" target="_blank">mbubb@mitre.org</a>>; TRAMBLE, ELIJAH Q Capt USAF AFMC AFLCMC/HNC <<a href="mailto:elijah.tramble.1@us.af.mil" target="_blank">elijah.tramble.1@us.af.mil</a>>; <a href="mailto:tj.zimmerman@braingu.com" target="_blank">tj.zimmerman@braingu.com</a>; LOPEZDEURALDE, RICHARD A Lt Col USAF AFMC AFLCMC/HNCP <<a href="mailto:richard.lopezdeuralde@us.af.mil" target="_blank">richard.lopezdeuralde@us.af.mil</a>>; RAMIREZ, JOSE A CTR USAF AFMC AFLCMC/HNCP <<a href="mailto:jose.ramirez.50.ctr@us.af.mil" target="_blank">jose.ramirez.50.ctr@us.af.mil</a>>; Leonard, Michael C. <<a href="mailto:leonardm@mitre.org" target="_blank">leonardm@mitre.org</a>>; REINHARDT, MELISSA A GG-13 USAF AFMC AFLCMC/HNCP <<a href="mailto:melissa.reinhardt.2@us.af.mil" target="_blank">melissa.reinhardt.2@us.af.mil</a>>; Taylor Biggs <<a href="mailto:taylor@redhat.com" target="_blank">taylor@redhat.com</a>>; CRISP, JOSHUA M GS-09 USAF AFMC AFLCMC/HNCP <<a href="mailto:joshua.crisp.2@us.af.mil" target="_blank">joshua.crisp.2@us.af.mil</a>>; BOGUE, STEVEN E CTR USAF AFMC AFLCMC/HNCP <<a href="mailto:steven.bogue.1.ctr@us.af.mil" target="_blank">steven.bogue.1.ctr@us.af.mil</a>>; Wilcox, John R. (San Antonio, TX) [US] (MS) <<a href="mailto:John.R.Wilcox@ngc.com" target="_blank">John.R.Wilcox@ngc.com</a>><br> <b>Subject:</b> Re: EXT :Re: [EXT] Platform1 SAR<u></u><u></u></span></p> <p class="MsoNormal"><u></u> <u></u></p> <div> <p class="MsoNormal">Hello Tim, <u></u><u></u></p> <div> <p class="MsoNormal"><u></u> <u></u></p> </div> <div> <p class="MsoNormal">Welcome back. Happy New Year. <u></u><u></u></p> </div> <div> <p class="MsoNormal"><u></u> <u></u></p> </div> <div> <p class="MsoNormal">We have a plan in place to swap out the ec2-user for another user seeing as the major issue is the actual name of the user not its privs in prod. <u></u><u></u></p> </div> <div> <p class="MsoNormal"><u></u> <u></u></p> </div> <div> <p class="MsoNormal">Incorrect up-prod-a keys were switched out before Xmas. This process will need to be included in the Day Two OPS onboarding process. Jet, who should be the holder of this key on day two? We are also ensuring that anyone that authenticates to the nodes in the vpc use dedicated IDM accounts with per user dedicated keys and sudo privs. <u></u><u></u></p> </div> <div> <p class="MsoNormal"><u></u> <u></u></p> </div> <div> <p class="MsoNormal">Correct. Re-enforcing the Day Two requirements. And also supporting that the pipelines and CI process can support CI/CD to only dev/staging. For prod or any environment were the keys have been swapped and are not included as private Git variables we can not support CD into prod/appdev if so deemed. <u></u><u></u></p> </div> <div> <p class="MsoNormal"><u></u> <u></u></p> </div> <div> <p class="MsoNormal">We are fast approaching policy with this topic. We should have a further discussion this week. I will be in San Antonio on Wed and Thur. <u></u><u></u></p> </div> <div> <p class="MsoNormal"><u></u> <u></u></p> </div> <div> <p class="MsoNormal">Do you have any additional mitigation techniques Tim?<u></u><u></u></p> </div> <div> <p class="MsoNormal"><u></u> <u></u></p> </div> <div> <p class="MsoNormal">Thanks, <u></u><u></u></p> </div> <div> <p class="MsoNormal"><br clear="all"> <u></u><u></u></p> <div> <div> <div> <div> <div> <div> <div> <div> <div> <div> <div> <p style="margin:0in 0in 0.0001pt"><b><span style="font-size:10.5pt;font-family:Arial,sans-serif;color:black">KEVIN O'DONNELL <u></u><u></u></span></b></p> <p style="margin:0in 0in 0.0001pt;text-transform:capitalize"><span style="font-size:9pt;font-family:Arial,sans-serif;color:black">ARCHITECT MANAGER<u></u><u></u></span></p> <p style="margin:0in 0in 0.0001pt"><span style="font-size:9pt;font-family:Arial,sans-serif;color:black"><a href="https://www.redhat.com/" target="_blank"><span style="color:rgb(0,136,206)">Red Hat Red Hat NA Public Sector Consulting</span></a><u></u><u></u></span></p> <p style="margin:0in 0in 0.0001pt"><span style="font-size:9pt;font-family:Arial,sans-serif;color:black"><a href="mailto:kodonnell@redhat.com%20M:240-605-4654" target="_blank"><span style="color:black">kodonnell@redhat.com</span></a> M: 240-605-4654<u></u><u></u></span></p> <div style="margin-top:9pt"> <table border="0" cellpadding="0"> <tbody> <tr> <td style="padding:0.75pt"> <p class="MsoNormal"><a href="https://red.ht/sig" target="_blank"><span style="text-decoration:none"><img border="0" width="90" style="width: 0.9375in;" id="gmail-m_6056420920299853014_x0000_i1025" src="https://static.redhat.com/libs/redhat/brand-assets/latest/corp/logo.png"></span></a><u></u><u></u></p> </td> </tr> </tbody> </table> </div> <table border="0" cellpadding="0"> <tbody> <tr> <td style="padding:0.75pt"></td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <p class="MsoNormal"><u></u> <u></u></p> </div> </div> <p class="MsoNormal"><u></u> <u></u></p> <div> <div> <p class="MsoNormal">On Sun, Jan 5, 2020 at 2:58 PM Miller, Timothy J. <<a href="mailto:tmiller@mitre.org" target="_blank">tmiller@mitre.org</a>> wrote:<u></u><u></u></p> </div> <blockquote style="border-top:none;border-right:none;border-bottom:none;border-left:1pt solid rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"> <p class="MsoNormal" style="margin-bottom:12pt">Some more points of interest--<br> <br> - The ec2-user account can't currently be avoided given the current design of the IaC.<br> <br> - This SSH key provisioned for this account is shared across up-prod-a, up-dev-a, and DSOP.<br> <br> - The ec2-user SSH privkey is available to anyone with Maintainer or higher access to the GitLab repo that holds the customer's environment definitions or the platform-infrastructure repo.<br> <br> -- T<br> <br> <span style="font-family:Tahoma,sans-serif"></span>On 12/20/19, 08:13, "Blade, Eric D [US] (MS)" <<a href="mailto:Eric.Blade@ngc.com" target="_blank">Eric.Blade@ngc.com</a>> wrote:<br> <br> I just want to clarify on the topic of the EC2-user. The key is attribution. We need to know who or what is configuring the systems.<br> <br> We are repeatedly seeing the ec2-user account used to manually configure systems. Ec2-user should only be used to perform programmatic tasks from committed and<br> reviewed code as part of initial provisioning. If the code to provision and configure systems is unavailable, then you must create attributable accounts to perform changes to the systems.<br> <br> Any use of ec2-user remote login or su to ec2-user will be flagged as a violation and the source IP or user account logged as the violating source. Any manual/command<br> line activities MUST be performed using an attributable user account.<br> <br> If that is not clear, please let me know and I will attempt to elaborate further.<br> <br> Thank you<br> <br> <br> Eric Blade, GXPN, GPEN<br> Unified Platform System Coordinator<br> Northrop Grumman Mission Systems<br> Work: 410.649.0706<br> Mobile: 240.258.8089<br> <br> <br> <br> From: Kevin O'Donnell <<a href="mailto:kodonnel@redhat.com" target="_blank">kodonnel@redhat.com</a>><br> <br> Sent: Thursday, December 19, 2019 6:22 PM<br> To: Lastrilla, Jet <<a href="mailto:jlastrilla@mitre.org" target="_blank">jlastrilla@mitre.org</a>><br> Cc: Feiglstok, Colleen M [US] (MS) <<a href="mailto:Colleen.Feiglstok@ngc.com" target="_blank">Colleen.Feiglstok@ngc.com</a>>; BRYAN, AUSTEN R Capt USAF AFMC AFLCMC/HNCP <<a href="mailto:austen.bryan.1@us.af.mil" target="_blank">austen.bryan.1@us.af.mil</a>>; DIROCCO, ROGER E GG-13 USAF AFMC ESC/AFLCMC/HNCP <<a href="mailto:roger.dirocco.4@us.af.mil" target="_blank">roger.dirocco.4@us.af.mil</a>>; <a href="mailto:platformONE@redhat.com" target="_blank">platformONE@redhat.com</a>; Tim Gast <<a href="mailto:tg@braingu.com" target="_blank">tg@braingu.com</a>>;<br> Bubb, Mike <<a href="mailto:mbubb@mitre.org" target="_blank">mbubb@mitre.org</a>>; TRAMBLE, ELIJAH Q Capt USAF AFMC AFLCMC/HNC <<a href="mailto:elijah.tramble.1@us.af.mil" target="_blank">elijah.tramble.1@us.af.mil</a>>; <a href="mailto:tj.zimmerman@braingu.com" target="_blank">tj.zimmerman@braingu.com</a>; LOPEZDEURALDE, RICHARD A Lt Col USAF AFMC AFLCMC/HNCP <<a href="mailto:richard.lopezdeuralde@us.af.mil" target="_blank">richard.lopezdeuralde@us.af.mil</a>>; Blade, Eric D [US] (MS) <<a href="mailto:Eric.Blade@ngc.com" target="_blank">Eric.Blade@ngc.com</a>>;<br> RAMIREZ, JOSE A CTR USAF AFMC AFLCMC/HNCP <<a href="mailto:jose.ramirez.50.ctr@us.af.mil" target="_blank">jose.ramirez.50.ctr@us.af.mil</a>>; Leonard, Michael C. <<a href="mailto:leonardm@mitre.org" target="_blank">leonardm@mitre.org</a>>; REINHARDT, MELISSA A GG-13 USAF AFMC AFLCMC/HNCP <<a href="mailto:melissa.reinhardt.2@us.af.mil" target="_blank">melissa.reinhardt.2@us.af.mil</a>>; Taylor Biggs <<a href="mailto:taylor@redhat.com" target="_blank">taylor@redhat.com</a>>; Miller, Timothy J. <<a href="mailto:tmiller@mitre.org" target="_blank">tmiller@mitre.org</a>>;<br> CRISP, JOSHUA M GS-09 USAF AFMC AFLCMC/HNCP <<a href="mailto:joshua.crisp.2@us.af.mil" target="_blank">joshua.crisp.2@us.af.mil</a>>; BOGUE, STEVEN E CTR USAF AFMC AFLCMC/HNCP <<a href="mailto:steven.bogue.1.ctr@us.af.mil" target="_blank">steven.bogue.1.ctr@us.af.mil</a>>; Wilcox, John R. (San Antonio, TX) [US] (MS) <<a href="mailto:John.R.Wilcox@ngc.com" target="_blank">John.R.Wilcox@ngc.com</a>><br> Subject: EXT :Re: [EXT] Platform1 SAR<br> <br> Colleen, <br> <br> <br> Thank you for the results and recommendations. We will get GIT issues crated for your findings and will prioritize the mitigation and implement them as code in our future IAC deployments. Many of the findings in the current VPC have been<br> mitigated in up-prod-b with our current code release. <br> <br> <br> <br> Please let us know when you have finished and we can power down the host that you have been using for scanning. <br> <br> <br> <br> Note for everyone: Once we power down the ec2 instance ssh or port 22 will not be externally accessible. Thus, mitigating many of the risks associated with the ec2-user and the keys. <br> <br> <br> <br> Thanks, <br> <br> <br> <br> KEVIN O'DONNELL <br> ARCHITECT MANAGER<br> Red Hat Red Hat NA Public Sector Consulting <<a href="https://www.redhat.com/" target="_blank">https://www.redhat.com/</a>><br> <a href="mailto:kodonnell@redhat.com" target="_blank">kodonnell@redhat.com</a> <mailto:<a href="mailto:kodonnell@redhat.com" target="_blank">kodonnell@redhat.com</a>%20M:240-605-4654> M: 240-605-4654<br> <<a href="https://red.ht/sig" target="_blank">https://red.ht/sig</a>><br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <br> On Thu, Dec 19, 2019 at 4:52 PM Lastrilla, Jet <<a href="mailto:jlastrilla@mitre.org" target="_blank">jlastrilla@mitre.org</a>> wrote:<br> <br> <br> Thanks Colleen. Sorry for the rushed feeling. If you want to take more time, please use tomorrow to do your testing. <br> <br> <br> Thank you for all you do!!!!<br> <br> Get Outlook for iOS <<a href="https://aka.ms/o0ukef" target="_blank">https://aka.ms/o0ukef</a>><br> <br> <br> <br> ________________________________________<br> <br> From: Feiglstok, Colleen M [US] (MS) <<a href="mailto:Colleen.Feiglstok@ngc.com" target="_blank">Colleen.Feiglstok@ngc.com</a>><br> Sent: Thursday, December 19, 2019 4:35:15 PM<br> To: Lastrilla, Jet <<a href="mailto:jlastrilla@mitre.org" target="_blank">jlastrilla@mitre.org</a>>; BRYAN, AUSTEN R Capt USAF AFMC AFLCMC/HNCP <<a href="mailto:austen.bryan.1@us.af.mil" target="_blank">austen.bryan.1@us.af.mil</a>>; DIROCCO, ROGER E<br> GG-13 USAF AFMC ESC/AFLCMC/HNCP <<a href="mailto:roger.dirocco.4@us.af.mil" target="_blank">roger.dirocco.4@us.af.mil</a>>; Kevin O'Donnell <<a href="mailto:kodonnel@redhat.com" target="_blank">kodonnel@redhat.com</a>>;<br> <a href="mailto:platformONE@redhat.com" target="_blank">platformONE@redhat.com</a> <<a href="mailto:platformONE@redhat.com" target="_blank">platformONE@redhat.com</a>>; Tim Gast <<a href="mailto:tg@braingu.com" target="_blank">tg@braingu.com</a>>; Bubb, Mike<br> <<a href="mailto:mbubb@mitre.org" target="_blank">mbubb@mitre.org</a>>; TRAMBLE, ELIJAH Q Capt USAF AFMC AFLCMC/HNC <<a href="mailto:elijah.tramble.1@us.af.mil" target="_blank">elijah.tramble.1@us.af.mil</a>>;<br> <a href="mailto:tj.zimmerman@braingu.com" target="_blank">tj.zimmerman@braingu.com</a> <<a href="mailto:tj.zimmerman@braingu.com" target="_blank">tj.zimmerman@braingu.com</a>>; LOPEZDEURALDE, RICHARD A Lt Col USAF AFMC AFLCMC/HNCP <<a href="mailto:richard.lopezdeuralde@us.af.mil" target="_blank">richard.lopezdeuralde@us.af.mil</a>>;<br> Blade, Eric D [US] (MS) <<a href="mailto:Eric.Blade@ngc.com" target="_blank">Eric.Blade@ngc.com</a>>; RAMIREZ, JOSE A CTR USAF AFMC AFLCMC/HNCP <<a href="mailto:jose.ramirez.50.ctr@us.af.mil" target="_blank">jose.ramirez.50.ctr@us.af.mil</a>>; Leonard, Michael<br> C. <<a href="mailto:leonardm@mitre.org" target="_blank">leonardm@mitre.org</a>>; REINHARDT, MELISSA A GG-13 USAF AFMC AFLCMC/HNCP <<a href="mailto:melissa.reinhardt.2@us.af.mil" target="_blank">melissa.reinhardt.2@us.af.mil</a>>; Taylor Biggs <<a href="mailto:taylor@redhat.com" target="_blank">taylor@redhat.com</a>>;<br> Miller, Timothy J. <<a href="mailto:tmiller@mitre.org" target="_blank">tmiller@mitre.org</a>>; CRISP, JOSHUA M GS-09 USAF AFMC AFLCMC/HNCP <<a href="mailto:joshua.crisp.2@us.af.mil" target="_blank">joshua.crisp.2@us.af.mil</a>>; BOGUE, STEVEN E CTR USAF AFMC<br> AFLCMC/HNCP <<a href="mailto:steven.bogue.1.ctr@us.af.mil" target="_blank">steven.bogue.1.ctr@us.af.mil</a>>; Wilcox, John R. (San Antonio, TX) [US] (MS) <<a href="mailto:John.R.Wilcox@ngc.com" target="_blank">John.R.Wilcox@ngc.com</a>><br> Subject: [EXT] Platform1 SAR <br> <br> <br> <br> All,<br> <br> The SAR and raw results from the new security testing will be sent through NGSafe in a few moments.<br> <br> As usual, I felt very rushed with the testing, and feel like I have not done as thorough of a job as required. I was unable to log into the Web UIs, as no one from the Platform1 team gave me the account information. I had issues with Nessus, so the CVE’s<br> were found through OSCAP this time.<br> <br> A lot is the same as the last report, but please read through it, because there is some new information. I had to test as ec2-user again, which is another big issue that needs to be resolved ASAP. The more I use it and find out<br> how it is being used, the more extremely concerned I am. It has multiple keys throughout the platform located in the .ssh directory, one of which is world readable. On some hosts, a real user is using the ec2-user account to create accounts, groups, and pull<br> docker files. The account is non-attributable, so we have no way of knowing who is doing this. Someone could do serious damage with no consequence. I understand that the ec2-user is needed for standing up an ec2-image, but<br> this account should only be used for implementing IAC, so that the changes implemented by ec2-user are codified. If manual admin is required, that IAC should provision the appropriate attributable accounts, and those accounts should<br> be used from then on. In my opinion, this is a critical finding and needs to be addressed ASAP.<br> <br> <br> I will be available during the day tomorrow for any questions.<br> <br> Thanks<br> Colleen<br> <br> <br> <br> <br> <br> <br> <br> <br> <br> <u></u><u></u></p> </blockquote> </div> </div> </div> </blockquote></div>