

So a deployment takes ~10 minutes? The AWS creds for that deployment are scoped to 15 minutes. Where possible also provide time limited scoped tokens.

Far too many of these systems are not appropriately configured or set up, or are exposed with far too many secrets as environment variables and the like. The CI/CD pipeline used for deployment shouldn't be the same one that runs tests for developers. Especially if that CI/CD pipeline allows for the docker socket to be mounted inside of the CI/CD pipeline so that it can spin up more docker containers (as an example). Splitting instances into different needs. There's no reason why a merge request on a small tool repository needs access to the AWS keys for production for example. Start by limiting access to secrets within various pipelines.
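As an added example (not from the comment author, and not any real CI vendor's schema), here is a small audit script that turns the points above into checks over a pipeline definition: production secrets reachable from merge-request jobs, credential literals pasted into environment variables instead of secret-store references, the docker socket mounted into a job, and static or over-long credential lifetimes compared with how long the job actually runs. The `Job` fields, the `$vault:` reference convention, the "TTL should not exceed twice the expected run time" rule and the sample pipeline are all constructed assumptions for illustration.

```python
"""Audit a simplified CI/CD pipeline definition for secret-scoping problems.

The job schema, the "$vault:" secret-reference convention and the sample
pipeline below are constructed for this example; they are not the syntax
of any real CI system.
"""

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DOCKER_SOCKET = "/var/run/docker.sock"

# Heuristic: variable names that look like production cloud credentials.
PROD_SECRET_RE = re.compile(r"PROD|AWS_(SECRET_)?ACCESS_KEY", re.I)

# Rough shape of a pasted AWS key id (AKIA + 16 chars) or a 40-char secret.
# Anything matching this as a literal value is a credential in the config,
# not a reference to a secret store.
STATIC_VALUE_RE = re.compile(r"^(AKIA[0-9A-Z]{16}|[A-Za-z0-9/+=]{40})$")


@dataclass
class Job:
    name: str
    trigger: str                      # "merge_request" or "main" (assumed values)
    expected_minutes: int             # how long the job normally takes
    env: Dict[str, str] = field(default_factory=dict)   # name -> literal or "$vault:..." ref
    volumes: List[str] = field(default_factory=list)    # host paths mounted into the job
    credential_ttl_minutes: Optional[int] = None        # None = static, never-expiring key


def audit_job(job: Job, ttl_slack: float = 2.0) -> List[str]:
    """Return human-readable findings for one job (empty list = clean)."""
    findings: List[str] = []
    for name, value in job.env.items():
        looks_prod = bool(PROD_SECRET_RE.search(name))
        if looks_prod and job.trigger == "merge_request":
            findings.append(f"{job.name}: merge-request job can read production secret {name}")
        if not value.startswith("$vault:") and STATIC_VALUE_RE.match(value):
            findings.append(f"{job.name}: {name} is a pasted credential literal, not a secret-store reference")

    if DOCKER_SOCKET in job.volumes:
        findings.append(f"{job.name}: mounts {DOCKER_SOCKET}, giving the job control of the host docker daemon")

    # Credential lifetime vs. job length: a 10-minute deploy should not hold
    # a 12-hour (or permanent) credential. The 2x slack factor is an assumption.
    if any(PROD_SECRET_RE.search(n) for n in job.env):
        if job.credential_ttl_minutes is None:
            findings.append(f"{job.name}: uses a static credential; issue a short-lived scoped token instead")
        elif job.credential_ttl_minutes > ttl_slack * job.expected_minutes:
            findings.append(
                f"{job.name}: credential TTL {job.credential_ttl_minutes}m far exceeds "
                f"expected run time {job.expected_minutes}m"
            )
    return findings


def audit_pipeline(jobs: List[Job]) -> Dict[str, List[str]]:
    """Audit every job; result maps job name -> list of findings."""
    return {job.name: audit_job(job) for job in jobs}


# Constructed sample pipeline. AKIAIOSFODNN7EXAMPLE is the placeholder key id
# used in AWS documentation, not a live credential.
SAMPLE_PIPELINE = [
    Job("unit-tests", "merge_request", expected_minutes=5,
        env={"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", "DEPLOY_ENV": "prod"},
        volumes=[DOCKER_SOCKET]),
    Job("deploy-prod", "main", expected_minutes=10,
        env={"PROD_AWS_ROLE": "$vault:aws/prod-deploy"},
        credential_ttl_minutes=15),
    Job("deploy-prod-old", "main", expected_minutes=10,
        env={"PROD_AWS_ROLE": "$vault:aws/prod-deploy"},
        credential_ttl_minutes=720),
]

if __name__ == "__main__":
    for job_name, job_findings in audit_pipeline(SAMPLE_PIPELINE).items():
        print(f"{job_name}: {'OK' if not job_findings else ''}")
        for finding in job_findings:
            print("  -", finding)
```

Running it on the sample flags the merge-request test job four times (production key readable, key pasted as a literal, docker socket mounted, static credential), passes the 15-minute-scoped deploy job, and flags only the TTL on the copy that holds a 12-hour credential. The same checks can be wired into a pipeline-config pre-commit hook or a periodic scan of CI configuration.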
