2

I am working on a project with another person, call him Bob.

I would like to run a piece of proprietary software on an Amazon EC2 instance. This software will be sending out network packets (HTTP requests) to an external server.

I do not want Bob to be able to get ahold of this software. However, I want Bob to be able to stop me from sending out network packets in such a way that I cannot ever prevent him from doing this in the future.

I'm not sure how. Maybe by somehow giving Bob the power to terminate the instance, maybe by somehow giving him the ability to stop the packets from going out, I don't know.

Would love to hear ideas on how this can be accomplished with minimal additional latency (routing my packets through a separate EC2 instance that Bob owns would be too slow for example). Thanks!

galpo
  • *"routing my packets through a separate EC2 instance that Bob owns would be too slow"* is probably a flawed premise, and this is likely the only reasonable approach. – Michael - sqlbot Jul 19 '19 at 16:37
  • The context is one of low latency trading systems, and the reason for the question is that Bob wants to have the irrevocable power of preventing me from ever intentionally causing him financial harm through the running of the proprietary software. – galpo Jul 19 '19 at 21:29
  • Is Bob the one accepting your packets? If not... what is to stop you from taking your source code and running it somewhere else? – jacobbaer Aug 12 '19 at 05:41
  • Bob is not accepting my packets, a third party is, but Bob has the power to ensure that the third party only accepts packets from an IP that Bob specifies – galpo Aug 13 '19 at 21:02

3 Answers

3

Create Bob an IAM user with an attached policy that only gives them very limited rights, just enough to view instances and start / stop that one instance - not terminate it. The core of the policy is likely to be something like this, but you'll need to test / tweak it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/i-012345"
    }
  ]
}
```

Bob is likely to need more permissions but you'll discover them when you try this. I'd probably put Bob into a group and assign the permissions to a group, rather than directly to the user.

Tim
  • Thanks! My question is: wouldn't I be able to delete this policy at a future date without Bob being able to stop me? Basically, I want to grant Bob irrevocable permission to prevent me from sending out network packets. Sorry if that was unclear in my original post – galpo Jul 19 '19 at 14:27
  • In another comment you said this is Bob's account and it's your software - you should put all the information in your question up front or you won't get replies as good as they could be. Even now you should edit your question to be complete and precise. But my comment is that in Bob's account, Bob can do anything he wants, he has full control. You'd be better off with your own account, the server for Bob in its own VPC, then use VPC peering to let them communicate. Give Bob a limited IAM user that lets him STOP not terminate instances in that VPC only. – Tim Jul 21 '19 at 01:46
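
An added example, not part of the original answer or comments: a simplified evaluator for the identity policy above, showing which EC2 actions it would grant Bob on the one instance and that termination stays implicitly denied. The account ID, region and instance ID are constructed placeholders, and the evaluator ignores `Condition`, `NotAction`, SCPs and permission boundaries.

```python
from fnmatch import fnmatchcase

# Constructed sample: the policy from the answer, with region/account
# wildcards in the instance ARN (an assumption) so it can match a real ARN.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:*:*:instance/i-012345"},
    ],
}

# Constructed ARN in the shape EC2 presents it: region and account filled in.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:111122223333:instance/i-012345"


def as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants access.

    Action names match case-insensitively, resource ARNs case-sensitively.
    Only the '*' and '?' wildcards are expected in the patterns.
    """
    allowed = False
    for stmt in as_list(policy["Statement"]):
        action_hit = any(fnmatchcase(action.lower(), a.lower())
                         for a in as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, r)
                           for r in as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed  # False here means implicit deny: nothing allowed it


def report(policy, resource):
    """Return {action: bool} for the actions discussed in this thread."""
    actions = ["ec2:DescribeInstances", "ec2:StartInstances",
               "ec2:StopInstances", "ec2:TerminateInstances"]
    return {a: is_allowed(policy, a, resource) for a in actions}


if __name__ == "__main__":
    for action, ok in report(POLICY, INSTANCE_ARN).items():
        print(f"{action:28} {'ALLOW' if ok else 'deny (implicit)'}")
```

A resource pattern with empty region and account fields (`arn:aws:ec2:::instance/...`) does not match the full instance ARN, so the start/stop statement would grant nothing.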
2

As long as you are the owner of the account, you control what Bob can or can't do, but you can only restrict yourself voluntarily. If Bob is the owner of the account, you can't stop him from doing as he pleases. In your case, you want to place restrictions on both of you. One way to solve this is to have a trusted third party own the account and set permissions for both of you.

Ron Trunk
  • Unfortunately I don't think finding a trusted third party is possible in our case. Is there some way where say Bob can create an EC2 instance, give me root, then I disable his root access in a way that he can never ever get back into the machine (or EBS volume for that matter) but he can still terminate the instance at will from his AWS dashboard? – galpo Jul 19 '19 at 19:50
  • Short answer, NO. Either you control it or he does. – Ron Trunk Jul 19 '19 at 20:08
  • Why would you need a trusted third party? It's your software, you own the account / instance and they have limited rights to start and stop it. You probably don't want him terminating the instance, then it's gone. If it's your account only you can edit policies, unless you give someone else IAM permissions. If you edit your question to include all your requirements you might get a better answer. – Tim Jul 19 '19 at 20:39
  • I want Bob to have unlimited rights to terminate the instance actually, hopefully my description is clear about that, and apologies if it isn't. I'm basically performing a service for Bob, and in performing that service, my proprietary software running on the EC2 instance can do financial harm to Bob. Thus, Bob wants the security of being able to end the running of that software without needing my permission, should he ever decide I am suddenly intentionally trying to cause him financial harm. – galpo Jul 19 '19 at 21:27
0

Here's another idea:

Write your software in such a way that it requires a "license key" to operate. The software can be encrypted or have some other similar characteristic such that it can't run unless the key is available. The key will be stored on a server that you control.

Bob has a server that he controls, but the software on it needs your key to run. Bob can terminate the server as he pleases, but he can't steal your software without your key -- which you control.

Software keys are not foolproof - it's possible to reverse engineer your software, but you should be able to make it overly time-consuming or expensive to do so.

This is the same idea that all the major software manufacturers use to control their software. MS Windows is a perfect example.

Ron Trunk