Comment by JuniperMesos 2 days ago

A lot of these problems seem pretty solvable, if you're the admin of the machine (or cloud system) and the user isn't.

If you don't want a user to log in as root, disable the root password (or change it to something only you know) and disable root ssh. If you want people to stop sharing the same login and password across all servers, there are several ways to do it but the most straightforward one seems like it would be to enforce the use of a hardware key (YubiKey or similar) for login. If people aren't using configuration management software and are leaving machines in an inconsistent state, again there are several options but I'd look into this NixOS project: https://github.com/nix-community/impermanence + some policy of rebooting the machines regularly.

If you don't like how users are making use of AWS resources and secrets, then set up AWS permissions to force them to do so the correct way. In general if someone is using a system in a bad or insecure way, then after alerting them with some lead time, deliberately break their workflow and force them to come to you in order to make progress. If the thing you suggest is actually the correct course of action for your organization, then it will be worthwhile.
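The two "don't log in as root" controls the comment recommends (a locked root password and root SSH login disabled) can be checked rather than assumed. The script below is an added example, not code from the thread; the sshd_config and /etc/shadow samples in it are constructed, and the `audit`, `sshd_option` and `root_password_state` names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: audit the "no root login" controls the
# comment recommends (locked root password, root SSH login disabled) against a
# constructed sshd_config and a constructed /etc/shadow line. The sample
# values below are constructed; the hash is not real.

# Effective value of an sshd_config keyword: sshd is case-insensitive on the
# keyword and the FIRST occurrence wins; falls back to the supplied default.
# Match blocks are not modelled; feed it `sshd -T` output for the real thing.
sshd_option() {  # $1 config text, $2 keyword, $3 sshd default
    v=$(printf '%s\n' "$1" | awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}')
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# Root's password state from shadow text: a "!" or "*" prefix means locked
# (what `passwd -l root` leaves behind); an empty field means no password.
root_password_state() {  # $1 shadow text
    f=$(printf '%s\n' "$1" | awk -F: '$1=="root" {print $2; exit}')
    case "$f" in
        '!'*|'*'*) echo locked ;;
        '')        echo empty ;;
        *)         echo set ;;
    esac
}

# Print one FINDING line per control that is not enforced, then the count.
audit() {  # $1 sshd_config text, $2 shadow text
    n=0
    if [ "$(sshd_option "$1" PermitRootLogin prohibit-password)" != no ]; then
        echo "FINDING: PermitRootLogin is not 'no'"; n=$((n+1)); fi
    if [ "$(sshd_option "$1" PasswordAuthentication yes)" = yes ]; then
        echo "FINDING: password authentication is enabled"; n=$((n+1)); fi
    if [ "$(root_password_state "$2")" != locked ]; then
        echo "FINDING: root password is not locked"; n=$((n+1)); fi
    echo "findings=$n"
}

WEAK_SSHD='# constructed: still allows root over SSH with a password
PermitRootLogin yes
PasswordAuthentication yes'
HARD_SSHD='# constructed: the hardened version
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'
WEAK_SHADOW='root:$6$constructed$notarealhash:19000:0:99999:7:::'
HARD_SHADOW='root:!:19000:0:99999:7:::'

audit "$WEAK_SSHD" "$WEAK_SHADOW"   # findings=3
audit "$HARD_SSHD" "$HARD_SHADOW"   # findings=0
```

On a live host, pass `"$(sshd -T)"` and `"$(grep '^root:' /etc/shadow)"` instead of the constructed strings so that Match blocks and included files are already resolved by sshd itself.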

philipwhiuk 2 days ago

None of them are technically hard. All of them are bureaucracy-hard.

If you just do any of this list without the proper migration plan/time, someone senior in the org will complain and you will lose.

  • jakeydus 2 days ago

    > If you just do any of this […], some senior in the org will complain and you will lose.

    More accurate statement imo.

skywhopper 2 days ago

It’s not as easy as “I can technically change this”. If you think it is, you don’t understand the job of a sysadmin.