TL;DR Just want to see a list of services and how their data can be shared across AWS accounts? Click here. Spreadsheet version here. Background There are many strategies for organizing AWS accounts. Some organizations use a separate account for each environment — one for development, another for staging, and a third…

Over the past several years, I’ve lost count of the number of candidates I’ve interviewed for cloud, security, and development roles. …

AWS Cognito is a popular managed authentication service that provides support for integrated SAML 2.0-compliant identity providers (IdPs) such as Azure Active Directory, Okta, Auth0, OneLogin, and others. One use case for Cognito is to serve as a middleware or proxy layer between an identity provider and a backend web…

The cloud is a constantly evolving, and oftentimes hostile, environment for security teams. Even the most well-designed security programs can fall victim to new attack vectors, complex multi-stage offensive activity, or even simple missed misconfigurations. Like disaster recovery plans, cloud security response processes are useless if they are not reviewed…

There has been a lot of dialogue concerning “supply chain attacks” recently, especially after the SolarWinds incident thrust it to the forefront. …

Cloud security best practices, as well as most compliance programs, require that logging be enabled for all in-scope services. However, that simple requirement — “enable logging” — comes with many followup questions. Is CloudTrail enough? How do I turn on logging for all these services? Aren’t logs collected by default…

Last week, I presented a talk at fwd:cloudsec titled “It’s Time to Rethink the Shared Security Responsibility Model.” I argued that the balance of responsibility for securing cloud infrastructure environments has shifted too far in the direction of cloud security and development teams who are overwhelmed with configuration options. …

Many engineers have found themselves in the unenviable position of being handed the keys to an AWS environment with absolutely no explanation of its contents, documentation, or training. Whether an employee leaves the company, teams are restructured, or your company acquires another, you will need to quickly audit the account…

After upgrading my Lambda functions from Node 10.x to 12.x, I saw the following error in my logs: Database error: SequelizeConnectionError: 139767860377472:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1929: Clearly my Lambda function was having trouble negotiating a TLS connection to an RDS instance. Because this is an older MySQL RDS instance (version 5.6), the newer TLS versions (1.1+) are not supported.