There are many strategies for organizing AWS accounts. Some organizations use a separate account for each environment — one for development, another for staging, and a third for production. Others prefer to put each team or project in its own AWS account, resulting in hundreds or even thousands of accounts across the company. …
Over the past several years, I’ve lost count of the number of candidates I’ve interviewed for cloud, security, and development roles. I’m always amazed when we get to the last 15–20 minutes of the interview, I turn it over to the candidate to ask any questions they might have, and they have none.
What many candidates don’t realize is that, besides being an amazing opportunity to learn about the role, the team, and the company at which they’d potentially be spending the next several years of their lives, this time is also part of the interview. …
AWS Cognito is a popular managed authentication service that provides support for integrated SAML 2.0-compliant identity providers (IdPs) such as Azure Active Directory, Okta, Auth0, OneLogin, and others.
One use case for Cognito is to serve as a middleware or proxy layer between an identity provider and a backend web application. Instead of implementing support for SAML directly into the application (and dealing with the proper security configuration and variety of standards), developers can use Cognito to do the heavy lifting.
Many IdPs also support using groups for user management. This allows a user to rely on their Active Directory…
The cloud is a constantly evolving, and oftentimes hostile, environment for security teams. Even the most well-designed security programs can fall victim to new attack vectors, complex multi-stage offensive activity, or even simple missed misconfigurations.
Like disaster recovery plans, cloud security response processes are useless if they are not reviewed, practiced, and updated on a regular basis. In an ideal world, this is done quarterly as a cross-team effort among the security, compliance, infrastructure, and operations teams.
Despite all best efforts, new situations may arise at any time that have not been practiced previously. It’s important for security teams to…
There has been a lot of dialogue concerning “supply chain attacks” recently, especially after the SolarWinds incident thrust it to the forefront. When “supply chains” are discussed, most analysis tends to focus on that of the software supply chain — build systems, dependencies, libraries, and other components of the software package that can lead to unintended code execution.
In fact, this is what is believed to have been part of what was at play for SolarWinds; an unexpected piece of code was added to the software early enough in the build process that the final binary was still signed by…
Cloud security best practices, as well as most compliance programs, require that logging be enabled for all in-scope services. However, that simple requirement — “enable logging” — comes with many followup questions. Is CloudTrail enough? How do I turn on logging for all these services? Aren’t logs collected by default? What. even. is. a. log?
In AWS, logging, like most tasks, isn’t as simple as it seems it could be, due to an inconsistent use of defaults, differing destination logging services, and a variety of configuration options, sometimes hidden in layers of submenus and API parameters. …
Last week, I presented a talk at fwd:cloudsec titled “It’s Time to Rethink the Shared Security Responsibility Model.” I argued that the balance of responsibility for securing cloud infrastructure environments has shifted too far in the direction of cloud security and development teams who are overwhelmed with configuration options. This imbalance, I posited, is a driving cause of many of the breaches we see in cloud environments today.
One theme that emerged is that cloud providers can do more to reduce the complexity of their environments and make small changes to their default settings across the services they offer. Integration…
Many engineers have found themselves in the unenviable position of being handed the keys to an AWS environment with absolutely no explanation of its contents, documentation, or training. Whether an employee leaves the company, teams are restructured, or your company acquires another, you will need to quickly audit the account and get up to speed on its operation. Even worse, many of these inherited accounts are running production infrastructure that must be kept running during the transition period. Now that you’re responsible for this account, you will also be responsible for keeping it secure.
There is a wealth of documentation…
After upgrading my Lambda functions from Node 10.x to 12.x, I saw the following error in my logs:
Database error: SequelizeConnectionError: 139767860377472:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1929:
Clearly my Lambda function was having trouble negotiating a TLS connection to an RDS instance. Because this is an older MySQL RDS instance (version 5.6), the newer TLS versions (1.1+) are not supported.
Some Googling suggested to add the following CLI flag when starting Node:
However, we don’t have control over the CLI flags in Lambda. Fortunately, Node has an environment variable we can use instead:
Add this as an environment variable and your TLS errors should go away.
Side note: upgrade that endpoint to use TLS 1.2+!
I recently saw a Twitter thread on AWS’s notorious public S3 bucket permissions issue. Some of the replies, especially from AWS folks defending AWS on the issue, got me thinking about whether there are additional improvements that can be made.
While it’s true that AWS has done a lot in the past year to improve S3 bucket security, for some reason we’re still seeing breaches occur with a regular cadence. Something more is needed.
So I fired up my AWS console and started taking some notes. I don’t expect AWS to implement all of these suggestions (I don’t claim to…
Founder of @CloudSploit , acquired by @AquaSecTeam . Former Infra / Security / Manager @Adobe , @Aviary & @Mozilla intern, @RITtigers grad, @NYC resident