
TL;DR

Just want to see a list of services and how their data can be shared across AWS accounts? Click here. Spreadsheet version here.

Background

There are many strategies for organizing AWS accounts. Some organizations use a separate account for each environment — one for development, another for staging, and a third…


Over the past several years, I’ve lost count of the number of candidates I’ve interviewed for cloud, security, and development roles. …


AWS Cognito is a popular managed authentication service that provides support for integrated SAML 2.0-compliant identity providers (IdPs) such as Azure Active Directory, Okta, Auth0, OneLogin, and others.

One use case for Cognito is to serve as a middleware or proxy layer between an identity provider and a backend web…


The cloud is a constantly evolving, and oftentimes hostile, environment for security teams. Even the most well-designed security programs can fall victim to new attack vectors, complex multi-stage offensive activity, or even simple missed misconfigurations.

Like disaster recovery plans, cloud security response processes are useless if they are not reviewed…


There has been a lot of dialogue concerning “supply chain attacks” recently, especially after the SolarWinds incident thrust it to the forefront. …


Cloud security best practices, as well as most compliance programs, require that logging be enabled for all in-scope services. However, that simple requirement — “enable logging” — comes with many followup questions. Is CloudTrail enough? How do I turn on logging for all these services? Aren’t logs collected by default…


Last week, I presented a talk at fwd:cloudsec titled “It’s Time to Rethink the Shared Security Responsibility Model.” I argued that the balance of responsibility for securing cloud infrastructure environments has shifted too far in the direction of cloud security and development teams who are overwhelmed with configuration options. …


Many engineers have found themselves in the unenviable position of being handed the keys to an AWS environment with absolutely no explanation of its contents, documentation, or training. Whether an employee leaves the company, teams are restructured, or your company acquires another, you will need to quickly audit the account…


After upgrading my Lambda functions from Node 10.x to 12.x, I saw the following error in my logs:

Database error: SequelizeConnectionError: 139767860377472:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../deps/openssl/openssl/ssl/statem/statem_lib.c:1929:

Clearly my Lambda function was having trouble negotiating a TLS connection to an RDS instance. Because this is an older MySQL RDS instance (version 5.6), the newer TLS versions (1.1+) are not supported.

Some Googling suggested adding the following CLI flag when starting Node:

--tls-min-v1.0

However, we don’t have control over the CLI flags in Lambda. Fortunately, Node has an environment variable we can use instead:

NODE_OPTIONS=--tls-min-v1.0

Add this as an environment variable and your TLS errors should go away.

Side note: upgrade that endpoint to use TLS 1.2+!


Image from www.bluecoat.com licensed under Creative Commons

I recently saw a Twitter thread on AWS’s notorious public S3 bucket permissions issue. Some of the replies, especially from AWS folks defending AWS on the issue, got me thinking about whether there are additional improvements that can be made.

While it’s true that AWS has done a lot in…

Matt Fuller

Founder of @CloudSploit , acquired by @AquaSecTeam . Former Infra / Security / Manager @Adobe , @Aviary & @Mozilla intern, @RITtigers grad, @NYC resident
