Amazon Web Services
AWS (Amazon Web Services) had their first security focused conference this year. It was basically an opportunity for AWS to release security related products and features but also create a gathering for security minded practitioners and those looking to consume security related information around AWS products.
If you have multiple AWS accounts, you more than likely are using AWS Organizations. A continually maturing feature of AWS Organizations is AWS Service Control Policies (SCP), which allows you to apply IAM like policies at the organizational level. This does require you to have your AWS Organizations, well, organized (excuse the pun) into OU's…
AWS Secrets Manager provides a way for you to store and retrieve secrets securely. They provide a really nice tutorial to help you get started. Looking to test and integrate this from the command line, I wanted to see how this extraction works and how it would look like if an application or wrapper was…
So you successfully ran Trusted Advisor, Scout2, Access Advisor, or hired an external firm to audit your AWS accounts? You found that the co-founder is still logging in using root keys and that you have security groups allowing 0.0.0.0/0 access from the internet. Not to mention the 20 developers offshore that are sharing the same IAM user and access keys. Oops!
Wait… Who Are You Again? A couple weeks ago, when logged into a website provider's admin panel, I found a strange user in my account with admin rights that I did not recognize! As you can imagine, this triggered all my alarms. I took a screenshot, removed their access, looked them up on LinkedIN, and…
Securing your application is not hard. Securing it in a completely new environment, without knowing the rules of the road, is. Take the time to learn the rules of the road and avoid cloud security speedbumps or accidents. Cloud Responsibly.
