AWS Morning Brief

Want to give your ears a break and read this as an article? You’re looking for this link.https://www.lastweekinaws.com/blog/google-cloud-alters-the-dealNever miss an episodeJoin the Last Week in AWS newsletterSubscribe wherever you get your podcastsHelp the showLeave a reviewShare your feedbackSubscribe wherever you get your podcastsWhat's Corey up to?Follow Corey on Twitter (@quinnypig)See our recent work at the Duckbill GroupApply to work with Corey and the Duckbill Group to help lower your AWS bill

AWS Morning Brief for the week of March 21, 2022 with Corey Quinn.

Links:Links Referenced:Couchbase Capella: https://couchbase.com/screaminginthecloudcouchbase.com/screaminginthecloud: https://couchbase.com/screaminginthecloudblog post: https://awsteele.com/blog/2022/02/03/aws-vpc-data-exfiltration-using-codebuild.htmlAutoWarp: https://orca.security/resources/blog/autowarp-microsoft-azure-automation-service-vulnerability/“Google Announces Intent to Acquire Mandiant”: https://www.googlecloudpresscorner.com/2022-03-08-mgcpassword table: https://www.hivesystems.io/blog/are-your-passwords-in-the-greenNew Relic: http://newrelic.comnewrelic.com/morningbrief: http://newrelic.com/morningbriefnewrelic.com/morningbrief: http://newrelic.com/morningbriefDirtyPipe: https://www.theregister.com/2022/03/08/in_brief_security/“Manage AWS resources in your Slack channels with AWS Chatbot”: https://aws.amazon.com/blogs/mt/manage-aws-resources-in-your-slack-channels-with-aws-chatbot/“How to set up federated single-sign-on to AWS using Google Workspace”: https://aws.amazon.com/blogs/security/how-to-set-up-federated-single-sign-on-to-aws-using-google-workspace/Cloudsaga: https://github.com/awslabs/aws-cloudsagalastweekinaws.com: https://lastweekinaws.comTranscriptCorey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it’s nobody in particular’s job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.Corey: Couchbase Capella Database-as-a-Service is flexible, full-featured, and fully managed with built-in access via key-value, SQL, and full-text search. Flexible JSON documents aligned to your applications and workloads. Build faster with blazing fast in-memory performance and automated replication and scaling while reducing cost. Capella has the best price performance of any fully managed document database. Visit couchbase.com/screaminginthecloud to try Capella today for free and be up and running in three minutes with no credit card required. Couchbase Capella: Make your data sing.Hello and welcome to Last Week in AWS Security. A lot has happened; let’s tear into it.So, there was a “Sort of yes, sort of no” security issue with CodeBuild that I’ve talked about previously. The blog post I referenced has, in fact, been updated. AWS has stated that, “We have updated the CodeBuild service to block all outbound network access for newly created CodeBuild projects which contain a customer-defined VPC configuration,” which indeed closes the gap. I love happy endings.On the other side, oof. Orca Security found a particularly nasty Azure breach called AutoWarp. You effectively could get credentials for other tenants by simply asking a high port on localhost for them via curl or netcat. This is bad enough; I’m dreading the AWS equivalent breach in another four months of them stonewalling a security researcher if the previous round of their nonsense silence about security patterns is any indicator.“Google Announces Intent to Acquire Mandiant”. This is a big deal. Mandiant has been a notable center of excellent cybersecurity talent for a long time. Congratulations or condolences to any Mandoogles in the audience. Please let me know how the transition goes for you.Hive Systems has updated its password table for 2022, which is just a graphic that shows how long passwords of various levels of length and complexity would take to break on modern systems. The takeaway here is to use long passwords and use a password manager.Corey: You know the drill: You’re just barely falling asleep and you’re jolted awake by an emergency page. That’s right, it’s your night on call, and this is the bad kind of Call of Duty. The good news is, is that you’ve got New Relic, so you can quickly run down the incident checklist and find the problem. You have an errors inbox that tells you that Lambdas are good, RUM is good, but something’s up in APM. So, you click the error and find the deployment marker where it all began. Dig deeper, there’s another set of errors. What is it? Of course, it’s Kubernetes, starting after an update. You ask that team to roll back and bam, problem solved. That’s the value of combining 16 different monitoring products into a single platform: You can pinpoint issues down to the line of code quickly. That’s why the Dev and Ops teams at DoorDash, GitHub, Epic Games, and more than 14,000 other companies use New Relic. The next late-night call is just waiting to happen, so get New Relic before it starts. And you can get access to the whole New Relic platform at 100 gigabytes of data free, forever, with no credit card. Visit newrelic.com/morningbrief that’s newrelic.com/morningbrief.And of course, another week, another terrifying security concern. This one is called DirtyPipe. It’s in the Linux kernel, and the name is evocative of something you’d expect to see demoed onstage at re:Invent.Now, what did AWS have to say? Two things. The first is “Manage AWS resources in your Slack channels with AWS Chatbot”. A helpful reminder that it’s important to restrict access to your AWS production environment down to just the folks at your company who need access to it. Oh, and to whomever can access your Slack workspace who works over at Slack, apparently. We don’t talk about that one very much, now do we?And the second was, “How to set up federated single-sign-on to AWS using Google Workspace”. This is super-aligned with what I want to do, but something about the way that it’s described makes it sounds mind-numbingly complicated. This isn’t a problem that’s specif...

Want to give your ears a break and read this as an article? You’re looking for this link.https://www.lastweekinaws.com/blog/my-mental-model-of-aws-regionsNever miss an episodeJoin the Last Week in AWS newsletterSubscribe wherever you get your podcastsHelp the showLeave a reviewShare your feedbackSubscribe wherever you get your podcastsWhat's Corey up to?Follow Corey on Twitter (@quinnypig)See our recent work at the Duckbill GroupApply to work with Corey and the Duckbill Group to help lower your AWS bill

AWS Morning Brief for the week of March 14, 2022 with Corey Quinn.

Links:The Register:https://www.theregister.com/2022/02/28/tech_response_to_ukraine/“WTF is Cloud Native Data Security?”:https://blog.container-solutions.com/wtf-is-cloud-native-data-securityImdsv2 wall of shame:https://github.com/SummitRoute/imdsv2_wall_of_shame/blob/main/README.md“Piercing the Cloud Armor”:https://kloudle.com/blog/piercing-the-cloud-armor-the-8kb-bypass-in-google-cloud-platform-wafVia a third-party:https://www.theregister.com/2022/03/03/amazon_alexa_speaker_vuln/“Streamlining evidence collection with AWS Audit Manager”:https://aws.amazon.com/blogs/security/streamlining-evidence-collection-with-aws-audit-manager/Security assessment solution:https://github.com/awslabs/aws-security-assessment-solutionDomain Protect:https://github.com/ovotech/domain-protectTranscriptCorey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it’s nobody in particular’s job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.Corey: This episode is sponsored in part by our friends at Sysdig. Sysdig is the solution for securing DevOps. They have a blog post that went up recently about how an insecure AWS Lambda function could be used as a pivot point to get access into your environment. They’ve also gone deep in-depth with a bunch of other approaches to how DevOps and security are inextricably linked. To learn more, visit sysdig.com and tell them I sent you. That’s S-Y-S-D-I-G dot com. My thanks to them for their continued support of this ridiculous nonsense.Corey: Well, oops. Last week in the newsletter version of this podcast I used the wrong description for a link. On the plus side, I do find myself wondering if anyone hunts down the things I talk about on this podcast and the newsletter I send out, and now I know an awful lot of you do. And you have opinions about the correctness of my links. The actual tech company roundup that I linked to last week was, in fact, not an AWS blog post about QuickSight community—two words that are an oxymoron if ever two were—but instead a roundup in The Register. My apologies for the oversight. Now, let’s dive into what happened last week in the wide world of AWS security.In my darker moments, I find myself asking a very blunt question: “WTF is Cloud Native Data Security?” I confess it never occurred to me to title a blog post with that question, and this article I found with that exact title is in fact one of the better ones I’ve read in recent days. Check it out if the subject matter appeals to you even slightly because you’re in for a treat. There’s a lot to unpack here.Scott Piper has made good on his threat to publish a imdsv2 wall of shame. So far, two companies have been removed from the list for improving their products’ security posture—I know, it’s never happened before—but this is why we care about these things. It’s not to make fun of folks; it’s to make this industry better than it was.A while back I talked about various cloud WAFs—most notably AWS’s—having a fun and in-hindsight-obvious flaw of anything above 8KB just sort of dances through the protective layer. Well, even Google and its, frankly, impressive security apparatus isn’t immune. There’s an article called “Piercing the Cloud Armor” that goes into it. This stuff is hard, but honestly, this is kind of a recurring problem. I’m sort of wondering, “Well, what if we make the packet bigger?” Wasn’t that the whole problem with the Ping of Death, back in the ’80s? Why is that still a thing now?Corey: This episode is sponsored in part by LaunchDarkly. Take a look at what it takes to get your code into production. I’m going to just guess that it’s awful because it’s always awful. No one loves their deployment process. What if launching new features didn’t require you to do a full-on code and possibly infrastructure deploy? What if you could test on a small subset of users and then roll it back immediately if results aren’t what you expect? LaunchDarkly does exactly this. To learn more, visit launchdarkly.com and tell them Corey sent you, and watch for the wince.And of course, a now patched vulnerability in Amazon Alexa meant that the speaker could activate itself. Because it’s a security problem with an Amazon product that I’ve paid for, I of course learn about this via a third-party talking about it. Man, my perspective on Amazon’s security messaging as a whole has gone from glowing to in the toilet remarkably quickly this year. And it’s their own damn fault.Now, AWS had a single post of note here called “Streamlining evidence collection with AWS Audit Manager”. This post slash quote-unquote “Solution” highlights a concern that’s often overlooked by security folks. It very innocently talks about collecting evidence for an audit, which is perfectly reasonable.You need evidence that your audit controls are being complied with. Now, picture someone walking past a room where you’re talking about this, and all they hear is “Evidence collection.” Maybe they’re going to feel like there’s more going on here than an audit. Perhaps they’re going to let their guilty conscience—and I assure you, everyone has one—run wild with fears that whatever imagined transgression they’ve committed has been discovered? Remember the human.And of course, I found two tools in open-source universe that might be of interest to folks. The first: AWS has open-sourced a security assessment solution to use Prowler and ScoutSuite that scan your environment. It’s handy, but I’m having a hell of a hard time reconciling its self-described ‘inexpensive’ with ‘it deploys a Managed NAT gateway.’And Domain Protect—an open-source project with a surprisingly durable user interface—scans dangling DNS entries to validate that you’re not, y’know, leaving a domain of yours open to exploit. You’re going to want to pay attention to this vector, but we haven’t for 15 years, so why would we start now? And that’s what happened last week in the w...

Want to give your ears a break and read this as an article? You’re looking for this link.https://www.lastweekinaws.com/blog/handling-secrets-with-awsNever miss an episodeJoin the Last Week in AWS newsletterSubscribe wherever you get your podcastsHelp the showLeave a reviewShare your feedbackSubscribe wherever you get your podcastsWhat's Corey up to?Follow Corey on Twitter (@quinnypig)See our recent work at the Duckbill GroupApply to work with Corey and the Duckbill Group to help lower your AWS bill

AWS Morning Brief for the week of March 7, 2022 with Corey Quinn.

Links:Charlie Bell in the Wall Street JournalThe Register’s RoundupMelijoe.com’s awardAWS AnnouncementGrantedTranscriptCorey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it’s nobody in particular’s job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.Corey: Couchbase Capella Database-as-a-Service is flexible, full-featured, and fully managed with built-in access via key-value, SQL, and full-text search. Flexible JSON documents aligned to your applications and workloads. Build faster with blazing fast in-memory performance and automated replication and scaling while reducing cost. Capella has the best price performance of any fully managed document database. Visit couchbase.com/screaminginthecloud to try Capella today for free and be up and running in three minutes with no credit card required. Couchbase Capella: Make your data sing.Corey: We begin with a yikes because suddenly the world is aflame and of course there are cybersecurity considerations to that. I’m going to have more on that to come in future weeks because my goal with this podcast is to have considered takes, not the rapid-response, alarmist, the-world-is-ending ones. There are lots of other places to find those. So, more to come on that.In happier news, your favorite Cloud Economist was quoted in the Wall Street Journal last week, talking about how staggering Microsoft’s security surface really is. And credit where due, it’s hard to imagine a better person for the role than Charlie Bell. He’s going to either fix a number of systemic problems at Azure or else carve his resignation letter into Satya Nadella’s door with an axe. I really have a hard time envisioning a third outcome.A relatively light week aside from that. The Register has a decent roundup of how various companies are responding to Russia’s invasion of a sovereign country. Honestly, the solidarity among those companies is kind of breathtaking. I didn’t have that on my bingo card for the year.Corey: You know the drill: You’re just barely falling asleep and you’re jolted awake by an emergency page. That’s right, it’s your night on call, and this is the bad kind of Call of Duty. The good news is, is that you’ve got New Relic, so you can quickly run down the incident checklist and find the problem. You have an errors inbox that tells you that Lambdas are good, RUM is good, but something’s up in APM. So, you click the error and find the deployment marker where it all began. Dig deeper, there’s another set of errors. What is it? Of course, it’s Kubernetes, starting after an update. You ask that team to roll back and bam, problem solved. That’s the value of combining 16 different monitoring products into a single platform: You can pinpoint issues down to the line of code quickly. That’s why the Dev and Ops teams at DoorDash, GitHub, Epic Games, and more than 14,000 other companies use New Relic. The next late-night call is just waiting to happen, so get New Relic before it starts. And you can get access to the whole New Relic platform at 100 gigabytes of data free, forever, with no credit card. Visit newrelic.com/morningbrief that’s newrelic.com/morningbrief.Corey: If you expose 200GB of data it’s bad. If that data belongs to customers, it’s worse. If a lot of those customers are themselves children, it’s awful. But if you ignore reports about the issue, leave the bucket open, and only secure it after your government investigates you for ignoring it under the GDPR, you are this week’s S3 Bucket Negligence Awardwinner and should probably be fired immediately.AWS had a single announcement of note last week. “Fine-tune and optimize AWS WAF Bot Control mitigation capability”, and it’s super important because, with WAF and Bot Control, the failure mode in one direction of a service like this is that bots overwhelm your site. The failure mode in the other direction is that you start blocking legitimate traffic. And the worst failure mode is that both of these happen at the same time.And a new tool I’m kicking the tires on, Granted. It’s apparently another way of logging into a bunch of different AWS accounts, so it’s time for me to kick the tires on that because I consistently have problems with that exact thing. And that’s what happened last week in AWS security which, let’s be clear, is not the most important area of the world to be focusing on right now. Thanks for listening; I’ll talk to you next week.Corey: Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.Announcer: This has been a HumblePod production. Stay humble.

Want to give your ears a break and read this as an article? You’re looking for this link.https://www.lastweekinaws.com/blog/status-paging-youNever miss an episodeJoin the Last Week in AWS newsletterSubscribe wherever you get your podcastsHelp the showLeave a reviewShare your feedbackSubscribe wherever you get your podcastsWhat's Corey up to?Follow Corey on Twitter (@quinnypig)See our recent work at the Duckbill GroupApply to work with Corey and the Duckbill Group to help lower your AWS bill