AWS Morning Brief

AWS Morning Brief for the week of December 20, 2021 with Corey Quinn.

Links:The internet is now on fire:https://www.engadget.com/log4shell-vulnerability-log4j-155543990.htmlBlog post:https://blog.cloudflare.com/exploitation-of-cve-2021-44228-before-public-disclosure-and-evolution-of-waf-evasion-patterns/Expecting to be down for weeks:https://www.darkreading.com/attacks-breaches/kronos-suffers-ransomware-attack-expects-full-restoration-to-take-weeks-Update for the Apache Log4j2 Issue:https://aws.amazon.com/security/security-bulletins/AWS-2021-006/Log4Shell Vulnerability Tester at log4shell.huntress.com:https://log4shell.huntress.com/TranscriptCorey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it’s nobody in particular’s job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.Corey: It seems like there is a new security breach every day. Are you confident that an old SSH key or a shared admin account isn’t going to come back and bite you? If not, check out Teleport. Teleport is the easiest, most secure way to access all of your infrastructure. The open-source Teleport Access Plane consolidates everything you need for secure access to your Linux and Windows servers—and I assure you there is no third option there. Kubernetes clusters, databases, and internal applications like AWS Management Console, Yankins, GitLab, Grafana, Jupyter Notebooks, and more. Teleport’s unique approach is not only more secure, it also improves developer productivity. To learn more, visit goteleport.com. And no, that’s not me telling you to go away; it is, goteleport.com.Corey: I think I owe the entire internet a massive apology. See, last week I titled the episode, “A Somehow Quiet Security Week.” This is the equivalent of climbing to the top of a mountain peak during a violent thunderstorm, then waving around a long metal rod. While cursing God.So, long story short, the internet is now on fire due to a vulnerability in the log4j open-source logging library. Effectively, if you can get an arbitrary string into the logs of a system that uses a vulnerable version of the log4j library, it will make outbound network requests. It can potentially run arbitrary code.The impact is massive and this one’s going to be with us for years. WAF is a partial solution, but the only real answer is to patch to an updated version, or change a bunch of config options, or disallow affected systems from making outbound connections. Further, due to how thoroughly embedded in basically everything it is—like S3; more on that in a bit—a whole raft of software you run may very well be using this without your knowledge. This is, to be clear, freaking wild. I am deeply sorry for taunting fate last week. The rest of this issue of course talks entirely about this one enormous concern.Corey: This episode is sponsored in part by my friends at Cloud Academy. Something special for you folks: if you missed their offer on Black Friday or Cyber Monday or whatever day of the week doing sales it is, good news, they’ve opened up their Black Friday promotion for a very limited time. Same deal: $100 off a yearly plan, 249 bucks a year for the highest quality cloud and tech skills content. Nobody else is going to get this, and you have to act now because they have assured me this is not going to last for much longer. Go to cloudacademy.com, hit the ‘Start Free Trial’ button on the homepage and use the promo code, ‘CLOUD’ when checking out. That’s C-L-O-U-D. Like loud—what I am—with a C in front of it. They’ve got a free trial, too, so you’ll get seven days to try it out to make sure it really is a good fit. You’ve got nothing to lose except your ignorance about cloud. My thanks to Cloud Academy once again for sponsoring my ridiculous nonsense.Cloudflare has a blog post talking about the timeline of what they see as a global observer of exploitation attempts of this nonsense. They’re automatically shooting it down for all of their customers and users—to be clear, if you’re not paying for a service you are not its customer, you’re a marketing expense—and they’re doing this as part of the standard service they provide. Meanwhile AWS’s WAF has added the ruleset to its AWSManagedRulesKnownBadInputsRuleSet—all one word—managed rules—wait a minute; they named it that? Oh, AWS. You sad, ridiculous service-naming cloud. But yeah, you have to enable AWS WAF, for which there is effectively no free tier, and configure this rule to get its protection, as I read AWS’s original update. I’m sometimes asked why I use CloudFlare as my CDN instead of AWS’s offerings. Well, now you know.Also, Kronos, an HR services firm, won the ransomware timing lottery. They’re expecting to be down for weeks, but due to the log4shell—which is what they’re calling this exploit: The log4shell problem—absolutely nobody is paying attention to companies that are having ransomware problems or data breaches. Good job, Kronos.Now, what did AWS have to say? Well, they have an ongoing “Update for the Apache Log4j2 Issue” and they’ve been updating it as they go. But at the time of this recording, AWS is a Java shop, to my understanding.That means that basically everything internet-facing at AWS—which is, you know, more or less everything they sell—has some risk exposure to this vulnerability. And AWS has moved with a speed that can only be described as astonishing, and mitigated this on their managed services in a timeline I wouldn’t have previously believed possible given the scope and scale here. This is the best possible argument to make for using higher-level managed services instead of building your own things on top of EC2. I just hope they’re classy enough not to use that as a marketing talking point.And for the tool of the week, the Log4Shell Vulnerability Tester at log4shell.huntress.com automatically generates a string and then lets you know when that is exploited by this vulnerability what systems are connecting to is. Don’t misuse it obviously, but it’s great for validating whether a certain code path in your environment is vulnerable. And that’s what happened last week in AWS Security, and I just want to say again how deeply, deeply sorry I am for taunting fate and making everyone’s year suck. I’ll talk to you next week, if I live.Corey: Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Ple...

Want to give your ears a break and read this as an article? You’re looking for this link.https://www.lastweekinaws.com/blog/lessons-in-trust-from-us-east-1 Never miss an episodeJoin the Last Week in AWS newsletterSubscribe wherever you get your podcastsHelp the showLeave a reviewShare your feedbackSubscribe wherever you get your podcastsWhat's Corey up to?Follow Corey on Twitter (@quinnypig)See our recent work at the Duckbill GroupApply to work with Corey and the Duckbill Group to help lower your AWS bill

AWS Morning Brief for the week of December 13, 2021 with Corey Quinn.

Links:Cyber-security insurance providers are increasing their requirements to be insurable: https://Twitter.com/SwiftOnSecurity/status/1467879429707866112“Why the C-suite doesn’t need access to all corporate data”: https://www.darkreading.com/vulnerabilities-threats/why-the-c-suite-doesn-t-need-access-to-all-corporate-data“Amazon S3 Object Ownership can now disable access control lists to simplify access management for data in S3”: https://aws.amazon.com/about-aws/whats-new/2021/11/amazon-s3-object-ownership-simplify-access-management-data-s3/Cloud provider security mistakes: https://github.com/SummitRoute/csp_security_mistakesTranscriptCorey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it’s nobody in particular’s job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.Corey: Are you building cloud applications with a distributed team? Check out Teleport, an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT: SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers. Get access to everything via single sign-on with multi-factor. List and see all of SSH servers, Kubernetes clusters, or databases available to you in one place, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That’s goteleport.com.Corey: re:Invent has come and gone, and with it remarkably few security announcements. Shockingly, it was a slow week for the industry. I’m glad but also disappointed to be proven wrong in my, “The only thing you, as a company who isn’t AWS, should be announcing during re:Invent is your data breach since nobody will be paying attention,” snark. But it’s for the best. It means that maybe—maybe—we’re starting to see things normalize a bit.Now, from the Community, we saw some interesting stuff. Scuttlebutt has it that cyber-security insurance providers are increasing their requirements to be insurable. This makes a lot of sense; as ransomware attacks become more numerous, nobody is going to want to cut large insurance checks to folks who didn’t think to have offline backups. You might want to check the specific terms and conditions of your policy.I also liked a writeup as to “Why the C-suite doesn’t need access to all corporate data.” It’s true, but it’s super hard to defend against. When the CTO ‘requests’ access to the AWS root account, who’s likely to say no? If you’re going to push for proper separation of duties, either do it the right way or don’t even bother.Corey: This episode is sponsored in part by my friends at Cloud Academy. Something special for you folks: if you missed their offer on Black Friday or Cyber Monday or whatever day of the week doing sales it is, good news, they’ve opened up their Black Friday promotion for a very limited time. Same deal: $100 off a yearly plan, 249 bucks a year for the highest quality cloud and tech skills content. Nobody else is going to get this, and you have to act now because they have assured me this is not going to last for much longer. Go to cloudacademy.com, hit the ‘Start Free Trial’ button on the homepage and use the promo code, ‘CLOUD’ when checking out. That’s C-L-O-U-D. Like loud—what I am—with a C in front of it. They’ve got a free trial, too, so you’ll get seven days to try it out to make sure it really is a good fit. You’ve got nothing to lose except your ignorance about cloud. My thanks to Cloud Academy once again for sponsoring my ridiculous nonsense.Corey: And from AWS, there was really one glaring announcement that made me happy in the security context, and that was that “Amazon S3 Object Ownership can now disable access control lists to simplify access management for data in S3,” and it’s huge. S3 ACLs have been a pain in everyone’s side for years. Remember that S3 was the first AWS service to general availability, and a second in beta, after SQS. Meanwhile, IAM wasn’t released until 2010. “Ignore bucket ACLs so you don’t have to think about them” is a huge step towards normalizing security within AWS, specifically S3.And from the community's tools—I guess it’s not a tool so much as it is a tip or I don’t even know how you would describe it but I love it because Scott Piper is doing the lord’s work by curating a list of cloud provider security mistakes. Lord knows that none of them are going to be showcasing their own failures, or—thankfully—those of their competition because I don’t want to get in the middle of that mudslinging prize. This is well worth checking out and taking a look at, particularly when one provider or another starts getting a little too full of themselves around what they’re doing in security. That’s what happened last week in AWS security. Thank you for listening.Corey: Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.Announcer: This has been a HumblePod production. Stay humble.

Want to give your ears a break and read this as an article? You’re looking for this link. https://www.lastweekinaws.com/blog/how-aws-measures-its-customers Never miss an episodeJoin the Last Week in AWS newsletterSubscribe wherever you get your podcastsHelp the showLeave a reviewShare your feedbackSubscribe wherever you get your podcastsWhat's Corey up to?Follow Corey on Twitter (@quinnypig)See our recent work at the Duckbill GroupApply to work with Corey and the Duckbill Group to help lower your AWS bill

Releasees of re:Invent LyricsAWS Backup speaks S3Systems Manager: RDPImprovements have hit Control TowerSystems Manager speaks GreengrassEvidently's name sucks ass(It does A/B testing by the hour)Streams in KinesisEMR and JesusMSK are now ServerlessRedshift is tooAnd this one should please youFSx supports OpenZFSMake development fasterWithout a disasterToo dangerous to go aloneYou might give them a slappin'For making this happenBut please go check out HoneyCombData Transfer new Free TierSlightly more free as in beerSo your bill is a bit less absurdDon't use CloudWatch RUMAWS is your chumIn the bloody sense of the wordThey can't remain namelessThank You to BlamelessFor helping out with SREIt goes beyond on-callAnd most importantly of allFingers aren’t pointing at meDMS Fleet AdvisorThe Sages get wiser(SageMaker got features but I just don't care)Now let’s show more respectTo our friend FSx’sOpenZFS support if you unawareIt impressed me a boatloadAmplify Studio's Low CodeBut Amazon's scared of that phraseDigital TwinMakerStuff for data lakersOpenZFS deserves so much praiseRoboRunner runs robotsArchive for EBS snapshotsIn case all your instances crashIf your users all sinEBS Snapshot Recycle BinBut they likely belong in the trash“Cloud WAN” “Evidently” “Private 5G” “Snow Family”And SageMaker Ground Truth PlusBut I won't be shamingSince the one person namingThings well just got hit by a busThanks go to NetlifyMore deadly than Jai AlaiTo AWS's clear JAMstack flexSure you could use S3ACM CloudFront and Route53That's just Netlify with extra stepsCDK V2 sounds like a bustSDKs for Swift Kotlin and RustConstruct Hub has launched into GANetwork Analyzer for VPCDisable ACLs in S3Storage admins will have a field dayBlock regions within Control TowerCompute optimizer bills you per picohourNow the Snow Family speaks tapeWorkspaces Web does you favorsEC2 has many more flavorsBut I still go for Cherry and GrapeYou knew this was comingBecause for four years runningIt's sponsored by ChaosSearchIt speaks just like ElasticNow does SQL more drasticIf you want to spend moreThen get out of my churchStuff for the telecom sectorThere's a new InspectorThat's sneakily powered by SnykResilience Hub to fight failureThe Karpenter auto-scaler'sEither written in Go or in GreekSo Amazon is transitioningThank you for listeningTo all of the nonsense I sayNow I’m going homeWhere I can be aloneAnd I’ll probably be sleeping ‘till May.

AWS Morning Brief for Day 5 of re:Quinnvent on Friday, December 5 with Corey Quinn.

AWS Morning Brief for Day 4 of re:Quinnvent on Thursday, December 2 with Corey Quinn.

Links:Cost of a Data Breach Report: https://securityintelligence.com/cost-of-data-breach-bottom-line/Got its ass handed to it in a security breach last week: https://threatpost.com/Godaddys-latest-breach-customers/176530/Millions of Brazilians: https://www.zdnet.com/article/millions-of-brazilians-exposed-in-wi-fi-management-software-firm-leak/“You can now securely connect to your Amazon MSK clusters over the internet”: https://aws.amazon.com/about-aws/whats-new/2021/11/securely-connect-amazon-msk-clusters-over-internet/“AWS Security Profiles: Megan O’Neil, Sr. Security Solutions Architect”: https://aws.amazon.com/blogs/security/aws-security-profiles-megan-oneil-sr-security-solutions-architect/AWS Security Profiles: Merritt Baer, Principal in OCISO: https://aws.amazon.com/blogs/security/aws-security-profiles-merritt-baer-principal-in-ociso/Super important things to know: https://github.com/SummitRoute/aws_breaking_changes/issues/56Permissions.cloud: https://aws.permissions.cloud/TranscriptCorey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it’s nobody in particular’s job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.Corey: This episode is sponsored in part by LaunchDarkly. Take a look at what it takes to get your code into production. I’m going to just guess that it’s awful because it’s always awful. No one loves their deployment process. What if launching new features didn’t require you to do a full-on code and possibly infrastructure deploy? What if you could test on a small subset of users and then roll it back immediately if results aren’t what you expect? LaunchDarkly does exactly this. To learn more, visit launchdarkly.com and tell them Corey sent you, and watch for the wince.Corey: “Security is Job Zero” according to AWS. Next week I’ll have a fair bit on that I suspect, since this week is re:Invent. Let’s see what happened before the storm hit.IBM put out its annual Cost of a Data Breach Report which is interesting, but personally I find it genius. This is how you pollute SEO for the search term ‘IBM Data Breach’, which is surely just a matter of time if it hasn’t already happened.Speaking of, GoDaddy effectively got its ass handed to it in a security breach last week. We found out of course via an SEC filing instead of GoDaddy doing the smart thing and proactively getting in front of it. Apparently they were breached for at least two-and-a-half months, nobody noticed, and 1.2 million people got their admin creds stolen. I can’t stress enough that you should not be doing business with GoDaddy.And to complete the trifecta, ‘Millions of Brazilians’ is a fun thing to say unless you’re talking about who’s been victimized by an S3 Bucket Negligence Award; then nobody’s having fun at all.The AWS security blog had a few things to say. “You can now securely connect to your Amazon MSK clusters over the internet.” Wait, what? What the hell was going on before? Were you unable to access the clusters over the internet, or were you able to do so but it was insecurely? This is terrifying framing.“AWS Security Profiles: Megan O’Neil, Sr. Security Solutions Architect.” I really dig these! The problem is that the AWS security blog only really seems to put these out around major AWS conferences when there’s a bunch of other announcements. I’d love it if more of the AWS blogs would do periodic “The faces, voices, and people that power AWS” profiles because I assure you, most of the people building the magic never take the stage at these conferences.There was another profile of Merritt Baer. Who is a principal in the office of the CISO, and she’s an absolute delight. One of these days, post-pandemic, we’re going to try and record some kind of video or other, just so we can name it “Quinn and Baer it.”Corey: This episode is sponsored in part by something new. Cloud Academy is a training platform built on two primary goals: having the highest quality content in tech and cloud skills, and building a good community that is rich and full of IT and engineering professionals. You wouldn’t think those things go together, but sometimes they do. It’s both useful for individuals and large enterprises, but here’s what makes this something new—I don’t use that term lightly—Cloud Academy invites you to showcase just how good your AWS skills are. For the next four weeks, you’ll have a chance to prove yourself. Compete in four unique lab challenges where they’ll be awarding more than $2,000 in cash and prizes. I’m not kidding: first place is a thousand bucks. Pre-register for the first challenge now, one that I picked out myself on Amazon SNS image resizing, by visiting cloudacademy.com/corey—C-O-R-E-Y. That’s cloudacademy.com/corey. We’re going to have some fun with this one.Corey: And of course, “Macie Classic alerts that derive from AWS CloudTrail global service events for AWS Identity and Access Management (IAM) and AWS Security Token Service (STS) API calls will be retired (no longer generated) in the us-west-2 (Oregon) AWS Region.” See, that’s one of those super important things to know, and I hate how AWS buries it. That said, don’t use Macie Classic because it is horrifyingly expensive compared to modern Macie.And from the tools and tricks area, I discovered permissions.cloud last week and it’s great. The website uses a variety of information gathered within the IAM dataset and then exposes that information in a clean, easy-to-read format. It’s there to provide an alternate community-driven source of truth for AWS identity. It’s gorgeous as well, so you know it’s not an official AWS product.And that’s what happened in AWS security. Thank you for listening. I’ll talk to you n...