AWS Morning Brief

Corey Quinn
Dec 1, 2021 • 5min

re:Quinnvent Day 3

AWS Morning Brief for Day 3 of re:Quinnvent on Wednesday, December 1 with Corey Quinn.
Dec 1, 2021 • 9min

Amazon Linux 2022: Codename setenforce 0

Want to give your ears a break and read this as an article? You’re looking for this link: https://www.lastweekinaws.com/blog/amazon-linux-2022-codename-setenforce-0
Nov 30, 2021 • 4min

re:Quinnvent Day 2

AWS Morning Brief for Day 2 of re:Quinnvent on Tuesday, November 30 with Corey Quinn.
Nov 29, 2021 • 5min

re:Quinnvent Day 1

AWS Morning Brief for Day 1 of re:Quinnvent on Monday, November 29th, 2021 with Corey Quinn.
Nov 29, 2021 • 12min

re:Quinnvent Week

AWS Morning Brief for the week of November 29, 2021 with Corey Quinn.
Nov 25, 2021 • 7min

AWS Security Services Cost More Than The Breach

Links:
$1.3 billion in funding: https://www.reuters.com/technology/cloud-security-startup-lacework-valued-83-bln-after-mammoth-funding-round-2021-11-18/
NSA and CISA: https://www.csoonline.com/article/3640576/6-key-points-of-the-new-cisansa-5g-cloud-security-guidance.html
Fined by Singapore’s regulatory authority: https://www.theregister.com/2021/11/18/redoorz_fined_for_massive_data_leak/
4 Security Questions to Ask About Your Salesforce Application: https://www.toolbox.com/it-security/security-vulnerabilities/guest-article/security-questions-to-ask-about-salesforce-application/
Managing temporary elevated access to your AWS environment: https://aws.amazon.com/blogs/security/managing-temporary-elevated-access-to-your-aws-environment/
Everything you wanted to know about trusts with AWS Managed Microsoft AD: https://aws.amazon.com/blogs/security/everything-you-wanted-to-know-about-trusts-with-aws-managed-microsoft-ad/
Trailscraper: https://github.com/flosell/trailscraper

Transcript

Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it’s nobody in particular’s job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.

Corey: Writing ad copy to fit into a 30-second slot is hard, but if anyone can do it the folks at Quali can. Just like their Torque infrastructure automation platform can deliver complex application environments anytime, anywhere, in just seconds instead of hours, days, or weeks. Visit Qtorque.io today, and learn how you can spin up application environments in about the same amount of time it took you to listen to this ad.

Corey: Happy Thanksgiving. Lacework raised an eye-popping $1.3 billion in funding last week. I joke about it being a result of them sponsoring this podcast, for which I thank them, but that’s not the entire story. “Why would someone pay for Lacework when AWS offers a bunch of security services?” is a reasonable question. The answer is that AWS offers a bunch of security services, doesn’t articulate how they all fit together super well, and the cost of running them all on a busy account likely exceeds the cost of a data breach. Security has to be simple to understand. An architecture diagram that looks busier than a London Tube map is absolutely not that. Cloud services are complex, but inside of that complexity lies a lot of room for misconfiguration. Being condescendingly told after the fact about AWS’s Shared Responsibility Model is cold comfort. Vendors who can simplify that story and deliver on that promise stand to win massively here.

Now, let’s see what happened last week. The NSA and CISA have a new set of security guidelines for 5G networks. I’m sorry, but what about this is specific to 5G networks? It’s all about zero trust, assuming that any given node inside the perimeter might be compromised, and the like. None of this is particularly germane to 5G, so I’ve got to ask, what am I missing?

A company called RedDoorz—spelled with a Z, because of course it is—was fined by Singapore’s regulatory authority for leaking 5.9 million records. That’s good. The fine was $54,456 USD, which seems significantly less good? I mean, that’s “Cost of doing business” territory when you’re talking about data breaches. In an ideal world it would hurt a smidgen more as a goad to inspire companies to do better than they are? Am I just a dreamer here?

I found a list of 4 Security Questions to Ask About Your Salesforce Application, and it is great, and I don’t give a toss about the Salesforce aspect of it. They are, one, who are the users with excessive privileges? Two, what would happen if a legitimate user started acting in a suspicious way? Three, what would happen if a threat actor gained access to sensitive data through a poor third-party integration? And, four, what would happen if your incident log is not properly configured? These are important questions to ask about basically every application in your environment. I promise, you probably won’t like the answers—but attackers ask them constantly. You should, too.

Corey: This episode is sponsored in part by something new. Cloud Academy is a training platform built on two primary goals: having the highest quality content in tech and cloud skills, and building a good community that is rich and full of IT and engineering professionals. You wouldn’t think those things go together, but sometimes they do. It’s both useful for individuals and large enterprises, but here’s what makes this something new—I don’t use that term lightly—Cloud Academy invites you to showcase just how good your AWS skills are. For the next four weeks, you’ll have a chance to prove yourself. Compete in four unique lab challenges where they’ll be awarding more than $2,000 in cash and prizes. I’m not kidding: first place is a thousand bucks. Pre-register for the first challenge now, one that I picked out myself on Amazon SNS image resizing, by visiting cloudacademy.com/corey—C-O-R-E-Y. That’s cloudacademy.com/corey. We’re going to have some fun with this one.

Corey: Now, from the mouth of AWS horse, there was an interesting article there. Managing temporary elevated access to your AWS environment. Now, this post is complicated, but yes, ideally users shouldn’t be using accounts with permissions to destroy production in day-to-day use; more restricted permissions should be used for daily work, and then people elevate to greater permissions only long enough to perform a task that requires them. That’s the Linux ‘sudo’ model. Unfortunately, implementing this is hard and ‘sudo zsh’ is often the only command people ever run from their non-admin accounts.

And one more. Everything you wanted to know about trusts with AWS Managed Microsoft AD. Look, I don’t touch these things myself basically ever. I haven’t done anything with Active Directory since the mid-naughts, and I don’t want to know anything...
Nov 24, 2021 • 9min

The AWS Managed NAT Gateway is Unpleasant and Not Recommended

Want to give your ears a break and read this as an article? You’re looking for this link: https://www.lastweekinaws.com/blog/The-AWS-Managed-NAT-Gateway-is-Unpleasant-and-Not-Recommended
Nov 22, 2021 • 12min

Benjamin Button, AWS Monitron Product Manager

AWS Morning Brief for the week of November 22, 2021 with Corey Quinn.
Nov 18, 2021 • 6min

Cloud Security Should Be Boring

Links:
re:Quinnvent: https://www.requinnvent.com
“ChaosDB: Researchers Share Technical Details of Azure Flaw”: https://www.darkreading.com/cloud/chaosdb-researchers-share-technical-details-of-azure-flaw
“Hackers Apologize to Arab Royal Families for Leaking Their Data”: https://www.vice.com/en/article/n7nw8m/conti-ransomware-hackers-apologize-to-arab-royal-families-for-leaking-their-data
AWS Artifact: https://aws.amazon.com/artifact/
Policy Sentry: https://github.com/salesforce/policy_sentry
Prowler: https://github.com/toniblyx/prowler

Transcript

Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it’s nobody in particular’s job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.

Corey: Writing ad copy to fit into a 30-second slot is hard, but if anyone can do it the folks at Quali can. Just like their Torque infrastructure automation platform can deliver complex application environments anytime, anywhere, in just seconds instead of hours, days, or weeks. Visit Qtorque.io today and learn how you can spin up application environments in about the same amount of time it took you to listen to this ad.

Corey: As I prepare for re:Quinnvent, I notice that most of the flurry of announcements aren’t centered around security. This is probably for the best; if security becomes too exciting, you might be an Azure customer. Onward.

Let’s dive into what the whole Azure challenge is. The researchers who discovered the CosmosDB vulnerability that Azure suffered back in September have come out with a deeper dive into what they did and how they did it, and it is oh so very much worse than we thought. They were able to get access to the CosmosDB control plane itself. Microsoft has continued to say nothing about this, in spite of lingering questions such as, “How on earth did you not detect what amounts to a hypervisor escape?” “Holy God, why did you architect these systems without strict tenant isolation in mind since the beginning?” “How are customers supposed to trust anything you’re selling from a security perspective?” And, “What kind of clown shop are you people running over there?”

Separately—and this is kind of amazing—a ransomware hacker gang publicly apologized and removed some of their stolen data because one of their victims was accidentally Mohammed bin Salman. You know, the crown prince of Saudi Arabia who resolves his differences with journalists via hit squads equipped with bone saws. These folks want to do crime, but the right level of crime; you know, the failure mode of, “Being extradited to serve time in a US federal prison,” not, “Being dismembered with a bone saw.”

Corey: This episode is sponsored in part by something new. Cloud Academy is a training platform built on two primary goals: having the highest quality content in tech and cloud skills, and building a good community that is rich and full of IT and engineering professionals. You wouldn’t think those things go together, but sometimes they do. It’s both useful for individuals and large enterprises, but here’s what makes it new. I don’t use that term lightly. Cloud Academy invites you to showcase just how good your AWS skills are. For the next four weeks you’ll have a chance to prove yourself. Compete in four unique lab challenges, where they’ll be awarding more than $2,000 in cash and prizes. I’m not kidding, first place is a thousand bucks. Pre-register for the first challenge now, one that I picked out myself on Amazon SNS image resizing, by visiting cloudacademy.com/corey. C-O-R-E-Y. That’s cloudacademy.com/corey. We’re gonna have some fun with this one!

AWS didn’t include much in the way of interest for security this week, so I’m going to draw your attention to AWS Artifact. It’s not a service in the traditional sense, but rather a no-cost, self-service portal for on-demand access to AWS’ compliance reports, of which there are oh so very many. You used to have to get these one-by-one from your account team under NDA; don’t do that. And for God’s sake don’t write your own. Grab these reports, throw them at your auditor, and get back to doing things that actually appear in your job description instead.

Let’s talk about tools. Policy Sentry came out of Salesforce and is deceptively simple in concept: it makes it way easier to write simple, narrowly scoped IAM policies. This is what the official IAM Access Analyzer wishes it were, but it’s simply not there yet.

And it’s also been a while since I dug into Prowler. Prowler is a command-line tool that helps you with AWS security assessment, auditing, hardening and incident response. Like most things that focus on CIS benchmarks, you’ll need to apply judgement. An awful lot of things in a responsible, secure environment make sense, but set off alarms from those benchmarks that are considerably more naive.

And that’s what happened last week in security in the world of AWS. We have an interesting couple of weeks coming ahead. I’ll be talking to you more next week.
Nov 17, 2021 • 6min

My re:Quinnvent Justification Letter 2021

Want to give your ears a break and read this as an article? You’re looking for this link: https://www.lastweekinaws.com/blog/my-re-quinnvent-justification-letter