How to deal with unused assets on AWS?

💸 Rationale Using the public cloud lets you experiment, iterate, and test new services and capabilities; it unleashes your teams' potential to innovate and, in the end, reduces the time to market for innovative products. Cloud computing comes with a promise: “Pay as you go”. In fact, this statement is only partially true. It is only accurate if you take care – really care – of your active assets on your Cloud Service Provider (CSP). ...

May 29, 2022 · 2 min · 310 words · zoph

The day when the AWS Support got access to your S3 data

Update from: 2021-12-23 Official Security bulletin from AWS AWSSupportServiceRolePolicy Informational Update https://aws.amazon.com/security/security-bulletins/AWS-2021-007/ You will find below details about the security incident that led to this unintended access for millions of AWS customers. On 22nd December 2021, AWS deployed a new version (v20) of AWSSupportServiceRolePolicy, used by a mandatory role, AWSServiceRoleForSupport, for AWS Support access to all AWS accounts. In this policy, they added the action s3:GetObject, which gives AWS Support teams access to all customer Amazon S3 data. ...

December 22, 2021 · 3 min · 430 words · zoph

Serverless AWS WebRedirect

Rationale Lately, I was looking for a small automation to deploy a simple web redirect for a domain name hosted on Amazon Route 53. I didn’t find anything relevant, so I decided to build it myself. The goal was to have a subdomain redirect to a totally different domain and path with minimal effort and infrastructure. From: asd.zoph.io To: http://awssecuritydigest.com Schema Tradeoff It does not support HTTPS, but you can use HTTP as an entry point and then redirect traffic to HTTPS as needed. ...

November 7, 2021 · 1 min · 115 words · zoph

How to deal with custom recorder of AWS Config?

Disclaimer: I’m not a REGEX expert :smile: Lately, I was working for one of my customers on a custom configuration of the AWS Config recorder. My customer wanted AWS Config to record all resources except a few of them: 'AWS::EC2::Subnet' 'AWS::EC2::VPC' 'AWS::EC2::SecurityGroup' Unfortunately, the AWS API and Console do not allow you to do this; you have to cherry-pick manually which resource types you want to record. The trade-off of this method is that if a new AWS Config resource type comes out, it won’t be recorded until you manually select it in your AWS Config recorder settings. ...

August 15, 2021 · 3 min · 543 words · zoph

Does AWS drink its own champagne? 🍾

TL;DR: AWS Managed Policies are safe. Currently. :arrows_counterclockwise: Previously in Policy Validation Before the AWS Access Analyzer (AA) Policy Validation release, a few open source initiatives were available to lint AWS IAM policies, like Parliament from Duo Labs and Cloudsplaining from Salesforce. The tricky part of these tools is that they are community-driven, maintained by volunteer contributors, and most of their master data comes from scraping the AWS IAM documentation. That is difficult to maintain over time, especially if the documentation format changes or if the documentation is not in sync with the IAM reality. It is easier for everyone if the one who provides the rules is also the one who creates the validation tool that checks against those rules — isn’t it? ...

April 6, 2021 · 4 min · 750 words · zoph