Security on zoph.me

Speeding Up IAMTrail: One Boto3 Process Instead of 1,500 CLI Invocations

Sat, 04 Apr 2026 07:37:00 +0200

The 46-Minute Problem

The IAMTrail detection engine fetches ~1,500 AWS managed IAM policies every run. The original approach was pure bash:

aws iam list-policies --output json |
    jq -cr '...' |
    xargs -P 16 -n3 sh -c \
      'aws iam get-policy-version --policy-arn $1 --version-id $2 | jq --indent 4 . > "policies/$3"' sh

Looks fine, right? Except each iteration spawns a full AWS CLI process. That means a fresh Python runtime, boto3 import, credential resolution, one single HTTP call, then exit. Times 1,500.

IAMTrail.com: The AWS Managed Policy Archive (Evolved from MAMIP)

Thu, 23 Oct 2025 13:37:00 +0200

📜 The Origins

Back in 2019, Scott Piper started a GitHub repository to track changes to AWS Managed Policies. It was a simple setup, manually triggered but it worked well and was incredibly useful. Using git diff or the Github.com UI, Scott and the community could easily see how policies evolved over time.

At that time, AWS didn’t publicly share the changes made to managed policies by the various “two-pizza” product teams inside AWS.

AWS CloudFormation Phishing Attack: A Growing Threat

Mon, 10 Feb 2025 13:37:00 +0200

✨ Introduction

It starts with an innocuous-looking email. The sender claims to be AWS Support, warning the recipient about an urgent security issue. A single button labeled “Launch Stack” is prominently placed, urging immediate action. What appears to be a standard security advisory is, in reality, the gateway to a sophisticated AWS account takeover attempt.

Threat actors are exploiting AWS CloudFormation StackSets in phishing campaigns designed to compromise AWS environments. Originally reported by Rami McCarthy back in 2022 and by Scott Piper in this blog post (2021), this technique continues to evolve, demonstrating how adversaries leverage AWS automation against its own users.

About AWS Security Digest acquisition

Wed, 31 Jul 2024 13:37:00 +0200

📜 History

In late 2020, I was floored by the number of announcements, changes, re:Invent releases, and blog posts that AWS pushes every week.

Then, I decided to automate part of my weekly routine to stay up to date. The idea was to get a digest email summary of what was going on. It was very helpful for my job as an Indie AWS Security Consultant.

A few weeks later, I decided to open my weekly digest to external subscribers, as I believed it could interest folks in the same field. Here we were with the ASD Newsletter in January 2021.

Brewing the Best in AWS Security: Top Reads of the Year

Sun, 17 Dec 2023 13:37:00 +0200

As we welcome 2024, I’m excited to share a special post for the AWS Security Digest Newsletter. It’s been a remarkable year, and your engagement has made it even more so.

🔗 I’ve compiled the top 5 most-clicked links from our 2023 editions.

These links represent the most intriguing, informative, and impactful topics in the AWS Security landscape.

1️⃣ Enabling Just-In-Time (JIT) Access for AWS S3 Buckets
2️⃣ Actionable AWS Security Best Practices [Cheat Sheet]
3️⃣ AWS Security Foundations For Dummies
4️⃣ Bare minimum AWS Security Alerting and Configuration
5️⃣ AWS ImdsPacketAnalyzer

👨‍🍳 Why a Chef? You might wonder about the image. In our newsletter, we ‘cook’ complex AWS concepts into digestible insights, much like a chef preparing a gourmet meal. This theme has been a fun and integral part of our journey.

Elevate your AWS Security with basic alerting

Sun, 12 Feb 2023 13:37:00 +0200

As businesses continue to adopt cloud computing and move their operations to the cloud, it’s crucial to ensure the security of their cloud environment. Amazon Web Services (AWS) is the leading cloud platform, but with the ease of use comes the responsibility of securing the data, applications, and services deployed on the cloud.

AWS provides a vast array of security services, but it can be challenging to keep track of all the activities and changes happening in your AWS account. That’s where the AWS Security Survival Kit (ASSK) comes in. This comprehensive and free open-source kit sets up basic proactive monitoring and alerting on common suspicious activities in your AWS account.

The day when the AWS Support got access to your S3 data

Wed, 22 Dec 2021 13:37:00 +0200

Update from: 2021-12-23

Official Security bulletin from AWS AWSSupportServiceRolePolicy Informational Update

https://aws.amazon.com/security/security-bulletins/AWS-2021-007/

You will find below details about the security incident that led to this unattended access for millions of AWS customers.

On 22nd December 2021, AWS deployed a new version (v20) of AWSSupportServiceRolePolicy, used by a mandatory role AWSServiceRoleForSupport for AWS Support access to all AWS Accounts. In this policy, they added the action s3:getObject, which gives AWS Support teams access to all customer Amazon S3 data.

Does AWS drink its own champagne? 🍾

Tue, 06 Apr 2021 13:37:00 +0200

TL;DR: AWS Managed Policies are safe. Currently.

:arrows_counterclockwise: Previously in Policy Validation

Before the AWS Access Analyzer (AA) Policy Validation release, a few open source initiatives were available to lint AWS IAM Policies, like Parliament from Duolabs and CloudSplaining (Salesforce).

The tricky part of these tools is that they are community-driven, from volunteer contributors, and most of the master data comes from AWS IAM docs web scraping. It is difficult to maintain over time, especially if the documentation format is changing, or if the documentation is not in sync with the IAM reality. It will be easier for everyone if the one who is providing the rules is the one who creates the validation tool to run against these rules. Isn’t it?

Keeping you posted on AWS Security

Fri, 22 Jan 2021 13:37:00 +0200

Since my last post on how to deal with information overload and reading pipeline, I’ve created a free digest newsletter about AWS Security.

The goal of this curated AWS Security Digest is to condense what happened last week, from the most relevant sources:

🔦 A highlight of the week
👮 Changes since last week on AWS Managed IAM Policies
💌 Curated cloud security newsletters
👀 AWS API changes
🔒 IAM permissions changes
🆙 Most upvoted posts on r/AWS
🔗 Top shared links on Twitter (by cloudsec folks)
🐦 Most engaged tweets from the community

This is an ongoing side project, so more content will be added over time.

Level-up your online privacy using PGP

Tue, 29 Sep 2020 13:37:00 +0200

TL;DR

I’m now using PGP for archive file encryption.

The trigger

This summer, I read Permanent Record from Edward Snowden, “Ed” for those in the know. I was pretty impressed at how a government organization with a multi-billion dollar budget can organize a mass surveillance program at a worldwide scale in only a few decades.

“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”

[MAMIP] Monitor AWS Managed IAM Policies

Sat, 22 Feb 2020 13:37:00 +0200

This article was originally posted in September 2019. Updated in February 2020.

Disclaimer

Thanks to @0xdabbad00 from SummitRoute for the original idea and jq parsing.

Purpose

When your production workloads rely on AWS IAM Managed Policies (don’t do this), you will need to be notified when changes occur behind the scenes. It’s also interesting to monitor new AWS service releases ahead of the announcements to get spoiled.

This pet project automates the retrieval (every 4 hours) of new AWS Managed IAM Policies to make it easier to monitor and get alerted when changes occur (by AWS), using the “Watch” feature on GitHub, RSS or a dedicated Twitter Account.

AWS Security Toolbox (AST)

Mon, 16 Dec 2019 13:37:00 +0200

In my day-to-day job, I was wasting time reinstalling and dealing with the dependencies of all my favorite tools for AWS Security Audits and Assessments.

So, lately, I’ve decided to start another pet project trying to solve this issue and provide a simple Docker container with all the security-related tooling for your AWS Assessments.

I’ve decided to open-source it. After some discussion with my peers, they were interested in this kind of stuff to avoid wasting hours installing a myriad of apps and Python dependencies on their own laptop or customer machine.

[FR] AWS re:Inforce 2019

Mon, 15 Jul 2019 13:37:00 +0200

re:Inforce 2019

Il s’agit de la première édition de cette conférence AWS dédiée à la sécurité de ce Cloud Service Provider (CSP). AWS est actuellement en train de proposer de nouveaux événements et summits sur des sujets spécifiques, en plus de l’événement annuel, le re:Invent.

Cette conférence aura lieu chaque année dans une ville différente des États-Unis, il est question de Houston pour l’année prochaine.

https://reinforce.awsevents.com/

J’ai eu l’occasion de participer au re:Cap du re:Inforce proposé par AWS France, voici en synthèse, les éléments à ne pas manquer.

[FR] leHack 2019

Sat, 13 Jul 2019 13:37:00 +0200

Présentation

Anciennement “la Nuit du Hack”, c’est une conférence sur la sécurité informatique, le ethical hacking de manière plus générale, organisée depuis plus de 16 ans par la même équipe. Cette année était la première année après son changement de nom, les organisateurs attendaient cette fois-ci plus de 3500 personnes.

J’ai eu la chance d’y participer pour la première fois cette année à la Cité des Sciences et de l’Industries de Paris.

Enable Default Encryption for EBS (Worldwide)

Mon, 10 Jun 2019 13:37:00 +0200

Following the announced new opt-in option regarding the default encryption of EBS volumes a few days ago, I’ve made a small Python script to enable this feature on all AWS regions within an AWS account. Quick and ~~Dirty~~ Simple.

This is an example. Use it at your own risk, and test it before applying to production, as usual :)

import boto3

AWS_REGION = 'eu-west-1'
session = boto3.Session(region_name=AWS_REGION)
ec2 = session.client('ec2')

def main(event, context):
    ec2_regions = [region['RegionName'] for region in ec2.describe_regions()['Regions']]
    # For all AWS Regions
    for region in ec2_regions:
        conn = boto3.client('ec2', region_name=region)
        print ("Checking AWS Region: " + region)
        status = conn.get_ebs_encryption_by_default()
        print ("===="*10)
        result = status["EbsEncryptionByDefault"]
        if result == True:
            print ("Activated, nothing to do")
        else:
            print("Not activated, activation in progress")
            conn.enable_ebs_encryption_by_default()

if __name__ == '__main__':
    main(0,0)

That’s all folks!

Wanacry or Wanasmile?

Mon, 29 May 2017 22:31:32 +0200

In this article, you will find best practices regarding security and the high availability of your data to prevent the spread of Wanacry and other ransomware.

What is wanacry?

Wanacry is a ransomware that uses a hole in the SMB protocol called EternalBlue, then DoublePulsar is installed as a backdoor to run Wanacry. After you get infected, your files begin to be encrypted with the AES-128-CBC cipher, and then a popup asks you for a ransom to get them back. It spreads through the network using port TCP/445 (SMB v1).