AWS Morning Brief
aws-section-divider
Audio Icon
I Azure You This Shall Pass
Episode Summary
This week its all news and a little bit of snark! iRobot brings out Principals in AWS IAM, biometric myth busters, and Azure will eventually end up in fail compilation! Listen in for more on this episode of AWS Morning Brief: Security Edition...
Episode Show Notes and Transcript
Links:

Transcript
Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it’s nobody in particular’s job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.


Corey: This episode is sponsored in part by Thinkst Canary. This might take a little bit to explain, so bear with me. I linked against an early version of their tool, canarytokens.org, in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, or anything else like that that you can generate in various parts of your environment, wherever you want them to live; it gives you fake AWS API credentials, for example. And the only thing that these are empowered to do is alert you whenever someone attempts to use them. It’s an awesome approach to detecting breaches. I’ve used something similar for years myself before I found them. Check them out. But wait, there’s more because they also have an enterprise option that you should be very much aware of: canary.tools. Take a look at this: what it does is it provides an enterprise approach to drive these things throughout your entire environment and manage them centrally. You can even get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files that it presents on a fake file store, you get instant alerts. It’s awesome. If you don’t do something like this, instead you’re likely to find out that you’ve gotten breached the very hard way. So, check it out. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I am so glad I found them. I love it.” Again, those URLs are canarytokens.org and canary.tools. And the first one is free because of course it is. The second one is enterprise-y. You’ll know which one of those you fall into. Take a look. I’m a big fan. More to come from Thinkst Canary in the weeks ahead.


Corey: Ben Kiko, cloud robotics research scientist at iRobot—motto: “All IoT sucks, but ours is supposed to”—walks us through Principles in AWS IAM. It’s short, it’s concise, and it’s definitely worth taking the time to dig into what he has to say. If you only hunt down one thing from this podcast this week, this is the one.


[Version three of OpenSSL was released 00:03:19], so expect a few conversations around that. There’s also apparently a Rusttls, which is ostensibly OpenSSL rewritten in Rust for the modern era but is in practice just another talking point for the Rust evangelism strikeforce, who is actively encouraged not to find a way to leave a comment on this episode.


Sneak or Snack or Synack raised—however they’re pronounced—[raised a big funding round last week 00:03:19] and still stubbornly refuses to buy a vowel. More interestingly, they report that 50% of security jobs are unfilled. Further, any solution predicated on devs becoming security experts is doomed, which is exactly the point of this podcast. What you need to know about cloud security, minus the fluff and 
gatekeeping. Okay fine, yes, and some snark added to keep it engaging because my God, is it dull without that.


Another week, another [Azure Security failure 00:03:19]. This time a flaw existed that could leak data between users of Azure Container Services. Look, this whole thing is about AWS, so why do I talk about Azure issues like this? Simply put, people are going to bring it up in a cloud isn’t secure context, and you should be aware of what they’re talking about when they do. Azure, please get it together. Stuff like this hurts all cloud providers.


Corey: Troy Hunt has a post informing you that despite what your AWS bill may have you believe in the moment, self-immolation is unnecessary. Okay, that’s not actually his point, but specifically, You Don’t Need to Burn off Your Fingertips (and Other Biometric Authentication Myths) doesn’t hit quite the same way. It’s a super handy reminder that for most of you folks, adversaries are not going to steal your fingerprints to get into your systems. They’re either going to bribe you or hit you with a wrench until you tell them your password.


From the mouth of AWS horse—or from the horse’s AWS—Amazon Detective offers Splunk integration. Amazon Detective and the Case of the Missing Mountain of Money is apparently this month’s hot comic book.


And AWS—motto: “Opinions my own”—has a [security checklist 00:03:19], and it’s worth taking a look at because a few of these items that they issue from time to time are, like, “Use multiple AWS accounts,” directly contravenes older guidance. It’s always good to check on things like this around best practices that AWS is putting out there because even if you don’t make changes to your systems as a result, you should know where AWS’s head is at with respect to where the future of the industry is going.


And lastly, there was an interesting tool that came out called IAM Vulnerable. It’s an IAM privilege escalation playground that lets you muck around with exploiting improperly set IAM policies. It’s a good way to kill an hour on an afternoon when you’re not particularly motivated to do other things. Another good ‘I need a distraction’ task is rotating reused or weak passwords that you have in your password manager. And that’s what happened.


Announcer: Have you implemented industry best practices for securely accessing SSH servers, databases, or Kubernetes? It takes time and expertise to set up. Teleport makes it easy. It is an identity-aware access proxy that brings automatically expiring credentials for everything you need, including role-based access controls, access requests, and the audit log. It helps prevent data exfiltration and helps implement PCI and FedRAMP compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at goteleport.com. That’s goteleport.com.


Corey: I have been your host, Corey Quinn, and if you remember nothing else, it’s that when you don’t get what you want, you get experience instead. Let my experience guide you with the things you need to know in the AWS security world, so you can get back to doing your actual job. Thank you for listening to the AWS Morning Brief: Security Editionwith the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcasts, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.


Announcer: This has been a HumblePod production. Stay humble.
View Full TranscriptHide Full Transcript