Episode Summary
Episode Show Notes & Transcript
- “Developer Experience is Security”: https://redmonk.com/rstephens/2022/02/17/devex-is-security/
- Cleansing their network of ransomware: https://www.espn.com/nfl/story/_/id/33283115/san-francisco-49ers-network-hit-gang-ransomware-attack-team-notifies-law-enforcement
- “Control access to Amazon Elastic Container Service resources by using ABAC policies”: https://aws.amazon.com/blogs/security/control-access-to-amazon-elastic-container-service-resources-by-using-abac-policies/
- “Introducing s2n-quic—‘sin-i-quick?’ ‘sin-two-quick?’ Yeah—a new open-source QUIC protocol implementation in Rust”: https://aws.amazon.com/blogs/security/introducing-s2n-quic-open-source-protocol-rust/
- “Top 2021 AWS Security service launches security professionals should review–Part 1”: https://aws.amazon.com/blogs/security/top-2021-aws-security-service-launches-part-1/
- Ghostbuster: https://blog.assetnote.io/2022/02/13/dangling-eips/
Corey: Somehow a week without an S3 Bucket Negligence Award to pass out for anyone. I really hope I’m not tempting fate by pointing that out, but good work, everyone.
Also, now that the professional football season is over, the San Francisco 49ers eagerly turn to their off-season task of cleansing their network of ransomware. Ouch. Not generally a great thing when you find that your organization has been compromised and you can’t access any of your data.
Now, AWS had a couple of interesting things out there. “Control access to Amazon Elastic Container Service resources by using ABAC policies”. I was honestly expecting there to be a lot more stories by now of improper tagging being used to gain access via ABAC. The problem here is that for the longest time tagging was at best a billing metadata construct; it made sense to have everything be able to tag itself. Suddenly, with the advent of attribute-based access control, anything that can tag resources now becomes a security challenge.
“Top 2021 AWS Security service launches security professionals should review–Part 1”. Okay, this summary post highlights an issue with how AWS talks about things. Some of these enhancements are helpful, some are not, but every last one of them is a feature of an existing service. Sometimes those refinements are helpful, other times they simply add unneeded complexity to a given customer’s use case. This feels a lot more like a comprehensive listing than it does a curated selection, but maybe that’s just me.
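The tagging-becomes-authorization problem in the ABAC item above is concrete enough to show as policy. The IAM policy below is an added editorial example, not code from the AWS blog post: it grants ECS service actions only when the resource’s tag matches the caller’s principal tag, and then guards the tag itself, since otherwise a principal holding an unconditional Allow on ecs:TagResource/ecs:UntagResource (the historical “everything can tag itself” default) could simply re-tag someone else’s service into their own team and gain access. The tag key “team” is an assumed example; aws:ResourceTag, aws:PrincipalTag, aws:RequestTag and aws:TagKeys are real IAM condition keys.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AbacAccessByTeamTag",
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeServices",
        "ecs:UpdateService",
        "ecs:DeleteService"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/team": "${aws:PrincipalTag/team}"
        }
      }
    },
    {
      "Sid": "TagOnlyWithinOwnTeam",
      "Effect": "Allow",
      "Action": "ecs:TagResource",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/team": "${aws:PrincipalTag/team}"
        },
        "StringEqualsIfExists": {
          "aws:RequestTag/team": "${aws:PrincipalTag/team}"
        }
      }
    },
    {
      "Sid": "NeverStripTheAccessTag",
      "Effect": "Deny",
      "Action": "ecs:UntagResource",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["team"]
        }
      }
    }
  ]
}
```

The second statement is the important one: a caller may add or change tags only on resources already carrying their own team tag, and if the request touches the team key it must keep the caller’s own value, so the tag cannot be flipped to another team. The explicit Deny on removing the team key prevents the resource from dropping out of everyone’s scope (or, where a missing key is treated leniently elsewhere, into everyone’s). Two caveats a reviewer would raise: a resource with no team tag fails StringEquals and is unreachable by design, so creation paths need an aws:RequestTag condition to force the tag at birth; and any other tagging surface that reaches the same resources (for example resourcegroupstaggingapi:TagResources, or broad ec2:CreateTags on the underlying instances) needs the same guardrail, or the policy is only as strong as its weakest tag API.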
Transcript
Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it’s nobody in particular’s job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.
Corey: This episode is sponsored in part by our friends at Sysdig. Sysdig is the solution for securing DevOps. They have a blog post that went up recently about how an insecure AWS Lambda function could be used as a pivot point to get access into your environment. They’ve also gone deep in-depth with a bunch of other approaches to how DevOps and security are inextricably linked. To learn more, visit sysdig.com and tell them I sent you. That’s S-Y-S-D-I-G dot com. My thanks to them for their continued support of this ridiculous nonsense.
Corey: Somehow a week without an S3 Bucket Negligence Award to pass out for anyone. I really hope I’m not tempting fate by pointing that out, but good work, everyone.
So, from the community. Redmonk’s Rachel Stephens once again hits the nail on the head with her post, “Developer Experience is Security”. I don’t believe it’s a coincidence that for a while now I’ve thought that Google Cloud offers not only the best developer experience of the hyperscale clouds but also the best security. I didn’t come to that conclusion lightly.
Also, now that the professional football season is over, the San Francisco 49ers eagerly turn to their off-season task of cleansing their network of ransomware. Ouch. Not generally a great thing when you find that your organization has been compromised and you can’t access any of your data.
Now, AWS had a couple of interesting things out there. “Control access to Amazon Elastic Container Service resources by using ABAC policies”. I was honestly expecting there to be a lot more stories by now of improper tagging being used to gain access via ABAC. The problem here is that for the longest time tagging was at best a billing metadata construct; it made sense to have everything be able to tag itself. Suddenly, with the advent of attribute-based access control, anything that can tag resources now becomes a security challenge.
Corey: This episode is sponsored in part by LaunchDarkly. Take a look at what it takes to get your code into production. I’m going to just guess that it’s awful because it’s always awful. No one loves their deployment process. What if launching new features didn’t require you to do a full-on code and possibly infrastructure deploy? What if you could test on a small subset of users and then roll it back immediately if results aren’t what you expect? LaunchDarkly does exactly this. To learn more, visit launchdarkly.com and tell them Corey sent you, and watch for the wince.
“Introducing s2n-quic—‘sin-i-quick?’ ‘sin-two-quick?’ Yeah—a new open-source QUIC protocol implementation in Rust”. Now, with a name like that, you know it came out of AWS. This is a bit in the weeds for most of us, but the overall lesson to take from the release-slash-announcement is, “Don’t roll your own cryptographic implementation,” with the obvious exception case of, “Unless you are AWS.”
“Top 2021 AWS Security service launches security professionals should review–Part 1”. Okay, this summary post highlights an issue with how AWS talks about things. Some of these enhancements are helpful, some are not, but every last one of them is a feature of an existing service. Sometimes those refinements are helpful, other times they simply add unneeded complexity to a given customer’s use case. This feels a lot more like a comprehensive listing than it does a curated selection, but maybe that’s just me.
And lastly, I stumbled over a tool called Ghostbuster which is surprisingly easy to use. It scans your DNS records and finds dangling Elastic IPs that can be misused for a variety of different purposes, none of which are going to benefit you directly. It’s been a while since I found a new tool that I was this happy with how straightforward and simple it was to use. Good work. And that’s what happened last week in AWS security. I’m Corey Quinn. Thanks for listening.
Corey: Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.
Announcer: This has been a HumblePod production. Stay humble.