Stop Embedding Credentials

Corey: This is the AWS Morning Brief: Security Edition. AWS is fond of saying security is job zero. That means it’s nobody in particular’s job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.

Corey: Writing ad copy to fit into a 30-second slot is hard, but if anyone can do it the folks at Quali can. Just like their Torque infrastructure automation platform can deliver complex application environments anytime, anywhere, in just seconds instead of hours, days, or weeks. Visit Qtorque.io today, and learn how you can spin up application environments in about the same amount of time it took you to listen to this ad.

Corey: It’s a pretty quiet week on the AWS security front because I’m studiously ignoring Robinhood’s breach. There’s nothing to see here.

So, Ransomware sucks and it’s getting worse. Kevin Beaumont wrote a disturbing article earlier this summer—that I just stumbled over, so it’s new to me—about how we effectively aren’t prepared for what’s happening in the ransomworld space. It’s a new battle with new rules, and we haven’t seen the worst of it by far. Now look, alarmism is easy to come by, but Kevin is very well respected in this space for a reason; when he speaks, smart people listen.

If you do nothing else for me this week, please, please, please be careful with credentials. Don’t embed them into apps you ship other places; don’t hardcode them into your apps; ideally for those applications you run on AWS itself you use instance or function or whatever roles that have ephemeral credentials. Because if you don’t, someone may steal them like they did with Kaspersky’s Amazon SES token and use it for Office365 phishing attacks.

And I found analysis that I rather liked about the Twitch breach—although I believe they pronounce it ‘Twetch’. It emphasizes that this stuff is hard, and it talks about the general principles that you should be considering with respect to securing cloud apps. Contrary to the narrative some folks are spinning, Twitch engineers were neither incompetent nor careless, as a general rule.

Corey: This episode is sponsored in part by something new. Cloud Academy is a training platform built on two primary goals: having the highest quality content in tech and cloud skills and building a good community that is rich and full of IT and engineering professionals. You wouldn’t think those things go together, but sometimes they do. It’s both useful for individuals and large enterprises, but here’s what makes this something new—I don’t use that term lightly—Cloud Academy invites you to showcase just how good your AWS skills are. For the next four weeks, you’ll have a chance to prove yourself. Compete in four unique lab challenges where they’ll be awarding more than $2,000 in cash and prizes. I’m not kidding: first place is a thousand bucks. Pre-register for the first challenge now, one that I picked out myself on Amazon SNS image resizing, by visiting cloudacademy.com/corey—C-O-R-E-Y. That’s cloudacademy.com/corey. We’re going to have some fun with this one.

There was an AWS post: Implement OAuth 2.0 device grant flow by using Amazon Cognito and AWS Lambda. Awkward title but I like the principle here. The challenge I have is that Cognito is just. So. Difficult. I don’t think I’m the only person who feels this way.

Objectively, using Cognito is the best sales pitch I can imagine for FusionAuth or Auth0. I’m hoping for a better story at re:Invent this year from the Cognito team, but I’ve been saying that for three years now. The problem with the complexity is that once it’s working—huzzah, at great expense and difficulty—you’ll move on to other things; nobody is going to be able to untangle what you’ve done without at least as much work in the future, should things change. If it isn’t simple, I question its security just due to the risk of misconfiguration.

And this is—I don’t know if this is a tool or a tip; it’s kind of both. If you’re using AWS, which I imagine if you’re listening to this, you probably are, let me draw your attention to Systems Manager Parameter Store. Great service, dumb name. I use it myself constantly for things that are even slightly sensitive. And those things range from usernames to third-party credentials to URL endpoints for various things.

Think of it as a free version of Secrets Manager. The value of that service is that you can run arbitrary code to rotate credentials elsewhere, but it’ll cost you 40¢ per month per secret to use it. Now contrasted with that, Parameter Store is free. The security guarantees are the same; don’t view this as being somehow less secure because it’s missing the word ‘secrets’ in its name. Obviously, if you’re using something with a bit more oomph like HashiCorp’s excellent Vault, you can safely ignore everything that I just said. And that’s what happened last week in AWS security. If you’ve enjoyed listening to this, tell everyone you know to listen to it as well. Become an evangelist and annoy the hell out people, to my benefit. Thanks for listening and I’ll talk to you next week.

Corey: Thank you for listening to the AWS Morning Brief: Security Edition with the latest in AWS security that actually matters. Please follow AWS Morning Brief on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the Last Week in AWS newsletter at lastweekinaws.com.

Announcer: This has been a HumblePod production. Stay humble.