---
title: "The Gruntled Developer"
id: "12155"
type: "podcast"
slug: "the-gruntled-developer"
published_at: "2022-01-20T12:00:00+00:00"
modified_at: "2026-05-17T00:05:13+00:00"
url: "https://www.lastweekinaws.com/podcast/last-week-in-aws-podcast/the-gruntled-developer/"
markdown_url: "https://www.lastweekinaws.com/podcast/last-week-in-aws-podcast/the-gruntled-developer.md"
taxonomy_shows:
  - "Last Week In AWS Podcast"
---

## About the Author

Corey is the Chief Cloud Economist at Duckbill, where he specializes in helping companies improve their AWS bills by making them smaller and less horrifying. He also hosts the "Screaming in the Cloud" and "AWS Morning Brief" podcasts; and curates "Last Week in AWS," a weekly newsletter summarizing the latest in AWS news, blogs, and tools, sprinkled with snark and thoughtful analysis in roughly equal measure.

[https://podcasts.apple.com/us/podcast/aws-morning-brief/id1466344305](https://podcasts.apple.com/us/podcast/aws-morning-brief/id1466344305)

[https://overcast.fm/itunes1466344305/aws-morning-brief](https://overcast.fm/itunes1466344305/aws-morning-brief)

[https://pca.st/AKs0](https://pca.st/AKs0)

[https://podcastaddict.com/podcast/2382583](https://podcastaddict.com/podcast/2382583)

[https://open.spotify.com/show/3A04JNrNAcZMvn8cvDWpWU](https://open.spotify.com/show/3A04JNrNAcZMvn8cvDWpWU)

[https://feeds.transistor.fm/aws-morning-brief](https://feeds.transistor.fm/aws-morning-brief)

## Episode Summary

This week in security: more S3 Bucket Negligence Awards, a disgruntled developer lays down some corruption, some AWS backup security practices, and more!

## Episode Show Notes & Transcript

**Links:**

- S3 Bucket Negligence Award: [http://saharareporters.com/2022/01/10/exclusive-hacker-breaks-nimc-server-steals-over-three-million-national-identity-numbers](http://saharareporters.com/2022/01/10/exclusive-hacker-breaks-nimc-server-steals-over-three-million-national-identity-numbers)
- Anyone in a VPC, any VPC, anywhere: [https://Twitter.com/santosh_ankr/status/1481387630973493251](https://twitter.com/santosh_ankr/status/1481387630973493251)
- A disgruntled developer corrupts their own NPM libs ‘colors’ and ‘faker’, breaking thousands of apps: [https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/](https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/)
- “Top ten security best practices for securing backups in AWS”: [https://aws.amazon.com/blogs/security/top-10-security-best-practices-for-securing-backups-in-aws/](https://aws.amazon.com/blogs/security/top-10-security-best-practices-for-securing-backups-in-aws/)
- Glue: [https://aws.amazon.com/security/security-bulletins/AWS-2022-002/](https://aws.amazon.com/security/security-bulletins/AWS-2022-002/)
- CloudFormation: [https://aws.amazon.com/security/security-bulletins/AWS-2022-001/](https://aws.amazon.com/security/security-bulletins/AWS-2022-001/)
- S3-credentials: [https://simonwillison.net/2022/Jan/18/weeknotes/](https://simonwillison.net/2022/Jan/18/weeknotes/)

**Transcript**

Corey: This is the *AWS Morning Brief: Security Edition*. AWS is fond of saying security is job zero. That means it’s nobody in particular’s job, which means it falls to the rest of us. Just the news you need to know, none of the fluff.

Corey: This episode is sponsored in part by my friends at Thinkst Canary. Most companies find out way too late that they’ve been breached. Thinkst Canary changes this and I love how they do it. Deploy canaries and canary tokens in minutes, and then forget about them. What’s great is then attackers tip their hand by touching them, giving you one alert, when it matters. I use it myself and I only remember this when I get the weekly update with a, “We’re still here, so you’re aware,” from them. It’s glorious. There is zero admin overhead to this, there are effectively no false positives unless I do something foolish. Canaries are deployed and loved on all seven continents. You can check out what people are saying at [canary.love](https://canary.love/). And, their Kube config canary token is new and completely free as well. You can do an awful lot without paying them a dime, which is one of the things I love about them. It is useful stuff and not a, “Oh, I wish I had money.” It is spectacular. Take a look. That’s [canary.love](https://canary.love/) because it’s genuinely rare to find a security product that people talk about in terms of love. It really is a neat thing to see. [Canary.love](https://canary.love/). Thank you to Thinkst Canary for their support of my ridiculous, ridiculous nonsense.

Corey: So, yesterday’s episode put the boots to AWS, not so much for the issues that Orca Security uncovered, but rather for its poor communication around the topic. Now that that’s done, let’s look at the more mundane news from last week’s cloud world. Every day is a new page around here, full of opportunity and possibility in equal measure.

This week’s [S3 Bucket Negligence Award](http://saharareporters.com/2022/01/10/exclusive-hacker-breaks-nimc-server-steals-over-three-million-national-identity-numbers) goes to the Nigerian government for exposing millions of their citizens to a third party who most assuredly did not follow coordinated disclosure guidelines. Whoops.

There’s an interesting tweet, and exploring it is still unfolding at time of this writing, but it looks like making an API Gateway ‘Private’ doesn’t mean, “To your VPCs,” but rather, “To [anyone in a VPC, any VPC, anywhere](https://twitter.com/santosh_ankr/status/1481387630973493251).” This is evocative of the way that, “Any Authenticated AWS User,” for S3 buckets caused massive permissions issues industry-wide.

And a periodic and growing concern is one of software supply chain—which is a fancy way of saying, “We’re all built on giant dependency chains”—what happens when, say, [a disgruntled developer corrupts their own NPM libs ‘colors’ and ‘faker’, breaking thousands of apps](https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/) across the industry, including some of the AWS SDKs? How do we manage that risk? How do we keep developers gruntled?

Corey: Are you building cloud applications with a distributed team? Check out [Teleport](https://goteleport.com/), an open-source identity-aware access proxy for cloud resources. Teleport provides secure access for anything running somewhere behind NAT: SSH servers, Kubernetes clusters, internal web apps, and databases. Teleport gives engineers superpowers.

Get access to everything via single sign-on with multi-factor, list and see all of SSH servers, Kubernetes clusters, or databases available to you in one place, and get instant access to them using tools you already have. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility, and ensuring compliance. And best of all, Teleport is open-source and a pleasure to use. Download Teleport at [goteleport.com](https://goteleport.com/). That’s [goteleport.com](https://goteleport.com/).

AWS had a couple of interesting things. The first is [“Top ten security best practices for securing backups in AWS”](https://aws.amazon.com/blogs/security/top-10-security-best-practices-for-securing-backups-in-aws/). People really don’t consider the security implications of their backups anywhere near seriously enough. It’s not ‘live’ but it’s still got—by definition—a full set of your data just waiting to be harvested by nefarious types. Be careful with that.

And of course, AWS had two security bulletins, one about its [Glue](https://aws.amazon.com/security/security-bulletins/AWS-2022-002/) issues, one about its [CloudFormation](https://aws.amazon.com/security/security-bulletins/AWS-2022-001/) issues. The former allowed cross-account access to other tenants. In theory. In practice, AWS did the responsible thing and kept every access event logged, going back for the full five years of the service’s life. That’s remarkably impressive.

And lastly, I found an interesting tool called [S3-credentials](https://simonwillison.net/2022/Jan/18/weeknotes/) last week, and what it does is it helps generate tightly-scoped IAM policies that were previously limited to a single S3 bucket, but now are limited to a single prefix within that bucket. You can also make those credential sets incredibly short-lived. More things like this, please. I just tend to over-scope things way too much. And that’s what happened *Last Week in AWS: Security*. Please feel free to reach out and tell me exactly what my problem is.

Corey: Thank you for listening to the *AWS Morning Brief: Security Edition* with the latest in AWS security that actually matters. Please follow *AWS Morning Brief* on Apple Podcast, Spotify, Overcast—or wherever the hell it is you find the dulcet tones of my voice—and be sure to sign up for the *Last Week in AWS* newsletter at [lastweekinaws.com](https://lastweekinaws.com/).

Announcer: This has been a HumblePod production. Stay humble.
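The private API Gateway item in the transcript turns on how the API's resource policy is written: a private REST API is reached through an execute-api VPC interface endpoint, and unless the policy pins its grant to a specific endpoint with the `aws:SourceVpce` (or `aws:SourceVpc`) condition key, an Allow to a wildcard principal can be satisfied from an endpoint in someone else's VPC. The following Python is an added example, not code from the episode, the tweet or AWS. It holds a constructed weak policy beside a pinned one (the `vpce-` id is made up) and implements the check a reviewer would want to run over such a policy.

```python
"""Flag a private API Gateway resource policy that any VPC endpoint could satisfy.

Added example, not code from the episode, the tweet or AWS. Both policies are
constructed for illustration and the vpce- id in them is made up.
"""
import json

# Global condition keys that pin a statement to one VPC endpoint or one VPC.
SOURCE_KEYS = {"aws:sourcevpce", "aws:sourcevpc"}
OUR_ENDPOINT = "vpce-0123456789abcdef0"  # made up for the example

# Constructed weak policy: the Allow is unconditional, so an execute-api
# interface endpoint in any VPC that can resolve the API satisfies it.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAnyVpcEndpoint",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/*",
        }
    ],
}

# Constructed hardened policy: the same grant pinned to one endpoint, plus an
# explicit Deny for calls arriving through any other endpoint.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            **WEAK_POLICY["Statement"][0],
            "Sid": "AllowOnlyOurEndpoint",
            "Condition": {"StringEquals": {"aws:SourceVpce": OUR_ENDPOINT}},
        },
        {
            "Sid": "DenyOtherEndpoints",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "execute-api:/*",
            "Condition": {"StringNotEquals": {"aws:SourceVpce": OUR_ENDPOINT}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (anyone, any account)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _invokes_api(stmt) -> bool:
    return any(a in ("execute-api:Invoke", "execute-api:*", "*") for a in _as_list(stmt.get("Action", [])))


def _source_pinned(condition, operators) -> bool:
    """True if a condition operator named in `operators` tests a source-VPC key.

    Set-operator prefixes (ForAnyValue:, ForAllValues:) are stripped first.
    """
    for operator, keys in (condition or {}).items():
        if operator.lower().split(":")[-1] in operators and any(k.lower() in SOURCE_KEYS for k in keys):
            return True
    return False


def find_open_statements(policy: dict) -> list:
    """Return Sids of Allow statements that an endpoint in any VPC could satisfy.

    A statement is open when it grants execute-api:Invoke to a wildcard
    principal without an aws:SourceVpce/aws:SourceVpc condition, and no Deny
    with StringNotEquals on those keys backstops the whole policy.
    """
    statements = policy.get("Statement", [])
    if any(
        s.get("Effect") == "Deny" and _invokes_api(s) and _source_pinned(s.get("Condition"), ("stringnotequals",))
        for s in statements
    ):
        return []
    return [
        s.get("Sid", f"Statement[{i}]")
        for i, s in enumerate(statements)
        if s.get("Effect") == "Allow"
        and _invokes_api(s)
        and _wildcard_principal(s.get("Principal"))
        and not _source_pinned(s.get("Condition"), ("stringequals", "stringlike"))
    ]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: open statements = {json.dumps(find_open_statements(policy))}")
```

The checker deliberately treats a principal-scoped Allow (a specific account ARN rather than `*`) as not open, since that grant is already narrowed on the identity side; it also does not model the VPC endpoint's own endpoint policy, which is a second, independent place the path can be cut off.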

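The S3-credentials item above describes IAM policies limited to a single prefix within a bucket rather than the whole bucket. The following Python is an added example, not code from Simon Willison's s3-credentials tool or from the episode; it builds the two-statement policy that produces that scoping (the bucket and prefix names are made up) and includes a deliberately simplified evaluator that shows which requests fall inside the prefix and which do not.

```python
"""Generate a prefix-scoped S3 policy and check what it does and does not permit.

Added example, not code from the s3-credentials project or the episode. The
bucket and prefix names used here are made up.
"""
import fnmatch
import json

READ_ACTIONS = ["s3:GetObject"]
READ_WRITE_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]


def prefix_scoped_s3_policy(bucket: str, prefix: str, read_only: bool = True) -> dict:
    """Return a policy document scoped to one prefix of one bucket.

    Two statements are needed because s3:ListBucket is a bucket-level action:
    it is narrowed with the s3:prefix condition key, while object actions are
    narrowed by putting the prefix into the resource ARN itself.
    """
    prefix = prefix.strip("/")
    if not prefix:
        raise ValueError("an empty prefix would grant the whole bucket")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlyThisPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/*"]}},
            },
            {
                "Sid": "ObjectsOnlyUnderThisPrefix",
                "Effect": "Allow",
                "Action": READ_ACTIONS if read_only else READ_WRITE_ACTIONS,
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows_object(policy: dict, action: str, bucket: str, key: str) -> bool:
    """Simplified check: does an Allow statement cover this object action?

    Handles only the shape produced above (Allow effects, wildcard resource
    ARNs); real IAM evaluation also weighs Deny, principals and conditions.
    """
    arn = f"arn:aws:s3:::{bucket}/{key}"
    return any(
        stmt.get("Effect") == "Allow"
        and action in _as_list(stmt["Action"])
        and any(fnmatch.fnmatchcase(arn, r) for r in _as_list(stmt["Resource"]))
        for stmt in policy["Statement"]
    )


def allows_listing(policy: dict, bucket: str, requested_prefix: str) -> bool:
    """Simplified check: may the caller list `bucket` with this prefix parameter?"""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "s3:ListBucket" not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(bucket_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        patterns = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if patterns is None:  # unconditional ListBucket: the whole bucket is enumerable
            return True
        if any(fnmatch.fnmatchcase(requested_prefix, p) for p in _as_list(patterns)):
            return True
    return False


if __name__ == "__main__":
    policy = prefix_scoped_s3_policy("example-reports-bucket", "reports/2022/")
    print(json.dumps(policy, indent=2))
```

To make the resulting credentials short-lived, pass the generated document as the `Policy` parameter of an STS call (`AssumeRole` or `GetFederationToken`) instead of attaching it to a long-lived IAM user. The evaluator ignores Deny statements and every condition other than `s3:prefix`, so treat it as a sanity check on the generated document, not as a substitute for the IAM policy simulator.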
