#security | Cloud Security (1)

All about the shared responsibility model in the cloud. Includes topics like networking (VPC), authentication and authorization (IAM), and more.

KMS Key Policy Privilege Escalation

Encrypting data at rest is a widespread best practice on AWS. In 2019, Werner Vogels set the tone with his motivational slogan, “Dance like nobody’s watching. Encrypt like everyone is!”. AWS shipped the ability to encrypt data at rest for almost all its...

Read more

AWS Security Monitoring in 2023: Untangle the chaos

AWS security monitoring is a set of practices, tools, and processes designed to detect and respond to security threats and vulnerabilities within the Amazon Web Services (AWS) cloud environment. Sounds easy? In this blog post, I share how I use a variet...

Read more

Security Iceberg: AWS Security Hub the right way

This is a warning about AWS Security Hub. Organizations that use AWS Security Hub to monitor and mitigate risks pay too much attention to the visible part of the AWS security iceberg, namely the findings. These organizations tend to overlook or underest...

Read more

Application Authentication and Authorization on AWS

In this blog post, you will learn to implement authentication and authorization for your own HTTP(S)-based applications on AWS. Most applications offer some functionality only to authenticated clients. A client can be a human or a machine. Humans usuall...

Read more

How to create a security group allowing traffic from CloudFront only?

It is one of those problems for which there has been no satisfactory solution for years. How do you ensure that only CloudFront is granted access to an Elastic Load Balancer - CLB, ALB, or NLB? Without the ability to restrict incoming traffic, all of Cl...

Read more

Sanction Russia: Block traffic using CloudFront Geo Restriction

Russia attacked a sovereign state this week. Most states condemn the attack and impose sanctions. Among other things, sanctions are intended to mobilize the Russian population to rise up against their aristocrat Putin. As of today, cloudonaut is no long...

Read more

Enabling S3 Versioning is not a backup strategy

Here are three reasons why enabling S3 Versioning is not a backup strategy. Instead, you should consider AWS Backup for S3, which AWS released on February 18th, 2022. AWS Backup enables you to control and automate managing backups centrally. To do so, A...

Read more

AWS Security: Stephen Kuenzli and Andreas Wittig on IAM

Stephen Kuenzli and I lead several cloud migration projects. In this conversation, we shared our learnings focusing on AWS security and IAM (Identity and Access Management). The result is advice and inspiration that will help you in your daily work. Our...

Read more

EC2 Checklist: 7 things to do after launching an instance

Launching an EC2 instance takes minutes. Keeping your virtual machines secure and maintaining your VMs is more work. In this blog post, I share seven things to do after launching a Linux, Windows, or macOS instance: Configure remote access with SSM Ses...

Read more

The AWS Security Journey (2021)

A lot has happened in the area of security at AWS over the years. By now, AWS has released an exhaustive range of security services and the role of the security officer has changed significantly. This article looks back and forecasts where the journey w...

Read more

How I use AWS Security Hub

AWS Security Hub provides a centralized and org-wide overview of how well you are doing in terms of security. Security Hub follows two strategies to collect the needed information: First, Security Hub runs checks based on security standards. Second, Sec...

Read more

Managing application secrets: SSM Parameter Store vs. Secrets Manager

Many applications interact with external or internal systems like databases or REST APIs. When your application talks to another system, it usually authenticates with a secret, e.g., an API key, username + password, or a certificate. This leads to the q...

Read more

DNSSEC with Route 53: Protecting the core of the Internet

The Internet relies on DNS. This makes it all the more important to do everything possible to protect the global DNS infrastructure from attacks. Andreas explains how DNSSEC protects from DNS spoofing. During the demo you will learn how to enable DNSSEC...

Read more

A Deep Dive into AWS CloudTrail

Who made changes to sensitive parts of your cloud infrastructure? Capture audit logs with AWS CloudTrail. Learn how to analyze the audit logs with the help of CloudWatch Logs Insights or Athena. On top of that, we discuss how to rollout CloudTrail to al...

Read more

Does your VPC endpoint allow access to half of the Internet?

Are you using VPC endpoints to enable private connections between your VPC and AWS services? Drop everything and check the policy attached to your VPC Endpoint for S3. You might have allowed access to half of the Internet - assuming that half of the Int...

Read more

Debugging a VPC: Security Groups, Network ACLs, and Routing Tables

Configuring a VPC (Virtual Private Cloud) and firewalls (Security Groups and Network ACLs) is tricky. What to do when you cannot find the cause for a connection refused or connection timed out error when connecting to an EC2 instance, RDS database insta...

Read more

Transition to IMDSv2 on EC2 - Introduction, Preparation, Pitfalls

IMDSv2 can improve EC2 security. For a couple of weeks, AWS Foundational Security Best Practices recommends that EC2 instances use IMDSv2 (control EC2.8). This video explains why IMDSv2 is useful and what attacks it protects you against, including a li...

Read more

Have you replaced IAM Users with AWS SSO yet?

The most secure option to isolate workloads from each other is to use multiple AWS accounts. Many organizations use different AWS accounts for testing and production, for example. The more AWS accounts you use, the more complicated it gets to manage use...

Read more

AWS needs a bug bounty program

A few weeks ago, while evaluating an AWS service, I stumbled upon an issue with the way the AWS API evaluates IAM policies for a particular IAM action. I contacted aws-security@am&...

Read more

Terraform, can you keep a secret?

Did you know that Terraform state can - and most likely does - contain sensitive data? A few examples of sensitive information stored in the Terraform state: Initial password for an RDS instance. Unencrypted value fetched from SSM parameter (SecureStri...

Read more