Tag security

Three simple rules to avoid data leaking from S3

Three simple rules to avoid data leaking from S3

Reviewing AWS accounts with a focus on security is part of my day-to-day job. My most common finding: unwanted public read or write access to S3 buckets. Why is that? Because there are three different ways to define who can access your S3 buckets: IAM p...

Read more
Restricting Access to EC2 Instances Based on Tags

Restricting Access to EC2 Instances Based on Tags

The principle of least privilege is key when it comes to securing your infrastructure on AWS. For example, an engineer should only be able to control EC2 instances that are in scope for her day-to-day work. But how do you make sure an engineer is only a...

Read more
Analyzing CloudTrail with Athena

Analyzing CloudTrail with Athena

Which IAM users have been active within your AWS account within the last 30 days? Are all of the 999 IAM roles still in use, or can you remove some of them to clean up your infrastructure? Is it safe to remove the action s3:GetObject from the IAM policy...

Read more
Passwordless database authentication for AWS Lambda

Passwordless database authentication for AWS Lambda

Does your serverless application need to access an RDS database? Where do you store the username and the password required to authenticate with the database? Storing the password in plain text within your source code should not be an option. Same is tru...

Read more
AWS Security Primer

AWS Security Primer

I was preparing some AWS Security related training. Soon, I realized that this topic is too huge to fit into my brain. So I structured my thoughts in a mind map1. Within a couple of minutes2 I came up with this: What is your first reaction? Mine was pr...

Read more
Beyond the default: a Multi-VPC architecture

Beyond the default: a Multi-VPC architecture

I created my first AWS account on December 23, 2012. The one thing that surprised me most was the possibility to define private networks with Virtual Private Cloud (VPC). As this allowed me creating isolated areas, a fundamental prerequisite for buildin...

Read more
Improve Security (Groups) using VPC Flow Logs & AWS Config

Improve Security (Groups) using VPC Flow Logs & AWS Config

As mentioned in the previous post Your AWS Account is a mess? Learn how to fix it!, most AWS accounts are a mess. This can be a serious risk, especially for security-related resources like Security Groups. In this post, we will describe a technique to m...

Read more

Complete AWS IAM Reference

Writing IAM policies is hard. Following the principle of least privilege is even harder. To write a secure IAM policy you need to know: What actions are needed? Are resource-level permissions supported and on what levels? Are conditions supported to re...

Read more
Your AWS Account is a mess? Learn how to fix it!

Your AWS Account is a mess? Learn how to fix it!

Have you no wildcard ec2:* in your IAM policies? Your Security Group rules are as strict as possible? Your S3 Bucket Access Policies only contain rules you know? You know about every single resource that runs in your account? If so, stop reading and ple...

Read more

DevOps and Security #c9d9

What are some of the best practices for building security as an integral part of your tools and practices throughout your delivery pipeline? On Tuesday I participated in an online panel on the subject of DevOps and Security, as part of Continuous Discus...

Read more
Marbot Logo

Incident Management for Slack

Team up to solve incidents with our chatbot marbot. Never miss a critical alert. Escalate alerts from your AWS infrastructure among your team members. Strong integrations with all parts of your AWS infrastructure: CloudWatch, Elastic Beanstalk, RDS, EC2, ...

Slack icon
Try for free