Scott Piper
Cloud security historian. Developed https://t.co/ZXFwkuxUp4, CloudMapper, and Parliament. Founding team for @fwdcloudsec. Researcher at @wiz_io ✦
Jan 11, 2023 · 6 tweets
This will be a little chaotic. Different IAM privileges depending on when your account was created and they are retiring some privileges. This breaking change has everything.
- Short time line: Things start changing next Friday.
- Weekend breakage: Starts at 11am PT which is 7PM London time on Friday (why would you do this on Friday?).
- Console only functionality to check for affected policies (no API).
Oct 14, 2022 · 11 tweets
It's great to see a company talk about the migration and some of the gotchas of migrating to FIDO2 enforcement. "Buy yubikeys" is NOT the work involved in these efforts. I'm baffled that neither Yubico nor Okta offer meaningful assistance in these migrations. In a previous role I told Yubico I was looking to purchase 10,000 yubikeys and wanted assistance with the migration, and they didn't offer it. YubiEnterprise Delivery will ship yubikeys, but no assistance with planning enforcement, recovery processes for lost laptops, etc.
May 23, 2021 · 5 tweets
Random research today, I ranked the states by their population per _private_ sq mile of land. Alaska is only 4% private land (the size of South Carolina in terms of private land size), so the population per land you can actually own is higher than you expect. I was curious because land prices in the middle of nowhere mountains in Utah are more expensive than it seems it should be given the general population density, but Utah is 75% public land.
Land prices are of course affected by many other things than simply supply per person.
Dec 30, 2020 · 22 tweets
As the year wraps up, let's run through some of the worst public security mistakes and delays in fixes by AWS in 2020. A thread. First, that time when an AWS employee posted confidential AWS customer information including AWS access keys for those customer accounts to github.
Jul 17, 2020 · 21 tweets
Every week I get a message asking "Who is the version of you for Azure or GCP?" I don't know of anyone. I wrote a thread trying to motivate people to do this[1], so this thread will be about more specific actions to do this. 1/

[1] After encountering some success, one wonders how much was luck? (Right place, right time, knowing the right people, etc. vs hard work) This is my attempt at outlining the steps that are within your control.
May 17, 2020 · 12 tweets
Happy anniversary to Summit Route! 3 years ago today I started my AWS security consulting business.

With recent tech layoffs happening, perhaps I can offer some advice as I've had some success with this life path and believe there are similar consulting opportunities. I had been the sole security person at a company before this wearing too many hats. I wanted to focus and be an expert in something. I was doing our surveillance cameras, badge readers, appsec, corpsec, cloudsec, etc. I didn't know much about AWS security.
Aug 24, 2019 · 4 tweets
@halvarflake A common problem is lambda loops where the lambda writes to an S3 bucket, which causes a lambda to kick off, which writes to the S3 bucket, etc. medium.com/@asankha/lambd… @halvarflake Similarly, lambda tries to read from an event source, has an error and exits, a new lambda spawns trying to read the same event, errors and exits, etc. Something you thought might have a few lambda executions per day now has tens of thousands.
May 11, 2019 · 4 tweets
@GeorgeAlton It'd be interesting to go through a comparison of the cloud providers' security to point out the weaknesses of AWS. Ex. GCP encrypts all data at rest by default. AWS only does that for DynamoDB, Glacier, WorkMail, WorkDocs, Snowball, and Storage Gateway. @GeorgeAlton GCP: All inter-service traffic is encrypted.
AWS: Not always and not by default. Ex. ElasticSearch node-to-node encryption must be turned on (not the default) when you create the cluster: docs.aws.amazon.com/elasticsearch-…
Apr 10, 2019 · 6 tweets
I've taken an initial look at AWS's ElasticSearch Alerting. It's configured through Kibana or the ES REST interfaces, so it's not done via AWS APIs, so you won't be able to use CloudFormation to configure these like CloudWatch Alarms. You schedule how often these checks will run, and they then use ES queries to find matches.
Feb 28, 2019 · 7 tweets
@jvehent Yes, it works well and should be enabled. For what it does, it's both the best and cheapest solution. You don't need to turn on flow logs for GuardDuty to monitor that. It has separate, internal access to flow log data. It is also the only thing with access to VPC DNS data. @jvehent Similarly, you don't need to turn on CloudTrail for it to have access to that (although you should turn those on!). There are ways to bypass many of the GuardDuty alerts, like any IDS or AV, but in an incident you would likely have many of GuardDuty's rules alert.
Feb 2, 2019 · 4 tweets
I just heard a company plans to do a thing I'd been asking for for a long time. Such a great way to end the week, and makes my persistence feel worthwhile. A mentor of mine once explained to me the importance of having a stump speech 1/4 This is just some key points you repeatedly state in every interaction with a group of people. In his case, it was every time he talked to execs at our company, he would mention these points. 2/4
Jan 12, 2019 · 4 tweets
AWS Service count by month using botocore. I walked the git commits and recorded the count of services at that time. Currently 138 services by this measure (cat botocore/data/endpoints.json | jq '.partitions[0].services|keys|length') botocore's commit history goes back to 2012, but the directory structure changed at the start of 2016, which is why this only goes back that far right now.
Jan 2, 2019 · 4 tweets
Been working on a private project to help me audit AWS IAM least privileges better. Happy to chat more with interested folks. Uses Access Advisor data to show the privileges granted vs used. This screenshot shows the high level charts to help narrow in on the worst offenders. This screenshot is the generated graph of users and roles and which policies or groups they have.