Reminder, Security is not here to do this.
Hey folks, I am Jam Leomi, here to chime in with all the hot AWS tea while Corey is enjoying some new kiddo time. You may know me from various speaking engagements where I’ve spoken on DevOps, Ops, Security, and how those all combine for the best meme-ified content (see the salutation above, or, better yet, Honk the Planet 😉). Currently I’m the head coach of Security over at Honeycomb but I’ve been at all the fantastic companies, usually starting with a G. Outside of work, I try to stay sane and make pens. If you want to follow more of what I do, my random mixed bag of content can be found at @jamfish728 on Twitter and I write at blog.jam.fish.
From the Community
People might say traces can be used anywhere, but let’s face it: you absolutely need them when you’re dealing with distributed systems and microservices. You probably don’t have them yet because instrumenting your apps to collect them will get you super table-flippy. (╯°□°)╯︵ ┻━┻
Until now. Download Distributed Tracing: A Guide to Microservices & More and get the tracing you deserve the easy peasy way. Guess less & know more with Honeycomb. Sponsored
From all of us at Last Week in AWS / The Duckbill Group, a huge thank you for your support of our annual charity t-shirt fundraiser! With your help, we sold exactly 500 t-shirts and raised $15,225.63 for 826 National. <3 <3 <3 Shirts are scheduled to start shipping out this week, so be on the lookout.
One last tiny favor: Whether or not you took part in the fundraiser, would you take a moment to let us know your thoughts about it?
So for community stuff, I first wanted to highlight a person doing wonderful community type work, even if it isn’t AWS. Tiffani Ashley Bell, behind Human Utility is doing a huge service that I think doesn’t get a big enough platform. Especially in a time where clean water is a critical public health need, her and the crew are making sure families get it when they can’t afford it. And that’s how tech is speaking truth to power in action.
Scott Piper updated his paper AWS Security Maturity Roadmap that gives a different spin on securing AWS services. Though some things may be a bit extreme (some folks may not be able to create separate accounts), I think it’s good to have a doc for best practices that isn’t associated directly with a benchmark for better approachability.
Jobs
If you’ve got an interesting job for this newsletter’s eminently employable subscribers, get in touch!
If you’ve been working on infrastructure for a while (OK more than a week maybe) you’re sure to have Opinions on how our industry could improve the workflows we put in place to keep systems secure. Come work at Sym to help us build the platform to solve this! We’re looking for a Security & Infrastructure Engineer to lead our security program and improve the safety and reliability of our environment.
Do you hold a US Security Clearance? Do you want to build exciting things? Protect exciting secrets? Make big trouble for Moose and Squirrel? Check out the AWS Cleared Jobs and see if AWS might have a role that’s up your alley. Many restrictions apply; see page for details.
Chime is a challenger bank providing free banking & credit services – our mission is to give people financial peace of mind, we’re tangibly helping people in the real world, and we were recently valued as the #1 most valuable fintech company in the US (with a $14B valuation). We’re looking for AWS/Terraform experts who can help us secure our cloud infrastructure – if you’d like to learn more about it then we’d love to hear from you (for “How did you hear about this job?” please enter “LastWeekInAWS”).
Choice Cuts
Unhappy with your current cloud provider? Are you considering a hybrid or multicloud environment? Founded in 2003 with love for Linux, open-source technologies, and the communities surrounding them, Linode offers virtualized hosting, S3-compatible object storage, Kubernetes, GPUs, and more. Try Linode with $100 in free credit. Create your free account. Sponsored
In the Works – AWS Region in Hyderabad, India – Finally we’re getting the expansion announcement that is a big deal (enough where Corey did message in the early morning to make sure I put it in). All that aside, this huge for the India tech hub that is finally getting its due.
Amazon API Gateway now supports disabling the default REST API endpoint – Congratulations! You can now up your security by obscurity game by shutting down the default endpoint for your Amazon API endpoint. Let freedom from low-level bug bounty reports reign!!
Amazon Kendra achieves HIPAA eligibility – For the AWS fan person in your life you said “No, because compliance” to that one time, the intelligence-powered search service is now available to index and make all your service compliance dreams come true!
Amazon SES now offers list and subscription management capabilities – I bring this up because like all companies, you may have a marketing team that needs that email management boost, and this could make it easier on them. Value your non-engineer teams, folks.
Application Load Balancers enables gRPC workloads with end to end HTTP/2 support – HTTP/2 is a protocol I really appreciate and it’s good to see that it’s ability has been expanded to gRPC. Now if only more companies could ensure client connections made use of it.
Announcing AWS PrivateLink support for Amazon Braket – Now you don’t have to share or manage your loud braket on the public internet!! YAAAAY. But seriously though, private connections to VPCs is truly clutch, and a way to pipe down on compliance worries.
AWS Client VPN announces self service portal to download VPN profiles and desktop applications – Did anybody realize AWS had VPN? Cause I didn’t. Today I learned though! In any case, if you are in the know, AWS is making client onboarding even easier.
AWS Security Hub adds five new integrations and a new consulting partner – There’s a new list of integrations (including my favorite, prowler) to everyone’s soon-to-be favorite AWS Security tool. That being said, while I appreciate AWS giving us a buffet of integrations slapped on a haystack of a product nest, I think I’ll take my AWS Security a la carte.
Choosing the Right DNS Architecture for VMware Cloud on AWS – This primer on DNS with AWS and VMware should prove useful, because somewhere, out there, there is a person clinging onto VMWare being better than containers and the Kubernetes and yells at me to get off their lawn.
Onboarding and Managing Agents in a SaaS Solution – Using AWS IoT Core – This caught my eye as IoT is a thing and trying to manage agents in a SaaS solution sounded pretty dope. I mean, with IoT kind of being a security trash fire (unlike 2020 levels), why not give it a sword and shield to defend itself against Level 8 (aka User) vulnerabilities?
Field Notes: How to Identify and Block Fake Crawler Bots Using AWS WAF – Did I click on this because Bot detection is fun and could have applications beyond Crawler Bots? Yes. Will this be useful to the bottom line of my AWS bill to try it out? Depends on your threat model and your funding round. It’s a fun article if though if you use AWS Web Application Firewalls and and are trying to get fine-tuned when it comes to sharing your non-paywalled content.
Handling data erasure requests in your data lake with Amazon S3 Find and Forget – I found this one to be interesting as beyond legal laws, there really isn’t a good strategy around S3 and storage when it comes to servicing erasure requests. Though this talks about about one specific use case, if you already don’t have one, this might be something to look into if you’re figuring out your CCPA & GDPR solutions (or, improving them after an audit).
Definitive Guide to AWS EKS Security – Download eBook
When using Amazon’s Elastic Kubernetes Service (EKS), you must understand which pieces of the security management role fall on you. Use this 42-page eBook from StackRox to learn about EKS cluster security, including the standard controls and best practices for minimizing the risk around cluster workloads, as well as specific requirements for securing an EKS cluster and its associated infrastructure. Sponsored
Create a pipeline with canary deployments for Amazon EKS with AWS App Mesh – My first of two juicy Kube cuts, we have pipeline foo with Amazon. Though this is a great example of canary deployments, where’s the security background on this Amazon? Is there a part two?
Windows Authentication on Amazon EKS Windows pods – In our next and final addition to juicy Kube cuts, we have learning how to setup Windows Auth on EKS which apparently is new, but long awaited. So cheers, Windows server users, you made it into the Kubernetes ecosystem and now have to suffer like the rest of us.
Performing major version upgrades for Amazon Aurora MySQL with minimum downtime – This for my Ops/DBA folks!! It involves using blue-green deployments on backend services which while at first blew my mind, kind of reminded me of a replication DB swap, except with more resiliency. Still though, I think it’s pretty cool and would help a lot of folk.
Running Hyperledger Explorer on Amazon Managed Blockchain – Gonna be honest, only included this one because it’s Blockchain and all the cool kids love them some cryptocurrency technobabble. So have at it!
Automating deployments to Raspberry Pi devices using AWS CodePipeline – While doing things with Raspberry Pi’s doesn’t seem enterprise worthy, as King Bumi says, “you gotta open your brain to the possibilities”. Especially being stuck at home, why not tinker with some home automation?
Creating an intelligent ticket routing solution using Slack, Amazon AppFlow, and Amazon Comprehend – Another example in a how-to that you could potentially expand on. Always great to have more applications to automating tasks while slacking.
Introducing the COVID-19 Simulator and Machine Learning Toolkit for Predicting COVID-19 Spread – I don’t know how many biomedical data scientists are subscribed, but, if you have the energy, this might be something to take a gander at. For others, this is still a cool development that I hope can be of some use.
Building the future of robots development with ROS 2 – Because even Dirty Computers need open source software to run the world (and if you didn’t catch that, yes, it was Janelle Monáe reference).
Distributed tracing with OpenTelemetry – I love how this article is spreading the concept of OpenTelemetry to a new audience and helping folks still wrapping their head around it. That being said, ending is a little sus.
Building tech skills and jobs in America’s rural communities – In order for technology to move forward, we need to think about how we can make sure that everyone is included at the table. One of those groups are rural communities. The article reflects that, but I hope we also can include more of their voices and reasoning in further conversations.
How to implement password-less authentication with Amazon Cognito and WebAuthn – Stop trying to “Cognito” happen. It’s not going to happen. The fact that you have to jump Security, Ops, and Developer hoops to configure Cognito defeats it’s point in ease of use. And this is fact even before adding webauthn (which by itself is pretty cool and also because it’s Duo so of course its rad AF).
We’re reviewing security essentials in episode four of AWS Power Hour: Cloud Practitioner – Check out the latest in essential AWS Certifications that still won’t match up to having CISSP on your resume.
Tools
Stupendous news folks! My friends at ChaosSearch – the same ones who have cracked the code to efficient log analysis at massive scale (terabytes of daily ingest? No problem!), are launching a new 3 part webinar series on Nov 12th: “From Log Data to Visionary Clarity.” They’ll be diving head-first into how you can easily derive critical business intel from your raw CloudTrail data (Nov 12), ELB data (Nov 19) & VPC Flow Logs data (Dec 3). Register today, and see exactly how easy it is to make transformative changes to your current approach, and elevate your company’s decision-making capabilities overnight! I’ve been a huge fan of ChaosSearch – even before they started sponsoring my newsletter – join this 3-Part webinar series to see why! Sponsored
aquasecurity/kube-bench: kube-bench supports the tests for Kubernetes as defined in the CIS Kubernetes Benchmarks. – This tool actually can be run EKS cluster, though sidenote: EKS also has a CIS Benchmark which you should check out as well.
stackrox/kube-linter: KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices. – Sometimes beyond benchmarking, you just want to make sure things are running right with proper availability (as remember, that’s tenet of Security too).
… and that’s what happened Last Week in AWS.