Setlist

AWS Identity Centre makes access sane, but the config file still ends up full of manual work: every account, every permission set, every profile name. Setlist removes the tedium by building a full .aws/config from the permission sets you actually have provisioned. It walks AWS Organizations, pulls the permission sets per account, and writes clean profiles for each combination. If you want friendly names instead of 12-digit account IDs, it can map those too. ...

December 29, 2025 · 1 min · 91 words · Scott Brown

Introducing ECS Task Cleaner

If you’ve been running AWS ECS for any length of time, you’ve likely noticed something annoying: task definition revisions accumulate. Every deployment creates a new revision, and AWS never cleans up the old ones. Over years of active development, this adds up. I recently inherited an AWS account that had been running ECS workloads for about 6 years. When I looked at the task definitions, I found over 178,000 revisions spread across various task families. The AWS Console offers no bulk delete option, so cleaning these up manually would mean clicking through each revision one by one. That’s not happening. ...

December 27, 2025 · 3 min · 594 words · Scott Brown

Introducing Prism: A CLI for AWS Security Hub That Actually Makes Sense

If you’ve ever worked with AWS Security Hub, you know the feeling: thousands of security findings scattered across multiple accounts, buried in the AWS console, and no easy way to share them with your team. Sure, the data is there, but getting actionable insights? That’s a different story. That’s why I built Prism.

What is Prism?

Prism is a CLI tool that transforms AWS Security Hub findings into something you can actually work with. Written in Go, it collects security findings from AWS and presents them in multiple formats—interactive HTML reports, JSON exports, CSV spreadsheets, Markdown documents, or colourised terminal output. ...

December 4, 2025 · 5 min · 893 words · Scott Brown

Overlapping CIDRs: A Good Practice for Environment Isolation in AWS

When designing VPC architectures in AWS, conventional wisdom tells us to avoid overlapping CIDR blocks. Heck, every single company I’ve worked at has an infrastructure or network team beholden to this idea. The reasoning is straightforward: non-overlapping CIDRs allow you to connect VPCs via peering, Transit Gateway, or other networking constructs if needed later. But what if preventing that connection is exactly what you want? I have been given side-eye for even suggesting this practice before, but hear me out. ...

October 27, 2025 · 5 min · 926 words · Scott Brown

Automated Ledger Summaries By Email

A long time ago I wrote about my method of bookkeeping using Ledger CLI. Nearly 10 years later, I’m still using it to track my finances down to the penny. It’s an amazing tool, and has helped me identify problematic spending habits. But it does have one Achilles heel: it’s not very friendly to non-technical people. I share my finances with my family because I want to teach financial literacy and help them feel like they are a part of any decision-making activities related to money. Given that Ledger is text-based, they don’t need to install any programs. But because it is text-based, they need to learn to use a text editor and the terminal (I could import it into things like GnuCash, but I’m not going down that rabbit hole). To improve this accessibility problem, I devised an automated notification scheme whereby, once I finish updating the ledger, a summary is emailed to everyone. Here’s how I did it. ...

February 11, 2023 · 10 min · 2032 words · Scott Brown

Operationalizing the AlienVault Sensor CloudFormation Template - Part 4

This is part 4 in a series of articles. To follow along via code, visit the Github repository. In the last article, I reviewed the template for operational and security risks. Let’s go fix some of them now.

Making Unsafe Defaults Safe

First, some guard rails are added to the template. Remove the Default attribute from both SSHLocation and HTTPLocation, ensuring that the caller specifies them in the CloudFormation template. That way, if the caller does use 0.0.0.0/0, it is a decision they have made, not the template. ...

November 26, 2020 · 3 min · 555 words · Scott Brown

Operationalizing the AlienVault Sensor CloudFormation Template - Part 3

This is part 3 in a series of articles. To follow along via code, visit the Github repository. The last article discussed some refactoring using new(-ish) CloudFormation features, which help improve readability and reduce the template’s file size. This article temporarily moves away from template modifications and focuses on how someone can review a CloudFormation template for security and operational risks.

Parameters

Let’s start with the Parameters section, because that is going to tell us what dependencies we need to bring into this template from our AWS or organizational environment. ...

November 24, 2020 · 9 min · 1852 words · Scott Brown

Operationalizing the AlienVault Sensor CloudFormation Template - Part 2

This is part 2 in a series of articles. To follow along via code, visit the Github repository. In the last article, I showed how we can improve the operational capabilities of the AlienVault sensor deployment in AWS, simply by adding some automation and formatting changes to the generic CloudFormation template supplied to customers. Let’s further improve the YAML template to make it more readable and less code-heavy by using the newest features of CloudFormation. ...

November 22, 2020 · 8 min · 1578 words · Scott Brown

Operationalizing the AlienVault Sensor CloudFormation Template - Part 1

This is part 1 in a series of articles. To follow along via code, visit the Github repository. I recently needed to review the AlienVault Sensor deployment for AWS and, well, it left me wanting more. Many companies are smart to offer infrastructure-as-code for their appliances. It provides customers with a near one-click deployment model. It also provides customers with insight into what permissions, servers, and resources the appliance will require. The issue with vendor-supplied code is that it needs to apply to a generic customer base: a sort of lowest-common-denominator scenario where insecure defaults are needed to fit various environments and customers with various skill levels. ...

November 21, 2020 · 8 min · 1656 words · Scott Brown

Pushing Past Amazon SES Sandbox Limitations

I am working on a new project, Security Awareness for Busy People, and I accidentally found a trick to bypass one of the restrictions when working in the AWS SES sandbox. But first, can I just say that I love finding undocumented functionality in AWS? I feel like a techie version of Indiana Jones! AWS SES, or Simple Email Service, is a service provided by Amazon Web Services that allows customers to send emails. This is similar to services like SendGrid. Emails can be sent either via SMTP or through their API. It’s really cool, fairly cheap, and very easy to set up and get started. The best part is that you can hook your incoming or outgoing emails into the entire AWS ecosystem and process them automatically. But I digress. ...

February 28, 2020 · 3 min · 521 words · Scott Brown