Security

IAM provides a way for users and roles to become another role. This is known as IAM role switching and uses the underlying sts:AssumeRole action. You can restrict IAM role switching in one of two ways, what I like to call the single lock and double lock methods. With any IAM role switch, there involves a two-way handshake. The person (source) switching to the role (target) must be allowed to assume the role, plus the target must allow the source to assume it. That way, an IAM role switch can be used to switch between roles within the same account, or roles within different AWS account (maybe one that you don’t even own). ...

I don’t often talk of employer, mainly to keep an arm’s length distance between them and the writing on my blog. However, one of the great things about working at Unbounce is the concept of a Professional Development day (Pro-D). This is just like when you were in school and the teachers would take a day for themselves to improve. At Unbounce, every employee gets one day (8 hours) every 2 weeks to educate themselves and elevate their professional and career interests. Some of my best ideas have come out of things I learned on Pro-D day. Today, I decided to take a moment to learn about the AWS Systems Manager Session Manager (whoa, that’s a mouthful). ...

NB: Linebreaks (\) have been added to the CLI commands for readability. I am in the process of setting up an AWS account for my family and part of that initial setup is to create users and roles for family members. Everyone receives readonly privileges and has to assume an IAM to gain elevated privileges. The people who are allowed to assume these elevated privileges must have a valid MFA session. ...

Secrets management is a constant topic for debate in tech and security circles, even more so for users of cloud providers. There are solutions like Hashicorp Vault, Sneaker, and Credstash (even a locked down S3 bucket) that we have looked at using at Unbounce. Each solution has its own level of complexity to setup and maintain. All of these solutions suffer from the same problem, which I like to call “Step 0” or, how the heck do I manage the master key that unlocks everything? At some point in the encryption process, trust has to be established and that is the point where encryption cannot be used (Step 0). ...

This article demonstrates how you can quickly rotate your AWS keys in 2 minutes. Anything longer and I’m certain that nobody will do it. This is important as you should be in the habit of rotating these credentials often. Personally, I set reminders to change my keys every 30 days. Caveats You must have only one set of access keys created. Your IAM policy must allow you to manage your own keys. You must know where you store your AWS credentials (everyone is a bit different here). Key Rotation Process The process is thus: ...

Many people I speak with don’t have a security mindset, not because they aren’t aware of security, but rather that it doesn’t play a role in their life. As computers become more involved in our everyday lives, we all need to understand the security implications and defend against attacks. The only proper way to defend against something is to understand how it is attacked. I’ll paraphrase a tweet I saw on Twitter 1 about security, “An attacker uses maps, but defenders use lists.” To explain what this means in security terms, let’s look at the definition of those terms. ...

I am working with a client right now on their Web application. While creating an account to do testing, I noticed a glaring security issue that allows people to harvest usernames. This topic has been covered before, I am still surprised that it keeps popping up around the Web, but this time is a bit different. I should note that the client knows about the issue, but what I want to point out in this article is how insidious the issue becomes. ...