Sir Winston Churchill, introducing the Universal Cloud Threat Model to the House of Commons, June 1940.
Chris Farris in the Multicloud of Madness
Multicloud is Madness!!!!
Your organization is doing a poor job protecting the one cloud you have. Why in heaven’s name would you want to deploy into another cloud? In this two-part blog post, we’ll cover details from my HackCon 2024 talk “Chris Farris in the MultiCloud of Madness” (slides). Part one is here, and it covers all the weirdness between the three major hyperscalers - AWS, Azure, and GCP. The second part will provide checklists to help you establish Minimally Viable Cloud Governance in each cloud.
re:Invent 2023 recap
I’m back from re:Invent and still trying to adjust my sleep schedule (I’m on the East Coast and go to bed early; 6 pm Las Vegas time is my biological clock’s bedtime).
This year was one of my favorite re:Invents. I got to meet old and new co-workers and hang out with a lot of Community Builders and AWS Heroes, and talk to service teams about what they should do to make their products work more for the security 99%. I got to a couple of good chalk talks on GenAI and GenAI security, which will help inform my poking at that over the holidays.
As for announcements, in the last seven days, there were 195 things posted to AWS What’s New. These are the ones I care to follow up on.
For simplicity, we’ll break them down into:
- Security Features
- Cloud Governance & Costs
- Serverless Stuff
- GenAI & Bedrock
- Other nifty stuff that may only matter to me
- I just wanna Snark
AWS pre:Invent 2023
As has been my tradition the last few years, I prep for re:Invent by reviewing all the interesting announcements that happen in the weeks leading up to the event. This gives me a chance to keep an eye out for sessions and chalk talks related to things I care about, and a chance to corner an SA or product manager at the AWS Booth and go like this:
This year I’ll be attending AWS as a Security Hero. The good news for all 845,000 attendees is that I don’t have to wear tights. Instead, I’ll be hanging out in the Heroes lounge with the other Heroes and Community Builders (hopefully sipping mimosas during the keynotes).
Public Access Key - 2023
I deliberately published an Access Key and Secrets. Here’s what happened.
Deploying Terraform using CodePipeline
There is no canonical way to use Terraform in CodeBuild, with CodePipeline as the method to review plans before applying them. This post defines a CloudFormation template and the buildspec files needed to create a CodePipeline that runs terraform plan, allows a human to review it, then runs terraform apply.
An afternoon blogging with ChatGPT
With ChatGPT being all the rage, I decided to see if she (it?) could write my next blog post for me. I’d already written all the Steampipe queries and determined the security value behind the blog post. I just didn’t feel like writing it.
The post’s topic was on enumerating your network-plane cloud perimeter.
AWS pre:Invent 2022
My third annual pre:Invent roundup is posted over on Steampipe’s blog. You can also check out 2021 and 2020 if you’re so inclined.
Back in 2018, I wrote a semi-serious post on what you as a security practitioner should be looking for as it relates to re:Invent announcements.
There were a few hot-takes that didn’t warrant mention on my work post, so I’ll include them here for your general amusement.
Organizations CloudFormation
It’s pre:Invent 2022, the time of year AWS releases a bunch of new products and features that aren’t big enough to make it onto the keynote stage of re:Invent. One of my long-awaited features was released last night: CloudFormation support for AWS Organizations!
Before this release, the management of Service Control Policies, Organizational Units, and AWS Accounts was either artisanal or via third-party tools like org-formation. I can finally manage my AWS Organization using the same IaC as I manage the accounts in that organization.
Tailscale in the Enterprise
I feel like the phrase “disruptor” is an overused, Valley-Bro trope. However, I can’t think of a better phrase to describe Tailscale, and what it will do to the enterprise firewall and VPN market for the security 99%.