Chris Farris

Notes and commands from my presentation “The Cloud is Dark and Full of Terrors” at BSides Augusta

It’s 2021, time to revisit what you should do when setting up a new AWS Organization from scratch. I last visited this topic in January of 2017, but recently I needed to spawn a new org from a single account for the SECCCDC Links will go to blog posts I’ve written or AWS announcements. If I say “(cft)", the link will take you to a CloudFormation template to automate the task.

What is Macie? Amazon’s marketing describes Macie as: Amazon Macie automates the discovery of sensitive data at scale and lowers the cost of protecting your data. Macie automatically provides an inventory of Amazon S3 buckets including a list of unencrypted buckets, publicly accessible buckets, and buckets shared with AWS accounts outside those you have defined in AWS Organizations. Then, Macie applies machine learning and pattern matching techniques to the buckets you select to identify and alert you to sensitive data, such as personally identifiable information (PII).

What it is The Southeast Collegiate Cyber Defense Competition is an annual competition where 8 teams from various colleges have to defend their systems from Red Team attacks while also executing on management-type business challenges. It is typically held in the spring. With the pandemic still in place, this year’s competition could not be held on the KSU campus like usual. Instead they decided to try and run the competition remotely in AWS, with teams communicating via Zoom, and working off AWS Workspaces.

Welcome to the American Thanksgiving holiday, which for us cloud peeps is the quiet period between pre:Invent and re:Invent. Traditionally the run up to AWS re:Invent is chock full of feature releases (and some product releases) that don’t merit mention in Andy or Werner’s keynotes. As I was slammed with work things, I wasn’t following pre:Invent (and will probably miss much of the lame online re:Invent), so I’m going back and reviewing all the announcements for things of note to a serverless nerd or security geek.

Building a public cloud security program from scratch is a lot of work. There are a ton of things you need to do and figuring out what you need to do and the priority is critical. CIS publishes a list of 20 Critical Security Controls. While primarily focused at traditional IT data-center centric organizations, the concepts and the order of the 20 Controls provides a reasonably good road map for anyone looking to start their cloud security journey.

I seem to be spending a lot of time discussing the Cloud Service Provider’s (CSP) side of shared responsibility, and no where near enough time discussing our side of shared responsibility. Time to throw down more thoughts on why you need to worry less about AWS, Azure and GCP’s engineering, and spend more time focused on your own security hygiene. Don’t lose sight of the fact that "95 percent of cloud security failures will be the customer’s fault.

“Architect for the AWS you have, not the AWS you want” –Chris Farris, 2017 AWS is constantly innovating. This is both a blessing and a curse. It’s a blessing because things are getting better, cheaper, and faster. It’s a curse because the best way to accomplish an objective is constantly changing. I’m interested in auto-remediation. How do I revert a bad state to a good state without asking a human to fix something.

Defining a new term: Networkless Computing

(With apologies for the click-bait headline. It seems to be what all the cool kids are doing when they’re not on TikTok) (2024 update: Daniel Grzelak has penned an excellent write up of how S3 encryption works, and demonstrated that S3 encryption is nothing more than an additional layer of access control. Check out S3 Bucket Encryption Doesn’t Work The Way You Think It Works) I have spent way too much of my life the last three years in the cloud compliance and cloud security posture monitoring space.