Chris Farris

Cloud Security Guy

A brief primer on how to think about threat modeling GenAI applications.

Threat Modelling Cloud Service Providers in 2025

With the US Government acting in an erratic and hostile manner towards its traditional allies, it makes sense for companies not typically subject to US Jurisdiction to reconsider their threat models when using the big three cloud providers. All of them are US-based companies, and all three conduct a substantial amount of business with the US Government.

Implementing Security Invariants in an AWS Management Account

How do you deploy security invariants in an AWS org management account? With Permission Boundaries tied to every principal.

Farris's Three Laws of Auto Remediation

I’ve finally settled on the wording for Farris’s Three Laws of Cloud Security Auto Remediation.

How AWS needs to change

In previous posts, I took AWS to task for not making the customer’s security Job Zero. This offended some sensibilities, so let me lay out my 95 13 Thesis against the current AWS Culture and how it is neither Customer-Obsessed, nor makes security job zero.

AWS pre:Invent 2024

It’s once again pre:Invent, that magical season where AWS announces new features related to their legacy products (cloud) before they jump all-in on Generative AI magician gimmicks at re:Invent in Las Vegas. This is my 5th year doing a pre:Invent round up. I almost decided not to do one. pre:Invent wasn’t the GenAI wank-show I expected it to be. In fact, some several exciting features and services were announced.

Effective Techniques for AWS Ransomware

In order to profit effectively from a ransomware attack, a threat actor needs to have something to offer in return for payment. This blog post outlines a process to encrypt AWS resources and then revoke access to the secret material until the ransom is paid.

Apparently, this post caused some consternation at AWS, and perhaps this technique is too effective to publish here. So, the original post has been revised to remove the actual scripts, include some mitigations, and provide commentary on how both Public Cloud (AWS Included) and Generative AI are dangerous tools in the hands of the general public and need more regulation.

Your AWS Account is a floating cloud of garbage. Mine is too.

Cloud Hygiene is a Cloud Security problem, and we need to cleanup the pollution in our cloud environments

The Cloud is Darker and More Full of Terrors - Sec-T 2024

I reprise my Cloud is Dark and Full of Terrors talk, focusing on cloud security incidents, root causes, and who is to blame. Shared Responsibility is a shield that too many providers hide behind and it has to stop.

Public Cloud is the most insecure form of infrastructure, except for all the others.

Introducing the Universal Cloud Threat Model - a model anyone can use to cover 90% of the cloud attacks they may experience.

Wandering in a Winter Wonderland

In February of 2024 I visited Oslo Norway as part of HackCon. Here’s a post about getting around and not freezing to death in the Nordic winter

Chris Farris in the Multicloud of Madness

My journey of discovery into the cloud security differences of AWS, Azure, and GCP

Organizations CloudFormation

It’s pre:Invent 2022, the time of year AWS releases a bunch of new products and features that aren’t big enough to make it on the keynote state of re:Invent. One of my long-awaited features was released last night: CloudFormation support for AWS Organizations! Before this release, the management of Service Control Policies, Organizational Units, and AWS Accounts was either artisanal or via third-party tools like org-formation. I can finally manage my AWS Organization using the same IaC as I manage the accounts in that organization.

Posted: November 19, 2022 Last Updated: January 06, 2024 AWS , CloudSecurity , Technology

2022 Conference Roundup - Google Next, Microsoft Ignite and Oracle Cloud World

I tracked down the meaningful insights from the other cloud conferences. I didn’t come away with a rosy outlook for the future.

Posted: November 08, 2022 Last Updated: March 26, 2023

Mastodon

Like much of InfoSec Twitter, I’ve gone and created a profile on Jerry Bell’s Infosec.exchange. I’m not sure about this whole Mastodon thing. But then again, I created my Twitter account in 2009, and didn’t really start using it till 2017 or so. Anyway, I’m officially @jcfarris@infosec.exchange. I hope Twitter doesn’t implode. I got a lot of value out of it.

Posted: November 06, 2022 Last Updated: March 26, 2023

Tailscale in the Enterprise

I feel like the phrase “disruptor” is an overused, Valley-Bro trope. However I can’t think of a better phrase to describe Tailscale, and what it will do to the enterprise firewall and VPN market for the security 99%.

Posted: October 19, 2022 Last Updated: March 26, 2023 Technology , Steampipe

Enrich Splunk events with Steampipe

My latest post at Steampipe.io is Enrich Splunk events with Steampipe . This was a fun one to write because it was a culmination on my recent IR work at BSides Atlanta and BSides Augusta.

I’ve written some crazy contraptions to get this stuff into Splunk, and I’ve got to say, Steampipe made it super easy.

Posted: October 18, 2022 Last Updated: March 26, 2023 AWS , CloudSecurity , Technology , Steampipe

Can't miss Security Sessions at re:Invent 2022

I got a bug to tell everyone about the sessions I’m looking forward to at re:Invent this year. Check it out.

Posted: October 09, 2022 Last Updated: January 06, 2024 AWS , CloudSecurity , AWS re:Invent , Technology

Adventures in post-pandemic Asian travel.

I found myself taking a new job this fall. One surprising aspect of that job was they had scheduled a company all-hands in Kuala Lumpur (KL) in mid-September. So after our family trip to Amsterdam, Finland, Sweden, and Estonia, I now had a trip to South East Asia on my calendar. This post is mainly intended as random travel advice for visiting Malaysia, flying SkyTeam, dealing with internet access, etc. There will be minimal if any, cloud security content.

Posted: September 24, 2022 Last Updated: March 26, 2023 Travel , Singapore , Kuala Lumpur

Incident Response in AWS

At BSides Atlanta today I gave a talk on how to handle an incident in AWS. The talk and this post is intended to help those already familiar with the principles of Incident Response to understand what to do when the incident involves the AWS Control Plane. You can find the Slides here.

Posted: August 27, 2022 Last Updated: March 26, 2023 AWS , CloudSecurity , Technology

Stockholm & Tallinn - 2022

This is part three of Baltic Adventures. Part One captured the chaos of post-pandemic travel and our bonus tour of Amsterdam. Part two covered our four days in Finland. This part covers our time in Stockholm and Tallinn and the trip home.

Posted: July 14, 2022 Last Updated: March 26, 2023 Travel , Baltic Adventure

Finland - 2022

This is part two of Baltic Adventures. Part One captured the chaos of post-pandemic travel and our bonus tour of Amsterdam. This post will cover our 4 days in Finland.

Posted: July 12, 2022 Last Updated: January 06, 2024 Travel , Baltic Adventure