For three years, I have been on the Twilio Cloud Security team as an individual contributor and Tech Lead. I am passionate about delivering scalable and resilient infrastructure and software, and for many years, I enjoyed doing just that.
Service Control Policies (SCPs) are a powerful way to manage IAM across all of your accounts at scale, but they also introduce a single point of failure: one bad SCP can effectively lock every account out. Detecting unintended or unauthorized SCP changes is therefore critical to the stability and availability of your cloud environment.
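The detection idea above, as an added example that is not code from the original post: classify CloudTrail records from the Organizations API, keep a record of every SCP change, and raise the severity when the actor is not the expected deployment role or when SCP enforcement is switched off for a root. The sample records are constructed to look like CloudTrail events; the account ID, ARNs, policy IDs and the set of trusted principals are placeholders and assumptions.

```python
"""Detect Service Control Policy (SCP) changes in CloudTrail records.

Added example, not code from the original post. The records below are
constructed to look like CloudTrail events; the account ID, ARNs and policy
IDs are placeholders, and the set of trusted principals is an assumption.
"""
from typing import Dict, List, Optional

# Organizations API calls that create, edit, delete, attach or detach a policy,
# or switch a policy type off for a root. Each can change what every account
# in the organization may do, so all of them deserve a record and most an alert.
SCP_MUTATING_EVENTS = {
    "CreatePolicy", "UpdatePolicy", "DeletePolicy",
    "AttachPolicy", "DetachPolicy",
    "EnablePolicyType", "DisablePolicyType",
}

# Assumption: SCPs are deployed only by the IaC pipeline role; anyone else
# touching them is either an emergency or an intrusion.
TRUSTED_PRINCIPAL_ARNS = {
    "arn:aws:sts::111111111111:assumed-role/scp-deploy-pipeline/codebuild",
}


def is_scp_change(event: Dict) -> bool:
    """True if the record is an Organizations call that can alter SCPs."""
    if event.get("eventSource") != "organizations.amazonaws.com":
        return False
    if event.get("eventName") not in SCP_MUTATING_EVENTS:
        return False
    params = event.get("requestParameters") or {}
    # CreatePolicy and the *PolicyType calls name the policy type explicitly,
    # so tag/backup/AI-services policies can be ignored there. Update, Delete,
    # Attach and Detach only carry a policy ID; without a DescribePolicy lookup
    # they are treated as SCP-relevant (assumption: a false positive beats a miss).
    declared_type = params.get("type") or params.get("policyType")
    if declared_type is not None:
        return declared_type == "SERVICE_CONTROL_POLICY"
    return True


def triage(event: Dict) -> Optional[Dict]:
    """Return a finding for an SCP change, or None for anything else.

    Changes by the trusted pipeline are recorded at 'info'; any other actor is
    'high'. DisablePolicyType is 'critical': it removes SCP enforcement for the
    whole root in a single call.
    """
    if not is_scp_change(event):
        return None
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    params = event.get("requestParameters") or {}
    if event["eventName"] == "DisablePolicyType":
        severity = "critical"
    elif actor in TRUSTED_PRINCIPAL_ARNS:
        severity = "info"
    else:
        severity = "high"
    return {
        "time": event.get("eventTime"),
        "action": event["eventName"],
        "actor": actor,
        "policy_id": params.get("policyId"),
        "target_id": params.get("targetId") or params.get("rootId"),
        "severity": severity,
    }


def scan(records: List[Dict]) -> List[Dict]:
    """Run triage over a batch of CloudTrail records and keep the findings."""
    return [f for f in (triage(r) for r in records) if f is not None]


# Constructed sample records (the shape of CloudTrail events, not real data).
_ORG = "organizations.amazonaws.com"
_ACCT = "111111111111"
SAMPLE_RECORDS = [
    {   # pipeline role attaches an SCP: expected, record only
        "eventTime": "2024-05-01T10:00:00Z", "eventSource": _ORG, "eventName": "AttachPolicy",
        "userIdentity": {"arn": f"arn:aws:sts::{_ACCT}:assumed-role/scp-deploy-pipeline/codebuild"},
        "requestParameters": {"policyId": "p-examplescp1", "targetId": "ou-root-exampleou"}},
    {   # a human edits an SCP outside the pipeline: alert
        "eventTime": "2024-05-01T10:05:00Z", "eventSource": _ORG, "eventName": "UpdatePolicy",
        "userIdentity": {"arn": f"arn:aws:sts::{_ACCT}:assumed-role/AdminRole/alice"},
        "requestParameters": {"policyId": "p-examplescp1", "content": "{...}"}},
    {   # SCP enforcement switched off for the root: page someone
        "eventTime": "2024-05-01T10:06:00Z", "eventSource": _ORG, "eventName": "DisablePolicyType",
        "userIdentity": {"arn": f"arn:aws:sts::{_ACCT}:assumed-role/AdminRole/alice"},
        "requestParameters": {"rootId": "r-examp", "policyType": "SERVICE_CONTROL_POLICY"}},
    {   # read-only call: noise
        "eventTime": "2024-05-01T10:07:00Z", "eventSource": _ORG, "eventName": "DescribePolicy",
        "userIdentity": {"arn": f"arn:aws:sts::{_ACCT}:assumed-role/ReadOnly/bob"},
        "requestParameters": {"policyId": "p-examplescp1"}},
    {   # a tag policy, not an SCP: ignore
        "eventTime": "2024-05-01T10:08:00Z", "eventSource": _ORG, "eventName": "EnablePolicyType",
        "userIdentity": {"arn": f"arn:aws:sts::{_ACCT}:assumed-role/AdminRole/alice"},
        "requestParameters": {"rootId": "r-examp", "policyType": "TAG_POLICY"}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

In production the same `triage` logic sits behind an EventBridge rule or a CloudTrail Lake query rather than a static list; the point is that the organization management account is the only place SCP API calls show up, so CloudTrail for that account must be protected and watched at least as carefully as the SCPs themselves.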
AWS CloudFormation Parameters can carry a regular-expression constraint (AllowedPattern). We can use this to enforce resource tags whenever stacks are created or updated through CloudFormation.
Roles with persistent elevated permissions are risky and are a high-value target for attackers. Yet infrequent elevated privileges are still needed to manage cloud infrastructure. A time-based pattern gives the platform and security teams the access they need while limiting the lifespan of escalated permissions, and every request for elevation should be logged for later audit and threat detection.
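One way to make the time-based pattern concrete, as an added example rather than the original post's implementation: generate the elevated permissions as an IAM policy document whose only statement carries a window on the real `aws:CurrentTime` condition key, and emit an audit record for every grant. Because IAM evaluates the condition on every request, the permissions stop at the expiry even if the session credentials are still valid. The one-hour cap, the ticket-based Sid and the audit record layout are assumptions; the account ID is a placeholder.

```python
"""Time-bound elevated access as an IAM policy with an explicit expiry.

Added example, not the original post's code. It uses the real IAM condition
key aws:CurrentTime with the DateGreaterThanEquals / DateLessThan operators;
the one-hour cap, the ticket naming and the audit record layout are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

IAM_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
MAX_ELEVATION_MINUTES = 60  # assumption: no single grant outlives an hour


def parse_iam_time(text: str) -> datetime:
    """Parse an aws:CurrentTime style timestamp (UTC, 'Z' suffix)."""
    return datetime.strptime(text, IAM_TIME_FMT).replace(tzinfo=timezone.utc)


def format_iam_time(ts: datetime) -> str:
    """Render a timezone-aware datetime in the format IAM date conditions expect."""
    if ts.tzinfo is None:
        raise ValueError("use timezone-aware datetimes so the window is unambiguous")
    return ts.astimezone(timezone.utc).strftime(IAM_TIME_FMT)


def build_elevation_policy(actions: List[str], resources: List[str],
                           granted_at: datetime, duration_minutes: int,
                           ticket: str) -> Dict:
    """Policy document that allows `actions` only while
    granted_at <= aws:CurrentTime < granted_at + duration.

    Attach it as an inline policy on the break-glass role, or pass it as the
    session policy to sts:AssumeRole. Nobody has to remember to revoke it.
    """
    if not 0 < duration_minutes <= MAX_ELEVATION_MINUTES:
        raise ValueError(f"duration must be 1..{MAX_ELEVATION_MINUTES} minutes")
    if not ticket.isalnum():
        raise ValueError("ticket becomes part of the Sid, which IAM limits to [A-Za-z0-9]")
    expires_at = granted_at + timedelta(minutes=duration_minutes)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"Elevated{ticket}",
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": list(resources),
            "Condition": {
                "DateGreaterThanEquals": {"aws:CurrentTime": format_iam_time(granted_at)},
                "DateLessThan": {"aws:CurrentTime": format_iam_time(expires_at)},
            },
        }],
    }


def is_active(policy: Dict, now: datetime) -> bool:
    """Mirror IAM's evaluation of the date window for a request made at `now`."""
    cond = policy["Statement"][0]["Condition"]
    start = parse_iam_time(cond["DateGreaterThanEquals"]["aws:CurrentTime"])
    end = parse_iam_time(cond["DateLessThan"]["aws:CurrentTime"])
    return start <= now.astimezone(timezone.utc) < end


def audit_record(policy: Dict, requester: str, reason: str) -> str:
    """One JSON line per grant, for the SIEM and for later review."""
    stmt = policy["Statement"][0]
    cond = stmt["Condition"]
    return json.dumps({
        "event": "elevation_granted",
        "requester": requester,
        "sid": stmt["Sid"],
        "actions": stmt["Action"],
        "resources": stmt["Resource"],
        "starts": cond["DateGreaterThanEquals"]["aws:CurrentTime"],
        "expires": cond["DateLessThan"]["aws:CurrentTime"],
        "reason": reason,
    }, sort_keys=True)


if __name__ == "__main__":
    granted = parse_iam_time("2024-05-01T09:00:00Z")
    policy = build_elevation_policy(
        ["iam:AttachRolePolicy", "iam:PutRolePolicy"],
        ["arn:aws:iam::111111111111:role/*"],  # placeholder account
        granted, 30, "SEC1234")
    print(json.dumps(policy, indent=2))
    print(audit_record(policy, "alice@example.com", "rotate CI role policy"))
    for probe in ("2024-05-01T08:59:59Z", "2024-05-01T09:15:00Z", "2024-05-01T09:30:00Z"):
        state = "active" if is_active(policy, parse_iam_time(probe)) else "outside window"
        print(probe, state)
```

Two caveats a reviewer would raise: the window is only as good as the clock on the AWS side, which is fine, and as good as the principal's inability to edit the policy, which means the break-glass role itself must not be allowed to touch its own inline policies; and the audit line should be written before the policy is attached, so a failed attach still leaves a trace of who asked.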
The Serverless Framework provides scaffolding, workflow automation, and best practices for developing and deploying a serverless architecture. However, its setup steps instruct you to create an IAM user with static access keys. Long-lived access keys are almost never a good practice. Instead, we are going to set up a deployment pipeline for your Serverless application, removing the dependency on static credentials and improving the resiliency of your system.
In a modern cloud environment, where engineers are given broad, democratized access, guardrails are essential. Prevention is ideal, but detection is a must. How does a security team scale its detection and response capability with the (hyper)growth of the organization? In this post, I briefly go over lessons learned from remediating cloud misconfigurations and vulnerabilities with AWS Step Functions.
So you have decided to move to a multi-account model for your AWS account structure. The natural next question is how to centrally manage infrastructure across all of those accounts. This post equips you with some knowledge and tooling to make that easier: we are going to explore using AWS CloudFormation StackSets to deploy Infrastructure as Code (IaC) to all of your AWS accounts.
Software development consists of four major parts: coding, testing, listening, and designing.
“Starting a company is like throwing yourself off a cliff and assembling an airplane on the way down.”