Rotate your credentials and don’t forget MFA

Thumbnail

According to the Well-Architected Framework and the least privileges principle, you should change your access keys and login password regularly. Therefore the user should have the right to edit their credentials. But only their own. Also using MFA - multi-factor authentication enhances the security even more. Therefore the user should be able to change MFA. But only their own. But how to do that? You have to combine two parts of AWS documentation. We will show you how you provide a “self-editing” group for your users with the CDK.

Read more →

According to the Well-Architected Framework and the least privileges principle, you should change your access keys and login password regularly. Therefore the user should have the right to edit their credentials. But only their own. Also using MFA - multi-factor authentication enhances the security even more. Therefore the user should be able to change MFA. But only their own. But how to do that? You have to combine two parts of AWS documentation. We will show you how you provide a “self-editing” group for your users with the CDK.

Read more →

Three hurdles to skip before using the secure Instance Metadata Service V2

Thumbnail

Do not use new Instance Metadata Service V2 (imdsv2) without proper prevention!

You may think you can use Instance Metadata Service V2 right away, but there are a few caveats: Many old modules do not work with imdsv2 yet. We look at aws cli, the Systems Manager agent and the Instance Connect service. Currently, these services will not work with imdsv2 on an EC2 instance with the latest Amazon Linux 2 image out of the box. Here you can read how to make them work!

Read more →

Do not use new Instance Metadata Service V2 (imdsv2) without proper prevention!

You may think you can use Instance Metadata Service V2 right away, but there are a few caveats: Many old modules do not work with imdsv2 yet. We look at aws cli, the Systems Manager agent and the Instance Connect service. Currently, these services will not work with imdsv2 on an EC2 instance with the latest Amazon Linux 2 image out of the box. Here you can read how to make them work!

Read more →

Defenders - caller based EC2 security with CDK

Thumbnail
Defenders: Caller based EC2 security The risk with security credentials is that they get exposed an are being used elsewhere. What if we could prevent that the are being used elsewhere. The idea from the article of William Bengston from netflix was: Dynamically locking credentials to the environment. This implementation of this idea is much more simple with the cdk. So, let’s defend ourselves! Our story here is the battle of the defenders ™.
Read more →
Defenders: Caller based EC2 security The risk with security credentials is that they get exposed an are being used elsewhere. What if we could prevent that the are being used elsewhere. The idea from the article of William Bengston from netflix was: Dynamically locking credentials to the environment. This implementation of this idea is much more simple with the cdk. So, let’s defend ourselves! Our story here is the battle of the defenders ™.
Read more →

Verschlüsselung von Daten auf AWS S3

Thumbnail
Das Thema Datensicherheit und damit auch Verschlüsselung ist bei unseren deutschen Amazon Web Services Kunden eigentlich ein Dauerthema. Amazon AWS trägt diesem Bedürfnis zunehmend mehr Rechnung und hat gerade gestern wieder eine entsprechende Erweiterung der S3 Dienste veröffentlicht. Hier nun eine Übersicht, über die von Amazon Web Services angebotenen Verschlüsselungsoptionen für Ihre Daten auf S3: Transparente Verschlüsselung auf Basis von Amazon AWS gemanagten Keys (bereits seit 11.2011 verfügbar): pro Datei (Objekt) auf S3 können Sie unter Properties / Details die Server Side Encryption mit AES256 manuell aktivieren.
Read more →
Das Thema Datensicherheit und damit auch Verschlüsselung ist bei unseren deutschen Amazon Web Services Kunden eigentlich ein Dauerthema. Amazon AWS trägt diesem Bedürfnis zunehmend mehr Rechnung und hat gerade gestern wieder eine entsprechende Erweiterung der S3 Dienste veröffentlicht. Hier nun eine Übersicht, über die von Amazon Web Services angebotenen Verschlüsselungsoptionen für Ihre Daten auf S3: Transparente Verschlüsselung auf Basis von Amazon AWS gemanagten Keys (bereits seit 11.2011 verfügbar): pro Datei (Objekt) auf S3 können Sie unter Properties / Details die Server Side Encryption mit AES256 manuell aktivieren.
Read more →