CloudSecurity

Farris's Three Laws of Auto Remediation

I’ve finally settled on the wording for Farris’s Three Laws of Cloud Security Auto Remediation:

  • A bot must never harm stateful data or allow stateful data to come to harm.
  • A bot must act with utmost haste so functionality doesn’t become dependent on a misconfiguration.
  • A bot must announce its existence and tell a carbon-based life form what it did and why.

I think these reflect the key tenants of auto-remediation while staying true to the original source of the Three Laws.


AWS pre:Invent 2024

It’s once again pre:Invent, that magical season where AWS announces new features related to their legacy products (cloud) before they jump all-in on Generative AI magician gimmicks at re:Invent in Las Vegas. Once again, I will be in attendance at re:Invent, although I start to question my life choices every time I get off the plane in Vegas and am hit by the dry air, cigarette smoke, and insanely bright lights. Oh, right, I agreed to do a breakout session with Rich Mogull: DEV401 - Security invariants: From enterprise chaos to cloud order. We’re in Mandalay Bay (which is on the ass end of the strip) and in a silent disco setup, so I won’t be offended if you don’t attend, but if you do, Rich and I will probably set up for lunch somewhere afterward and talk about practical cloud security.

This is also my 5th year doing a pre:Invent round up. I almost decided not to do one. I’m in Germany this Thanksgiving week giving thanks that I’m not in the US for a bit. But at least it is conditioning me for the cigarette smoke onslaught I’ll experience in the casinos.


Effective Techniques for AWS Ransomware

In order to profit effectively from a ransomware attack, a threat actor needs to have something to offer in return for payment. This blog post outlines a process to encrypt AWS resources and then revoke access to the secret material until the ransom is paid.

Apparently, this post caused some consternation at AWS, and perhaps this technique is too effective to publish here. So, the original post has been revised to remove the actual scripts, include some mitigations, and provide commentary on how both Public Cloud (AWS Included) and Generative AI are dangerous tools in the hands of the general public and need more regulation.


The Cloud is Darker and More Full of Terrors - Sec-T 2024

In September 2024, I returned to Stockholm to give a talk at Sec-T. The Slides are here, and the YouTube Video is here.

In the last year or so talking to organizations of all sizes, shapes, and security budgets, it’s become clear there is a deeper problem than just “developers don’t know how to not make a bucket public”. How we as an industry use the public cloud is fundamentally unsafe. We wouldn’t give any random 16-year-old kid with a driver’s license a 787 to fly. Yet, with the public cloud, anyone with a credit card can sign up for one of the most technically complex creations the IT Industry has ever created. Engineers fresh out of school are given access to enterprise cloud tenants and told to deploy their applications. At no point do the cloud providers take reasonable measures to ensure you are qualified to operate the cloud safely, nor are their default auto-pilot settings all that safe.


Chris Farris in the Multicloud of Madness

Multicloud is Madness!!!!

Your organization is doing a poor job protecting the one cloud you have. Why in heaven’s name would you want to deploy into another cloud? In this two-part blog post, we’ll cover details from my HackCon 2024 talk “Chris Farris in the MultiCloud of Madness” (slides). Part one is here, and it covers all the weirdness between the three major hyperscalers - AWS, Azure, and GCP. The second part will provide checklists to help you establish Minimally Viable Cloud Governance in each cloud.


SecurityHub revisited

So earlier this year, I wrote (and then much later published) a blog post ripping AWS Security Hub. That led to conversations with folks on that team, and I got a chance to look at Security Hub’s new Central Configuration capabilities.

In short - this is an improvement for folks who use Security Hub and the built-in Security Standards. Sadly, it doesn’t solve many of the presentation issues that conflate “Compliance” and “Security”.


re:Invent 2023 recap

I’m back from re:Invent and still trying to adjust my sleep schedule (I’m on the East Coast and go to bed early; 6 pm Las Vegas time is my biological clock’s bedtime).

This year was one of my favorite re:Invents. I got to meet old and new co-workers and hang out with a lot of Community Builders and AWS Heroes, talk to service teams about what they should do to make their products work more for the security 99%. I got to a couple of good chalk talks on GenAI and GenAI security, which will help inform my poking at that over the holidays.

As for announcements, in the last seven days, there were 195 things posted to AWS What’s New. These are the ones I care to follow up on.

For simplicity, we’ll break them down into: