Chris Farris

Cloud Security Guy

I’ve finally settled on the wording for Farris’s Three Laws of Cloud Security Auto Remediation.

In previous posts, I took AWS to task for not making the customer’s security Job Zero. This offended some sensibilities, so let me lay out my 95 13 Thesis against the current AWS Culture and how it is neither Customer-Obsessed, nor makes security job zero.

AWS pre:Invent 2024

It’s once again pre:Invent, that magical season where AWS announces new features related to their legacy products (cloud) before they jump all-in on Generative AI magician gimmicks at re:Invent in Las Vegas. This is my 5th year doing a pre:Invent round up. I almost decided not to do one. pre:Invent wasn’t the GenAI wank-show I expected it to be. In fact, some several exciting features and services were announced.

Effective Techniques for AWS Ransomware

In order to profit effectively from a ransomware attack, a threat actor needs to have something to offer in return for payment. This blog post outlines a process to encrypt AWS resources and then revoke access to the secret material until the ransom is paid.

Apparently, this post caused some consternation at AWS, and perhaps this technique is too effective to publish here. So, the original post has been revised to remove the actual scripts, include some mitigations, and provide commentary on how both Public Cloud (AWS Included) and Generative AI are dangerous tools in the hands of the general public and need more regulation.

Your AWS Account is a floating cloud of garbage. Mine is too.

Cloud Hygiene is a Cloud Security problem, and we need to cleanup the pollution in our cloud environments

The Cloud is Darker and More Full of Terrors - Sec-T 2024

I reprise my Cloud is Dark and Full of Terrors talk, focusing on cloud security incidents, root causes, and who is to blame. Shared Responsibility is a shield that too many providers hide behind and it has to stop.

Public Cloud is the most insecure form of infrastructure, except for all the others.

Introducing the Universal Cloud Threat Model - a model anyone can use to cover 90% of the cloud attacks they may experience.

Wandering in a Winter Wonderland

In February of 2024 I visited Oslo Norway as part of HackCon. Here’s a post about getting around and not freezing to death in the Nordic winter

Chris Farris in the Multicloud of Madness

My journey of discovery into the cloud security differences of AWS, Azure, and GCP

SecurityHub revisited

Earlier this year, I wrote a blog post ripping AWS Security Hub. That led to conversations with folks on that team, and I got to look at Security Hub’s new Central Configuration capabilities.

re:Invent 2023 recap

My breakdown of the key announcements security folks should know about from AWS re:Invent 2023.

AWS pre:Invent 2023

There were 511 AWS announcements in pre:Invent season. I breakdown and snark about 43 of them relating to security and governance.

re:Invent 2023 recap

I’m back from re:Invent and still trying to adjust my sleep schedule (I’m on the East Coast and go to bed early; 6 pm Las Vegas time is my biological clock’s bedtime).

This year was one of my favorite re:Invents. I got to meet old and new co-workers and hang out with a lot of Community Builders and AWS Heroes, talk to service teams about what they should do to make their products work more for the security 99%. I got to a couple of good chalk talks on GenAI and GenAI security, which will help inform my poking at that over the holidays.

As for announcements, in the last seven days, there were 195 things posted to AWS What’s New. These are the ones I care to follow up on.

For simplicity, we’ll break them down into:

Posted: December 03, 2023 Last Updated: December 07, 2023 AWS , CloudSecurity , Technology , AWS re:Invent

AWS pre:Invent 2023

As has been my tradition the last few years, I prep for re:Invent by reviewing all the interesting announcements that happen in the weeks leading up to the event. This gives me a chance to keep an eye out for sessions and chalktalks related to things I care about, and a chance to corner an SA or product manager at the AWS Booth and go like this:

This year I’ll be attending AWS as a Security Hero. The good news for all 845,000 attendees is that I don’t have to wear tights. Instead I’ll be hanging out in the Heroes lounge with the other Heroes and Community Builders (hopefully sipping mimosas during the keynotes).

Posted: November 22, 2023 Last Updated: November 22, 2023 AWS , CloudSecurity , Technology , AWS re:Invent

The Consistently Inconsistence response to Access Key Leaks

So I did it again. Proving I’m the most incompetent Security Hero EVER, I committed eight different access keys to a public GitHub repository for eight different AWS Accounts.

What is fascinating is the consistently inconsistent response of AWS support. Behold a tale of seven cities and a professor.

Posted: October 03, 2023 Last Updated: October 03, 2023 AWS , CloudSecurity , Rants

Security Hub gives me imposter syndrome

I’m about 30 days¹ into building my fourth cloud security program. I want to avoid the mistakes or the past and focus on meaningful risk rather than compliance and security theater.

Coming on board, Security Hub was being used, and not wanting to rock the boat too much, I decided to enable it everywhere and use it for my KRI measurements.

Sadly, Security Hub failed to provide any valuable metrics. It generated so many findings that even I, someone who allegedly knows about cloud security, wanted to give up and raise Alpaca in North Georgia.

So, sit back and enjoy my review of AWS Security Hub.

Posted: October 01, 2023 Last Updated: October 01, 2023 AWS , Governance , CloudSecurity , Rants

Defining the Sensitive IAM Actions

Way back when I was working at Turner and deploying security audit roles, there were concerns over the level of access the ReadOnlyAccess policy would provide. We would have access to data that we were legally obligated to protect, but due to licensing and competition reasons, we could not be allowed to access. At the time, the specific division I was working with only stored this data in S3 and DynamoDB, so crafting a workaround that met everyone’s needs was reasonably straightforward.

Fast forward five years. AWS has gotten more complex, there are more services, and there still is no clear delineation between the access needed to audit an environment vs the access to the data in the environment.

Posted: August 11, 2023 Last Updated: August 11, 2023 AWS , IAM , CloudSecurity

AWS Security Hero

I’ve apparently been selected as one of the first cohorts of AWS Security Heroes. I was hoping for the title of Microsoft Security Villian, but I’ve got to admit I’m pretty honored.

Posted: August 01, 2023 Last Updated: January 06, 2024 AWS , CloudSecurity

Incident Response in AWS

Last year, I did a two-day training at BSides Augusta focused on conducting incident response in AWS. I had fun, the students gave me positive feedback, and BSides Augusta has invited me back to do it again.

Posted: July 22, 2023 Last Updated: January 06, 2024 AWS , Incident Response , CloudSecurity

Pen Testing AWS

This past weekend I spoke at BSides Nashville - Get outta my host and into my cloud: A primer for offensive operations in AWS. This talk was similar to my talk last year on Incident Response in AWS at BSides Atlanta. The intent was not to teach pentesting or red teaming, but rather helping to spread cloud knowledge to those who do that on a daily basis.

Posted: April 15, 2023 Last Updated: April 15, 2023 AWS , CloudSecurity , PenTesting

Announcing my consulting practice

I’ve decided it’s time for me to launch my consulting business. I’ve been doing cloud and cloud security for almost ten years now, and I’ve seen a lot of issues. PrimeHarbor’s focus is to help solve cloud security challenges at their source.
The ultimate shift-left security flex is to educate and empower developers and engineers

Posted: March 29, 2023 Last Updated: March 30, 2023 Announcements , CloudSecurity

Public Access Key - 2023

I deliberately published an Access Key and Secrets. Here’s what happened.

Posted: March 25, 2023 Last Updated: January 06, 2024 AWS , CloudSecurity , Technology