Chris Farris

I’m about 30 days¹ into building my fourth cloud security program. I want to avoid the mistakes or the past and focus on meaningful risk rather than compliance and security theater.

Coming on board, Security Hub was being used, and not wanting to rock the boat too much, I decided to enable it everywhere and use it for my KRI measurements.

Sadly, Security Hub failed to provide any valuable metrics. It generated so many findings that even I, someone who allegedly knows about cloud security, wanted to give up and raise Alpaca in North Georgia.

So, sit back and enjoy my review of AWS Security Hub.

Way back when I was working at Turner and deploying security audit roles, there were concerns over the level of access the ReadOnlyAccess policy would provide. We would have access to data that we were legally obligated to protect, but due to licensing and competition reasons, we could not be allowed to access. At the time, the specific division I was working with only stored this data in S3 and DynamoDB, so crafting a workaround that met everyone’s needs was reasonably straightforward.

Fast forward five years. AWS has gotten more complex, there are more services, and there still is no clear delineation between the access needed to audit an environment vs the access to the data in the environment.

I’ve apparently been selected as one of the first cohorts of AWS Security Heroes. I was hoping for the title of Microsoft Security Villian, but I’ve got to admit I’m pretty honored.

Last year, I did a two-day training at BSides Augusta focused on conducting incident response in AWS. I had fun, the students gave me positive feedback, and BSides Augusta has invited me back to do it again.

This past weekend I spoke at BSides Nashville - Get outta my host and into my cloud: A primer for offensive operations in AWS. This talk was similar to my talk last year on Incident Response in AWS at BSides Atlanta. The intent was not to teach pentesting or red teaming, but rather helping to spread cloud knowledge to those who do that on a daily basis.

I’ve decided it’s time for me to launch my consulting business. I’ve been doing cloud and cloud security for almost ten years now, and I’ve seen a lot of issues. PrimeHarbor’s focus is to help solve cloud security challenges at their source.
The ultimate shift-left security flex is to educate and empower developers and engineers

I deliberately published an Access Key and Secrets. Here’s what happened.

There is no canonical way to use Terraform in CodeBuild, with CodePipeline as the method to review plans before applying them. This post defines a Cloudformation template and the buildspec files needed to create a CodePipeline that runs terraform plan, allows a human to review it, then runs terraform apply.

For MLK weekend, Leo and I made a quick trip to LA. My primary reason was to conduct a quick site survey of Anaheim for fwd:cloudsec 2023. I bribed Leo to come along by promising a day at Disneyland.

This is the story of how I spent $2621 to ride Rise of the Resistance.

Our final trip this year was to Morocco. We flew AirFrance from ATL to CDG, then from CDG to Marrakech. In Morocco, we spent two days in Marrakech, took the train to Tangier, then a Grand Taxi to Chefchaouen for an overnight, then back to Tangier and Casablanca. Our flight home had an 18-hour layover in Paris, so we also got a little bit of sightseeing there. Many blogs talk about backpacking or visiting Morocco, but they always leave out a few practical details that I wish I’d known before leaving.