Category: Security

AWS Security Checklist


Identity & Access Management Secure AWS account (AWS organization, MFA).Rely on centralized identity provider (SSO).Use multiple AWS accounts ot separate workloads and workloads stages such as production and non-production (SCP, Guardrails, Control Tower).Store and use secret securely (STS, Secrets Manager). Detection Enable foundation security services (AWS CloudTrail, Amazon GuardDuty, and AWS Security Hub).Configure service and … Continue reading AWS Security Checklist

ELBv2 ALB Security Group Check in Cloud Conformity


We use Cloud Conformity as a compliance check tool against our AWS environments. Recently, there is a new check failed - ELBv2 ALB Security Group, and the given reason is Load Balancer [alb-d-LoadB-XXXXXXXX] is not associated with valid and secure security groups. I have confirmed that the ALB is associated with a valid and security … Continue reading ELBv2 ALB Security Group Check in Cloud Conformity

Service Role for CodeBuild


Do you notice anything that is not right in the following CloudFormation template? ... Resources: CodeBuildServiceRole: # IAM role for the codebuild project. Type: AWS::IAM::Role Properties: RoleName: !Sub ${ProjectName}-CodeBuild-ServiceRole Path: /team-abc/ AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Action: ['sts:AssumeRole'] Effect: Allow Principal: Service: ['codebuild.amazonaws.com'] Policies: - PolicyName: !Sub ${ProjectName}-CodeBuild-Policy PolicyDocument: Version: "2012-10-17" Statement: - Action: # … Continue reading Service Role for CodeBuild

Renew AWS credential for a long run AWS CLI process


We use aws s3 sync to synchronise a big mount of files (800,000+ objects) from on-premise to AWS S3 bucket. Due to security restrictions, the Maximum CLI/API session duration is configured for 1 hour. So it is most likely the credential will expire before the sync job is completed. There are generally two places to … Continue reading Renew AWS credential for a long run AWS CLI process