Make a wish. It could be granted! #awswishlist
This is a short break in my series on automating security metrics to tell you about the AWS Wish List.
Interlude: Still waiting for copyrighted materials to be removed from these sites. I added information on how to report copyright infringement to Google's legal team here:
Back when I worked at Capital One on the cloud engineering team, one of the things I was asked to do was manage the list of AWS features that Capital One wanted AWS to implement. Of course Capital One had a lot of leverage with AWS at the time because they were the first major bank in the United States to move to AWS. And yes, they had a breach, but cloud security is complicated and that is what my latest blog series is trying to address.
At any rate, Capital One did help make some major improvements to AWS security. One of the issues with AWS S3 was that it required applications to traverse the Internet in order to put or get objects. This was something Capital One was not keen on doing, since prior to cloud any connection to a vendor required a private line (MPLS for those who are familiar) to do business with the bank. Sending data over the Internet was just not cool.
Capital One requested a feature that would allow companies to keep the data off the Internet as it traversed the network from an AWS VPC to an S3 bucket and vice versa. That feature became S3 endpoints. From there S3 endpoints have evolved into network endpoints. Now you can send data from application resources to storage resources either within your VPC or at least keep it on the AWS backbone as it traverses the network. It will depend on which services you are using and whether they keep all data between regions on the AWS backbone or not.
Capital One obviously had a bit more leverage than you or I do to get new features implemented at AWS, but AWS does listen to customers. If enough people ask, they will implement new features and fix problems. There are different ways to submit requests to AWS, but one of the most visible is the AWS Wish List.
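As an added example (not code from the original post), the Terraform below declares the kind of S3 gateway endpoint described here and a bucket policy that refuses any request that did not arrive through that endpoint, so the bucket cannot be reached over the Internet even with valid credentials. The region, the `var.*` inputs and the `aws_s3_bucket.data` resource are assumed placeholders.

```hcl
# Added example, not from the original post. Assumes an existing
# aws_s3_bucket.data resource and the variables referenced below.

# Gateway endpoint: S3 traffic from the listed route tables stays on the
# AWS network instead of leaving through an internet or NAT gateway.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id                  # assumed: VPC that needs S3 access
  service_name      = "com.amazonaws.us-east-1.s3" # assumed region
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids # assumed: app subnet route tables
}

# Bucket policy: deny everything that is not coming through the endpoint.
# StringNotEquals also matches when aws:SourceVpce is absent, which is the
# case for any request arriving from the public S3 endpoint.
data "aws_iam_policy_document" "private_only" {
  statement {
    sid    = "DenyUnlessViaVpcEndpoint"
    effect = "Deny"
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    actions   = ["s3:*"]
    resources = [
      aws_s3_bucket.data.arn,
      "${aws_s3_bucket.data.arn}/*",
    ]
    condition {
      test     = "StringNotEquals"
      variable = "aws:SourceVpce"
      values   = [aws_vpc_endpoint.s3.id]
    }
  }
}

resource "aws_s3_bucket_policy" "private_only" {
  bucket = aws_s3_bucket.data.id
  policy = data.aws_iam_policy_document.private_only.json
}
```

Because the Deny applies to every principal, including administrators working from the console or a laptop, add an exception for an operations role (for example a second condition on `aws:PrincipalArn`) before applying this to a bucket you still need to manage from outside the VPC.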
One day as I was frustrated about something I couldn't do or that was not working correctly, I randomly tweeted it out on Twitter with the tag #awswishlist. I didn't realize that anyone else had ever done that before. Out of curiosity I searched for that tag and found that some other people had done something similar.
As it turns out, AWS created a whole website just for the #awswishlist. You can see who is contributing and some of the wishes that have been fulfilled.
You can also head over to Twitter to see what is on the wishlist and like or retweet your favorites. AWS will likely take notice if a particular tweet gets a lot of likes and retweets.
Some of the other ways you can ask for features or fixes on AWS, though I have had little success with some of these, not being a huge corporation:
- AWS support in the AWS console
- The feedback link on the AWS website — I have been submitting requested changes for SSO, Control Tower, and Organizations and I don't see that any of them had any effect, sadly.
- Some of the AWS services have GitHub accounts where they publish their road map and people can submit feedback directly on the road map for a specific service.
If you have a TAM (account manager) with AWS, and especially if you are a large company paying a lot of money, you will likely have more success with direct feature requests through your account manager. I used to track all our feature requests across the organization with the help of our TAM in a spreadsheet: who submitted it, and when AWS was planning a release of that feature (or if they couldn't do it).
There are some things that AWS said were "absolutely not possible" back then that are possible today. For example, we got an increase in the number of security group rules, but there was no way to increase the number of rules for a subnet network access control list (NACL). I recently noticed that you can now request an increase (though still limited) to NACL ingress and egress rules, but they warn you that it may come with performance degradation. So never say never when it comes to a request. It may take some time for AWS to re-architect things, but if enough people ask, wishes come true!
Bugs and Error Messages
Lately I have been working on a new batch of code on AWS and sometimes it is the littlest thing that takes so much time to resolve. If only the error message were clear I could have fixed the problem in no time and gotten back to writing the code that actually accomplishes my objective. Instead I am digging around on Google and in AWS documentation looking for answers to obscure problems with unclear error messages. I recently started writing a blog post every time I hit one of these obscurities, both to help myself in the future and anyone else having the same problem. I am documenting them on this new blog — Bugs that Bite:
I don't send all of these out in emails because they won't apply to everyone, and who wants a bug list? The bugs and error messages are not all related to AWS; that just happens to be the platform I am working on at the moment. If I switched to Azure or Google I would run into an equal or greater number of problems, because I have, while preparing for classes or performing security assessments or penetration tests on those platforms.
My global wish for AWS is that they (and everyone else on the planet writing software, because I find bugs EVERYWHERE) would take the time to test code thoroughly and write proper error messages. In addition, error handlers could be very helpful in providing a proper response to errors. I don't want to put every one of these on the wishlist because some of them are too complicated to explain in a tweet, plus there are so many and I don't want to overload the list with little bugs versus major features or changes.
I put in a general request for AWS to look through this list and address some of these issues. If you have ever experienced one of these error messages or problems and feel like a better error message would help, please clap for the story to get it to rise to the top of the list.
A request to change the rules for penetration testing on AWS
My favorite AWS wishlist item was the request to perform a penetration test without submitting a request form. I think I may have submitted that request a number of times. This was after I was working at Capital One. I debated this item with someone in Seattle at AWS who oversaw or worked with that group, located in South Africa at the time, and he tried to tell me it was simply not possible, even though Microsoft and Google allowed it.
Then one day, I was in the middle of my first beta class through 2nd Sight Lab and I realized I had forgotten to request access for students to perform the pentest lab. Shoot! My students weren't going to be able to do the lab! Oh no…I quickly sent an email to AWS begging them to process the request quickly. It was on that day that they told me in an email that I no longer needed to make that request. Hallelujah.
I put a copy of the email on Twitter with an announcement: Behold…the rules for Pentesting on AWS have changed… or something to that effect. I went to class and when I got out the Tweet had about 1500 likes and was getting retweeted everywhere, but someone was questioning it because the AWS page hadn't been updated. I freaked out a bit because I thought, what if I had somehow been sent a bogus email and was telling the world to hack AWS?! But it was true. The website got updated a few days later.
I remember going to an advanced penetration testing class at SANS Institute and someone asked the instructor (who shall remain unnamed because now he is a colleague and friend) how to do penetration tests on AWS. He provided an incorrect answer, so I raised my hand and explained that you no longer have to put in that request. I was publicly rebuked and humiliated in front of the class and told I was wrong. No hard feelings but…I was not wrong.
It is so much easier to perform penetration tests for customers now thanks to that change. There are still limitations on what you can do in a penetration test on AWS, so make sure you follow the rules! Someone contacted me and said, "so I can test anyone's account?" No, only your own.
Now…about that Bug Bounty request…. 🙂
If you liked this story please clap and follow:
Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Request services via LinkedIn: Teri Radichel or IANS Research
© 2nd Sight Lab 2022
All the posts in this series:
Need Cloud Security Training? 2nd Sight Lab Cloud Security Training
Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and cloud security classes, articles, white papers, presentations, and podcasts