Skip to content

Instantly share code, notes, and snippets.

@dstokes
Last active October 9, 2015 10:02
Show Gist options
  • Save dstokes/5b620d1a90417828b6d3 to your computer and use it in GitHub Desktop.
Save dstokes/5b620d1a90417828b6d3 to your computer and use it in GitHub Desktop.
re:Invent 2015 Notes

Amazon WAF (Web Application Firewall)

  • Configured against Cloudfront distributions
  • Filters:
    • IP
    • string matching against requests
    • SQLi
  • 1 minute rule propagation
  • 1 minute metrics
  • Allow, Deny and Record requests
  • Configurable alert triggers
  • 6 rules + 260MM views = $167/mo

Amazon VPC - One to Many

  • IGW's are horizontally scaled
  • Scalable NAT via:
    • EC2 auto reboot: reboots instances on failed system health check
    • EC2 auto recover: recovers machine to new hardware on failed node check
      • auto recover preserves instance id, dns, ip etc
  • Endpoints
    • First supported endpoint is S3
    • Prefix lists enable private network communication and ACL by abstracting service address space into a static value
    • Prefix list can be used in security groups
    • Hub and spoke model uses a single shared services VPC and several peered worker VPC's

Lambda as Cron

  • townclock.io, not a good solution
  • best way is to use SNS and lambda to create a recurring cloudwatch trigger
    • cloudwatch triggers SNS + lambda, lambda switches the value of the cloudwatch metric

ECS Scaling

  • Amazon ECS agent is OSS
  • Custom schedulers are wasy to create with SNS + Lambda
  • 1 minute metrics for tasks and clusters
  • supports versioned deployments
  • new registry service coming soon
  • OSS ecs-cli for richer integration with docker (compose etc)
  • new container configurations
    • hostname
    • working directory
    • log configuration
    • privileged execution

Amazon Inspector

  • Setup: Install agent, start, test application, stop, view findings
  • uses ec2 tags for assesment scope
  • supports configurable timeouts for agent assesment runs
  • built-in rule packages
    • CVE (Common Vulnerabilities and Exposures)
      • provides full information about cause / solution, links to CVE data
    • network security best practices
    • application security best practices
    • operating system best practices
    • authentication best practices
    • PCI DSS 3.0 readiness
  • full api integration from CLI
  • taggable assesments and findings for automation and workflow integration
  • demo involves identifying privelege escalation caused by improper permissions on a shared library that was loaded for only a few milliseconds (monitoring system calls?)
  • pairs with aws config tag enforcement
  • can be used for things like confirming security before deployment
  • limited beta in us-west only for now
  • limits: 50 apps, 500 assesments, 500 agents
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment