Houston houey
Preface:

It's unfortunately extremely common for customers and enterprises operating in AWS to have chosen a workload/storage bearing account (more than likely, the main production account) as the Organization Management Account (formerly known as the Organization "Master" account, before AWS adopted better naming).
Many customers and companies operating in AWS made this decision in 2018 or so, and it's unfortunately not something that can be easily changed as of today (2024). Many customers have requested that AWS make a friendly path for rehoming the Org Management account, but last I heard it is still not prioritized. Thus, we as customers are left to go through the nerve-wracking, if not dangerous, process of migrating to a new AWS Organization in order to align with modern best practices and reduce common privilege escalation and account-to-account lateral movement concerns (made worse if you happen to have enabled things like CloudFormation StackSets, Control Tower, or other powerful services in the s

accessanalyzer access-analyzer-finding
support advisor-check
mwaa airflow
ec2 ami
apigateway apigw-domain-name
elbv2 app-elb-target-group
discovery appdiscovery-agent
appstream appstream-fleet
codeartifact artifact-domain
athena athena-named-query
@badideasforsale
badideasforsale / create_gha_oidc_in_aws.sh
Last active March 24, 2024 04:08
Create OIDC connection for GitHub Actions to use in AWS
#!/bin/bash
# Get role name, git org or user, and git repo
# If not set, error out later
# @TODO: add help text
# @TODO: verify org/repo are not wildcards
while getopts ":r:o:g:h" opt; do
  case $opt in
    r) ROLE_NAME="$OPTARG" ;;
    # The remaining cases are reconstructed here from the getopts spec above
    # (the gist preview is cut off); the variable names GIT_ORG and GIT_REPO are assumed.
    o) GIT_ORG="$OPTARG" ;;
    g) GIT_REPO="$OPTARG" ;;
    h) echo "usage: $0 -r <role-name> -o <git-org-or-user> -g <git-repo>"; exit 0 ;;
    :) echo "option -$OPTARG requires an argument" >&2; exit 1 ;;
    \?) echo "unknown option -$OPTARG" >&2; exit 1 ;;
  esac
done
@jchrisfarris
jchrisfarris / disable_security_hub_standards.sh
Last active July 8, 2023 17:51
Disable All Security Controls in Security Hub
#!/bin/bash
ROLENAME=$1
# Quote the variable so the test behaves correctly for empty or space-containing values
if [ -z "$ROLENAME" ] ; then
  echo "usage $0 <ROLENAME>"
  exit 1
fi
while read line ; do
@houey
houey / CloudSecTalks.txt
Created November 8, 2022 04:21
Cloud Security resources
Talks and blog posts that all newcomers should check out when interested in Cloud Security
Bringing a machete to the amazon (Peterson)
https://youtu.be/y8nftRzbiXk
Flying a false flag: (Landers)
https://youtu.be/2BEwqbCbQuM
Another day another billion packets (Brandwine)
https://youtu.be/3qln2u1Vr2E
@hashbrowncipher
hashbrowncipher / contracts_do_not_bind.md
Last active August 15, 2022 16:21
Why contracts within engineering organizations don't work.

One time at work, my team was upgrading an open source search-engine-cum-database that had an unfortunate predilection for breaking its external API. We had already deployed the new version of the database with its breaking changes, and now it was time to herd our customers off of the old version and onto the new version. Our customers were naturally reticent: for most of them it was just a bunch of work for very little reward. The migration would require careful testing, and just generally it didn't sound like a fun time. To top the situation off, some of these customers' services hadn't been touched in years, and the original authors had long since left.

I'm proud to say that my team was significantly more interested in accommodating our customers' needs than some other DBA teams I've worked with or around. During the migration we spent a fair bit of time chewing on ways to lessen the burden we placed on our customers. At one point the possibility of simply "handing off" the outdated search engines was dis

@z0ph
z0ph / sso_assumer.sh
Created June 3, 2022 13:46
Bash script to run an AWS CLI command across all your AWS Accounts (AWS SSO wide)
#!/bin/bash
# From Victor (zoph) Grenu from zoph.io - https://zoph.io
# Twitter: @zoph
TARGET_ROLE_NAME="AdministratorAccess"
## Get list of AWS accounts using SSO
# Read the cached SSO access token (skipping botocore's own cache files)
AWS_ACCESS_TOKEN=$(cat $(ls -1d ~/.aws/sso/cache/* | grep -v botocore) | jq -r "{accessToken} | .[]")
ACCOUNTS_IDS=($(aws sso list-accounts --access-token "$AWS_ACCESS_TOKEN" | jq -r '.accountList[] | .accountId'))
@iann0036
iann0036 / gist:b473bbb3097c5f4c656ed3d07b4d2222
Last active April 28, 2024 11:47
List of expensive / long-term effect AWS IAM actions
route53domains:RegisterDomain
route53domains:RenewDomain
route53domains:TransferDomain
ec2:ModifyReservedInstances
ec2:PurchaseHostReservation
ec2:PurchaseReservedInstancesOffering
ec2:PurchaseScheduledInstances
rds:PurchaseReservedDBInstancesOffering
dynamodb:PurchaseReservedCapacityOfferings
s3:PutObjectRetention
@noamsdahan
noamsdahan / passrole_actions_and_parameters.csv
Last active April 19, 2024 05:54
A list of IAM actions which require iam:PassRole as of December 2020. Nested parameters are written with dot ('.') notation. Where there are multiple relevant parameters, they are separated by the pipe character ('|'). Consult the AWS documentation on special cases, noted with an asterisk (most of them are "array of documents" type parameters).…
IAM Permission | Params
amplify:CreateApp iamServiceRoleArn
amplify:UpdateApp iamServiceRoleArn
appconfig:CreateConfigurationProfile RetrievalRoleArn
appconfig:UpdateConfigurationProfile RetrievalRoleArn
appflow:CreateConnectorProfile connectorProfileConfig.connectorProfileProperties.Redshift.roleArn
appflow:UpdateConnectorProfile connectorProfileConfig.connectorProfileProperties.Redshift.roleArn
application-autoscaling:RegisterScalableTarget RoleARN
apprunner:CreateService SourceConfiguration.AuthenticationConfiguration.AccessRoleArn|InstanceConfiguration.InstanceRoleArn
apprunner:UpdateService SourceConfiguration.AuthenticationConfiguration.AccessRoleArn|InstanceConfiguration.InstanceRoleArn
@kmcquade
kmcquade / brick-aws.sh
Last active September 26, 2023 22:52
One-liner to brick AWS accounts from the Master Payer
aws organizations attach-policy \
--policy-id $(aws organizations create-policy --name pwn \
--type SERVICE_CONTROL_POLICY \
--description "pwn" \
--content '{"Version": "2012-10-17","Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}' \
| jq -r ".Policy.PolicySummary.Id" \
) \
--target-id $(aws organizations list-roots | jq -r ".Roots | .[0].Id")