This document summarizes Emily Gladstone Cole's presentation on best practices for managing AWS access keys. It identifies three common "nightmares" involving access keys: 1) storing keys in source code, 2) failing to regularly rotate old keys, and 3) leaving keys accessible on disk. The presentation provides solutions for each, such as using source code scanners to detect keys, automatically rotating keys, and storing keys securely using vault tools. It concludes with general best practices like generating temporary credentials as needed, uniquely associating keys with users/applications, and integrating AWS with single sign-on providers.
Presented at the USENIX LISA conference in Nashville, TN, On October 29, 2018 - an updated version of the presentation from DevOpsDays Silicon Valley 2018
A discussion of the problems with password security and how to make your passwords more secure. Also, we debunk some common myths about what makes a good password. (This was originally part one of a three part presentation on the need for and use of password managers.)
A talk I gave at DevOpsDays Silicon Valley in May of 2018. This is a high-level presentation about common security guidelines and how your DevOps team can automate their way to better security.
The Supporting Role of Antivirus Evasion while PersistingCTruncer
This talk goes over different techniques to evade detection by antivirus programs, talks about how Veil-Evasion evades the programs, and shows an AV signature bypass. It also then documents a large number of techniques on how actors can persist in networks.
We’ve all seen the recent news stories about companies whose data has been stolen by hackers. What was once a rare event has become all too common, and companies large and small are at risk. While it isn’t always possible to prevent intrusions, you can reduce the risk by encrypting your data. In this presentation, I’ll show you the four ways that SQL Server provides to encrypt data: hashes, cell-level encryption, database-level encryption (also known as transparent data encryption), and backup encryption. We’ll also discuss the keys required for each type of encryption and discuss how to protect the keys themselves.
Presented at the USENIX LISA conference in Nashville, TN, On October 29, 2018 - an updated version of the presentation from DevOpsDays Silicon Valley 2018
A discussion of the problems with password security and how to make your passwords more secure. Also, we debunk some common myths about what makes a good password. (This was originally part one of a three part presentation on the need for and use of password managers.)
A talk I gave at DevOpsDays Silicon Valley in May of 2018. This is a high-level presentation about common security guidelines and how your DevOps team can automate their way to better security.
The Supporting Role of Antivirus Evasion while PersistingCTruncer
This talk goes over different techniques to evade detection by antivirus programs, talks about how Veil-Evasion evades the programs, and shows an AV signature bypass. It also then documents a large number of techniques on how actors can persist in networks.
We’ve all seen the recent news stories about companies whose data has been stolen by hackers. What was once a rare event has become all too common, and companies large and small are at risk. While it isn’t always possible to prevent intrusions, you can reduce the risk by encrypting your data. In this presentation, I’ll show you the four ways that SQL Server provides to encrypt data: hashes, cell-level encryption, database-level encryption (also known as transparent data encryption), and backup encryption. We’ll also discuss the keys required for each type of encryption and discuss how to protect the keys themselves.
This explains how Forward Secrecy works, using the Diffie-Hellman Key Exchange protocol, and some discussion of how secure it is and what the vulnerabilities are
Have you ever wonder if the access to your cloud kingdom is secure? Have you ever thought how cyber criminals are hunting for your secrets? How can you be sure that your secret is not “mistakenly” available to the public? In my presentation I’m going to present you hackish methods used by cyber criminals to find access keys in the public Internet. How can Shannon Entropy help you? During the presentation, I’ll release my own scaners to search AWS and Azure space and in the end I will demonstrate my own tool to analyze big amounts of data in search for sensitive data. Lots of demos, technical stuff and educating moral for unaware specialists in the end. It’s gonna be fun!
Interested in protecting your information, but don’t really know where to start?
In this workshop we will give a brief explanation of how encryption works followed by a practical tutorial on how to communicate securely. Subjects of discussion will include:
- Irreversible functions and how they can hide data
- Creating a Cryptographic identity
- Sending a secure message with PGP
- Overview of applications and plugins with built-in encryption
- Getting your machine set up to use these tools seamlessly
- Common security problems
Workshop participants should have Thunderbird or Apple Mail.app setup and configured with their email accounts prior to this workshop.
Participants should also download the following ahead of time:
Windows:
gpg4win
Enigmail Plugin
Mac:
gpgtools
Cybersecurity Awareness Training Presentation v1.3DallasHaselhorst
This free cybersecurity awareness training slide deck is meant to be used by organizations and end users to educate them on ways to avoid scams and attacks and become more security aware. This slide deck is based on version 1.3 of our wildly popular slide deck we originally released as open-source in September 2019. In just over 6 months, it was downloaded thousands of times and in over 150 countries!
On our website, you will also find several other related goodies. For example, we have worksheets free and downloadable worksheets referenced in the training. We have a free cybersecurity quiz that is based directly off of this material so anyone can test their awareness knowledge. We even have a downloadable 'certificate of completion' for this training, which allows attendees to fill-in their name and date so they can then print it out to show others (or even their employer) that they are now more cyber aware.
https://www.treetopsecurity.com/cat
We also have a video/webinar presentation of this material if you would like to share it with others.
https://www.treetopsecurity.com/cat#video
Want to take this content and present it in your own community? Fantastic! You may download this slide deck as editable content. This allows you to make changes and present it at your local library, business events, co-working spaces, schools, etc. The latest version is always available on our website as a Microsoft PowerPoint presentation (.pptx) or using ‘Make a Copy’ in Google Slides.
https://www.treetopsecurity.com/slides
Welcome to the "How to Securely Create Cryptographic Keys" with Joshua McDougall. This presentation was delivered on Thursday, August 29th 2019.
In this class, scholars will learn the process of creating keys with proper entropy, backup processes, and how environmental factors can weaken or improve the strength and secrecy of the key.
By the end of the session, you will understand entropy sources, physical wallets, secure environments, and other helpful items that all come together to create strong keys for holding assets. You will each work within groups to create a multi-sig wallet that each scholar is a member of, verifying the key along the way and creating tamper-evident backups.
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...DynamicInfraDays
Slides from Jeff Mitchell's talk "Hiding in Plain Sight: Managing Secrets in a Container Environment" at ContainerDays Boston 2016: http://dynamicinfradays.org/events/2016-boston/programme.html#secrets
Bringing Down the House - How One Python Script Ruled Over AntiVirusCTruncer
This talk is about how a single python tool (Veil aka Veil-Evasion) is able to render AntiVirus useless. Veil's goal is to bypass antivirus products on workstations and servers.
In cryptanalysis and computer security, password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system.
The public key is used to encrypt the data. As it can be openly distributed, it’s called a public key. Once a public key encrypts the data, no one can use the public key to decrypt the data. On the other hand, the private key is used to decrypt the data. As it can’t be openly distributed but needs to be kept a secret, that’s why it’s called a private key. In symmetric cryptography, the private key can encrypt and decrypt data.
Public and private keys both have their special objectives and uses in cryptography. As for public vs. private keys, we will discuss some key factors to better understand the situation. These are - working mechanism, performance, visibility, type, sharing, and storing.
To help you better understand the differences between a public key and a private key, 101 Blockchain offers exclusive courses. These courses will help you understand the principle behind both encryption types and make it easier for you to incorporate these in your blockchain project.
The following course will help you stay on top of the game ->
Blockchain Like a Boss masterclass
https://academy.101blockchains.com/courses/blockchain-masterclass
Learn more about the certification courses from here ->
Certified Enterprise Blockchain Professional (CEBP) course
https://academy.101blockchains.com/courses/blockchain-expert-certification
Certified Enterprise Blockchain Architect (CEBA) course
https://academy.101blockchains.com/courses/certified-enterprise-blockchain-architect
Certified Blockchain Security Expert (CBSE) course
https://academy.101blockchains.com/courses/certified-blockchain-security-expert
Learn more from our guides ->
https://101blockchains.com/private-key-vs-public-key/
https://101blockchains.com/public-key-cryptography-in-blockchain/
https://101blockchains.com/public-key-cryptography/
Introductory talk on the need to use password managers and a quick review of Lastpass' features.
Presented at the OWASP Austin Cryptoparty in January, 2021.
Session slides from Future Insights Live, Vegas 2015:
https://futureinsightslive.com/las-vegas-2015/
So many network intrusions, so many email spools made public. Remember HBGary, Stratfor, 'The Fappening', Sony Pictures hacks? How about the Snowden Files? The potential liabilities of communicating in plain text has become too expensive to continue to do so. Zero-Knowledge systems can be made useful, elegant even. The problem with putting privacy first in our communications tools is that most of the existing privacy applications were created by crypto-nerds, most of whom have never overlapped with the world of UX. In this talk, Privacy will be put at the core of application design by way of new metaphors for arcane cryptography jargon (that few endusers understand). Using frameworks and services created for this new 'privacy first' era, your application can be built in a way that removes liability, is regulatory-compliant and elegant.
Encryption is key to safety online, but also important offline. But how does it work? This presentation will cover the basics and help you to be safer.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
More Related Content
Similar to My AWS Access Key Nightmares... and Solutions
This explains how Forward Secrecy works, using the Diffie-Hellman Key Exchange protocol, and some discussion of how secure it is and what the vulnerabilities are
Have you ever wonder if the access to your cloud kingdom is secure? Have you ever thought how cyber criminals are hunting for your secrets? How can you be sure that your secret is not “mistakenly” available to the public? In my presentation I’m going to present you hackish methods used by cyber criminals to find access keys in the public Internet. How can Shannon Entropy help you? During the presentation, I’ll release my own scaners to search AWS and Azure space and in the end I will demonstrate my own tool to analyze big amounts of data in search for sensitive data. Lots of demos, technical stuff and educating moral for unaware specialists in the end. It’s gonna be fun!
Interested in protecting your information, but don’t really know where to start?
In this workshop we will give a brief explanation of how encryption works followed by a practical tutorial on how to communicate securely. Subjects of discussion will include:
- Irreversible functions and how they can hide data
- Creating a Cryptographic identity
- Sending a secure message with PGP
- Overview of applications and plugins with built-in encryption
- Getting your machine set up to use these tools seamlessly
- Common security problems
Workshop participants should have Thunderbird or Apple Mail.app setup and configured with their email accounts prior to this workshop.
Participants should also download the following ahead of time:
Windows:
gpg4win
Enigmail Plugin
Mac:
gpgtools
Cybersecurity Awareness Training Presentation v1.3DallasHaselhorst
This free cybersecurity awareness training slide deck is meant to be used by organizations and end users to educate them on ways to avoid scams and attacks and become more security aware. This slide deck is based on version 1.3 of our wildly popular slide deck we originally released as open-source in September 2019. In just over 6 months, it was downloaded thousands of times and in over 150 countries!
On our website, you will also find several other related goodies. For example, we have worksheets free and downloadable worksheets referenced in the training. We have a free cybersecurity quiz that is based directly off of this material so anyone can test their awareness knowledge. We even have a downloadable 'certificate of completion' for this training, which allows attendees to fill-in their name and date so they can then print it out to show others (or even their employer) that they are now more cyber aware.
https://www.treetopsecurity.com/cat
We also have a video/webinar presentation of this material if you would like to share it with others.
https://www.treetopsecurity.com/cat#video
Want to take this content and present it in your own community? Fantastic! You may download this slide deck as editable content. This allows you to make changes and present it at your local library, business events, co-working spaces, schools, etc. The latest version is always available on our website as a Microsoft PowerPoint presentation (.pptx) or using ‘Make a Copy’ in Google Slides.
https://www.treetopsecurity.com/slides
Welcome to the "How to Securely Create Cryptographic Keys" with Joshua McDougall. This presentation was delivered on Thursday, August 29th 2019.
In this class, scholars will learn the process of creating keys with proper entropy, backup processes, and how environmental factors can weaken or improve the strength and secrecy of the key.
By the end of the session, you will understand entropy sources, physical wallets, secure environments, and other helpful items that all come together to create strong keys for holding assets. You will each work within groups to create a multi-sig wallet that each scholar is a member of, verifying the key along the way and creating tamper-evident backups.
ContainerDays Boston 2016: "Hiding in Plain Sight: Managing Secrets in a Cont...DynamicInfraDays
Slides from Jeff Mitchell's talk "Hiding in Plain Sight: Managing Secrets in a Container Environment" at ContainerDays Boston 2016: http://dynamicinfradays.org/events/2016-boston/programme.html#secrets
Bringing Down the House - How One Python Script Ruled Over AntiVirusCTruncer
This talk is about how a single python tool (Veil aka Veil-Evasion) is able to render AntiVirus useless. Veil's goal is to bypass antivirus products on workstations and servers.
In cryptanalysis and computer security, password cracking is the process of recovering passwords from data that have been stored in or transmitted by a computer system.
The public key is used to encrypt the data. As it can be openly distributed, it’s called a public key. Once a public key encrypts the data, no one can use the public key to decrypt the data. On the other hand, the private key is used to decrypt the data. As it can’t be openly distributed but needs to be kept a secret, that’s why it’s called a private key. In symmetric cryptography, the private key can encrypt and decrypt data.
Public and private keys both have their special objectives and uses in cryptography. As for public vs. private keys, we will discuss some key factors to better understand the situation. These are - working mechanism, performance, visibility, type, sharing, and storing.
To help you better understand the differences between a public key and a private key, 101 Blockchain offers exclusive courses. These courses will help you understand the principle behind both encryption types and make it easier for you to incorporate these in your blockchain project.
The following course will help you stay on top of the game ->
Blockchain Like a Boss masterclass
https://academy.101blockchains.com/courses/blockchain-masterclass
Learn more about the certification courses from here ->
Certified Enterprise Blockchain Professional (CEBP) course
https://academy.101blockchains.com/courses/blockchain-expert-certification
Certified Enterprise Blockchain Architect (CEBA) course
https://academy.101blockchains.com/courses/certified-enterprise-blockchain-architect
Certified Blockchain Security Expert (CBSE) course
https://academy.101blockchains.com/courses/certified-blockchain-security-expert
Learn more from our guides ->
https://101blockchains.com/private-key-vs-public-key/
https://101blockchains.com/public-key-cryptography-in-blockchain/
https://101blockchains.com/public-key-cryptography/
Introductory talk on the need to use password managers and a quick review of Lastpass' features.
Presented at the OWASP Austin Cryptoparty in January, 2021.
Session slides from Future Insights Live, Vegas 2015:
https://futureinsightslive.com/las-vegas-2015/
So many network intrusions, so many email spools made public. Remember HBGary, Stratfor, 'The Fappening', Sony Pictures hacks? How about the Snowden Files? The potential liabilities of communicating in plain text has become too expensive to continue to do so. Zero-Knowledge systems can be made useful, elegant even. The problem with putting privacy first in our communications tools is that most of the existing privacy applications were created by crypto-nerds, most of whom have never overlapped with the world of UX. In this talk, Privacy will be put at the core of application design by way of new metaphors for arcane cryptography jargon (that few endusers understand). Using frameworks and services created for this new 'privacy first' era, your application can be built in a way that removes liability, is regulatory-compliant and elegant.
Encryption is key to safety online, but also important offline. But how does it work? This presentation will cover the basics and help you to be safer.
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
2. Emily Gladstone Cole @UnixGeekEm
Agenda
1. Introduction
2. Nightmare #1: Access Keys in Source Code
3. Nightmare #2: Old Access Keys
4. Nightmare #3: Keys on Disk
5. Access Key Best Practices
3. Emily Gladstone Cole @UnixGeekEm
Who is this Emily Person Anyway?
PAST
CURRENT
FUN FACTS
● UNIX SysAdmin/Operations background
● Experience in Security Incident Response, Security Research,
Security Engineering
● Senior Security Engineer at
● Mentor for SANS’ Women’s CyberTalent Immersion Academy
● My favorite computer game is Nethack
● None of the cats you will see here today are mine
4. Emily Gladstone Cole @UnixGeekEm
Disclaimers
I am not affiliated with Amazon or AWS.
I’m not being paid to give this talk.
I’m sharing what I have learned. There
are many others who know more about
AWS and Access Keys than I do. Some of
them are cited in the references.
5. Emily Gladstone Cole @UnixGeekEm
What is an AWS Access Key?
Access Key ID:
● Always starts with AKIA…
● Is the equivalent to your username
Secret Access Key:
● Secret really means secret
● Treat this key like a password
6. Emily Gladstone Cole @UnixGeekEm
When your Access Key is
compromised, an attacker
can do anything you can.
7. Emily Gladstone Cole @UnixGeekEm
For those of
you who
already knew
all this, this
slide is for
you.
On to the
good stuff!
9. Emily Gladstone Cole @UnixGeekEm
Access Keys in Source Code
When the repo is public, this means almost instant
compromise of the keys.
Remember: attackers can do anything you can, using
your Access Key and Secret Key.
● View and copy customer data
● Bitcoin Mining
11. Emily Gladstone Cole @UnixGeekEm
How can YOU find Access Keys in Source Code?
We can detect them with source code scanners!
● truffleHog
● git-secrets
● detect-secrets (can be run as a pre-commit hook)!
12. Emily Gladstone Cole @UnixGeekEm
What if I find an Access Key
● Rotate the key so it’s no longer valid
● Delete the commit that contained the Access Key so it’s not
sitting in the commit history
● Talk with your Dev team about storing keys differently
13. Emily Gladstone Cole @UnixGeekEm
DIY Honeypots: Canary Tokens
Canary Tokens are one implementation of a honeytoken.
● Can be in the form of a document, a key, a QR code, a DNS record…
● Alerts can be generated when the token is accessed, either to an email
address or a webhook
● You can know if someone is in your data
● Your Dev team will probably find this idea fun
15. Emily Gladstone Cole @UnixGeekEm
Access Keys get old
The longer an Access Key is around, the greater the chance it can be found
somewhere it shouldn’t.
16. Emily Gladstone Cole @UnixGeekEm
The longer Access Keys are
around, the higher the
chances something may
happen to them accidentally.
17. Emily Gladstone Cole @UnixGeekEm
Solution: Rotate your Access Keys
You can rotate your Access Keys manually, and it’s fairly straightforward.
There are tools to help you rotate your Access Keys automatically, like
aws-rotate-iam-keys which works well for individuals, but for application
users, it’s not that simple.
20. Emily Gladstone Cole @UnixGeekEm
Other ways to expose keys on disk
● Store them in environment variables
● Write them to log files
● Expose them through the Amazon Meta Data service v1 (Capital One)
21. Emily Gladstone Cole @UnixGeekEm
Hide Access Keys: aws-vault and vault
Using a vault tool will allow you to store your keys in a keystore, and interact
with the pointers, not the actual keys.
I don’t recommend storing shared AWS Access Keys in password managers.
22. Emily Gladstone Cole @UnixGeekEm
Don’t use permanent Access Keys at all
● Security Token Service can generate temporary credentials
○ Credentials inherently expire
● Roles use STS to delegate permissions
○ Roles can be created with Policies assigned
○ Can be used to grant access to a user in another account (cross-account)
○ Can be used by instances or applications
24. Emily Gladstone Cole @UnixGeekEm
If you were napping during the
first part of my talk, here’s a
quick meme to catch you up.
25. Emily Gladstone Cole @UnixGeekEm
Squad Goals: Access Keys are accessible only when needed
● Don’t have permanently-valid Keys sitting around in your source code
● Don’t have them sitting on disk
● Don’t have them loaded in environment variables
● Do have Keys that are only valid for a short amount of time
● Do have unique Keys for each user and application
● Only request a Key when you are about to use it
26. Emily Gladstone Cole @UnixGeekEm
Coming Soon: SSO and AWS
Can be used with Okta, Onelogin, Ping...
Here are some Okta-based integrations:
● okta-aws
● okta-awscli
● okta-aws-cli-assume-role
● AWS recently came out with an Okta integration as well!
Tying AWS into our SSO provider is our next step. We haven’t built that yet at
my company, but we’re working on it right now.
