Steyn Huizinga

CTO AWS | AWS APN Ambassador | AWS Premier Consulting Partner | Xebia

Improving IAM policies

2023-09-28 6 min read AWS

Security is a shared responsibility

As you might have read in my previous posts, the public cloud itself should be considered very secure. For a major cloud provider such as AWS, security is key: a serious security incident would destroy AWS’ business, so they are fully committed to preventing one. Their almost unlimited access to security talent, deep expertise, years of experience, enormous budget and the benefit of building everything from scratch all show that security is serious business. Looking at the reported incidents compared to the size and scope of their services, the track record is impressive. If you are wondering which incidents have been reported, see here. There is no doubt about security of the cloud.

Continue reading

High-performance computing on AWS

2023-06-29 11 min read AWS

How does High-Performance Computing differ from regular computing?

Today’s server hardware is powerful enough to execute most compute tasks; most (serial) computing challenges can be solved with common compute resources. Some tasks, however, are very complex and require a different approach: think of cases that need more speed and efficiency, the ability to handle large datasets, and flexibility. For these, HPC brings massively parallel computing, cluster and workload managers and high-performance components to the table.

Continue reading

Amazon Linux 2023

2023-04-07 3 min read AWS

Last month AWS released Amazon Linux 2023, AL2023 for short. Amazon Linux is a Linux distribution maintained by AWS. It is no surprise that the main purpose of this distribution is an optimized experience for running on AWS, as it comes with features and integration for AWS-specific tools. Besides an Amazon Machine Image (AMI), the distribution is also offered as a container image.

AL2023 is the latest generation of Amazon Linux, the successor of the original Amazon Linux and Amazon Linux 2. With the release of AL2023, AWS moves to a new major version every two years, so according to this cadence we can expect AL2025, AL2027 and so on. When the next major version is released, the current one goes from standard support to maintenance support (security patches only), and it is retired after three years of maintenance. This means a major version has a supported lifespan of five years, which is fairly long in cloud terms. The versioning and cadence are new for those familiar with Amazon Linux and Amazon Linux 2: those were rolling releases, while from AL2023 (or, in hindsight, already from AL2) onwards a new major version is released every two years.

Continue reading

Getting started with sustainability

2023-03-20 5 min read AWS

Sustainability is an important topic, and not without reason: it is key to preserving our planet. The combination of sustainability and cloud is gaining more and more traction. The investments pay off: we get more capabilities to work with, and now it is time to start harvesting. The urgency is there too: ICT, including cloud, is responsible for 3% of global greenhouse gas emissions. We, as consumers of cloud resources, can easily have an impact, since changes to a cloud environment can be made easily (e.g. there is no hardware to write off).

Continue reading

The five common mistakes on S3

2022-07-26 4 min read AWS

In general, the cloud object store Amazon S3 is pretty straightforward to use, but mistakes are easily made. The service itself has proven to be secure (“security of the cloud”), reliable and performant. Misconfiguration by the owner of an S3 bucket, however, can give a totally different experience (“security in the cloud”). In this blog the five most common mistakes are addressed as a learning experience.

Continue reading

Configure OpenID Connect for GitLab and AWS

2022-03-15 7 min read AWS

We encounter a mix of DevOps tools in cloud projects. We prefer to work with AWS-native tools and services, one reason (but certainly not the only one) being that native tools integrate seamlessly with the fundamentals of AWS itself, such as AWS Identity and Access Management (IAM) and AWS CloudTrail. In AWS it is common to assign roles to resources. For example, steps in CodeBuild (the ‘build runners’ in CodePipeline) have an IAM role with least-privilege policies attached to grant access to the platform. Roles use short-lived credentials that are provided natively by the platform. The time to live varies per service, but is mostly between 15 minutes and 6 hours: far shorter than static credentials, which in theory are rotated every 90 days. In reality, rotating static credentials manually is a big hassle and (almost) nobody does it.
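The same short-lived-credential model is what OpenID Connect federation gives an external CI system: the GitLab job presents an ID token, STS checks the token's claims against the role's trust policy and hands back temporary credentials. The following is an added example, not code from the original post: it builds such a trust policy for a hypothetical account and project on gitlab.com, evaluates constructed token claims against its conditions the way STS would, and lints the policy for the classic mistake of not pinning the project or audience. The account ID, project path and audience value are assumptions.

```python
"""Added example (not code from the original post): an IAM trust policy for a
GitLab CI job federating into AWS via OpenID Connect, plus an offline check
of whether a job's ID-token claims would satisfy it."""
import fnmatch

# Assumptions: gitlab.com is the OIDC issuer and these identifiers are
# hypothetical; replace them with your own account and project values.
ACCOUNT_ID = "123456789012"
OIDC_HOST = "gitlab.com"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"


def trust_policy(project_path: str, ref: str, audience: str) -> dict:
    """Trust policy that lets only jobs of one project, running on a branch
    matching `ref`, assume the role. `aud` is pinned with StringEquals;
    `sub` uses StringLike so `ref` may be a pattern such as "release-*"."""
    sub_pattern = f"project_path:{project_path}:ref_type:branch:ref:{ref}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": PROVIDER_ARN},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {f"{OIDC_HOST}:aud": audience},
                    "StringLike": {f"{OIDC_HOST}:sub": sub_pattern},
                },
            }
        ],
    }


def claims_satisfy(policy: dict, claims: dict) -> bool:
    """Evaluate the policy conditions against decoded token claims the way
    STS does: every key in every condition block must match (logical AND),
    StringEquals exactly, StringLike with * and ? wildcards. STS exposes
    claims as "<issuer-host>:<claim>" condition keys, so prefix them first."""
    prefixed = {f"{OIDC_HOST}:{k}": v for k, v in claims.items()}
    for stmt in policy["Statement"]:
        for operator, conds in stmt.get("Condition", {}).items():
            for key, expected in conds.items():
                actual = prefixed.get(key)
                if actual is None:
                    return False  # a missing claim never satisfies a condition
                if operator == "StringEquals" and actual != expected:
                    return False
                if operator == "StringLike" and not fnmatch.fnmatchcase(actual, expected):
                    return False
    return True


def overly_permissive(policy: dict) -> bool:
    """Lint: a trust policy without an aud condition, or whose sub pattern does
    not pin a project path, lets any project on the same GitLab instance
    (on gitlab.com: any tenant) assume the role."""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {})
        like, eq = cond.get("StringLike", {}), cond.get("StringEquals", {})
        if f"{OIDC_HOST}:aud" not in eq:
            return True
        sub = like.get(f"{OIDC_HOST}:sub") or eq.get(f"{OIDC_HOST}:sub") or "*"
        if sub == "*" or sub.startswith("project_path:*"):
            return True
    return False


if __name__ == "__main__":
    import json
    policy = trust_policy("acme/payments", "main", "https://sts.amazonaws.com")
    print(json.dumps(policy, indent=2))
    # Constructed claims, as a gitlab.com job on the main branch would present them.
    ok = {"sub": "project_path:acme/payments:ref_type:branch:ref:main",
          "aud": "https://sts.amazonaws.com"}
    print(claims_satisfy(policy, ok))  # True
```

The `aud` value must be the one your job requests in its `id_tokens` configuration; the `sub` pattern here covers branch pipelines only, so merge-request or tag pipelines (which carry a different `ref_type`) are deliberately refused rather than silently allowed.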

Continue reading

Limiting access using geographic restrictions

2022-03-03 9 min read AWS

The world is on fire. We are heading towards, or are already in, a humanitarian disaster in Ukraine. We have all seen the heartbreaking footage from the war: thousands of people displaced, fighting and fearing for their lives. I have written this blog to help, since I know that a large number of government websites are hosted on AWS.

The conflict between Ukraine and Russia is expanding into cyber warfare: there is fighting on the ground, but also online. Government websites are taken down, broadcasting companies are hacked, and so on, all to manipulate and disrupt communication technologies. Although most attacks will be sophisticated, there are some simple measures you can take in AWS to make life harder for attackers. It will not be 100% watertight: attackers often route through Tor networks and command-and-control machines outside the blocked region. But every bit helps.
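What a geographic restriction looks like in practice, as an added example that is not code from the original post: a WAFv2 web ACL that blocks requests by country, paired with the AWS managed anonymous-IP rule group to catch the Tor exit nodes and proxies that slip past a pure country match, the equivalent CloudFront geo restriction, and a small offline evaluator for constructed sample requests. The blocked country list is an assumption; pick your own.

```python
"""Added example (not code from the original post): a WAFv2 web ACL that blocks
requests by country and from anonymizing networks, the equivalent CloudFront
geo restriction, and an offline evaluation of sample requests against the ACL."""

# Assumption: a hypothetical block-list of ISO 3166-1 alpha-2 country codes.
BLOCKED_COUNTRIES = ["RU", "BY"]


def _visibility(name: str) -> dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": name}


def web_acl(name: str, blocked: list) -> dict:
    """Input for `aws wafv2 create-web-acl --cli-input-json`. A CLOUDFRONT-scoped
    ACL must be created in us-east-1; use Scope "REGIONAL" for an ALB or API
    Gateway. Rule 0 is the geo block; rule 1 is the AWS managed anonymous-IP
    group, which blocks Tor exit nodes and VPN/proxy ranges that a pure
    country match would let through."""
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Allow": {}},
        "Rules": [
            {
                "Name": "BlockCountries",
                "Priority": 0,
                "Statement": {"GeoMatchStatement": {"CountryCodes": sorted(blocked)}},
                "Action": {"Block": {}},
                "VisibilityConfig": _visibility("BlockCountries"),
            },
            {
                "Name": "BlockAnonymousIps",
                "Priority": 1,
                "Statement": {"ManagedRuleGroupStatement": {
                    "VendorName": "AWS", "Name": "AWSManagedRulesAnonymousIpList"}},
                "OverrideAction": {"None": {}},
                "VisibilityConfig": _visibility("BlockAnonymousIps"),
            },
        ],
        "VisibilityConfig": _visibility(name),
    }


def cloudfront_geo_restriction(blocked: list) -> dict:
    """The Restrictions element of a CloudFront distribution config. For a site
    with a known audience, RestrictionType "whitelist" with the countries you
    serve is the stricter choice; a block-list only keeps out what you named."""
    return {"GeoRestriction": {"RestrictionType": "blacklist",
                               "Quantity": len(blocked), "Items": list(blocked)}}


def evaluate(acl: dict, request: dict) -> str:
    """Offline approximation of WAF evaluation: rules run in priority order,
    the first blocking match decides, otherwise DefaultAction applies.
    `request["country"]` stands in for the edge's GeoIP result and
    `request["anonymous"]` for the managed group's verdict, which cannot be
    reproduced here."""
    for rule in sorted(acl["Rules"], key=lambda r: r["Priority"]):
        stmt = rule["Statement"]
        if "GeoMatchStatement" in stmt:
            if request["country"] in stmt["GeoMatchStatement"]["CountryCodes"]:
                return f"BLOCK:{rule['Name']}"
        elif "ManagedRuleGroupStatement" in stmt and request.get("anonymous"):
            return f"BLOCK:{rule['Name']}"
    return "ALLOW"


if __name__ == "__main__":
    import json
    acl = web_acl("geo-block", BLOCKED_COUNTRIES)
    print(json.dumps(acl, indent=2))
    # Constructed sample requests: direct from a blocked country, from an
    # allowed country, and from an allowed country via a Tor exit node.
    for req in ({"country": "RU", "anonymous": False},
                {"country": "NL", "anonymous": False},
                {"country": "NL", "anonymous": True}):
        print(req, "->", evaluate(acl, req))
```

The third sample request is the caveat from the paragraph above made concrete: geo matching alone lets a request from an allowed country through, and it is the anonymous-IP rule that stops the Tor-routed one. Attackers with plain VPS capacity in an allowed country still get through, which is why this is a hardening measure rather than a guarantee.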

Continue reading
Older posts