It used to be painful that you could not change the instance profile of an existing EC2 instance. The good news is that you now CAN, via the AWS CLI. Here is a step-by-step example.
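As an added example (not code from the original post), here is a shell script that attaches an instance profile to a running instance with the AWS CLI, swapping the existing association in place when there is one. The instance id, profile name and the IAM permissions listed in the comments are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Attach an IAM instance
# profile to a running EC2 instance, replacing an existing one if present.
# Assumptions: AWS CLI configured for the target account; the caller holds
# ec2:DescribeIamInstanceProfileAssociations, ec2:AssociateIamInstanceProfile,
# ec2:ReplaceIamInstanceProfileAssociation and iam:PassRole on the profile's
# role; the instance id and profile name below are hypothetical placeholders.
set -euo pipefail

# Print the AssociationId of the instance's live profile association
# (state associating/associated), or nothing if the instance has none.
# The CLI prints the literal string "None" for a null result; drop it.
current_association() {
  local instance_id=$1
  aws ec2 describe-iam-instance-profile-associations \
    --filters "Name=instance-id,Values=${instance_id}" \
              "Name=state,Values=associating,associated" \
    --query 'IamInstanceProfileAssociations[0].AssociationId' \
    --output text | sed '/^None$/d'
}

# An instance holds at most one profile: associate-iam-instance-profile fails
# if one is already attached, so swap it in place in that case. Prints the
# state of the resulting association.
set_instance_profile() {
  local instance_id=$1 profile=$2 assoc
  assoc=$(current_association "${instance_id}")
  if [ -n "${assoc}" ]; then
    aws ec2 replace-iam-instance-profile-association \
      --association-id "${assoc}" \
      --iam-instance-profile "Name=${profile}" \
      --query 'IamInstanceProfileAssociation.State' --output text
  else
    aws ec2 associate-iam-instance-profile \
      --instance-id "${instance_id}" \
      --iam-instance-profile "Name=${profile}" \
      --query 'IamInstanceProfileAssociation.State' --output text
  fi
}

# Check from inside the instance that the new role is what IMDS hands out.
# Run this on the instance itself (IMDSv2 token flow); it prints the role
# name behind the attached profile.
instance_role_from_imds() {
  local token
  token=$(curl -sX PUT http://169.254.169.254/latest/api/token \
            -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')
  curl -s -H "X-aws-ec2-metadata-token: ${token}" \
    http://169.254.169.254/latest/meta-data/iam/security-credentials/
}

# Example invocation (placeholder identifiers):
#   set_instance_profile i-0123456789abcdef0 web-server-profile
```

One caveat when this is used to cut off a role you no longer trust: temporary credentials already fetched from IMDS under the old profile stay valid until they expire, so swapping the profile alone does not revoke sessions that are already in flight.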
SSSG Ninja is my new open source project: an all-in-one management tool for SSSG (Site Shield Security Group). It not only makes recommendations but can also do the work for you. If you are interested in trying it, it can be found in my GitHub repo. Here are the currently supported features: Make recommendations based … Continue reading SSSG Ninja
Client --ssh only--> Jumpbox00 --ssh only--> Jumpbox01 --http only--> Internal network. Here is how to ssh to jumpbox01, and visit websites on the internal network, from Client. 1) Ensure you have a private key that is trusted by both jumpbox00 and jumpbox01, for example jb.pem under ~/.ssh/, then run the following command: ssh-add ~/.ssh/jb.pem 2) Add the following … Continue reading Double SSH Hops example
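As an added example (not the original post's configuration), here is one way to wire up the two hops with OpenSSH's ProxyJump and then reach internal HTTP sites through a local SOCKS proxy. The hostnames, login user and key path are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the original post's configuration. Reach Jumpbox01
# through Jumpbox00 with ProxyJump, then browse internal sites through a
# local SOCKS proxy. Hostnames, user and key path are assumptions.
set -euo pipefail

# Emit an ssh_config stanza chaining the two hops. ProxyJump tunnels the
# second ssh session through the first, so the private key stays on the
# client and no agent forwarding (-A) onto the jumpboxes is needed.
# IdentitiesOnly keeps ssh from offering every key the agent holds.
hop_config() {
  local first=$1 second=$2 user=${3:-ec2-user}
  cat <<EOF
Host jumpbox00
    HostName ${first}
    User ${user}
    IdentityFile ~/.ssh/jb.pem
    IdentitiesOnly yes

Host jumpbox01
    HostName ${second}
    User ${user}
    IdentityFile ~/.ssh/jb.pem
    IdentitiesOnly yes
    ProxyJump jumpbox00
EOF
}

# Append the stanza to ~/.ssh/config and load the key into the agent.
install_hop_config() {
  mkdir -p "${HOME}/.ssh" && chmod 700 "${HOME}/.ssh"
  hop_config "$@" >> "${HOME}/.ssh/config"
  chmod 600 "${HOME}/.ssh/config"
  ssh-add "${HOME}/.ssh/jb.pem"
}

# Open a SOCKS5 proxy on 127.0.0.1:1080 whose traffic exits from jumpbox01;
# point the browser (or curl --socks5-hostname 127.0.0.1:1080) at it to reach
# internal HTTP sites. -N: run no remote command, -f: detach to background.
internal_socks_proxy() {
  ssh -N -f -D 127.0.0.1:1080 jumpbox01
}

# Usage (hypothetical hosts):
#   install_hop_config jumpbox00.example.com 10.0.1.10
#   ssh jumpbox01            # interactive shell on the second hop
#   internal_socks_proxy     # then browse via SOCKS5 127.0.0.1:1080
```

Binding the SOCKS listener to 127.0.0.1 rather than all interfaces keeps other hosts on your LAN from riding the tunnel into the internal network.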
AWS Trusted Advisor recently added a new check, 'Exposed Access Key', in the Security category. This check scans popular code repositories for access keys that have been exposed to the public and looks for irregular Amazon Elastic Compute Cloud (Amazon EC2) usage that could be the result of a compromised access key. By default Trusted Advisor runs … Continue reading keyWatcher scan exposed AWS key
I found this bug in CloudTrail when working on the AWS keyWatcher project. I noticed that some CloudTrail logs do not have an access key id field. Then I opened a ticket with AWS support, and they forwarded it to the CloudTrail service team. Here is the response, which confirms it is a bug: Briefly speaking, … Continue reading CloudTrail bug
We have seen multiple times that users accidentally expose their AWS access key and secret key on the Internet, e.g. on GitHub. This is really dangerous, as whoever gets that key can do whatever you can do in your AWS account. Here are two examples; the exposed key was used by someone unknown to create … Continue reading AWS keyWatcher
In some cases, Akamai may need to add HTTP basic auth to an incoming request before forwarding it to the origin. Here is how to: 1) Base64-encode the credentials in the format username:password, either with a shell command or with an online tool (for real credentials, use the local command rather than pasting them into a third-party site). # echo -n username:password | base64 dXNlcm5hbWU6cGFzc3dvcmQ= https://www.base64encode.org/ 2) Add a behavior … Continue reading Akamai add basic auth to incoming request