CloudFormation: Limited-Privilege IAM Policies With cfn-nag

Hello! This article is about security testing in CloudFormation; if you're looking for functional testing, check out this. When you write IAM policies, you should grant the smallest set of permissions that work. So, looking at this policy defined in a CloudFormation resource: The Resource: '*' looks wrong. It grants permission to make the DescribeInstances …

Lambda: Building Python 3 Packages

Hello! This is a guide for building lambda zip packages with pip dependencies in Python 3. It expands the AWS guide to: Build your code if it's either a single-file Python module or a pip-installable Python package (e.g. contains a setup.py). Track pip dependencies for single-file Python modules in the standard requirements.txt file. Show the file …

CloudWatch Logs Structured as JSON with Python Lambda Functions

Hello! If you're setting up JSON logging in a script instead of a lambda function, check out this instead. The pattern is a little simpler. Recently, I've been switching to logs structured as JSON. That means output like this: Instead of this: This way, your log processor can reference keys in a JSON object …

Simplifying Messy Conditions: Adaptive Models

Hello! Today we're getting into the thorns of programming. Beware cactus. 🌵 Years ago I found Martin Fowler's article on Adaptive Models. Adaptive models let you replace nests of conditions with a declaration of actions. That pattern has helped clean up my DevOps code a ton of times. Fowler is a better programmer than me. His …

Python DevOps Code Error Checking: Lint with Pyflakes

Hello! For those unfamiliar with linting (static analysis), read Dan Bader's introduction. There are several linters for Python, but when I'm doing DevOps I use Pyflakes. I love the opening sentence of its design principles: Pyflakes makes a simple promise: it will never complain about style, and it will try very, very hard to never …

CodePipeline: Python AWS Lambda Functions Without Timeouts

Hello! Today we're going to cover how to add Python AWS lambda functions to CodePipeline, and specifically how to do that without getting stuck in timeout loops you can't cancel. Copy/pastable code first, details below. Replace the two highlighted lines with the code you actually need to run in the pipeline. The commented raise is …

Securing AWS Security Groups: Restricting Egress Rules

Good afternoon! Today's article demonstrates a surprisingly easy way to tighten the network-layer permissions in an AWS VPC. (If you're in AWS but you're not in a VPC: 😡) Security Groups have ingress and egress rules (also called inbound and outbound rules). In most SGs, the egress rules allow all traffic to everywhere. You've probably seen …