Cloud Infrastructure: Automating For Security

Hello! The United States National Security Agency (NSA) just published guidance for mitigating cloud vulnerabilities. It reached my inbox via the United States Department of Homeland Security's Cyber Infrastructure (CISA) mailing list. The document covers a bunch of topics and I recommend reading the whole thing, but its "misconfiguration" section contains a guideline that's extra-relevant to …

Securing AWS Security Groups: Restricting Egress Rules

Good afternoon! Today's article demonstrates a surprisingly easy way to tighten the network-layer permissions in an AWS VPC. (If you're in AWS but you're not in a VPC: 😡) Security Groups have ingress and egress rules (also called inbound and outbound rules). In most SGs, the egress rules allow all traffic to everywhere. You've probably seen …

AWS Security Groups: Stateful Statelessness

Hello! Recently, I rediscovered a fiddly networking detail: although ICMP's ping is stateless, AWS security groups will pass return ping traffic even when only one direction is defined in their rules. I wanted to see this in action, so I built a lab. If you just asked, "Wat❓", keep reading. Skip to the next section if …