CategorySecurity & Privacy

Security and Privacy topics

Access Keys in AWS Lambda

A

Let’s look at AWS Access Keys inside a Lambda function, from how they are populated into the function’s execution context, how long they last, how to exfiltrate them out and use them, and how we might detect an compromised access keys. But before that, let’s go through some basics. Lambda functions run on Firecracker, a microVM technology developed by Amazon. MicroVMs are like...

Contact Tracing Apps: In this context their OK.

C

I thought I’d write down my thoughts on contact tracing apps, especially since a recent BFM suggested 53% of Malaysians wouldn’t download a contact tracing app due to privacy concerns. It’s important for us to address this, as I firmly believe, that contact tracing is an important weapon in our arsenal against COVID-19, and having 54% of Malaysians dismiss outright is concerning...

My experience with AWS Certified Security – Specialty

M

Last week I took the AWS Certified Security – Specialty exam — and I passed with a score of 930 (Woohoo!!) In this post I cover why I took it, what I did to pass, my overall exam experience, and some tips I learnt along the way. So let’s go. Why? Why would anybody pay good money, subject themselves to hours of studying, only to end up sitting in a cold exam room for hours...

Run serverless on GitHub actions

R

GitHub actions is the new kid on the workflow block. It allows users to orchestrate workflows using familiar git commands like push & pull requests, and un-familiar GitHub events like gollum, issue creation and milestone closures. In this post, we’ll use GitHub actions to orchestrate a build pipeline that will deploy lambda functions using the Serverless framework. There’s a lot...

Lambda functions in a VPC

L

In my honest (and truly humble) opinion, VPCs don’t make much sense in a serverless architecture — it’s not that they don’t add value, it’s that the value the add isn’t worth the complexity you incur. After all, you can’t log into a lambda function, there are no inward connections allowed. And it isn’t a persistent environment, some functions may...

Amazon KMS: Intro

A

Amazon KMS is one of the most integrated AWS services, but probably also the least understood. Most developers know about it, and what it can do, but never really fully realize the potential of the service. So here’s a rundown of the innards of the KMS service. What is KMS? KMS (Key Management Service) is an AWS offering that allows us to create, manage and use cryptographic keys. Like...

Interactive Shell on a Lambda Function

I

One of a great things about Lambda functions is that you can’t SSH into it. This sounds like a drawback, but actually it’s a great security benefit — you can’t hack what you can’t access. Although it’s rare to see SSH used as an entry path for attackers these days, it’s not uncommon to see organizations lose SSH keys every once in a while. So cutting down...

You own your software supply chain

Y

Just this week, my team was on the cusp of demo-ing a product they’ve been working on for the last 2 months, only for a build process to fail, just hours before the demo to some very high ranking people. Troubleshooting the build took a while, but eventually we found the root cause, a missing package version! This probably wouldn’t have been a big deal, had we not stumbled across it...

Securing Lambda Functions

S

First a definition. A lambda function is a service provided by aws that runs code for you without the introducing the complexity of provisioning servers of managing Operating Systems. It belongs in a category of architectures called serverless architectures. There’s a whole slew of folks trying to define with is serverless, but my favorite definition is this. Serverless means No Server...

Thoughts on SingHealth Data Breach

T

On the 20th of July, Singaporean authorities announced a data breach affecting SingHealth, the country largest healthcare group. The breach impacted 1.5 million people who had used SingHealth services over the last 3 years. Oh boy, another data breach with 1.5 million records … **yawn**. But Singapore has less than 6 million people, so it’s a BIG deal to this island I currently call...