Sunday, September 11, 2022

AWS Wish List. Make a wish. It may be granted… | by Teri Radichel | Cloud Security | Sep, 2022


Make a wish. It may be granted! #awswishlist

This is a short break in my series on automating security metrics to tell you about the AWS Wish List.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interlude: Still waiting for copyrighted materials to be removed from some of these sites. I added information on how to report copyright infringement to Google’s legal team here:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Back when I worked at Capital One on the cloud engineering team, one of the things I was asked to do was to manage the list of AWS features that Capital One wanted AWS to implement. Of course Capital One had a lot of leverage with AWS at the time because they were the first major bank in the United States to move to AWS. And yes, they had a breach, but cloud security is complicated and that is what my latest blog series is trying to address.

At any rate, Capital One did help make some major improvements to AWS security. One of the issues with AWS S3 was that it required applications to traverse the Internet in order to put or get objects. This was something Capital One was not keen on doing, since prior to cloud any connection to a vendor required a private line (MPLS, for those who are familiar) to do business with the bank. Sending data over the Internet was just not cool.

Capital One requested a feature that would allow companies to keep the information off the Internet as it traversed the network from an AWS VPC to an S3 bucket and vice versa. That feature became S3 endpoints. From there, S3 endpoints have evolved into VPC endpoints. Now you can send data from application resources to storage resources either within your VPC or at least keep it on the AWS backbone as it traverses the network. It will depend on which services you are using and whether they keep all data between regions on the AWS backbone or not.
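Creating the endpoint only gives your VPC a private path to S3; nothing stops a caller with the right IAM permissions from still reaching the bucket over the Internet. The usual way to enforce the private path is a bucket policy that denies every request not arriving through your endpoint. The following is an added example, not code from the original post or from AWS: it builds that bucket policy and runs a small, simplified IAM-style evaluator over it so you can see the effect of the Deny before applying it. The bucket name, endpoint ID and IP address are made up, and the evaluator models only the two condition operators the policy needs.

```python
"""Added example (not code from the original post): a bucket policy that keeps
S3 traffic on the AWS backbone by denying any request that does not arrive
through a specific S3 gateway VPC endpoint, plus a small policy evaluator that
shows what the Deny does. The bucket name, endpoint ID and IP address are made
up; the evaluator models only the parts of IAM evaluation needed here."""
import json
import re

BUCKET = "example-bucket"                    # assumed bucket name
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"  # assumed endpoint ID


def endpoint_only_policy(bucket: str, vpce_id: str) -> dict:
    """Deny every S3 action on the bucket unless aws:sourceVpce matches.

    An explicit Deny wins over any Allow (identity policy or bucket policy),
    so even a principal with s3:* cannot reach the bucket from the Internet,
    from another VPC, or through a different endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessFromVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
            }
        ],
    }


def _wildcard(pattern: str, value: str) -> bool:
    """IAM-style matching for Action and Resource: * and ? are the only wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, context: dict) -> bool:
    """Supports StringEquals and StringNotEquals with case-insensitive keys.

    Note the negated operator: when the key is absent from the request
    context (a request that never touched any endpoint carries no
    aws:sourceVpce at all), StringNotEquals evaluates to true and the Deny
    still applies."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key.lower())
            expected_values = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in expected_values:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected_values:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict,
             identity_allows: bool = True) -> str:
    """Simplified same-account evaluation: an explicit Deny in the bucket
    policy wins; otherwise an Allow in the bucket policy or in the caller's
    identity policy (identity_allows) grants; otherwise implicit deny."""
    ctx = {k.lower(): v for k, v in context.items()}
    bucket_allows = False
    for stmt in policy["Statement"]:
        if not any(_wildcard(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        bucket_allows = True
    return "Allow" if (bucket_allows or identity_allows) else "ImplicitDeny"


def demo() -> tuple:
    """Same object, same caller, three network paths."""
    policy = endpoint_only_policy(BUCKET, VPC_ENDPOINT_ID)
    obj = f"arn:aws:s3:::{BUCKET}/reports/2022-09.csv"
    via_endpoint = evaluate(policy, "s3:GetObject", obj,
                            {"aws:sourceVpce": VPC_ENDPOINT_ID})
    from_internet = evaluate(policy, "s3:GetObject", obj,
                             {"aws:SourceIp": "203.0.113.7"})  # no endpoint key at all
    other_endpoint = evaluate(policy, "s3:GetObject", obj,
                              {"aws:sourceVpce": "vpce-0fedcba9876543210"})
    return via_endpoint, from_internet, other_endpoint


if __name__ == "__main__":
    print(json.dumps(endpoint_only_policy(BUCKET, VPC_ENDPOINT_ID), indent=2))
    print(demo())  # ('Allow', 'Deny', 'Deny')
```

To use the policy for real, create the gateway endpoint first (`aws ec2 create-vpc-endpoint --vpc-endpoint-type Gateway --service-name com.amazonaws.<region>.s3 --vpc-id ... --route-table-ids ...`), then apply the JSON with `aws s3api put-bucket-policy --bucket example-bucket --policy file://policy.json`. Two caveats a practitioner will want: the Deny applies to `Principal: "*"`, which includes your own administrators, the AWS console and any CI runner outside the VPC, so test it on a non-production bucket and keep a way back in; and a gateway endpoint only serves traffic from the VPC whose route tables reference it, so resources in other VPCs or on-premises still need their own path.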

Capital One obviously had a bit more leverage than you or I do to get new features implemented at AWS, but AWS does listen to customers. If enough people ask, they will implement new features and fix problems. There are different ways to submit requests to AWS, but one of the most visible is the AWS Wish List.

One day, as I was frustrated about something I couldn’t do or that was not working correctly, I randomly tweeted it out on Twitter with the tag #awswishlist. I didn’t realize that anyone else had ever done that before. Out of curiosity I searched for that tag and found that some other people had done something similar.

As it turns out, AWS created a whole website just for the #awswishlist. You can see who is contributing and some of the wishes that have been fulfilled.

You can also head over to Twitter to see what is on the wishlist and like or retweet your favorites. AWS will likely take notice if a particular tweet gets a lot of likes and retweets.

A number of the different methods you may ask for options or fixes on AWS, although I’ve had little success with a few of these not being an enormous company:

  • AWS support in the AWS console
  • The feedback link on the AWS website — I’ve been submitting requested changes for SSO, Control Tower, and Organizations and I don’t see that any of them had any effect, unfortunately.
  • Some of the AWS services have GitHub accounts where they publish their road map and people can submit feedback directly on the road map for a specific service.

If you have a TAM (technical account manager) with AWS, and especially if you are a large company paying a lot of money, you will likely have more success with direct feature requests via your account manager. I used to track all our feature requests across the organization with the help of our TAM in a spreadsheet: who submitted each one, and when AWS was planning a release of that feature (or whether they couldn’t do it).

There are some things that AWS said were “absolutely not possible” back then which are possible today. For example, we got an increase in the number of security group rules, but there was no way to increase the number of rules in a subnet network access control list (NACL). I recently noticed that you can now request an increase (though still limited) to NACL ingress and egress rules, but they warn you that it may come with a performance degradation. So never say never when it comes to a request. It may take some time for AWS to re-architect things, but if enough people ask, wishes come true!

Bugs and Error Messages

Lately I’ve been working on a new batch of code on AWS, and sometimes it is the littlest thing that takes so much time to resolve. If only the error message were clear, I could have fixed the problem in no time and gotten back to writing the code that actually accomplishes my objective. Instead I’m digging around on Google and in AWS documentation trying to find answers to obscure problems with unclear error messages. I recently started writing a blog post every time I hit one of these obscurities, both to help myself in the future and anyone else having the same problem. I’m documenting them on this new blog — Bugs that Bite:

I don’t send all of these out in emails because they may not apply to everyone, and who wants a bug list? The bugs and error messages are not all related to AWS; that just happens to be the platform I’m working on at the moment. If I switched to Azure or Google I would run into an equal or greater number of problems, because I have, while preparing for classes or performing security assessments or penetration tests on those platforms.

My global wish for AWS is that they (and everyone else in the world writing software, because I find bugs EVERYWHERE) would take the time to test code thoroughly and write proper error messages. In addition, error handlers can be very helpful in providing a proper response to errors. I don’t want to put every one of these on the wishlist because some of them are too complicated to explain in a tweet, plus there are so many, and I don’t want to overload the list with little bugs versus major features or changes.

I put in a general request for AWS to look through this list and address some of these issues. If you’ve ever experienced one of these error messages or problems and feel like a better error message would help, please clap for the story to get it to rise to the top of the list.

A request to change the rules for penetration testing on AWS

My favorite AWS wishlist item was the request to perform a penetration test without submitting a request form. I think I may have submitted that request a number of times. This was after I was working at Capital One. I debated this item with someone in Seattle at AWS who oversaw or worked with that team, located in South Africa at the time, and he tried to tell me it was simply not possible, even though Microsoft and Google allowed it.

Then one day, I was in the middle of my first beta class through 2nd Sight Lab and I realized I had forgotten to request access for students to perform the pentest lab. Shoot! My students weren’t going to be able to do the lab! Oh no…I quickly sent an email to AWS begging them to process the request quickly. It was on that day that they told me in an email that I no longer needed to make that request. Hallelujah.

I put a copy of the email on Twitter with a statement: Behold…the rules for pentesting on AWS have changed… or something to that effect. I went to class and when I got out the tweet had about 1500 likes and was getting retweeted everywhere, but someone was questioning it because the AWS page hadn’t been updated. I freaked out a bit because I thought, what if I had somehow been sent a bogus email and was telling the world to hack AWS?! But it was true. The website got updated a few days later.

I remember going to an advanced penetration testing class at SANS Institute, and someone asked the instructor (who shall remain unnamed because now he is a colleague and friend) how to do penetration tests on AWS. He provided an incorrect answer, so I raised my hand and explained that you no longer have to put in that request. I was publicly rebuked and humiliated in front of the class and told I was wrong. No hard feelings, but…I was not wrong.

It is so much easier to perform penetration tests for customers now thanks to that change. There are still limitations on what you can do in a penetration test on AWS, so make sure you follow the rules! Someone contacted me and said, “so I can test anyone’s account?” No, only your own.

Now…about that Bug Bounty request…. 🙂

Teri Radichel

If you liked this story please clap and follow:

Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Request services via LinkedIn: Teri Radichel or IANS Research

© 2nd Sight Lab 2022

All the posts in this series:

____________________________________________

Author:

Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts


