Episode Description
What We Discuss with Damien Burks:
- 00:00 Introduction
- 00:13 A word from our sponsors – Snyk.io/csp
- 01:16 A bit about Damien Burks
- 02:24 Incident Response in the cloud context
- 03:50 Is incident response different in the cloud?
- 05:22 Average time for an incident response
- 07:33 AWS services for incident response automation
- 08:55 AWS EventBridge
- 11:56 The phases of incident response
- 13:42 Containment Phase: Starting point and challenges
- 17:54 Organisation with Multiple Accounts
- 20:09 How to structure the process
- 21:04 Containment for EC2 instance
- 23:54 Enjoying this cloud security topic so far?
- 25:17 Containment for S3 Bucket
- 27:57 Where to start with incident response
- 30:18 Preparing for Incidents
- 32:08 Fun Questions
Hello, welcome to another episode of Cloud Security Podcast. We're talking about AWS security this month. Specifically, today we're going to talk about incident response. Now, incident response has not been covered that well across the globe in terms of just a cloud security concept, so I'm looking forward to this conversation with a really good friend of mine, Damien. Welcome to the show.

Thank you for having me. Pretty good, how about yourself?

Good. I'm really excited for this conversation, man, because I think incident response is one of those topics where people focus a lot more on how do we do threat detection, but not enough about, hey, how do we respond to this in the first place. So I'm really excited about this. But before we start, for people who don't know much about Damien, please share a bit about yourself and how you got to your role today.

Oh yeah, definitely. So hi everyone, my name is Damien. So a little bit about me: I've been in the security industry for about four years and counting. My first role prior to this one, because this one is my second role as a cloud security engineer, was a security software developer for Verizon, which is a telecommunications company in the United States. So the majority of my work there, I basically just built a bunch of tools for, like, penetration testers and, you know, blue teamers, red teamers, to be able to help them perform their
daily tasks throughout the day. So I was pretty much a security tool developer the entire time. One thing led to another: while I was doing that, I was getting exposure into AWS and I started to like doing things in AWS, so I got certified. I hold about three AWS certifications, with my Security Specialty being the most recent one. And then from there kind of pivoted into DevSecOps for the financial institution I worked for, and then became a cloud security engineer all at once. So that's pretty much how I got to where I am today, in a very short and not long-winded way.

So yeah, by the way, it's a great one, because you're probably well suited to talk about incident response as a topic as well, because I guess a lot of people kind of get confused; they think about pen testers when they think about incident response. How would you describe incident response for people, specifically in the cloud context, because you've worked in that space more? How would you describe incident response in the cloud context for people who may not have been familiar with it otherwise?

So just from a basic standpoint, incident response, pretty much per definition, is the way an organization responds, detects and responds to threats within the organization, or that pretty much attempt to affect the organization. From a cloud standpoint, I would describe it as the organization's ability to be able to respond to cloud-native threats. That could also be in a way where they may have to leverage third-party tools or the specific cloud-specific services in order for them to be able to contain or mitigate those threats. Within the cloud, specifically AWS, there's a plethora of services that they've come out with for you to be able to detect threats, like Security Hub. There's also Macie, for example, for detecting S3, you know, threats for PII and data and stuff like that. So when it comes to cloud, for incident response it's really about which tools you need to kind of evaluate your risk or your threat landscape for your
environment and how you're going to use those to be able to respond to them effectively and efficiently.

So, interesting. Would you describe that to be that different to, say, traditional incident response?

I would say it is a bit different, definitely, because my personal experience with incident response from a traditional standpoint is you have more control within your environment. A lot of things, like, especially if it's on-prem, you will know the ins and outs of the servers that may have been compromised or, you know, the code, web applications that may have been compromised. Versus in the cloud, you're pretty much working with the CSP to be able to understand what's happening and what's going on, and what services you can use or how you can respond to that threat effectively to be able to mitigate and protect your organization's assets. So from a cloud standpoint it becomes exceptionally important to collaborate more with not just the people within your organization but also the CSP.

Interesting. And I think it's the perfect timing as well, because we're kind of recording this as we are coming close to AWS re:Inforce and fwd:cloudsec and all that as well. Just for people to get some idea, because you're doing a talk at both places. We'll link to the talk when it gets available online so people can go and listen to it. But in your talk you were talking about how the incident response plan can take a few hours. I mean, I'm just thinking from a perspective that, hey, I come to you saying, Damien, there's an incident, hey man, I need your help, and you're starting from ground zero. There's a lot to be done in the beginning just to understand the scope of it and all of that, which takes hours, and then you're trying to, like, do this automatic. But you were saying in your talk that you've been able to reduce it quite a bit. So before we go deep dive into the talk itself, what's an average time for incident response usually that's the among when you talk to colleagues and otherwise, just across the industry,
that you've seen?

So usually, because a lot of things are pretty much the manual process. I mean, you may have a little bit of automation inside of there where you're detecting things that are happening, but the portion of responding to it takes a bit of time, because while you respond to it you also have to mitigate things, right? So I would say average, like, if there was an incident that happens, the detection and analysis phase pretty much takes between, like, one or two hours. It's the containment and the recovery phase of it all that takes the longest time, because that phase, which is where in my talk I'm talking about automating just that particular phase, because that phase of the incident response life cycle takes the longest. And on average, containment, but the timing is going to depend on how many services were compromised and how many things you need to mitigate or you need to save. Like, if someone walked in there and decided to pop 500 IAM roles, where they leverage 500 IAM roles to create pivot points in your environment, you have to contain all 500 of those IAM roles. So that could take you quite a bit of time, because if you're in AWS, for example, you have to create a policy, so you have to go through navigating various different screens, you have to associate that denial policy to that IAM role, et cetera, et cetera. And that's just for one role. So imagine doing that 500 times.

Yeah, right. Yeah, I can already imagine, because it's funny, a lot of people imagine the scale of incident response on premise to be very similar, to, how bad can it really be? But I think the 500 IAM roles is a great example, because I think one of the conversations that I've had with a CISO friend of mine ages ago, and we were talking about how automation is like a double-sided sword: great for when you want things to work, but when you don't want the thing to spread out, it would still spread out everywhere, in all the accounts you have, and you're like, oh my God, why would this automation work? Exactly. So I can
see how it can become a job that could be really hard without automation. I'm curious what kind of services can people, and I know we're talking specifically about AWS as well, but I'm sure others part of how the service, but from an AWS perspective, because it's AWS security month, what services did you end up using from AWS for making your incident response activity automated and, you know, going about it?

For sure. So some of the services that I leverage for creating this framework that we developed is Step Functions, for one. Step Functions allow us to be able to pass in payloads and trigger a Lambda function, which is the second one. And that Lambda function in itself, you know, when you have a step function that invokes a Lambda function, it becomes very much scalable, because that Lambda function has the ability to be able to reach into the account, that's possible by assuming, of course, a privileged IAM role, to be able to execute a specific amount of containment actions for a given resource. Yeah, so when you really sit down and you think about it, it's really Step Functions, IAM, Step Functions, IAM, Lambda. And there's also, if you want to send out any kind of emails or stuff like that, there's SNS and SES. SNS is very much so a lot faster. So SNS, for, you know, people subscribe; if you have stakeholders you want to subscribe to the topic, you can send, you can have them subscribe to the SNS topic to get that email.

Oh, it's like a PagerDuty version.

Yeah, yeah, yeah.

And look, also, because I think you said Step Functions, Lambda, IAM roles, because most incident response documentation that I see, and I'm sure the audience would be seeing, would be around EventBridge. Why not use EventBridge for this?

So when we're talking about, you can use EventBridge from a detective standpoint. So a lot of what I've seen in the industry is a lot of people use EventBridge to build out their detective solutions, like guardrails, yeah, which allow them to be able to traverse and detect things in negative activity
or malicious activity within their AWS environments. But the framework that was pretty much, that I talked about previously, is more or less focused on just that containment portion of it, which takes the longest time. But EventBridge is something that you can use, and we could potentially use that for containment, or automating containment, you know, the containment phase of the incident response life cycle. Yeah, my big thing is that if you were to do something like that, you would have to include some advanced artificial intelligence or NLP, because you will want something, and the reason why I'm saying this is because I have a little bit of experience writing models and stuff like that for security purposes, okay, you would need something to classify the event and automatically categorize the event to see if it is actually worth responding to. And that's something that, as the human being, when we're at the fort, when we log into Splunk and we see something and they're just like, oh well, someone created this EC2 instance and then enabled IMDS version 2 or something like that, right, you know for a fact that you have to discern, okay, what's the priority compared to, well, we may need to actually respond quicker to this S3 bucket that has public access enabled, right?

Because of course this may contain sensitive recognition or something.

Exactly, sensitive information that could be exposed, right? Yeah, so those are the things that you really want to sit down and you want to think about, but the human is the person that's thinking about it. So when you add something like that, you want to create and then automate the entire life cycle, you have to add some type of classification methodology to be able to classify, you know, your incidents and what things you want to respond to and what things you don't want to respond to.

Yeah, awesome. I think as you were saying it, I'm like, actually yeah, going to EventBridge, as a great service as it is, it can look into every single event, not even just a simple
event of create S3 bucket. That could be multiple possibilities, like, I was talking hundreds of possibilities why someone created an S3 bucket, but how do you even see which one is malicious versus which one is good? Yeah, I mean, that definitely sounds like a problem to solve, or a complex problem, so I can see why. So much, it only makes more sense as well, because then you're more aware of what you're doing and how much you want to, I guess, scope out. Because I'm talking about scoping as well in terms of environments, I'm assuming the thinking that would have gone behind making this incident response plan, or at least the containment of it, would have had things like, I'm thinking more from a perspective, because most AWS environments would be multi-account, and I'm sure that comes with its own challenges. And maybe before we even deep dive into the whole multi-account challenge, you kind of mentioned two phases, and I think I want to just quickly tap on how you think about incident response, that way people get to see why we are focusing on containment as well. So what are some of the stages you think about in an incident response plan? Because people are listening in, I imagine some of them are leaders who are trying to figure out, hey, I need to make an incident response plan. You mentioned containment as one phase. What's before that and what's after that? And so yeah, it's like a sequence to it.

Yeah, there's pretty much a sequence. So in my mind, when I look at it, and I don't necessarily have, like, the full, like, this plan, but I would say if you are trying to construct your incident response plan, definitely look into the NIST IR life cycle, because that's going to have, like, a full guided list of things that you should do when you're constructing your incident response plan from scratch. Yeah, but when it comes down to this containment, the eradication and recovery phase, which is pretty much all in one, before that there's a detection and analysis phase, and then after that there is the, okay, lessons
learned: what did we do, how do we do it, how do we prevent things from happening after the fact. And that's where, those are pretty much like my three phases in my mind: there's the detection, analysis, containment and mitigation phase, and then there's the lessons learned phase. And without the lessons learned, of course, you're going to repeat the same problem. And then in order for you to have the containment, you need to be able to detect and also analyze what events are happening in your environment and classify them.

Yeah, yeah. And I think to your point also, the learning would also help improve the threat detection as well, because then you can detect for them, and yeah, so it's a cycle. So talking about containment specifically, for people who are starting on this, like, oh, Damien, great talk and everything, I want to start doing this work, what's some of the first thinking that you had as you were kind of going on a journey of working on this? Also, what were some of the challenges?

So from a containment standpoint, honestly, I walked directly into a tool that was automatically, I would say, pre-built. But I would say my biggest challenge was really just kind of understanding the threat landscape of containment, like, okay, what is it that we're containing, how would we be able to do these things, what permission sets we need, and most importantly, how is this going to scale. And just those four or five questions really kind of identify the scope, as far as, like, you know, okay, we know for a fact that we need something to automate because we need to scale, which is most important. We definitely need to know that there are going to be multiple use cases for this, because there are multiple services, and for every service you need some type of capability to mitigate any kind of threats for it. In AWS specifically, there is the aspect of getting those permissions right. Most organizations will have SCPs in place, and of course I'm sure they may have, like, a centralized IAM team to work with. You'd have to figure out how you
can get those things whitelisted. And then the last thing would be from a deployment standpoint: how do you get this into every account, how do you have something in a centralized account, how do you allow that Lambda function to reach into various different accounts to contain resources, how do you do that? And that right there, the two biggest challenges that I faced, in fact, from a containment standpoint, was roles and permissions, and identifying the permissions, and then the second thing was the deployment strategy for this. Because if you have an organization, I'm pretty sure, like you said, there are multiple accounts, right, that an organization will use in AWS. The question is how do you get this framework kind of deployed into every different account. Yeah, and that is something that you have to work with, especially if you have a DevOps team. They most likely are using AWS Landing Zone to deploy various resources, but that's the challenge within itself: how do you get that?

Yeah, I mean, I think, because I kind of stopped at the part of, yeah, Lambdas can be deployed anyway, but then as you kind of called it out, I'm also thinking, like, if we just go back to the example of 500 IAM roles, and each of those roles created an EC2 instance, and you're like, oh wow, so I've got 500 times 500 EC2 instances, and, you know, all of them in multi-account, multi-region, and you're like, oh wow. I think the scale just amplifies, and you're like, oh, my tiny little Lambda function cannot go through all the accounts and all of them. And I mean, even if you go down the path of using Step Functions and Lambda and everything, you're trying to figure out, I think I imagine encryption would be a challenge as well, because I remember AMI was like, oh my God, it's going between one region to the other. I mean, I understand why they have that, but did you have that challenge as well?

I also designed and developed a little bit of automation about the forensic space, which is basically collecting snapshots.
So yes, I would face a lot of challenges relating to the forensics aspect of collecting snapshots, because, you know, KMS keys, as CMKs, are regional services. Yeah, that's a regional key, so you have to create one in every region. The problem is, when you have it from an IAM standpoint, let's say if I wanted to collect a snapshot for an EC2 instance that's hosted in a different account and I wanted to copy that into another account by using another KMS key, the role that you're using has to have permissions to encrypt, decrypt, re-encrypt and also generate a data key for that KMS key and the tenant account. And if you're using a different CMK in another account, it has to have permissions to that too. But that's not all, because the CMK itself has a key policy, so you also have to make sure that that key policy grants your IAM role the permissions to do that. So it's a lot of grants. You have to create those grants, and you have to make sure that your keys themselves have permissions to give your role the rights to do what it is that you need to do. So it's a bit convoluted, but it can be done.

Well, you do talk about this in your talk as well?

Yes.

Okay, cool. I think, because I was gonna say, what's the 30-second version of how would someone achieve this, I guess, or maybe a longer version, that's okay as well.

I would say like this: if you have an organization that has multiple accounts, and you have, let's say, you have multiple accounts, of course, it would be ideal to start at the very foundational level to include those things. So what I would suggest, and this is based on my experience and also is incredibly opinionated: you have a module, for example, we're using Terraform, you have a module that everyone uses to be able to deploy a KMS key into their AWS accounts. If you're restricting them to using just that module for your KMS keys, your S3 buckets, so on and so forth, you can modify that module to allow a specific amount of roles to decrypt, encrypt, re-encrypt, et
cetera, et cetera, for that particular KMS key or that subset of KMS keys. And that will help eliminate the overhead of going in and manually updating the KMS key policies for every key in the organization that is used. It's something that you bake into the SDLC.

Okay, right, the deployment strategy. And oh, okay, so as a step towards containment, you're basically adding that IAM role to be part of that. As in, obviously everyone can choose to have this in the beginning, but if they don't, they can still just update, basically update the IAM role everywhere, and then you can run your step function to kind of just get the whole thing going.

That's right.

Yeah, okay. Because that to me would make sense. But would you still be able to kind of copy across? Because you're almost like decrypting, unencrypting, copying this kind of snapshot across, then re-encrypting, is that right? Because I remember when we were trying to do the whole golden AMI thing, and we were trying to just be, hey, we will just use one golden AMI everywhere, and then we decided against it because we're like, we're just transferring between regions, which is such a headache, because, well, if I'm already unencrypting it then what's the point? So that's kind of where a lot of the questions came in. The encryption, the more we're confusing the audience. Forget the point. Basically, yeah, watch out for encryption as you kind of walk across. Would you also be covering in your talk how someone would structure this? Because you know how AWS has recommendations around having a separate account where you have all your forensic tools, all your everything that deep dives into every account where there's a potential incident. Did you end up using it, and did you find that valuable?

So we ended up following a similar pattern, wherein we have, for example, the framework deployed into a security account just for it, and
then all of the other, like, resources that we have, which we contain, are obviously in our AWS tenant accounts, right? So in essence, the framework exists in one account, we have our forensics accounts for forensics analysis, and then there's also just a customer account, so we can have the ability to reach into it to perform any kind of containment or collection action. So we followed a similar process, and it definitely worked out well, I would say.

That's pretty awesome, man. Maybe just to put some more color onto this painting, if you can probably give an example. Let's just take the three popular services that people usually have in AWS, say an AWS EC2 instance, an S3 bucket, Lambda. Let's just take those two. How can someone approach doing containment for these services? Maybe if you talk about the containment process, just as you were explaining it all, how would one start about doing this for an EC2 instance?

That's a great question. So from an EC2 instance standpoint, I would say mostly the idea for me for containing something is to completely break it and make it unusable. Of course, I'm pretty sure there are people who are probably not going to agree with me on that statement, but you don't want anyone to have access to it at all, unless of course they're security professionals, right? So in my opinion, when you contain an EC2 instance, the first thing you want to do, aside from detecting it and evaluating it to make sure you have the right EC2 instance, is you want to completely disassociate the instance profile from it, and removing the IAM roles that it has, so that it can't necessarily, you know, let's say if you have an EC2 instance that connects to an RDS instance or something like that, you want to make sure that it doesn't have any kind of permissions to do anything. The next thing that you want to do, considering your EC2 instance has network connectivity, which in most cases it will, is you want to remove all the security groups and
attach a deny-all security group to it. That prevents it from being able to connect, prevents inbound and also outbound traffic, so don't include any rules at all. The final two things I would recommend: apply a termination protection policy, and that stops the attacker from trying to clean up their mess automatically. And then the last thing is that you want to stop it from running, so that when you take that snapshot it's not running. So you have a whole bunch of, like, let's say, for instance, you have a web application running on it and it can't connect to anything, it most likely will fill up your error logs, right? So you want to be able to just stop that from happening and stop the instance from, you know, running, so that you have a nice EBS instance of volume, so that you can copy that into your forensics accounts to perform that analysis. So that's what I would recommend for containing an EC2 instance.

Awesome. And a snapshot of the EBS volume as well?

Absolutely. For forensics capabilities, take that snapshot of that EBS volume so you can analyze it, you can check it out and see how the attacker was able to penetrate, how the attacker was able to get in.

This is not, like, a service, it's just like a volume attached, but it acts like a RAM. I don't know if it's
still the case, but essentially it was like a RAM attached to a memory. So can you still access memory and stuff? Is that still allowed in AWS?

I believe so. Don't quote me on that. I believe so.

Because I imagine from a forensic perspective that's also, like, a lot of juicy information as well, right, what was done, because memory would have stored things that's trying to cap, whether it's clipboard or whatever else, maybe information that would be there in the memory that would be valuable as well. So people can actually include that as well if they want to?

Yes, they could. Like, for example, if it was containing an EC2 instance and you stop it and don't terminate it, you still have all that information there, and because it's isolated, you don't necessarily have to worry about anybody connecting to it. But I will say this: there is a way for you to get into the instance if you assume a role and have SSM permissions, and that's where you can do the memory analysis, if you have that SSM capability.

Yeah, so I think I know what you're saying, kind of like one of the ways that you can do it. Interesting. And what about S3 buckets? I think we hear a lot of use cases. I think we had one of the guests in the past talk about a whole ransomware in S3 buckets as well. I couldn't believe there is ransomware in S3 buckets as well, where basically people empty the entire S3 and leave their Bitcoin as a text file, like, hey, just my address, and you're like, okay. But clearly there are incidents that happen in that context as well. So from an S3 bucket perspective, what's the line of action there from a containment perspective?

Oh my goodness, I have so much wealth of knowledge for that. So there's two things. I have an open source project that I've developed called DataCop, so it essentially contains an S3 bucket after you leveraging Macie, and also now Trend Micro, a big shout out to Trend Micro, for file storage, because their tool also allows you to be able to scan
for malware against their own private, like, signature repository. So when it comes to containing an S3 bucket, I'm so glad that AWS decided to update their security specifications and policies for S3, because now public access is not the same by default, which is great. Back then it wasn't, so before then a lot of people would create these S3 buckets and of course public access will be enabled, because they didn't know how to disable it, right? And that led to a lot of things. But when you are attempting to contain an S3 bucket that is potentially malicious or has been compromised and popped, I would say the key thing is that you want to make sure that, first thing, public access is disabled. You don't want anybody, you know, anyone from outside of your organization, traversing through your S3 objects. That's the first thing. And the second thing is, the beautiful thing about S3 is that you can have an IAM role that you can use to be able to view them, but you can still, your bucket policy by default takes precedence, so you can restrict anything from happening if you update your bucket policy. So the next thing is that you want to restrict or deny all S3 access to that bucket by adding a deny-all S3 bucket policy, and only allowing explicit security roles to be able to assume a role into your account to view the S3 bucket and then collect any kind of analysis or anything like that, so you can conduct that. But that's my recommendation that I would say to kind of move forward with containing that: revoke all public access to it, and then the next thing is create that bucket policy, deny everyone except for security roles.

So interesting, and thanks for sharing that, man. I think that's definitely good, because I think denying public access to every number one for most things, especially if you know something has happened as an incident. Talking about incidents as well, I imagine, you know how we started the conversation with just a conversation about, in fact, not many people
even talk about incident response in the cloud context, because they just assume it's already been taken care of, or AWS would respond to them, or something would happen. Nine out of 10 times, audience members, it does not happen. You kind of are still relying on yourself and your threat detection capability to even identify that it has happened, right? So for people who may have not even walked on this path, and they hear you talk about this and go, oh my God, I need to work on this, what are some of the good, I guess, building blocks for building an incident response plan that you would say? Obviously we spoke about the three phases, which people look at, but what are some of the easy wins? I feel like it's a daunting task to even start thinking about, oh, I'm gonna build a castle, but I'm doing a brick yet. So I think that's kind of where I feel most people would get overwhelmed by the incident response thing. So do you have some recommendations for people trying to build an incident response plan, for where they can start?

If you're looking to build it, I will say the easiest portion to start with is the detection side of the house, because when you start to look into how do I want to detect incidents, in that process or in that discussion, those conversations that you have, you realize that you also need to threat model things, and that invokes another topic that you can dive into, because when you start to threat model things you also start to understand and classify your business, you know, critical business applications. You also start to classify, if it's from an AWS service standpoint, what services you want to restrict, what services you want to recommend, and so on and so forth. So those are the type of things that you want to look into trying to build and trying to develop in your incident response plan: start with the detective side, get things threat modeled, have those discussions of what you want to allow in AWS, what services you want your individuals to use, and then
from there start maturing process around building automation around detecting those things, because if you have a list of services that you allow, you can start to threat model and create controls around those services, which those controls end up being detective controls; it can also be preventive controls, right? So that's where I say start first. Don't hop to containment. Build your detective and preventive controls first, then you can move into automating the next part of the incident response lifecycle, which is the containment, analysis, so on and so forth.

Awesome, great advice as well. And what about even, I feel like prepping for incidents is also something not spoken about enough. How can people go about preparing themselves for a production incident? Like, they make that threat detection, threat model, all of that, right? How does one, it's almost like a muscle memory, for lack of a better word, people want to develop that as they go forward, especially in the cloud context. They may have a lot of experience in on-premise context, but cloud has its own challenges. What's your recommendation for people to keep on top of that?

So the best way to prepare yourself for incidents, I always recommend, is just paying attention to what's going on in the cloud security space or in the cloud space. The news is very powerful, because it also can help you understand, like, whether or not you're also at risk if someone were to get compromised. But the good thing about it is that it also inspires the educational aspect of it, which is also very important. Like, you want to make sure that you're studying for your certifications or you're learning the security best practices that the CSPs are providing you with, you know, so you definitely want to make sure you're doing all of that. And the last thing that I would say is, from an incident response standpoint, when you're kind of building it out and attempting to get your education right, your tabletop exercises are exceptionally important, because it's purple teaming, but you also are
working with everyone in your organization to ensure that you are actually responding to the events the way you have actually documented everything. There's also playbooks and runbooks that you want to create as well, and that will better prepare you responding effectively to any kind of incidents that you have within your cloud environment. So those are really, really good things to have to prepare yourself.

I think that would definitely strengthen the muscle memory people have with incident response in general as well. I'm glad you had a talk about this that forward Cloud say that reinforces well. That was kind of most of the questions I had, man, but I think I've got three fun questions for you, so people get to know you a bit more as well. Not too technical, just to get you a bit more. But first one being: what do you spend most time on when you're not working on cloud security or building incident response plans, man?

Oh man, I think for me, and so I have a couple of foster kittens right now. Me and my partner, or my girlfriend really, we foster cats, so that's pretty much like where the majority of my time is going, is taking care of kittens that are less than 12 weeks old and attempting to play video games on top of that. So that's pretty much what I do with my spare time.

How many things have you fostered at the same time?

So we have three little kittens at this time, and we also have two cats of our own the world, so yeah, it's about like a house of five cats.

Well, are you gonna turn into a cat man? Is that even a thing?

It's like, I know, right? I'm already there, dude, there's no going back.

Oh, okay. Next question: what is something that you're proud of but it's not on your social media?

Honestly, I'm very proud to be learning martial arts. That is pretty much like one way for me to kind of decompress, relax, and just kind of center myself and with the universe and, you know, the environment and life. And I don't necessarily share that as like one of my things on social media because I don't
find the time to take pictures. Like, when I go to Tai Chi practice I could completely disconnect. My phone is somewhere outside of my car and I'm in the dojo just kind of doing my thing.

So look, I don't think the internet wants 30 pictures of people. Exactly, you're like, oh my God.

A final question: what is your favorite cuisine or restaurant that you can share?

So that's tough. That's a very hard question, because I'm pretty much like a big foodie. I eat so many different, like, dishes, it's not even funny. If I had to take a guess, honestly, and I know people in Texas who are listening to this will probably want to do something very terrible to me right now because it's not barbecue, but I would have to say it's seafood. All right, so I'm originally from New Orleans, Louisiana, and seafood is pretty much the staple cuisine out there, and it's something that I just can't get away from. So if it's any kind of crab, fish, lobster, all that and game, I'm always interested in going to get some seafood.

Would you be like a lobster chowder fan as well? Is that where it is?

Yeah, there's lobster chowder, clam chowder, there's so many different chowders. I would say I've had them all.

Because I think New Orleans itself is very well known for food, right?

I think yes, very well known for food, especially their gumbo and their crawfish.

Yeah, which, gumbo is definitely like up there for me as well. I think we had beignets the other day. Oh my God, like, I think we were lucky enough to find New Orleans style beignets in San Francisco, and someone, yeah, I was surprised by it. I think, I can't remember the name of the place, but it was really interesting that the guests we were interviewing, and people would see it, kind of like a bit of a teaser towards coming up in the coming months, but we had beignets as part of the interview and the guy had it and he's like, oh my God, he's like, New Orleans beignets, like, I've never had been the Olympics. So I'm like, for me this is beignets. Some of them had filling inside as well. I don't
know if that's how the New Orleans ones are, but they had some, like, sugary filling inside with some kind of fruits in there.

Oh, I know which one you're talking about. Those are really, really good, but I don't think... the last time I've been to New Orleans was about a year ago and I didn't start to get anything yet, so I don't know. All right, if you ever do find yourself in New Orleans and you go to Cafe Du Monde, that's pretty much like the signature beignets shop in New Orleans, they may have it, they might have it, but I always get the original one that doesn't have the filling, because it's just, it's great.

Yeah, yeah, I mean, we had the non-filling one as well. I kind of personally enjoyed the, because it was my first time, I was like, oh wow, these are really good. So now I'll leave the recommendations here as well for people to kind of comment back and see what they enjoy. But dude, that was most of the questions we had. Where can people find you to have follow-up conversations about the whole incident response, and if they walk down that path maybe they can reach out to you as well? Where can people find you on the internet?

So you can find me on LinkedIn, you can find me on Twitter. I will post my Linktree in the show notes. So even if you want to have a discussion on some challenges that you're running into, if you're trying to build, like, AWS solutions and frameworks, connect with me on GitHub. I'll help contribute to it if you guys need something. But you can find me on social media for sure. LinkedIn is most likely the place that you will find me.

All right, definitely put that in the shows and description as well. But dude, thank you so much for coming, and looking forward to getting your talk in person as well as when it comes over online. I'll definitely add that to the description as well. Thank you so much, and thank you for everyone watching as well. We'll see you next episode.

All right, thank you so much. Bye-bye. Thanks.