Identity & Cross Account Access Management in AWS Cloud


Episode Description

What We Discuss with Alexandre Sieira:

  • What are the kinds of identities in AWS?
  • Identity in AWS vs identity in Azure?
  • Best practices for privileged and non-privileged users in AWS?
  • How important are domain accounts in the cloud world?
  • Importance of 2FA?
  • What is cross-account access and why does it matter in cloud?
  • IAM roles in AWS?
  • The STS service in AWS?
  • What about biometrics as a 2FA?
  • How does one manage identity across a large cloud landscape?
  • Multi-cloud or poly-cloud?
  • And much more…

THANKS, Alexandre Sieira!


And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.


Ashish Rajan: [00:00:00] Today’s topic, identity, access management of someone special from here is probably my first Brazilian guest. As only now, as I’m talking to you guys, I realized that should be, Oh, it is. It’s my first Brazilian guest. So no pressure. Let me just bring him on.

Alexandre Sieira: [00:00:13] Hello. Thank you for having

Ashish Rajan: [00:00:16] me

me. I just realized you were my first Brazilian guest for, for this. So like no pressure at all. You’re representing Brazil. Are you setting the standard for Brazil over here?

Alexandre Sieira: [00:00:26] I’m representing the entire country right now. All

Ashish Rajan: [00:00:28] one. Yeah. It’s totally like,

that’s amazing. I’ve got, I’ve got a couple of people, who’s saying hi as well. so I think you can see the chat window up here. I imagine so RN. Hey, good morning. Or good morning you need, I think we have a really good support group over here that people join in and tune in even though super early in Australia.

So I’m looking forward to some of the questions from those guys, but I’m super excited to have you, thank you for you. Prefer Alex, but.

Alexandre Sieira: [00:00:57] Alex is going to be a lot easier, [00:01:00] but

Ashish Rajan: [00:01:01] Alex. Alexandre, who I do love, I love the pronunciation of that. Even just want to say, I don’t know why people don’t say Portuguese with a sexy accent, but Alexandre sounds like better.

So for people who joined, no, you who is Alexandre.

Alexandre Sieira: [00:01:15] So I’m, I’m, I’ve been an entrepreneur in information security since the two thousands, About that time founded a company in Brazil called cipher secure co founded a company in Brazil called cybersecurity, which grew to be a, like a major player locally, both in consulting.

We had an MSSP and actually this company raised capital and expanded. We had an office in London and an office in the U.S. as well, started growing internationally, eventually sold my shares of the company. I mean, there’s, I still have great history there in love. It, it has been since sold to a Spanish company, but then I founded a company called , which was a SaaS service running entirely on AWS.

There was a security service, which is basically meant to use [00:02:00] machine learning and threat intelligence to automate the work that security analysts do on a security operation center, as far as monitoring and triaging of alerts, right? That company was later sold to Verizon. I was a CTO of that company. I had two cofounders.

I worked for a little while at Verizon at their global product leading the product management team, responsible for their detect portfolio of the managed security services for Verizon, which is either number two or number three in the world, as far as managed security services go, depending on who you ask, which animals.

And then I decided to be an entrepreneur again, and I had just recently founded Tenchi Security, which is a company that’s strictly focused on cloud security. Because I, I realized something flipped in my head, especially with the experience of selling a company to a company as big as Verizon, going through all the due diligence they do, as far as the technology go and security wise, they were pretty thorough on their evaluation.

Not that they would have a history of buying a large company that had a [00:03:00] security incident they didn’t find out during due diligence or anything, but they were really, really cautious. I’m talking about the Yahoo deal, of course. And, and so they were really, really thorough and needle was a company of six people.

I alone basically did all the ops for AWS environment, and we passed without anything, without any yellow flags even, and it struck me how easy it was, how much easier it was to have something that would pass the muster of that kind of scrutiny with so few people, because we were automating almost everything, right.

And there’s no way we could have done that with traditional technology, on premises technology, where it would have been orders of magnitude more difficult and more expensive. So something flipped up on my head. And also after I went to the first re:Invent saying, I think we’re going through a change here that we haven’t seen such a big shift in IT,

in my opinion, since we went from [00:04:00] mainframes to like Novell networks, right, with microcomputers. And I’m old enough to remember people that went through that transition. Right. So yeah, this really set if you’re doing security today or not focusing on cloud security, I think you’re kind of already behind.

And that was the idea behind founding Tenchi.

Ashish Rajan: [00:04:18] Oh, interesting. And I think I’m sorry I should have started off with this, but, since it’s what you call for me, the sheesh. Cheers. Oh, nice. I love it. Is it a particular kind of beer?

Alexandre Sieira: [00:04:29] Mean some resilient beer? Just like standard beards. It’s 7:00 PM here, but seems like a summer day of, no, it shouldn’t be really hot.

So cold beer.

Ashish Rajan: [00:04:38] Wait, because I don’t know of any Brazilian beers I want to know. What’s the name of his BA.

Alexandre Sieira: [00:04:42] that one is named skull. it’s not a particularly you’re good one, but if you ever come to Brazil, my friend, I’m going to show you some really good beers. We do have

Ashish Rajan: [00:04:52] some here, a lot of German

Alexandre Sieira: [00:04:54] and immigrated to Brazil, a lot of Italians and Japanese.

So one of the interesting things about Brazil is that we have. [00:05:00] Like some of the best Italian food in the world, some of the best Japanese food in the world. If you think about why Brazilian jujitsu is such a thing, and we have so many martial arts in Brazil is because we have the largest population of Japanese people outside of Japan.

It’s like actually in the city of São Paulo where I

Ashish Rajan: [00:05:15] live. I did not know that, but do we need, we definitely need to explore quite a bit of that, but maybe I’ll save it for a longer conversation. I’ve a couple of more people joining in of course, Irene, Gerald , we’ve kind of dashed on cloud security just said before we cheers.

And what is your definition of cloud security? Obviously everyone has their own version. So keen to know, what’s your version?

Alexandre Sieira: [00:05:42] I think, what’s happening is, we’re talking about IT security in a sense, and what’s happening is the IT, foundations of IT are shifting beneath our feet. As I said, of course, information security is the same since the age of the mainframes, but the way you apply it to IT changes [00:06:00] as the technology changes.

Right. So you did one thing on the mainframe. And then when you went to like a NASDAQ. You know, directory, to control privileges the way you thought about how you manage privileges, the way you’ve thought about how to apply patches. It changes completely because of the way the technology works and, and cloud is changing things.

It’s not just another kind of data center. You’re not just doing the same things the same way, but you don’t own the hardware. Right, right, right. I think that’s me. or with people that do that thing where, Oh, it’s just other people’s computers. No, it’s not. You either don’t know other, how it works or how cloud works if we’re saying that.

Right. So it’s just not because the, the thing that’s really changed. In my mind. And it has a lot of interesting, consequences that are not immediately obvious unless you study the subject. There’s a lot of things that were not automateable that are now. So if you want it to have a new computer, you know, and on an on premises [00:07:00] environment, you know, we had to go from procurement.

You need to receive, the hardware has to be, you know, entered into the correct place on the data center. You need to open the ticket. So human from cabling goes there and put up the case and someone logs into a core switch and, you know, assign them an IP address or puts that new port onto the correct VLANs.

And so it will take months even before you could have a machine, and there was no automated way of doing that. It was a sequence of steps that involved sending emails, making calls with people, opening tickets, humans, doing things. And the fact that this can now be just, you know, an API call away, that you can just stand up a new instance.

And it happens in seconds, which is great

Ashish Rajan: [00:07:41] for

Alexandre Sieira: [00:07:43] agility, but it has security implications as well, because it can. Both good and bad. The control plane is what I’m getting at. The automation, the cloud security vendor APIs, they are a new attack surface. There are things we can do [00:08:00] automatically now that we couldn’t before.

And so security has to protect that. Whereas before there were so many checks and balances and human processes, that if you all of a sudden, you know, started asking for, if you’re trying to buy like a hundred of the most expensive computers ever.

Ashish Rajan: [00:08:17] Yeah. What

Alexandre Sieira: [00:08:18] would require a VP approval when someone would catch it?

If you were, think about cryptocurrency miners, right? What did they do with the cloud cap to come in and just start running very expensive machines? What if that happened on the, on prem world? You know, there would be a procurement process where they get approval and at some point someone validates that and that doesn’t happen.

Ashish Rajan: [00:08:36] That’s right.

Alexandre Sieira: [00:08:37] With the cloud. So that’s the bad side of it. Yeah. But on the other hand, there’s a lot of upside, a lot of upside for security in the sense that asset inventories, there are entire companies whose sole job is to help you go into an on-prem environment and try to create and maintain [00:09:00] an asset inventory, because this is hard.

On the cloud, just call the APIs. And at least you may not go into maybe what’s inside the operating system, but you know exactly what machines there are. The network subnets. It’s all there in real time. Yeah. That’s one problem that completely went away. If you use the APIs, you can automate patch management, or even get rid of it entirely.

If you use, the shared responsibility model in your favor, and adopt managed or serverless. Yeah, right, where you don’t have to manage the operating system, that’s, that’s like a complete game changer for security, right. Where you can automate steps and you can even get rid of tasks that would be like undifferentiated, heavy lifting for IT.

And that create a ton of pain, like patching, how many companies get owned because they were lacking a patch. And not because they’re [00:10:00] stupid or because they’re lazy, I’m not here for victim blaming because

Ashish Rajan: [00:10:04] yeah. Right.

Alexandre Sieira: [00:10:05] Yep. Even for patching, just one quick, another quick example on how the cloud changes things dramatically.

Why do most companies fail at patching? There’s a ton of reasons, but there’s one very practical one that I found very often, which is I don’t have a test environment. I don’t have a replica of this system that I can stand up and safely test this patch. And if it breaks, I, I didn’t damage anything that was in production because no one buys, you know, they don’t have a clone of their SAP infrastructure, which is really expensive as far as hardware and storage.

Yeah.

Ashish Rajan: [00:10:40] Even from a license perspective, you’re costing, like looking at a lot of costs at that point

Alexandre Sieira: [00:10:44] in the cloud. If you set that SAP server with, you know, infrastructure as code. Oh, that’s great. I asked about a copy. Let’s put up some, some data or even replicate the production that you shouldn’t do that, but you can just replicate the [00:11:00] database, apply the patch and see if it still works and then tear it down and you stop paying.

You pay like a huge sum of money to have it sitting idle there for just when you need patches to test the patches. So it’s, it’s, it’s really revolutionary in a lot of ways. They’re non-obvious right.

Ashish Rajan: [00:11:18] Yeah. And I see your point. A lot of people are not utilizing it enough as well. Cause that’s a great definition of, to the point about the digital assets and how the world has kind of a evolved from a cloud perspective, a lot of the opinions we had as security folks initially.

To your point about procurement processes that doesn’t really exist anymore, giving you access to an AWS account or any kind of account for that matter, whether it’s Azure or GCP, you just have free rein based on the permission you have. Which is a good segue into identity management and the different kinds of identities that can exist in the challenges that come with identity.

So for, I mean, of course, I guess our audience [00:12:00] that we have is, obviously have experienced, in an, or I guess on-premise world also have experience in cloud world. So we have few people who are quite experienced and where we have a few folks who are starting off in cloud security, or sorry, starting off in security as well.

So from an identity management and AWS perspective, let us, if we can explain Lord the whole federated, how, I guess IAM user, like, what is all that like what, what I usually say that like four kinds of users, but can, you know, if you feel the same and if you have another version.

Alexandre Sieira: [00:12:33] So I think the, the, the, the contrast I’d like to make with AWS and Azure really helps.

Right. And we’re very much used as IT professionals, especially from the corporate world. Like, if you wanna start at that stage, but if you’re in the corporate world, Hmm. And you really used that model where you have like a Windows network, essentially, you have Active Directory, so you kind of have a separation of systems, and there’s a separate thing place where.

The [00:13:00] directory is where the users are. The group definitions, the privileges are defined as either on the directory itself. One the relationship between the directory and the system. Right? So it depends on case by case basis. That’s not how AWS is structured because it grew organically from, from, from the bottom up.

They didn’t start with something as structured as far as IAM goes. So, in AWS, each AWS account is self contained. Everything lives inside the account. So if you’re a programmer, you can think of an account it’s kind of a namespace. It’s a, it’s a, an encapsulation, that’s all encompassing, right?

So if you’re inside of account, there’s very few exceptions where you see other accounts, everything happens inside your account. So the assets are inside the account, the users, or the identities that are going to access those assets are there. And the permissions policies you assign are all inside the account.

That’s not the case with on-prem system. If you have a typical Windows network, like where you have AD servers, the domain controllers, [00:14:00] users, and credentials, and typically access privileges live, and then you have like the file servers or the SAP server, the other servers that are using that as a reference and they can be separate. In AWS they’re inside the same account.

Azure does the same thing as the, on prem stuff. So they have like the Active Directory tenant where you have that, that the users, groups to permissions. And then you have the subscriptions, I think would be like the closest parallel to AWS accounts. They also have resource groups and other kinds of entities, but the same user exists outside of the subscriptions.

And then he can have privileges on several subscriptions, can have a single password log in with that user that exists on the Active Directory tenant in Azure. And then you can have privileges and with the same API calls, talk to things that live on different subscriptions provided you have the privileges.

On AWS, you’re calling API, doing API calls [00:15:00] as one AWS account at a time. Every time you do an API call, every time you have an access key that lets you call an API, that belongs to one and only one AWS account, and you’re living inside that sandbox. And, and so it really, it’s a, it’s a different way of thinking if you’re coming from an on prem world.

Right? So that requires some thought. The way I really think about why AWS did this is to think of sharding, right? So when you think about databases, where they’re trying to distribute the data across multiple servers to be able to do load balancing, I’m thinking AWS did that to make their data centers and their infrastructure more scalable, right?

So if you have very little interaction between accounts, like the account is a unit where they have to keep everything. concentrated in their infrastructure, right? So something along those lines, it must make their infrastructure easier, but it’s a different mental model than we’re used to in both on premises and even other cloud providers, like a GCP with projects where they have that, the project [00:16:00] structure that again, a project would be the equivalent of an AWS account maybe, or subscriptions in Azure.

So that right off the bat, AWS is a new, in that sense, they, they did their own thing. Right, but that’s not similar to the mental models we had in the past, and they’re not using RBAC either, which is another thing that you would expect coming from other environments. It’s very,

Ashish Rajan: [00:16:21] if you want to get into RBAC as well.

Yep.

Alexandre Sieira: [00:16:23] Yeah. AWS is very identity centric, and not so much group centric like groups in AWS IAM are very limited. They’re very,

Ashish Rajan: [00:16:32] very underdeveloped

Alexandre Sieira: [00:16:34] and I wish it wasn’t. We can get into that if you want to, but, I don’t know if it should have next on their list.

Ashish Rajan: [00:16:39] No. So from your perspective, so, and it’s a start, I think that’s a great definition.

I think what’s why are you calling out the experiences as a trainer that kind of gets highlighted over here as well, because you are able to kind of. Come from a place where a lot of folks have come in from like everyone knows the actor. I mean, I guess everyone who’s been in IT for some time knows the [00:17:00] Active Directory account.

It’s funny because earlier when I was trying to do pen testing or in that space, the only thing people cared about was I want to get domain admin. Right. That was, that was the thing. If you got domain admin, Oh my God. Pwned. Everything’s like, I own everything, but that concept doesn’t really exist the same way in cloud.

It’s like three different terminology you calling, Oh, you want a root account? Okay. It says that, which is normally domain admin, still different. Cause you can have multiple organizations. I mean, Like we can go into the layer called layer of complexity, but to your point about where people have come from, and this is probably where some of the challenges come into this space as well, where people kind of still think about actors like, Oh, I’ve got a privileged user and I’ve got a regular user, that’s it.

Or I’ve probably, I’ve got some kind of a script user of some sorts. So internal from your side, I guess. If you can explain a bit more about if you have, if you’re [00:18:00] starting today as a security bus and in a cloud environment, from an identity perspective, what are, what are the kinds of questions you should be asking?

Or what should you be looking at? Like what kind of what’s the best practice. Let’s go start with that. When you talk about privileged, non privileged users.

Alexandre Sieira: [00:18:16] So let’s start with, so the first one. Things are the same everywhere. Right? So there’s some concepts that you have to maintain, right? So you will need, it’s not just about the technology.

There are processes involved, right? So you need to make sure that whatever processes you have around, how do I, well, how do I get approvals to create a new user, assign someone different privileges, change their roles, terminate their accounts. If they’re left the company, for some reason, et cetera, all of this has to continue to work.

Right. Applying least privilege and need to know, and, and those things that it’s really critical. What’s changed is how you do it. And the fact that, that this is really new technology, the privileges are different. They’re more complex, [00:19:00] they’re completely new kinds of privileges of completely new kinds of services and assets.

And so your IT infrastructure, your admins, your access control teams or service desks, are probably gonna make more mistakes, and are going to be more vulnerable because of the lack of knowledge. There’s a, there’s a steep learning curve, just sheer number of, I think the last time I saw like AWS IAM actions for balls.

I think it’s 7,000 or something. Right? Some of those are really dangerous. Some of those, you know, allow you to do privilege escalation, like crazy, but there are 7,000 of them. Who knows them all, right? So any hope someone doing a review knows everything. We haven’t extensively trained them if you haven’t automated that analysis to some degree.

Right. So I think that’s, what’s a changes, but here’s what I would recommend. I’m going to talk more about AWS, which is, was the focus of the talk and an environment I’m more familiar with. Yeah. But the thing that you [00:20:00] need to keep in mind is that we’re talking about a new attack surface, where we were used to doing access control already, and we need to leverage the existing process as much as possible.

So let’s start from there. The first thing that we’ll look into, if you are a company adopting cloud, or if you already adopted cloud, but still early days, how do I piggyback what I already have? Right. So you probably already have a corporate directory, right? You either use Active Directory or not. Maybe Novell directory or something else, you use some IdP like identity provider, external identity provider, whatever you leverage that because you probably already went through the pain of creating processes and automations, or even have an IAM product that’s helping you manage the workflows of people inside that directory.

And if people are terminated that that user of the directory is going to be deleted or disabled. And so you get a lot of stuff for free. So for AWS, that means you need to look into using [00:21:00] AWS SSO, which is a horrible, horrible name for the service, a single sign on. Yeah, because it’s impossible to Google it, anything about it.

If you do need that. And on every single IDP. That integrates with AWS is going to appear before the documentation of the freaking service. Right. So it’s horrible. It’s horrible. Right. So, but, but it’s an amazing service, right? And it does two things. One would you do not care about, which is it acts as like an identity provider, so you can use.

it to authenticate against other products, forget that, which you’re really interested in is using the blessed SSO to integrate to your existing directory. So if you use G Suite, you can have, instead of people needing to have, like IAM users inside each of the AWS account, they can log in using their G Suite credentials right on the web.

They can do like a single sign on transparent, and then you assign them privileges to each AWS account that they need to access, right? And you can do the same with [00:22:00] Active Directory. And when you use Active Directory, that that integration is even goes even further. So you can even assign privileges to Active Directory groups.

So when you, create a, move, a person inside Active Directory into a new app, into an existing Active Directory group that already has AWS privileges. Next time they go into the AWS SSO link for your organization, they’re going to have those privileges. So there’s a lot of, leverage you can get.

And a lot of mileage you can get out of those services by piggybacking on your existing processes. So don’t reinvent the wheel, keep it simple. And the reason why SSO is even better ideas, because it makes a lot easier to have multiple AWS accounts, which is, I think. Another concept that we talk about a lot, the network level, which is segmentation, right?

And compartmentalization, we talk about on coding, the same thing should apply to your AWS environment. You should have, there’s this concept of [00:23:00] reducing the blast radius. So as soon as someone can escalate privileges into that account, right? For some reason you gave someone an excessive privilege, someone exploited a vulnerability, whatever, and they gain full access to that AWS account.

If you minimize the amount of systems and data into each AWS account, the damage that that attacker can do is now contained, is reduced. So it’s containing the blast radius. That’s the idea. So what I typically recommend to customers, so there’s this concept of a landing zone and AWS has a full service called Control Tower, that can help with that.

And they already propose this minimum idea of having like a security account where all the logs get sent to, the security logs, like CloudTrail, et cetera, and you have a shared services account, which every other accounts can see, for the new will have the different like business systems accounts.

And I would recommend if you’re developing internal, systems, for example, to have one AWS account for system A production, system A staging, system A development. So three accounts for each system, right. At least. And then you keep them separate.

Ashish Rajan: [00:24:10] So keep the radius. I mean, I guess, well, decrease the blast radius incident by having separate accounts, just want to quickly acknowledge some of the, the comments that are flowing in.

I think I’ve got it. We’ve got a few regulars over here, so hi, I’m just Frank with Kinko’s from the high Gerald. Hi Lucas. Hi Paul. Hi, George. George mentioned an interesting point about you can still do a lot. Yeah. Using domain accounts to like say hybrid accounts. Yeah. It’s still a thing. A domain account is still pretty much can give you access to something else, especially if you have single sign on.

You can get access to our AWS account with that. Thanks for single sign. On these days, you got credentials everywhere.

Alexandre Sieira: [00:24:49] That’s the flip side of using single sign on. There’s an advantage of not having to manage multiple passwords, but the downside is once that one password is compromised, you’re screwed because the attacker [00:25:00] has access to everything right.

Which is why you should 2FA all of the things.

Ashish Rajan: [00:25:05] Yes.

Alexandre Sieira: [00:25:06] It’s not most of the things, all the things.

Ashish Rajan: [00:25:08] And I think it’s so interesting. I feel like nowadays, you can’t have a conversation about identity management without talking about 2FA, just the whole username, password, or username access. If you want to go, IAM user or one of those users.

It’s not enough these days. Yeah. And especially because, because we haven’t touched on cross account yet, we only spoken about different kinds of accounts. Now, if he dabbled into cross account, which I would love for you to do of Paul’s like Azure app. Yeah. That is true. That is that, we spoke about Azure apps in our last podcast meter.

So it’s an interesting concept, which is very different to, Oh, it’s kind of similar to what I am used to thought, but, well, it’s an interesting concept, I guess, trying to get you with this was also the fact that it’s also the cross account aspect. Not having to [00:26:00] have a, an IAM user. Yeah. If they have access to fail multiple or on a Monday, just multiple, like all your AWS accounts, sometimes people at 50 plus like.

That’s a real problem. And I think you had a great doc on this topic about the power of cross accounts. We’d love to, if you can probably dowel into that database for people who may not have heard of this before, what is cross the controversy of people who probably are coming from a, an on premise world and they’re going into the cloud space.

Where does cross account. And why does that even matter in this context?

Alexandre Sieira: [00:26:32] Of course, just before we do that, let me just drop in a little stat here, which I think is really interesting why the subject is relevant. The DBIR, the data breach investigations report that Verizon has published for the last 12 years, right?

The 2020 edition mentions that 77% of the cloud breaches they studied involved breached credentials, involved the misuse of credentials. So someone had hacked and obtained [00:27:00] illegal access into the account. So that’s why protecting those credentials is really important, but then let’s get to the cross account aspect.

So the, the way in which you can, there’s a lot of sensors scenarios where you need to have access to different accounts in ended up because as I said, AWS accounts are self contained. If you are separating on environment into multiple accounts, you might have a scenario where you must have account A access a resource on account B, like, so I gave an example of centralized logging, right?

So you might need just, or to save backups because you don’t have, you don’t want to have your main data and the backups living on the same account. If someone becomes, becomes the root of that account, we can delete the data and the backups, and then you’re having a really bad day. Right? So you want to have your backups on a separate account.

Right. And so you want to allow account A to write data into, let’s say an S3 bucket of account B, right? So you need to have cross account access. And the other scenario where that is really, really being used is [00:28:00] when you talk about SaaS service providers, there’s whole classes of SaaS services coming up to help you manage, monitor, or even provide security for, cloud accounts, where you have a company.

Let’s talk about CSPM for example, which was the subject of your last, issue right. Of the podcast, CSPM products, in a sense you can think about it as kind of a vulnerability scanner for the control, right? It’s looking at the way API control services, cloud services are configured and reporting bugs.

He needs to access your account. He needs to call the cloud providers, API APIs and see how things are being run and configured. On your AWS account. how has that done? There are many ways in which we can do this, right? So the simplest way you can think about it and is the parallel of using Azure apps would be, I could create an AWS IAM user, that user I would create credentials.

So an access key ID, secret access key, and I would give them via [00:29:00] like a secure channel, because those are really, really easy to find, to your SaaS provider, right? So they would save those credentials and they would use that whenever they needed to call APIs in your account. To find out if you have any public S3 buckets, or if you have any users that don’t have 2FA enabled, things like that, that they want to alert on, they would use those credentials to call APIs on your behalf.

And it would have whatever privileges you assigned to that IAM user and they can access your environment. The problem with that is that then what this means is that this one vendor would have to store all of the credentials of all the accounts that it connects to. So if we’re talking about a large company that maybe has thousands of customers, each with tens of accounts, you’re easily talking about.

There exists a database somewhere where tens of thousands of valid, possibly high [00:30:00] privilege, you know, AWS credentials exist. And that just becomes like a huge beacon. And, you know, for attackers that’s a huge prize for an attack. Or if that leaks then, because information security is hard, right?

Even well-meaning, well-funded, competent vendors, you know, things happen. A backup is leaked. Someone accidentally posts something somewhere. One of their ops people gets their laptop compromised. Someone gets access to the accounts where those passwords are stored, those keys are stored. So it’s, it’s really, really a very big risk concentrate.

Ashish Rajan: [00:30:37] Yup.

Alexandre Sieira: [00:30:38] AWS offers a different way of doing things. There is an alternative where the SaaS vendor is not required to store secrets. It’s not required to store credentials. Right? So the way this works, and this is something that really comes up on the security certification exam for the press, by the way. So anyone thinking about taking it, [00:31:00] look into this, right?

So you can’t, yeah. I need them to there’s this concept of a role and the way that I think about a role is a role is a user that has no credentials. There’s no way you can log into the console as a, as a, as a role directly. There’s no password that you can set so you can log in as a role. So it was like a fake user.

And you could think about it the way you would have like a service user on a Linux machine that you disabled the shell, you disabled the password, but you can su and become that, that user. Right. So the, the, the concept of roles is that you can have a fake user. You were assigning privileges to that fake user, and then you can assume that role, you can temporarily become that role.

The way this works is every time you call the AssumeRole API, the API will return temporary credentials that can last anywhere between, I think, one hour and 12 hours. Yeah, that’s right. If you then start [00:32:00] calling AWS APIs with those temporary credentials, they will have all of the privileges you assigned to that role.

And you can do that inside your own account. Right. Inside your own account you can create a role. You have a user that has very limited privileges and every time they want to do something more advanced, they have to assume a role. And then they use the temporary credentials that role gives them

to do the more dangerous things. That could be, again, the equivalent of requiring someone to do sudo before they can do a system change on a Linux machine. Right. But the fun thing is that you can now allow account A to assume a role in account B. So roles, they have a permission policy, which, you know, once you assume the role, what can you do?

Those are the permission policy. Yeah. But it would have what’s called a trust policy saying who can assume that role. So it looks more like a bucket, but it’s a resource policy in a sense saying who can assume this role. We can put there [00:33:00] another AWS account ID. And the thing is you don’t need any secrets to do that because AWS is making the trust transitive, right?

So you are authenticated into your account, right? And you are a SaaS vendor. You are a CSPM vendor. Okay. You are Ashish CSPM, right. And I configure a role in my account saying that I trust your account. Yep. Well, when you do assume role, you call, in your account, you call assume role and say the role they want you to assume is my role.

You’re going to give it an ARN. Okay. Identifier of the role that includes my account ID and the role name I created for you. AWS does all the magic. We don’t need to establish a password amongst ourselves. AWS knows that you are authenticated to your own account. Then AWS goes to check on my account

that I trust your account and that it allows the call to get through, and then you get [00:34:00] temporary credentials into my account, and then you can use those temporary credentials to start inspecting things on my account. So it’s really tricky to think about it, but it’s genius because the thing is, if I have a thousand customers, those thousand customers, each trust.

Me as a SaaS vendor, right? Or that’s not confusing. You are the SaaS vendor, right? If you have a thousand customers and all of those thousand customers trust your account, you don’t need to store password for any of them. Every time you need to do something, you obtain temporary credentials, keep them only in memory and then kill that machine, those credentials, right?

Gone. They disappeared. They’re not stored anywhere that could leak. Someone would have to hack into your account or hack into those worker machines that are doing the magic and keeping those things in memory and steal them, which is arguably a lot harder

Ashish Rajan: [00:34:54] to do. Yeah. I think I have an interesting scenario on this and, I’m pretty sure AWS hasn’t really [00:35:00] solved this problem yet.

No, I think for reference, we’re talking about STS service from AWS, which is that? Yes, bro. Yeah. That’s right. So, so now. I can have that as an IAM user as well. And what I have found amazing is the fact that when you do request an STS token, it doesn’t get recorded. Like there is no console view to the fact that, Oh, Alex has requested a session token, sort of a new set of session from his access

Alexandre Sieira: [00:35:32] key.

So the, the call to AssumeRole, it does get logged on, on CloudTrail, which is what you would need. So in order to obtain temporary credentials, you would need to call AssumeRole. There’s a few versions of AssumeRole that work differently. I’m describing like the main AssumeRole you can.

Ashish Rajan: [00:35:51] Oh, yeah.

Yeah. Sorry. I meant more in terms of, say for example, Alex has requested the session requested in that session, but [00:36:00] if you have, somehow I think we said like, it’s better from Ann Arbor too. I think it’s the log. The longest period is three days or whatever the longest period is. Cause you can set that up.

What I found interesting was the fact that if Alex has requested a session token, I can see that he has requested a session token. So it would not come up as a list, say under a, under like Zander in the console,

Alexandre Sieira: [00:36:22] on the console. Yeah. You would need to go into the logs to see that.

Ashish Rajan: [00:36:25] Yeah. Yeah. Yeah. And I find that really interesting.

Yeah, because your point is it’s so multilayered because. You kind of have like a view, which is only in console. And there’s another view, which is only in CLI or I guess a bit more than CLI just by the way, which is probably a good segue into the question that came from beneath about does biometric authentication.

Is that ideal for an account access? I don’t know if it’s even possible to have a biometric authentication MFA. Can you have talking about YubiKey probably is the closest thing you can go for a hardware token. [00:37:00] Can you go for a biometric.

Alexandre Sieira: [00:37:01] It’s interesting. I’m not a huge fan of biometric myself, but I mean, if you have a second factor of authentication, you’re probably way ahead of the game.

Even if it’s just SMS, it’s way better than just using password. It’s like a huge increase. And I know every authentication method has flaws, but it’s funny, to me, biometric is much more an, an identification than an authentication measure, because it’s, it’s telling the system who you are and not proving that you are who you are, because your fingerprint is not a secret.

The government has your fingerprint, you know, that can take a picture of you up close, can have an image of your Iris. And so you’re broadcasting that, that, that information. you know, you pick up a glass and there’s your fingerprint is in there. So I think it’s, I would think about biometrics much more as a way to prevent something like password sharing, because then you have to identify [00:38:00] yourself much more than you’re proving that you are yourself to the system.

But that’s just me. I mean, if you look at them, the, like the CBK for (ISC)², or if you look at, you know, people that know a lot more than I do, they consider that one of the three authentication factors. But I actually think it’s not as strong as the other two, in my

Ashish Rajan: [00:38:19] opinion. That’s

Alexandre Sieira: [00:38:22] my opinion,

Ashish Rajan: [00:38:23] because it answers your question we need, but, definitely keen eye, by the way.

You’ve definitely made me think about biometric in a different way as well. But yeah, we’ll come back to that one, but I think it’s a really interesting differentiation that you’ve kind of called out. I do want to cover something to switching gears again, we spoke about identity. We spoke about cross account and we spoke about the fact that MFA is probably a really, really good thing.

Stress again, really a good thing.

Alexandre Sieira: [00:38:50] All of the things.

Ashish Rajan: [00:38:52] Now, if I want to manage identities now, obviously people are only cloud. Some people are [00:39:00] hybrid. Some people have single sign on. Some people don’t have single sign on. So how do, how did they, where did it start managing identities across this, like this landscape that we have kind of created for ourselves is there.

And you can go from like someone who’s cloud ready or cloud build to someone who’s hybrid. How do you manage identity across the board? Like, what’s your recommendation on that?

Alexandre Sieira: [00:39:24] My recommendation is to keep it simple. Keep it as simple as possible, not try to reinvent the wheel and, and keep things as standardized as possible, which is why you had some people well using SSO.

Some people are not. People that are not should be using SSO because that’s the best way to leverage whatever you have on prem and extend that into the cloud and get all the processes for free. Because if not, what you have to do is to create completely separate processes, service desk, scripts, policies, et cetera, just for cloud and make sure they are consistent with everything else.

And now you have another step when someone [00:40:00] leaves the company, that there’s another place people need to go to turn off their account and people might forget, and then you have a security incident. And so you, you want to avoid that as much as possible and in. Here’s here’s what, unless you can automate that, right?

If you want to keep things separate for some reason, then make sure you can automate that. And depending on your size, that can be even more cost effective than using SSO. I don’t know. Right. I don’t know everyone’s, situation or scenario, but, I would try to leverage what exists as much as possible and to reduce diversity as much as possible.

So for example, and there’s a lot to be said about multi-cloud. Right. Yeah. I, I tend to think that multi-cloud is a myth, what people actually have is poly cloud. Right. In the sense that you don’t have a single workload working multiple at the same time and switching magically between one another that I have.

I’ve never seen that, but you can. Oh, I use Office 365 and, I don’t know, my Windows boxes run on, on Azure, but then the developers, when they write the code for [00:41:00] our eCommerce infrastructure, they’re running that on AWS. So each thing is running on one cloud and one cloud only. But having said that. Each cloud handles.

IAM completely differently. If you can standardize on just one of them, whatever it is. I know you love GCP, you go all the way in on GCP. You love Azure, you’re going to go all in on Azure. All of those three main cloud providers are really good, and they have pros and cons depending on what you need.

Try to focus as much as possible on just one and go all in on that one, because talent, people, are the greatest bottleneck for security in general and cloud security in particular. (ISC)² says, you know, there’s 4 million unfilled positions worldwide on security, and that’s just general security.

If you think about cloud security, that’s a really tight Venn diagram because cloud talent is also pretty rare, right? Kind of security person that understands cloud. So good luck with that. Right. So [00:42:00] now if you need a good cloud security person for AWS and another one for Azure and another one for GCP, I mean, how much money do you have, right.

Ashish Rajan: [00:42:09] Yep. That is true.

Alexandre Sieira: [00:42:10] You want to, you don’t want to put yourself in that position as a manager, as a company, you want to minimize the amount of talent that you need. And so once you define. This is how governance is going to work for AWS, no access management logging. This is how segregation compartmentalization is going to work for AWS.

If you can stick to AWS, or if you do the same for Azure, and then you stick to Azure, if you do the same for GCP and you stick to GCP, you’re going to make your life a lot easier. Which is why companies standardize on database systems. Some companies say I’m going to just use it. Some people say it’s just going to use Oracle, whatever, because they then don’t need like a huge team of DBAs.

You know, one for MySQL, one for Postgres, one for, it’s crazy. Right. Backup solutions for each one because they’re all different, right? For cloud. So [00:43:00] don’t make your job harder by over-complicating and over-engineering things. Try one thing at a time, try to standardize as much as possible. Piggyback what exists, integrate with what exists as much as possible, would be my recommendation.

Ashish Rajan: [00:43:14] Oh, and that’s perfect because we just got a comment from Louie. companies want one security person that knows everything. That’s so true. It’s like, they’re all looking for a magical person who basically knows all the clouds and can all solve all your problems, but it has to be one person for GCP, AWS and Azure.

Hmm. I don’t know how real this scenario is. It’s kinda like asking, So someone to have 20 years of cloud experience, like, Oh, didn’t exist 20 years ago, but 20 years experience in class, like it’s kind of one of those ones. I’ve got an interesting question from Melanie as well. She’s asking. How to manage your accounts in AWS.

What’s your recommendation on managing your accounts in AWS?

Alexandre Sieira: [00:43:58] Root accounts [00:44:00] are a liability. That’s, that’s my main theme here. So root accounts should be put into multiple custody scenarios or stored somewhere safe, like in the safe. It’s, it’s, you print out the password. No one knows the entire password.

One person has half of the password, the other person has the other half of this password, they never see each other’s piece of paper, they’re stapled together and put that in a safe, in a break in case of fire scenario, break in case of emergency scenario. Never should use a root account for anything, unless there’s an emergency or a disaster.

That’s what you need to do with, with the, the root account. Set 2FA for the root account, and you can save the seed or the QR code in the safe as well. So print the QR code for the 2FA, then delete it from Google Authenticator. You only use that in case of emergency. And the other thing that you need to keep in mind is when you create new accounts through AWS Organizations, [00:45:00] Right.

Those accounts, they have a root user that is based off of the email address you chose when you created each account, which is what, apart from the account ID, is one of the things that uniquely identifies an account on AWS Organizations. But it, it does not have a password set up. When you create a new AWS account on AWS Organizations.

It does not set a password for the root account. So what you need to do immediately after you create an account in AWS Organizations is go to the console login page, to the root login page. And then you reset, like I forgot the password for that email, and then set a password in the way I just described with 2FA, print it out, store it in the safe.

No one knows the whole thing. No one can access it as the root and everything. Everyone does everything using SSO. That’s where you want to get.

Ashish Rajan: [00:45:50] Perfect. And I think to point about, it’s funny, you mentioned that because a lot of people talk about the whole use of organization as well. And how, if you use organization, you don’t get access to the root account [00:46:00] password for all the sub accounts that you’ve created underneath organization.

So would you recommend that they should reset the password for those root accounts as well?

Alexandre Sieira: [00:46:10] So th that’s the point. It’s not that you don’t get access. It’s not defined. It’s, it’s empty. It’s not that anyone can log in, right. Either, right? It’s not like if you just go to the login page, put in an empty password, you can log in, but it’s not defined.

So here’s the thing, who gets that email? You have to set a, a valid email address, right? For each root account. That’s probably going to a distribution list. Right, for IT management or whoever, right. Or even maybe finance, because they want to get the billing information and it’s company treats, you know, that email address, right.

It’s typically at this, this is not a person, right. Where it should be anyways. But here’s the thing. If you don’t set a password, all an attacker needs to do is try out a few things. Those email addresses could be fairly guessable, phishing emails. So they, that [00:47:00] address. Well, or send a reset, you know, and, and, and help you and go through the reset process and do social engineering and get access as the root to any of those accounts.

So every single AWS account you created, you need to know that the AWS, the root account password is set. Yep. That 2FA is enabled, but no one actually has that on their phone. It’s like the QR code or the seed is saved somewhere on a break glass in case of fire scenario.

Ashish Rajan: [00:47:31] Oh, and by the way, just on the comment of the cloud security experience, quite a few agreeance over there from a lot of people from Gerald, Vinny, Molly, interesting going from Paula bird, bless you mean enterprise security?

I, I could do actually knows about the cloud. That’s not true as well as moving. A lot of people actually know about that. It’s so true. I do want to, I know we’re coming towards the tail end of the show as well. I did want to ask in terms of the conversations you’re having with people, what are the, some of the problem [00:48:00] areas around it?

The, or that people I’m not talking about enough in the cloud space or in AWS, I guess one of those things.

Alexandre Sieira: [00:48:09] So the, the main thing that I’m seeing is that people are minimizing and it goes to exactly that comment from Paul, that, that we see huge projects, you know, to do lift and shift. I’ve seen him. I was like medium sized banks that are two.

For example, they have this huge project going to lift and shift to AWS or to Azure. Right. And it’s a mandate from the CTO or whatever. And they’re spending like a million, $2 million on that migration project and say, okay, what’s the training budget for that? Oh, it’s like $60,000. So it’s going to fail immediately.

I already know this isn’t going to fail

Ashish Rajan: [00:48:48] because

Alexandre Sieira: [00:48:49] no way the existing IT team with no previous cloud experience has any chance of pulling that off. The moment those consultants walk out the [00:49:00] door, this is all going to go to hell. Break immediately. Right. And the, I know IT projects in general have a tendency of not meeting their budgets or deadlines.

those kinds of lift and shift projects are even worse than the average. And so the greatest bottleneck is knowledge is expertise. So one of the biggest line items for any company that’s taking cloud seriously is train people. Developers ops people, security people to give them hands-on capability, not don’t send them to certificate certificate training.

They’re focusing on just making them memorize the stuff that’s going to be asked on the exam, send them to actual practical hands on training. They’re going to do stuff. And if they’re security, people don’t want to break stuff and learn how to defend stuff. Right. It’s a huge problem. And don’t even get me started on some of the major training players out there.

Where, for example, [00:50:00] they’re showing you, teaching you how S3 works, right. And then the first thing the instructor does, the first thing. Is make the bucket public because they want to show you how can connect this stuff on the browser and not a word is said, Oh, this is dangerous. Don’t do this in real life.

This is going to be a problem. No. Oh, here, this is how this warning. You ignore it. This, you disabled this, and then you make it public this, see, now you can access the object. Okay. It’s no wonder then that most companies, like 90% plus of the companies we did engagements with at Tenchi, had public blob storage or S3 buckets that shouldn’t be public in addition, because they were poorly trained.

Ashish Rajan: [00:50:44] I think another great example of this is, you know, the AWS templates as well, that AWS gives out where you could. I think those are ready-made templates to create a WordPress app. A hosted WordPress site using a one-click template. Most of the times, [00:51:00] all those templates, what they have a, our service facing the internet.

Right. There is no concept of, you will have a private subnet, which is just private and then there’s a load balancer or any of that. It is more like straight out. It’s an EC2 instance publicly facing. So you can not log in and do it because that’s what you want to do. And then you suddenly look at this, like, why would you.

Like, it doesn’t make sense. There’s just a view that people notice and then they get hacked.

Alexandre Sieira: [00:51:28] It’s like an example, like an educational example, like a toy proof of concept stuff, but people use it in production because they don’t know any better and they don’t understand the consequences because they haven’t been trained enough or they don’t have the expertise.

and so it’s actually one of the reasons why I think she has training. we did a couple of training sessions in, in, in, in Brazil already really successful, because it’s teaching AWS from first principles, but yeah, training is delivered by security people and each step of the way. So this is the services, how you use it.

This is how you break it. This is how you protect it, [00:52:00] break it into, right. So. We do, let me show them how to exploit S3. And then we show them how to protect S3. Right. And so, and that’s really, really unusual. And, and it’s, it’s a work of hate because I did the, A Cloud Guru, the stuff I saw, those excessive privileges.

Okay. They’re, they’re training on CodePipeline where, you know, this machine here will be created just to deploy code on this S3 bucket. So here’s what we do. Let’s just put on the machine role here, let’s put S3 full access. Because why not? Right. Let’s just get this machine that only needs to write one file to one bucket access to everything related to S3 in my accounts, what could possibly go wrong?

I screamed every time I’ve watched the training and I’m going to do better. I’m going to do a better training, Dennis.

Ashish Rajan: [00:52:50] It’s so funny. Cause, and by the way, it’s amazing that you guys are running the training as well. Cause I saw the same gap and we’ve been able to try and to do the same with training.

it, [00:53:00] it, it’s so important. That they need to be training from security folks. Like, I guess like people like yourself, like I’m running one as well. It’s really interesting that when the training is coming from people who are developers, it’s not wrong. It’s just that it’s a different way of looking at the same thing.

Right. It’s and I feel like if you look at the AWS training or, GCP or whatever, that just go for vendor training, they don’t really focus from a. So like, for example, AWS would talk about these other services we use for security, but like, okay. But how does it really work in a, I guess, an enterprise context or how does it work really?

In like a real world scenario

Alexandre Sieira: [00:53:40] security training from AWS is focusing on their security specific products that they’re going to be talking about. IAM. They’re going to be talking about GuardDuty. They’re never going to be. They’re rarely going to be addressing security enough when they talk about the infrastructure stuff.

There’s very little, they say about what you’re doing and talk about [00:54:00] so on and so forth. Right? So it’s, it’s, it’s one of those things where we see people making mistakes all the time. And so I was talking about the people, right. That the knowledge they have. So that’s really important. It’s crucial. That’s like way, way above everything else is number one.

Number two, I would say is don’t lift and shift. It’s not going to work or if it does, you’re missing now, you’re getting all of the downside, but you’re getting none of the upside.

Ashish Rajan: [00:54:30] Yeah,

Alexandre Sieira: [00:54:30] it’s horrible. A horrible decision to make. Don’t set the deadline to migrate you. Should it cut the things that are worth migrating, do them one at a time.

Look at what worked and what didn’t, learn as a company, and then do everything. Don’t sound that lineup going to migrate everything. That’s really not the way you want to manage your company, if you’re being responsible, in my opinion. And what does mean is typically the most frequent mistake I’ve seen is that [00:55:00] people are really used to have this one single internal network, even when there is some segregation of VLANs, internal firewalls, but they expect everything to be routable to everything across.

The best way you can deploy your AWS or cloud infrastructure. Don’t do that. If you follow that mental model, each AWS account is self contained, right? And so the challenge is you need to. To surpass in order to achieve that are okay. I have one, for example, antivirus server, that’s running on my, on premises data center.

Right. So how do I get an AWS account that’s completely network separated on a network level from my corporate network to still have agents that are reporting to my antivirus server? So you start looking at things like PrivateLink or even establish like a specific site to site VPN, [00:56:00] but it’s really limited to just those communications.

So you start looking, but you don’t try to make it everything, a single flat network integrated with the, the corporate network. Yup. We don’t do network segregation properly on, on premises environments. Let, let’s not carry that error over by default to cloud accounts, to cloud providers, because you can do it differently.

So true.

Ashish Rajan: [00:56:25] So true. Yeah. I’m just conscious of time as well. We have a few questions that have come through, one of the questions around, can you recommend how to find these good trainings? I guess I won’t pray. You recommend. Oh, I, I mean, I’ll, I’ll, I’ll let you answer it, but I think we kind of bashed, a bit, but I think it’s still good from a, if you want to start off, but we’ll go into the mindset.

Yeah.

Alexandre Sieira: [00:56:48] So, so you know, what good sources of training that I found. So for example, I personally took the Securosis trainings on, on Black Hat, from, from Rich Mogull and the team.

Ashish Rajan: [00:56:59] That was pretty [00:57:00] good.

Alexandre Sieira: [00:57:00] Yeah. They’re awesome. We’ve seen Scott Piper’s training. So he, he was planning to have in-person training with fwd:cloudsec, which is like a cloud centric security conference.

He was going to have it the same day as re:Inforce, but then reinforcing the pattern fwd:cloudsec was online. I think his training happened online as well. So that’s another place to go. And he does have, I think, like in-company trainings or company specific trainings. Teri Radichel.

Ashish Rajan: [00:57:29] Oh yeah,

Alexandre Sieira: [00:57:31] she’s awesome.

She has amazing training as well. And if you don’t mind a bit, a bit of a Brazilian accent on English, as I said before are way better than we are. So.

Ashish Rajan: [00:57:42] Yeah. Yep. And I think definitely once, while reaching out to people, as I think there are only a handful of people, that are running these hundred training, but I would, yeah.

I mean, would you agree when I say you definitely need to have some kind of understanding of the cloud per se, which is kind of where A Cloud Guru or [00:58:00] these kind of folks can, I guess, fill some of that gap, but. To put that security sun on top. It’s like, we just can’t we just kind of like what people like yourself or me or Scott and other people that’s for sure.

If I start doing teaching, I guess this is what AWS services are, but this is more like, this is how you look at them. This is how you look at secret management. This is how you look at identity manager. I think that’s kind of where the difference it’s what’s like going out cause. I don’t imagine us going.

And I’m just talking about the train that I run, but I don’t imagine myself specifically trying to do training on just one service. Does that make sense? So it’s not going to be a bucket, but I don’t know if that, if you look at the same day or you look at it differently.

Alexandre Sieira: [00:58:39] No, no. So, so the, the training we have today, we have a structure of the trains we’re going to have.

The first one we have right now is called EMS infrastructure, cloud infrastructure security. So what we did was if you look at the minimum services, Every company that’s just moving into AWS country use what is the bare minimum? They need to, to do a good job [00:59:00] security wise. So we started with IAM. And so it’s a week long course.

Right. And to cut material because it would be a lot bigger, right. Two days of just IAM, because IAM is the basis for everything. Right. So two days of IAM, and then we go into S3, KMS, and a few things associated with EC2 like Systems Manager, because it can help things like management, patch management, things like that.

And then, Organizations, SSO and a little bit about CloudTrail and GuardDuty just to, just to preview on discourse because we were planning on releasing later this year our AWS monitoring, the blue team course. It’s going to be four day course that ends with a CTF, with a capture the flag. Oh, AWS specific monitoring and defense.

Ashish Rajan: [00:59:54] Having a cloud CTF has been my dream for so long. I was organizing a [01:00:00] conference over here called folks, and I designed a cloud based CTF. I wasn’t gonna be the first one. And I think it was gonna be the first one in the world, but I would like, at least I would like to think so, but we had to cancel that because the local, but I would love for someone to just create a CTF in cloud because I feel it’s so important.

but yeah. and I think it kind of goes back to what she was saying as well about the fact that she’s looking for more security focus. One I think is I’ll definitely recommend, that. cause she said she’s taken a few and she’s Gore for security later. Once I think the ones that you mentioned already, so Terry is a good person, obviously that you can go to and she, if you, in scarred, I don’t want as well.

So there’s a few people who are trying to do security related ones, quickly skimming through some of the questions Molly has asked about is AWS Cognito used widely. It seems to be used the directory kind of service to web apps. Any thoughts on Cognito?

Alexandre Sieira: [01:00:57] Yeah, Cognito is more applicable. If you [01:01:00] are developing an app, you have a mobile app.

You’re developing a web app. It’s not so much to control access into your AWS environment, which is what we were talking about more today. It’s much more, you’re an app developer, you’re building an app and you use Cognito in the same way that you would use Auth0 or other services to, to not have to implement the authentication yourself.

And you have a pre packaged implementation of, the authentication, the user storage, et cetera. It is kind of limited. I would look into alternatives. There’s a great research on some security issues with Cognito that was by Andrés Riancho, which is an Argentinian researcher. I can send you the link later.

Maybe you can add it to the show

Ashish Rajan: [01:01:42] notes

Alexandre Sieira: [01:01:43] worth reading, it has some, some limitations. If you’re all in into AWS, it’s going to make easier life easier for you to not use a third party service, then definitely look into it, but keep in mind, that’s the use case you’re developing an app and you want to have Cognito [01:02:00] handle the authentication for you.

It’s going to work particularly well for using API gateway. and it integrates really well with API gateway. So that could be a design choice for you, but something like Auth0 or one of the alternatives, it’s probably going to be more flexible.

Ashish Rajan: [01:02:15] Oh, I think Paul is an active user of Cognito as well.

So he uses that for desktop solution. I think, according to the question from Melanie about how can I audit or assess IAM in AWS.

Alexandre Sieira: [01:02:28] That’s a great question. There, there’s one tool that I’m, I’m going to rave about. I cannot stop talking about this tool, and I was going to forgot, forget, which is Cloudsplaining.

Cloudsplaining is awesome, from Kinnaird McQuade, I think is in Salesforce, which is a great tool because what it does, it’s, it’s, it’s still a work in progress. Anyone’s welcome to contribute. I, if I had more time, it would be contributing already. Great tool, what it does. It’s well, there’s a specific particular command in [01:03:00] IAM, which I forget right now, which basically dumps all of the IAM users, groups, roles, and all the privileges they have and the relationships between them all in a big JSON, what did that, it gets that, and then.

It checks all of the permissions that have been granted to users or roles and draws your attention to anything that’s dangerous. So it’s going to highlight anything that has the capabilities of leading to privilege escalation or to data exfiltration. So any, any dangerous, permissions that were granted.

And so it’s really powerful because you can automate that. You can run that once a week and just look at the report and see what’s changed and, and use that as a basis for an audit. Kale really well. So that’s one that, that really helps. Policy Sentry by spot. Piper’s another one that I really liked, but it’s on the other end of the spectrum.

It’s helping you write policy. So it’s a way to simplify the way you write correct policies instead of writing them full JSON or YAML of [01:04:00] the, IAM policy. You have a simplified thing saying I’m going to give read privileges to this S3 bucket, write privileges to just SQS queue. And it’s going to then generate because it knows which operations are read, write.

Or configuration on each service. So it makes the job a lot easier, because here’s the real problem. If people don’t understand all the permissions, they’re going to give, they’re going to try one, two, three times. There’s an action missing. Oh, what the hell? I’m just going to put asterisks, right? Might be probably generate.

Slightly over permissive policies in the sense that if you give reads, it’s going to give all of the reads, right. But it’s a lot better than people giving up. And just with asterisk asterisk, which happens a lot in real life.

Ashish Rajan: [01:04:48] It does. And I think it’s worth calling out. Put, there are definitely some challenges by off Joe.

I think we, you touched on this earlier. There are 7,000 actions for IAM, right. [01:05:00] 7,000. Like it’s not even practical to think about. And if you try, you’re trying to bring your on premise knowledge of different kinds of groups that you can come in. it, it, it, yeah, it’s like so many complexities to it, but I think there are some great tools you mentioned.

I’m gonna add that to the show notes. So I’ll take that from you. And that’s kind of like the last question from Molly, just once you, the time as well. There’s an AWS policy generator as well. It’s kind of it’s all right. I feel like still doesn’t do a great job at UI. I just, I think the UI sucks of a policy generator though, but.

I have used

Alexandre Sieira: [01:05:33] one, right? Because if you go on a SSO, there’s one generator. If you go on the console, there’s another one. So AWS is great. The technology is wonderful. They do not exactly excel in UX and also on cross-product functionality. I think it’s the F it’s a feature. Of how they structured their organization, where each product team is kind of working [01:06:00] independently and they’re theirs.

So they have, they are very free to innovate. And so that’s why you see so many releases, a new features, and they, they evolve so fast. But at the same time, if you look at how long it takes for a new service to be supported in CloudFormation, all right. Or things like that. Right. Because the teams don’t talk to each other that much because they’re running independently.

So it’s organizational choice and the console being a shared thing, I think suffers from the same problem. It’s inconsistent.

Ashish Rajan: [01:06:30] Yeah. And I think I’ve just shared the link for Molly as well. Paul just mentioned Cognito’s bi-directional so can definitely can use in both directions. Just trying to think if any of missed to anything.

No, I just talk about the courses. Sweet. Right? Cool. I think we want some, most of the questions, so, but yeah. I can I, our language, we will reach out to you as well. if they have any other follow up questions. So this is towards the end of our show, and I’ve got these three fun questions that I ask people.

That’s you get to know the nontechnical side of the force as well. [01:07:00] So, so Alex, what do you spend most time on when you’re not working on cloud or technology?

Alexandre Sieira: [01:07:06] Ah, interesting. so these days, not much because I’m locked away in my house,

but before that I was, I practice aikido, which is a Japanese modern Japanese martial arts, you know, more like a therapy than anything else. It’s not competitive. It’s not, I’m not trying to be like us. Bad ass and then cast or anything like that, but it’s, it’s really a form of therapy and it’s something that you get better at increasingly increasingly it’s very complex, it’s cooperative.

So it’s a really great way to relax and, and, exercise. I’m a scifi fan. So I watch a lot of movies. I try to read as much as possible. And I try to contribute to conferences. I’m DMC for a resident conference. That’s going to happen next week, for example, I was at the conference stock on DEFCON, which by the way we haven’t mentioned, right?

So this whole topic of cross account access, if you go to [01:08:00] DEF CON Cloud Village, there’s a YouTube channel for that. I did a talk. But as far as non-work-related stuff, I love animals. I have five cats. I have five cats. I have there’s one. If you look at the video on Cloud Village for this one, yeah.

You can actually see him. Let me see. I used to be able to see him there.

Ashish Rajan: [01:08:20] Oh yeah. If I can

Alexandre Sieira: [01:08:22] actually work from his office, he was gracious enough to let me

Ashish Rajan: [01:08:25] work. Oh, I was gracious enough to allow it.

Alexandre Sieira: [01:08:28] You use it occasionally. And I love martial arts. Actually the name of the company, Tenchi, is a Japanese name, which means heaven and earth, based on the name of a particular move

in aikido. That’s called , which is one way in which you can throw an opponent. It’s having them take one hand of the opponent, very close to the ground and the other one very high. And the person gets unbalanced and falls. And so,

Ashish Rajan: [01:08:50] Oh, Oh, there you go. Good to know. I’ve got another couple of questions for you as well.

What is something that you’re proud of, but not on social media,

[01:09:00] Alexandre Sieira: [01:09:01] the team I was able to bring to Tenchi, the thing that makes me proudest right now, The people I was able to gather around me, if you want to be successful, you need to be surrounded with people that are way smarter, more competent than you and I still cannot believe.

I convinced that bunch of people to work with me on the company that we’re just building from. Scratch.

Ashish Rajan: [01:09:19] That is true. I can’t imagine like, yeah. I think it’s one thing to start something on your own as an individual, but then it’s another to kind of get those behind the same mission. So yeah, definitely grocery you guys, man.

Alexandre Sieira: [01:09:34] And it’s a huge responsibility as well because people are leaving their jobs and they’re, you know, they’re going to rely on the company financially.

And so it’s, it’s, I did not take that for granted, but if you look at our blog, some of the research, like the people I have, I really, really, really happy and proud of that.

Ashish Rajan: [01:09:52] That’s awesome. And I, yeah, I can’t bear to have some of those folks in the show as well. One day, final question. What’s your favorite cuisine or [01:10:00] restaurant that you can

Alexandre Sieira: [01:10:03] interesting?

I really love Italian and Spanish, cuisine. My parents are Spaniards. I’m a Spanish citizen as well, so I’ll do my own, tortilla. The web works.

Ashish Rajan: [01:10:14] Oh, nice. Oh my God. I would love to have them, but I only have like a. A very small introduction to the Spanish food. I thanks to you. I’ve got a few Mexican friends here and, they’ve introduced me to this whole new world that I didn’t know existed beyond tacos.

I’m like, how is it? Like people were not talking more about the other food span, other Spanish food apart from tacos, but yeah. Sorry. Gone. I,

Alexandre Sieira: [01:10:42] no, that’s okay. That’s okay. and, and, and Italian food as well. So we were talking about Brazil earlier, right? So I have this huge Spanish influence because my parents are Spanish and a lot of modified dishes that I ate growing up that even people in Brazil don’t know about because of the Spanish heritage.

but Italian is really huge in Brazil [01:11:00] when Brazil abolished slavery, there was a lot of, European immigration into Brazil. And so. There are regions in Brazil that people only speak German to this day. My wife is from the South of Brazil. She only started learning the country’s official language Portuguese.

When she started going to school, her father has really thick German yeah. And speaks Portuguese. And so she speaks fluent German. And so they have German food and Italians. I mean, we have a huge, huge, amount. We had a huge amount of it. How many immigrants? So the pizza in São Paulo is probably one of the best in the world outside of, you know what I mean?

And I know people from New York are going mad at me right now.

Ashish Rajan: [01:11:41] Yeah. Yeah. I was going to say like all the New Yorkers they’re going to be like, what, how can you have we have the best pizza in the world? Yeah, I think I’ll, I definitely have to say you definitely. I must say you represented Brazil quite well because towards the end, you’ve you’ve managed to have like a good tourism.

Yeah. [01:12:00] You’ve managed to get the tourism going. Up as well, like where the Italian population zone population, someones good food, amazing Baeza. That sounds perfect, man. where can people find you if they have any follow up questions and so we can define you.

Alexandre Sieira: [01:12:15] So I’m on Twitter as Alexandre Sieira, it’s probably include the link on the show notes because my full name, full name, which is horrible.

Mistake, mistake. And adds things for security.com, actually not 10 CI’s security.com. And you’re going to find my, my email, my profile there. we have a blog with a few interesting themes. We, we posted that you’ll find my, Mike find interesting. that’s the easiest way, your friend.

Ashish Rajan: [01:12:45] Awesome. Cool.

Right. I can’t wait to have you guys have your back again, then some other foursome density as well, but thanks for joining you, man. I really appreciate you coming in.

Alexandre Sieira: [01:12:54] Thank you for inviting me. It was a great pleasure.