Tag Archives: AWS

Barbarians Inside the Gates: AWS Security Roadshow

AWS Security Roadshow, Tysons Corner, VA (5/23/2017)

I attended the AWS Security Roadshow yesterday in Tysons Corner, VA (5/23/2017).  Members of the AWS Technical Services Team delivered various briefings and answered one-on-one questions regarding best practices for securing one’s AWS Cloud-based software solutions.  One of my biggest takeaways was the idea of ‘DevSecOps’.

The software development life cycle (SDLC) is typically a process balanced by two competing forces: Development and Operational Staff.  The Development Staff is typically motivated by the imperative to deliver quality code quickly and often, while the Operations Staff is typically motivated by the imperative to keep the Production Environment running and stable, with as few changes as possible.  AWS are encouraging users of their platform to include a third competing component in the typical SDLC: Security Staff.

Security Staff, the ‘Sec’ in the term ‘DevSecOps’, are motivated by the imperative to keep the bad guys away from Enterprise Data, promising to make the balancing act between Development and Operational imperatives even more contentious, albeit a necessary contention at that.  Security Engineers need to be integral components of any Enterprise Software Engineering Team, and they need to be driving security concerns and architectural decisions from the very beginning of the SDLC.  Computer Security is not a quality gate, but an integral part of the SDLC.

Security Inconsistencies

While overall I am impressed by AWS’ focus on Cloud Security, and their desire to ensure that AWS customers practice ‘Safe OpSec’ (Safe Operational Security, for you AFN Fans) on their platform, I have noticed a few inconsistencies in the overall security messaging:

Practicing Safe OpSec Costs More

Keeping technical assets secure in the AWS Cloud costs more.  For example, if you want to keep your Lambda function safe from the wily internet behind a Virtual Private Cloud (VPC), the VPC is going to cost you.  Moreover, if your Lambda function, running safely on your VPC subnet, needs to access the public network for anything, like to access SES to send out an email notification, your VPC will need to be attached to a NAT to forward internet-bound requests out through an Internet Gateway.  The NAT/Gateway implementation is also going to cost you.  So, in reality (and this may matter quite a bit to bootstrapped startups using AWS), it will cost a customer significantly more to secure their cloud-based solution than not.
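The private-subnet-plus-NAT arrangement described above is easy to get subtly wrong: a Lambda function placed in a subnet with no default route cannot reach SES at all, and one placed in a "public" subnet (default route straight to the Internet Gateway) gets no egress either, because Lambda network interfaces never receive a public IP. The following added example (not code from the post or from AWS) classifies each subnet from its route table, the same way you would audit the output of the EC2 DescribeRouteTables call. The route tables, subnet IDs and gateway IDs are constructed sample data in that output's shape.

```python
"""Classify the egress path of the subnets a VPC-attached Lambda uses.

Added example, not from the original post. ROUTE_TABLES is constructed
sample data shaped like EC2 DescribeRouteTables output; all IDs are
placeholders.
"""

# Constructed sample: one VPC whose main table routes to the IGW (public),
# one explicitly associated table routing to a NAT gateway (private with
# egress), and one with no default route at all (isolated).
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main000000000000",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-00000000000000000"},
        ],
    },
    {
        "RouteTableId": "rtb-private00000000",
        "Associations": [{"Main": False, "SubnetId": "subnet-private0000000"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-00000000000000000"},
        ],
    },
    {
        "RouteTableId": "rtb-isolated0000000",
        "Associations": [{"Main": False, "SubnetId": "subnet-isolated000000"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        ],
    },
]


def route_table_for_subnet(route_tables, subnet_id):
    """Return the table a subnet uses: its explicit association, else the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(route_tables, subnet_id):
    """Classify a subnet's default (0.0.0.0/0) route.

    'public'              -> routes to an internet gateway (igw-...)
    'private-with-egress' -> routes to a NAT gateway (nat-...)
    'isolated'            -> no default route
    """
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        raise ValueError(f"no route table found for {subnet_id}")
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private-with-egress"
    return "isolated"


def lambda_placement_findings(route_tables, subnet_ids, needs_internet):
    """Flag subnets that are the wrong place for a VPC-attached Lambda function.

    Returns a list of (subnet_id, classification, message) tuples.
    """
    findings = []
    for sid in subnet_ids:
        kind = classify_subnet(route_tables, sid)
        if kind == "public":
            findings.append((sid, kind,
                             "default route goes straight to the IGW; Lambda ENIs have no "
                             "public IP, so this gives no egress and widens exposure"))
        elif kind == "isolated" and needs_internet:
            findings.append((sid, kind,
                             "no default route; calls to SES or any public endpoint will time out"))
    return findings


if __name__ == "__main__":
    for sid in ("subnet-private0000000", "subnet-isolated000000"):
        print(sid, classify_subnet(ROUTE_TABLES, sid))
    for finding in lambda_placement_findings(ROUTE_TABLES, ["subnet-isolated000000"], True):
        print(*finding)
```

A function that only talks to services inside the VPC should come back as `isolated` with no finding; one that must reach SES should come back as `private-with-egress`, and the NAT gateway that makes that true is the line item the post is talking about.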

Even Erlich Bachman and his ‘See Food’ startup express angst over AWS charges…

Penetration Testing Can Get You In Trouble

The AWS Staff encouraged participants at this particular Road Show gathering to automate security testing, and penetration testing in particular, into the CI/CD code build and deployment pipeline.  However, penetration testing, in someone else’s cloud infrastructure, can land you in hot water.  You need to be sure to read the law of the land on this issue, and request permission to pen-test from AWS (https://aws.amazon.com/security/penetration-testing/).  From a newbie customer’s perspective, these instructions seem a bit ominous and could deter folks from even bothering.

Alexa Skill Security

I asked one AWS Engineer some questions about Alexa Security and how Alexa might be securely utilized in the Enterprise.  The engineer I asked was not an Alexa engineer, so agreed to forward my question to the Alexa Engineering Staff.  I have not heard anything back yet on my questions, but I suspect IT security and Alexa Skills have yet to meet one another.

Think Like A Barbarian

I am impressed that AWS is concerned enough about sharing security concerns with their customers that they are traveling around the United States to help ensure that IT security remains a primary concern.  AWS have a vested interest in customers who are well educated on AWS Cloud services and security best practices.  Their message is clear: when deploying applications to the AWS infrastructure, think like a Black Hat and use AWS services and best practices to help protect your assets.  As more and more organizations move to AWS, IT Security becomes increasingly important for the growing universe of AWS Cloud Customers.

EDM Love

When I was in 6th grade, I discovered one of my Dad’s records (what the heck is a ‘record’?) called ‘Switched-On Bach’. I gave it a listen and was ABSOLUTELY mesmerized. I had never heard anything like it! The album was full of J.S. Bach music played on a Moog Synthesizer by Wendy Carlos. According to Wikipedia, this album placed in the top 10 on the US Billboard 200 between 1969 and 1972! The combination of old school Classical Music being played on a high tech instrument like the Moog Synthesizer was a blissful combination to me.

Years later I fell in love with the movie, ‘Tron’. The Tron soundtrack was authored and played by my idol from the ‘Switched-On Bach’ days, Wendy Carlos. It was about this time (I was a freshman in High School) that I started to get what an awesome combination computers and music made.

Since then, I’ve tinkered with digital music. I’ve written a few goofy songs. I’ve tried my hand at producing a few songs on Garage Band. I’ve dreamed of becoming a DJ, even talked to a few DJs about how to go about it. But I’ve never pursued this passion much further than that. I’ve been called a ‘fart in a frying pan’ because I chase a lot of different dreams. I do need a bit of focus in my life… Anyway, two years ago I took my girlfriend to U Street in DC once to try to get a feel for the DJ scene in Washington DC. The main DJ was Afrika Bambaataa, one of my faves in High School. We had an awesome time, but the vibe wasn’t really what I was looking for. U Street is no Ushuaia.

One thing on my bucket list is to party in Ibiza

Fast forward to 2016. Never mind how old I am now. Not important. This past November, I had the privilege of attending a Martin Garrix performance in Las Vegas with my girlfriend. We were blown away by the richness of the bass, the visual sensations, and the overall experience. The Martin Garrix performance was at the AWS re:Invent 2016 Cloud Conference at the re:Play party. I felt I had been reconnected with my childhood fascination with computers and music. It was SENSATIONAL!!!

AWS re:Play Party 2016

Fast forward to today. Where is the EDM scene? Where are the best DJs in the world? Where can we go to hear them and experience the vibe? Turns out one of the best EDM DJ experiences in the world is in Boom, Brussels at Tomorrowland. So guess where we are going this July?!?!?! Headliners currently include most of my favorites, including Martin Garrix, Armin van Buuren, Afrojack, Kaskade, Steve Aoki, etc. I’m hoping that David Guetta, Dimitri Vegas and Like Mike are also there for the Weekend 2 performances – BE THERE OR BE SQUARE!! Tickets have already sold out. We are so stoked!!!!

If you are going to Boom this summer, drop me a line.

Building A Startup On AWS

Let’s Dance

Building on the knowledge learned from my previous two blog posts on my following of the Wild Rydes AWS Serverless Computing Tutorials (Wild Rydes Part I and Part Deux), I decided to put some of that information to use in my own work at www.nautilustracker.com.

I’ve been working on some mobile apps and a back-end platform supporting my trans-Atlantic Ocean Rowing attempt last year with my girlfriend, Cindy. I’d like to turn some of the things I’ve developed thus far into a Software as a Service (SaaS) for other people to easily use on similar adventures. To that end, I wanted to quickly create a responsive website to put out some information about my future offerings, including the ability to allow interested parties to contact me by providing their email address and a contact message in a simple contact form.

Know Your Limitations. Build On the Shoulders of Giants

I know I do not have great web design skills. Web design is just not my focus. But I needed to create a nice-looking website for my startup landing page. What to do? I did some quick searches and found lots of free Bootstrap templates I could use for my purposes. Over the course of an afternoon I grabbed a free Bootstrap template that I liked, cut in some of my own images, and modified the HTML to create the menus and sections I wanted in my landing page. I brought in some of the JavaScript from the Wild Rydes tutorial I was working through to connect my Contact Form to my DynamoDB database running in my AWS Account. After I had the look-and-feel I was going for, and the functionality was working OK for the Contact Form, it was simply a matter of uploading my website assets to my S3 bucket:

> aws s3 sync . s3://www.nautilustracker.com

Stop Daddy

I had previously registered my Domain Name (nautilustracker.com) with GoDaddy last year. Now I wanted to move the DNS Registrar to AWS. This turned out to be very easy. Once I followed the documented steps to move a domain to AWS, I only had to add an A Record to point the domain to my S3 Bucket containing the website artifacts. I will point this A Record to a CloudFront endpoint soon.

Lipstick On A Pig

Now that the landing page is up, there is a mountain of work to do. The next step is to get email working for my domain using AWS SES so I can use that domain email to register as an organization in the Apple iOS Developer Program.

AWS Serverless Computing Example: Wild Rydes Part I

I’ve been working through a tutorial I started in a session I took at AWS re:Invent 2016.  I did not finish the tutorial in class so I started working on it again after getting home from the conference.  The tutorial is on GitHub if you care to follow along.

Admittedly, I’m not the sharpest knife in the drawer (but I am made of the hardest, most persistent steel…they call me, ‘Blue Steel’ – said in my best Ben Stiller voice).  It took me a while to figure out why I could not get the AWS JavaScript SDK to allow unauthenticated users, vis-a-vis AWS Cognito, to access my DynamoDB Email Table.  Here are some errors and things I learned troubleshooting this:

The latest Firefox browser seems to give better clues about why things are not working in the Developer Console than Google Chrome.  Using Google Chrome, I kept seeing an error like, “Missing Credentials In Config”, and was really confused what exactly that meant.  I was following the tutorial exactly, as far as I could tell, so I could not discern whether this error was from a code change I made or from an AWS configuration problem.  Then I looked at my website in Firefox, using the Firefox Developer Console, and could see a little bit better what was going on.

Here’s my main error as seen in the Google Chrome Developer Console:

And here’s the same error as reported by Firefox Developer Console:

Ahh!  So a ‘ResourceNotFoundException’ is being thrown.  Now I could see that my Javascript code probably wasn’t the problem and that my Cognito/IAM Role Configuration might be the culprit.

After further investigation, a day (or so) later, I discovered a simple typo in my DynamoDB Table Name:

The table name should have been ‘Wildrydes_Emails’.  Seriously?!?!  Yes, I’m an idiot (but one made of ‘Blue Steel’…).  Once that was corrected, I was finally able to get my unauthenticated Cognito Role to access my DynamoDB Table.
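Two things from this troubleshooting are worth turning into a check that runs before the browser ever calls DynamoDB: the unauthenticated Cognito role should be allowed to do exactly one thing (write to exactly one table), and the table name the client code sends must match, case for case, the table the role is granted. The following added example (not code from the Wild Rydes tutorial or from the post) builds that least-privilege policy document and flags both over-broad grants and a name mismatch. The region, account ID and the mistyped client-side table name are constructed placeholders; ‘Wildrydes_Emails’ is the name the post settled on.

```python
"""Least-privilege policy for a Cognito unauthenticated role, plus a check
that the client's TableName matches what the policy grants.

Added example, not from the tutorial or the post. Region and account ID are
constructed placeholders.
"""
import json
import re

# Captures the table name from a DynamoDB table ARN.
TABLE_ARN_RE = re.compile(r"^arn:aws:dynamodb:[a-z0-9-]+:\d{12}:table/([A-Za-z0-9_.-]+)$")

# Read actions that an anonymous visitor to a landing page should never hold.
READ_ACTIONS = {"dynamodb:Scan", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:BatchGetItem"}


def table_arn(region, account_id, table_name):
    return f"arn:aws:dynamodb:{region}:{account_id}:table/{table_name}"


def unauth_role_policy(region, account_id, table_name, actions=("dynamodb:PutItem",)):
    """IAM policy document for the unauthenticated role: one action, one table."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": table_arn(region, account_id, table_name),
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """Human-readable findings for grants that are too broad for an anonymous role."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action in READ_ACTIONS:
                findings.append(f"statement {i}: {action} lets anonymous visitors read the table")
        for res in _as_list(st.get("Resource", [])):
            if res == "*" or res.endswith("table/*"):
                findings.append(f"statement {i}: wildcard resource {res!r}")
    return findings


def tables_granted(policy):
    """Set of table names the policy's Allow statements name explicitly."""
    names = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        for res in _as_list(st.get("Resource", [])):
            match = TABLE_ARN_RE.match(res)
            if match:
                names.add(match.group(1))
    return names


def check_client_table_name(client_table_name, policy):
    """Return None if the TableName the browser sends is granted, else a message.

    DynamoDB table names are case-sensitive, so a case-only mismatch (the
    kind of typo that produces ResourceNotFoundException) is called out.
    """
    granted = tables_granted(policy)
    if client_table_name in granted:
        return None
    near = [n for n in granted if n.lower() == client_table_name.lower()]
    if near:
        return (f"client uses {client_table_name!r} but the policy grants {near[0]!r}; "
                "DynamoDB table names are case-sensitive")
    return f"client uses {client_table_name!r}, which no statement grants (granted: {sorted(granted)})"


if __name__ == "__main__":
    policy = unauth_role_policy("us-east-1", "123456789012", "Wildrydes_Emails")
    print(json.dumps(policy, indent=2))
    print(policy_findings(policy))
    # Constructed mistyped client value, to show the case-sensitivity finding.
    print(check_client_table_name("WildRydes_Emails", policy))
```

Run the name check against the `TableName` literal in the page's JavaScript as part of the build, and the typo surfaces as a readable message instead of a `ResourceNotFoundException` buried in a browser console.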

There is still work to be done in this tutorial, and I’ll blog about any issues I overcome as I encounter them.  My work is being hosted in my AWS account on Cloudfront, so feel free to check it out and submit your email to my DynamoDB database.  Let’s get this startup rolling!

http://d39nkefhhvszkn.cloudfront.net/

'Out of the Box' Rubik

Infrastructure As Code

I recently read this article and listened to the 2015 AWS re:Invent session on the same.  This discussion really resonated with me.  I’m excited to try to automate everything, including infrastructure deployments, in my future development projects.  I like the idea of using automated testing frameworks, such as serverspec, for testing infrastructure deployments.

My three big take-aways from the video:

  1. If it’s not automated, it’s not done.
  2. If it moves, measure it.
  3. If it’s not monitored, it doesn’t exist.

My Path to AWS Certified Solution Architect – Associate

On December 1st, 2016, I took and passed the AWS Certified Solutions Architect – Associate Exam.  I took the exam at the AWS re:Invent Conference in Las Vegas, and by ‘passed’, I mean by the skin of my teeth!  But to me, passing is all that matters and I achieved that objective.  Here are some notes on how I prepared for this certification exam:

  • I tried to use AWS Services as much as possible.  I signed up for a free-for-one-year account and started deploying some small applications I had written to EC2.  Initially, I ran MySQL on one of my EC2 instances, but when I discovered RDS, I learned that RDS is an easier and more cost-effective approach to using an RDBMS in the cloud.  Aurora and DynamoDB are some other excellent options for cloud-based databases.
  • I bought the Official Study Guide for this certification and started studying it and working through the exercises in the book about two months prior to my exam.  As I am now done with this book, I am happy to mail it to the first person who requests it, for free, as long as you agree to pay for shipping.  I have marked my copy up pretty well, however, and I’ve circled all of the answers to the practice test questions in ink.
  • I paid $20 to take the AWS Practice Exam.  I failed it with a 50% score and almost ended up re-scheduling the real exam.  I decided, however, to double down on my studying and to stick to my original plan.  This is one gamble of mine that actually paid off.
  • I attended the 2016 AWS re:Invent Conference in Las Vegas and participated in the Monday Night Hackathon.  Here I quickly learned how to deploy REST services on AWS Lambda using the API Gateway service.  I also learned a bit more about DynamoDB in the process.  The Hackathon helped to focus my understanding of some services, and the re:Invent Conference helped to broaden my understanding of many others.
  • I took my certification exam on Wednesday Night of the conference at 8pm in the Venetian Hotel.  I thought I would be the only one taking an exam at that time of night, but there were at least 15 other folks in the examination room with me.

Here are some of my associated exam expenses along the way:

  • The Official Study Guide on Amazon.com: $57
  • Scheduling the Certification Exam: $150
  • Practice Exam: $20
  • AWS re:Invent 2016 Conference: $1600
  • Travel and Lodging at Las Vegas (me, girlfriend and kids): $750
  • Estimated Exam Focused Time Investment: 2 months
  • Estimated Total Investment: $2,577

AWS re:Invent Conference

So was my investment in this certification worth it?  One thing I learned at the re:Invent conference in Vegas is that if you want to win big, you have to bet big.  I think this investment was a pretty big bet as far as certifications and technical focus are concerned.  I don’t think attending the re:Invent conference was necessary in passing the certification exam, however, but I do think it was necessary in trying to accurately gauge the viability of the AWS Cloud Platform in the coming years.  Participating in the Hackathon was a great way to get focused on approaches to deploying solutions to the AWS Cloud in a team environment.  Attending the AWS re:Invent conference helped me to broaden my perception of the sheer breadth of AWS Cloud offerings, not to mention the insight I received in learning about some of the innovative ways companies are using AWS Cloud now.  I witnessed over 30,000 conference participants, from all over the world, attending sessions from 8am to 8pm non-stop, learning as much as they could about the AWS platform.  I, too, drank the Kool-Aid and truly believe AWS Cloud is a secure, cost-effective, highly elastic, high-performance platform for all types of software applications.  And I don’t see any other cloud company as a close competitor to Amazon right now, nor may we ever.  Amazon has built their Cloud Platform from lessons learned being the largest E-Commerce Platform in the world.  I feel like I’ve made a safe bet.

AWS re:Play Party

Financial costs aside, the re:Play Party at the end of the AWS conference was truly amazing!  There were drinks (lots of drinks), t-shirts, amazing, amazing food, retro video games, mechanical bull riding, foosball, etc. etc.  I’m sure there was even more stuff, I just couldn’t take it all in.  Then there was the headline performance by DJ Martin Garrix, which was radical.  I took my girlfriend to the party and we had an amazing time.  It was an amazing week in Las Vegas, which ended with a quick family jaunt to the Grand Canyon, but I’ll save that for another blog post.

Foosball

Collecting Energy Price Data

I’m not sure why exactly, but I am particularly interested in fluctuating energy costs, particularly the costs associated with putting gas in my car.  I remember that Regular Unleaded Gas (or Petrol for you Europeans) was $0.99 a gallon when I started driving around 1985 in the arid Southwest of San Antonio, TX.  Of course gas is more expensive today, but I’m often surprised how relatively cheap gas prices remain for a gallon of Regular Unleaded.  I feel fairly confident that it’s just a matter of time before all energy costs, Regular Unleaded Gas not excluded, will rapidly increase.  Energy is a limited resource yet the global population continues to grow.

Anyway, I wrote a Python script (adapted from a Perl script I wrote to do the same a few years ago) to grab the current National Average Price for Regular Unleaded Gas.  My script runs automatically each morning to collect the daily price of Regular Unleaded Gas and dumps it into a MySQL database I have running on AWS.
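A collector like this takes a string scraped from someone else’s web page and writes it into a database every morning, so the two things worth getting right are validating the scraped value before it goes anywhere near SQL and using a parameterized INSERT rather than string formatting. The following added example (not the post’s script) does both, with the same columns as the table shown below; it uses an in-memory SQLite table as a stand-in for the MySQL table on AWS, and the scraped strings in it are constructed. A `UNIQUE` constraint on `price_date` makes a re-run of the daily job harmless instead of producing a duplicate row.

```python
"""Validate a scraped gas-price string and store one row per day.

Added example, not the post's script. SQLite stands in for the MySQL
database described in the post; the raw price strings are constructed.
"""
import re
import sqlite3
from datetime import date, datetime
from decimal import Decimal

# A plain dollar price such as "$2.165" or "2.16"; anything else (markup,
# ranges, text) is rejected rather than stored.
PRICE_RE = re.compile(r"^\$?(\d{1,2}\.\d{1,3})$")

SCHEMA = """
CREATE TABLE gas_price (
    id            INTEGER PRIMARY KEY AUTOINCREMENT,
    rec_create_dt TEXT    NOT NULL,
    price_date    TEXT    NOT NULL UNIQUE,
    price         TEXT    NOT NULL,
    year          INTEGER NOT NULL,
    month         INTEGER NOT NULL,
    day           INTEGER NOT NULL
)
"""


def parse_price(raw):
    """Turn scraped text into a Decimal, rejecting malformed or implausible values."""
    match = PRICE_RE.match(raw.strip())
    if not match:
        raise ValueError(f"unexpected price text: {raw!r}")
    value = Decimal(match.group(1))
    if not Decimal("0.50") <= value <= Decimal("20"):
        raise ValueError(f"price out of plausible range: {value}")
    return value


def open_db():
    """Create the stand-in table (a MySQL connection would replace this)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def record_price(conn, raw_price, price_date_iso, now=None):
    """Insert one day's price using bound parameters.

    Returns True if a row was inserted, False if that date already exists
    (the daily job was re-run).
    """
    value = parse_price(raw_price)
    price_date = date.fromisoformat(price_date_iso)
    now = now or datetime.now()
    try:
        conn.execute(
            "INSERT INTO gas_price (rec_create_dt, price_date, price, year, month, day) "
            "VALUES (?, ?, ?, ?, ?, ?)",
            (now.strftime("%Y-%m-%d %H:%M:%S"), price_date.isoformat(), f"${value:.3f}",
             price_date.year, price_date.month, price_date.day),
        )
    except sqlite3.IntegrityError:
        return False
    conn.commit()
    return True


def prices_between(conn, start_iso, end_iso):
    """Return [(price_date, Decimal price), ...] for an inclusive date range."""
    rows = conn.execute(
        "SELECT price_date, price FROM gas_price "
        "WHERE price_date BETWEEN ? AND ? ORDER BY price_date",
        (start_iso, end_iso),
    ).fetchall()
    return [(d, Decimal(p.lstrip("$"))) for d, p in rows]


if __name__ == "__main__":
    db = open_db()
    print(record_price(db, "$2.165", "2016-07-24"))   # True
    print(record_price(db, "$2.165", "2016-07-24"))   # False: already stored
    print(prices_between(db, "2016-07-01", "2016-07-31"))
```

Swapping `sqlite3` for a MySQL driver changes only the connection and the placeholder style; the validation and the bound parameters carry over unchanged.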

Here’s a graph snapshot of the data I’ve collected so far (click to enlarge).

Here’s the table of the data I’ve collected so far:

+----+---------------------+------------+--------+------+-------+-----+
| id | rec_create_dt       | price_date | price  | year | month | day |
+----+---------------------+------------+--------+------+-------+-----+
|  1 | 2016-07-25 01:53:08 | 2016-07-24 | $2.165 | 2016 |     7 |  24 |
|  2 | 2016-07-25 09:46:16 | 2016-07-25 | $2.161 | 2016 |     7 |  25 |
|  7 | 2016-07-26 11:11:50 | 2016-07-26 | $2.154 | 2016 |     7 |  26 |
|  8 | 2016-07-27 06:00:16 | 2016-07-27 | $2.154 | 2016 |     7 |  27 |
|  9 | 2016-07-28 06:00:22 | 2016-07-28 | $2.148 | 2016 |     7 |  28 |
| 10 | 2016-07-29 06:00:21 | 2016-07-29 | $2.142 | 2016 |     7 |  29 |
| 11 | 2016-07-30 06:00:22 | 2016-07-30 | $2.139 | 2016 |     7 |  30 |
| 12 | 2016-07-31 09:30:22 | 2016-07-31 | $2.135 | 2016 |     7 |  31 |
| 13 | 2016-08-01 09:30:22 | 2016-08-01 | $2.132 | 2016 |     8 |   1 |
| 14 | 2016-08-02 09:30:23 | 2016-08-02 | $2.126 | 2016 |     8 |   2 |
| 15 | 2016-08-03 09:30:23 | 2016-08-03 | $2.120 | 2016 |     8 |   3 |
| 16 | 2016-08-04 09:30:23 | 2016-08-04 | $2.116 | 2016 |     8 |   4 |
| 17 | 2016-08-05 09:30:23 | 2016-08-05 | $2.120 | 2016 |     8 |   5 |
| 18 | 2016-08-06 09:30:23 | 2016-08-06 | $2.124 | 2016 |     8 |   6 |
| 19 | 2016-08-07 09:30:24 | 2016-08-07 | $2.123 | 2016 |     8 |   7 |
| 20 | 2016-08-08 09:30:23 | 2016-08-08 | $2.123 | 2016 |     8 |   8 |
| 21 | 2016-08-09 09:30:24 | 2016-08-09 | $2.124 | 2016 |     8 |   9 |
| 22 | 2016-08-10 09:30:24 | 2016-08-10 | $2.127 | 2016 |     8 |  10 |
| 23 | 2016-08-11 09:30:25 | 2016-08-11 | $2.130 | 2016 |     8 |  11 |
| 24 | 2016-08-12 09:30:25 | 2016-08-12 | $2.129 | 2016 |     8 |  12 |
| 25 | 2016-08-13 09:30:21 | 2016-08-13 | $2.127 | 2016 |     8 |  13 |
| 26 | 2016-08-14 09:30:26 | 2016-08-14 | $2.125 | 2016 |     8 |  14 |
| 27 | 2016-08-15 09:30:26 | 2016-08-15 | $2.124 | 2016 |     8 |  15 |
| 28 | 2016-08-16 09:30:26 | 2016-08-16 | $2.125 | 2016 |     8 |  16 |
| 29 | 2016-08-17 09:30:27 | 2016-08-17 | $2.132 | 2016 |     8 |  17 |
| 30 | 2016-08-18 09:30:26 | 2016-08-18 | $2.135 | 2016 |     8 |  18 |
| 31 | 2016-08-19 09:30:27 | 2016-08-19 | $2.141 | 2016 |     8 |  19 |
| 32 | 2016-08-20 09:30:23 | 2016-08-20 | $2.152 | 2016 |     8 |  20 |
| 33 | 2016-08-21 09:30:28 | 2016-08-21 | $2.158 | 2016 |     8 |  21 |
+----+---------------------+------------+--------+------+-------+-----+