CLOSE your admin ports 22 and 3389 to “” 

One of the best things you can do to protect your AWS instances is to ensure your users NEVER use the default ‘launch-wizard’ Security Group that leverages “” for your administrative access over ports 22 or 3389.  Not using the AWS defualt Security Group is a ‘top recommended’ practice by pretty much every Cloud Security vendor our there. It makes sense . .  this default setting by AWS opens your servers up to the whole entire world, CHINA, Russia, etc…  And with all of the automated brute force scripts the bad guys are using, your instances don’t stand a chance.

AWS provides some way of mitigating this via AWS config and gives some examples. I found AWS config to be too restrictive with regards to custom Security Groups, meaning that with AWS config, you have your “compliant” Security Groups which default to a standard; and if Security Groups don’t match compliant groups, then ( …some action can be taken .e.g, notify via SNS or Lambda ). Although ideal in a perfect world, this scenario does not match every use case cleanly.  There are also some other ways of dealing with this, closer to the source too that I will explore soon.

For now, for a “bolts and braces” approach, you may just want to not allow Security Groups which permit traffic to the entire world “”  over 3389 or 22. Just doing this one thing is HUGE!!!  Until AWS gets rid of this as the DEFAULT option for ‘launch-wizard’, your users will launch instances with this group. So I have a script . . .

In this script, using boto 2.x library,  can be run on an EC2 instance, which will list and remediate the groups and replace the quad zero with an IP of your choice! Lambda no longer supports the older boto libraries, so  this particular script can be run as a cron on AWS Linux, launched with an IAM role like the following:

One of my peer developers re-wrote my script using BOTO3, so it would work with Lambda, but …. that script is not mine and I do not have permission to share it here. Having said that, I do plan to follow up and write a new one not based on his code. Even if my script does not work for your use case, the point here is . . . CLOSE your admin ports 22 and 3389 to “” 



Posted in Uncategorized | Leave a comment

2018 AWS Security Specialty Exam: Updated July 2018

Finally, it’s here! I’ve compiled a list of resources and videos to help you study!

AWS Certified Security – Specialty Exam


Official Exam Guide

First, here is the pdf of the  AWS Exam Guide for the  SCS-C01

Now, here is my resource collection:

AWS Certified Security – Specialty Course from

It’s the course for the new exam, Ryan and Team have updated this course for the new 2018 Exam! Founder Ryan Kroonenburg – Ryan sat the beta of this exam on Jan 15th in London. He made this video giving general exam experience feedback


Next, I think this Exam will hit every corner of the AWS Universe, which means diving deep into the AWS Security and Compliance Whitepapers

Out of those, The Well Architected Framework – Security Pillar would be the one to know like the back of your hand.

Re:Invent 2017 Security Vids

After that, the AWS RE:Invent 2017  IAM Policy Ninja Video is an incredible resource and to be sure, I will watch (and practice) this multiple times over the next several weeks. And other RE:Invent 2017 Security Vids:

AWS Philosophy of Security
Architecting Security and Governance Across Multiple-Accounts
Security Anti-Patterns: Mistakes to Avoid
Best Practices for Managing Security Operations on AWS
AWS Security State of the Union
Compliance and Top Security Threats in the Cloud
Incident Response in the Cloud
Five New Security Automation Improvements You Can Make by Using CloudWatch Events and AWS Config Rules
Using AWS Lambda as a Security Team
 CloudTrail to Enhance Governance and Compliance of Ama

Now the AWS recomended Training for the SCS-C01 BETA exam:

AWS Security Fundamentals e-course
Online Resources for AWS Security

Exam Topic Specific Resources SCS-C01

Domain 1: Incident Response

RE:Invent Video: Incident Response in the Cloud

1.1 Given an AWS abuse notice, evaluate the suspected compromised instance or exposed access keys.

I received a notification that my AWS resources or account may be compromised. What should I do?

1.2 Verify that the Incident Response plan includes relevant AWS services

Building a Cloud-Specific Incident Response Plan

1.3 Evaluate configuration of automated alerting and execute possible remediation of security-related incidents and emerging issues

How to Remediate Amazon Inspector Security Findings Automatically
How to Detect and Automatically Remediate Unintended Permissions in Amazon S3 Object ACLs with CloudWatch Events

Domain 2: Logging and Monitoring

2.1 Design and implement security monitoring and alerting.

Designing Centralized Logging
CloudWatch Logging Agent
How to Monitor Host-Based Intrusion Detection System Alerts on Amazon EC2 Instances
How to Receive Alerts When Your IAM Configuration Changes
SID341 – Using AWS CloudTrail Logs for Scalable, Automated Anomaly Detection

2.2 Troubleshoot security monitoring and alerting.

Troubleshoot SNS Deliveries
Troubleshoot SES Notifications

2.3 Design and implement a logging solution.

Logging Whitepaper
How to Monitor and Visualize Failed SSH Access Attempts to Amazon EC2 Linux Instances

2.4 Troubleshoot logging solutions

Troubleshooting CloudWatch Events

Domain 3: Infrastructure Security

3.1 Design edge security on AWS.

AWS Shield
Protect Dynamic Content using Shield and Route53
Serving Private Content Through CloudFront
SID342 – Protect Your Web Applications from Common Attack Vectors Using AWS WAF
SID401 – Let’s Dive Deep Together: Advancing Web Application Security

3.2 Design and implement a secure network infrastructure.

Setting Up an AWS VPN Connection – Amazon Virtual Private Cloud
VPN Connections – Amazon Virtual Private Cloud – AWS Documentation
Well Architected Framework – Security Pillar
EC2 Systems Manager

3.3 Troubleshoot a secure network infrastructure.

Troubleshooting – Amazon Virtual Private Cloud – AWS Documentation
Troubleshoot Connecting to an Instance in a VPC – AWS –
Troubleshooting AWS Direct Connect – AWS Documentation
VPN Tunnel Troubleshooting – AWS –

3.4 Design and implement host-based security

IDS and IPS for EC2 Instances
How to Monitor Host-Based Intrusion Detection System Alerts on Amazon EC2 Instances
Amazon Inspector – Security Assessment Service

Domain 4: Identity and Access Management

4.1 Design and implement a scalable authorization and authentication system to access AWS resources.




AWS Identity and Access Management (IAM) Documentation
IAM Best Practices – AWS Identity and Access Management
Enabling SAML 2.0 Federated Users to Access the AWS Management …
SID337 – Best Practices for Managing Access to AWS Resources Using IAM Roles
AWS Cognito
SID344 – Soup to Nuts: Identity Federation for AWS
S3 Bucket Policy Examples

4.2 Troubleshoot an authorization and authentication system to access AWS resources.

Troubleshooting IAM – AWS Identity and Access Management
Troubleshooting IAM Roles – AWS Identity and Access Management
Troubleshoot IAM Policies – AWS Identity and Access Management
Troubleshooting Amazon EC2 and IAM – AWS Identity and Access …
Troubleshooting Amazon S3 and IAM – AWS Identity and Access …

Domain 5: Data Protection

5.1 Design and implement key management and use.

AWS Encryption SDK
AWS Key Management Service Concepts – AWS Documentation
RE:Invent Video – Best Practices for Implementing KMS
Whitepaper – Best Practices for KMS
SID345 – AWS Encryption SDK: The Busy Engineer’s Guide to Client-Side Encryption
Amazon Macie

5.2 Troubleshoot key management.

Verifying and Troubleshooting KMS Key Permissions – AWS .
Determining Access to an AWS KMS Customer Master Key – AWS Key …
Limits – AWS Key Management Service – AWS Documentation
Troubleshooting Key Signing Errors

5.3 Design and implement a data encryption solution for data at rest and data in transit.

How to Protect Data at Rest with Amazon EC2 … – AWS –
Encrypting Amazon RDS Resources – AWS Documentation
Encrypting Data at Rest ( non AWS BLOG )
Amazon Certificate Manager 
How to Encrypt and Decrypt Your Data with the AWS Encryption CLI
How to Address the PCI DSS Requirements for Data Encryption in Transit Using Amazon VPC
Architecture for HIPAA Compliance on AWS

The Full List of the Security, Compliance, and Identity Sessions, Workshops, and Chalk Talks at AWS re:Invent 2017

Based on Founder Ryan Kroonenburg’s Feeback on the Exam, I’ve added some more study links:

Cloud HSM FAQs
Cloud HSM AWS Documentation
Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)
Protecting Data Using Client-Side Encryption in S3
IAM Policies and Bucket Policies and ACLs! Oh, My!
Posted in AWS, AWS Certified Solutions Architect, Cloud Security, Cyber Security | Leave a comment

Know yourself – The Power of an accurate Security Inventory

With all of the security product blitz and focus on the newest and most shiny cool thing, there is one fundamental Security practice that must not be forgotten. It’s not sexy, you won’t find flashy posts about it with cool photobucket images of hackers in hoodies or shiny bank vault doors floating in the clouds.

This fundamental practice is keeping an accurate inventory of all of your assets. Simply put, you cannot defend what you don’t know you have. This falls clearly at the center of  of the Sun Tzu – Art of War philosophy of ‘Know Yourself’.

The concept of an Accurate Inventory is not just a list of servers and OS’s  -‘Accurate Inventory’ means…, well  – everything! What SSL certificates do your company own and when do they expire? What domain names does your company own? Do you have an accurate inventory of all your WAN and Internet circuits? Any older stuff, like ISDN, POTS lines, modems?  What about a comprehensive list of all 3rd party services to which your employees have accounts? Do you know all of your company’s non-RFC-1918 v4 and v6 addresses? BGP AS numbers? Do you have ALL of your company’s egress points and ingress points mapped out?

By mapping and documenting all of your assets, you can better defend them, you can see your company how the enemy sees your company, because you KNOW they are inventorying all of your company’s assets they can see. A strong inventory allows you to build the proper controls around the areas that need the most protection, whether that is a vulnerable server facing the internet, an old dialback-up POTs line or an extra internet circuit at a branch office –

It takes more than vendor products and cool dashboards to have a good Security Operations practice. Know yourself!

This is dedicated to my friends I saw Friday evening expressed their support and kindness. Thanks, guys!

Posted in Uncategorized | Leave a comment

us-central-1 ? A new AWS Central Region in Colorado?

From time to time I see jobs pop up on my LinkedIn that are targeted to me by machine intelligence looking at my profile and probably some secret LinkedIn algorithm sauce. The one below one caught my eye for a few reasons (and applying is NOT one of them, so if my boss is reading this – don’t freak out ), First, the job below hints at the possibility of a new  AWS DataCenter in Colorado,  as the job is a Data Center Technician with location ‘Denver’.  AWS needs central region in the United States and Colorado is a great place for that. Another possibility, maybe not a public region, is the Data Center could be for govcloud, since Government Clearance is mentioned? A possibility that all AWS Data Center Techs need this clearance regardless? The other obvious, less likely alternative is they are recruiting talent here in Denver for another region or govcloud.

The second part about the job description that caught my eye is how much training is needed for this role! You have to train for 6 -12 months before relocation to your permanent ‘data center’. It is no wonder AWS is leading the field in Cloud Services if they are investing THAT MUCH TIME in training their Data Center Techs. Spectacular.


Posted in AWS | Leave a comment

Why I let my CheckPoint CCSA Expire
























CheckPoint won’t stop emailing me about my expired Certification!  This is the third email I have received from them in 90 days. I wonder how many I will get . . . ?  The email inspired me to write this quick blog on why consciously I chose to let it expire after working so hard to get it .

At the time I certified, I was working for a company that had CheckPoint Firewalls deployed everywhere and I did the certification as a means to add to my knowledge as well as add the most value to my employer at that time – you know,  be the best I could be for them. I liked working on their Firewalls; and as a stand-alone product, CheckPoint Firewalls are solid.

Today, it is not just that I do not work for that employer anymore, but the world has changed. Taking the lengthy hours/days/weeks/months to study and specialize in a single vendor’s hardware-box solution does not seem to make sense to me. The concept of a single Firewall deployed at the choke-point of a network seems to be an Architecture that is fading into the past. Although CheckPoint does now have a Cloud SaaS Solution , the latest CCSA exam appears to still focus on R80 of GAIA and CheckPoint hardware Gateways.  I am certain CheckPoint hardware is still used by many of the Fortune 500 – 100 and the hardware will remain significant for at least a few more years.  CheckPoint, like many hardware vendors, are trying hard to get their footprint in the Cloud and stay relevant.

Looking at CheckPoint’s main website, it’s hard to tell what they are trying to be now or where their focus is, other than the “all-things-to-all-people” approach.  The CheckPoint  Training and Certification site definitely indicates they are still focused on their hardware…. and specialized hardware does not appear to align with the direction in which the Security industry is  presently unfolding. Combine that with the fact that CCSA Certification books and training material is notoriously hard to find and the official training courses are too expensive, I felt that it was simply not worth the effort to renew my CheckPoint CCSA Certification.



Posted in CheckPoint | Leave a comment

AWS Guard Duty Automation: Using Lambda to shut down a compromised instance

After getting a working CloudWatch Rule that would actually generate SNS events for GuardDuty all medium and high alerts – the work was not done. SNS by itself is not enough, still requires a human to go in and do something [stop the compromised instance].

AWS gives us the grand opportunity to automate so much of this!  I looked around for examples to see if anyone had done this and found some bits and pieces on the web and got a nice python 2.7 script working; one where I was actually able to a repeat a successful result again and again and again.

Here is the Lambda function on my GitHub that will parse the instance-id from the GuardDuty CloudWatch Rule and then initiate a stop on that instance.  Furthermore, it will tag the instance by modifying the Name value like so:


So, if you use it with my CloudWatch Rule for only alerting on Medium and High events, you can have high confidence that it will only stop actual compromised instances; and not ones that are just being port scanned. 🙂 Be sure to add both SNS and the Lambda function as TARGETS to the CloudWatch Rule!

This way, your automated security is working for you 24/7 and your remediation time of a compromised instance will usually be < 5 min! + you’ll get an email or text.

TESTING – You can test the script like so: Spin up an instance and then grab the instance-id. Get the JSON text of a sample GuardDuty event. In Lambda, in [ Configure TEST events ] in the event template, you can pick [ CloudWatch Logs ] and then you paste in your sample Guard Duty Event into the text box, but replace the ‘instance-id’ field with the instance-id of the instance you just spun up. Replace the region data as well if you are operating in a different region than the sample alert, then click TEST.

I hope this helps you!

Posted in AWS, Lambda, Uncategorized | Leave a comment

Passed AWS Solutions Architect Pro Exam!

Very happy to share!   Obliviously, no specifics can be shared due to the exam NDA, but I can recommend topics you should study and give my thoughts here.  I also had an ‘event’ in the middle of the exam where the testing computer I was on somehow disconnected form the internet and stopped me cold in my tracks half way through, but I’ll talk about that more later.

To study for this, to start – I consider myself blessed to currently be doing a lot of work in AWS now,  and get hours of hands-on everyday in my current role.

As always, a HUGE shout-out to Ryan Kroonenburg and the AWS Professional course. By far the BEST training material out there!  Material is spot on! Repetition is key, and Ryan is great to listen to just about anywhere.

I used published talks on AWS ReInvent 2017 from YouTube. I leveraged vBooks PDF reader on my iphone to help me listen to all of the AWS WhitePapers.

It felt like I was hit particularly hard on OpsWorks, VPC Direct Connect Routing, Storage, IAM and DR. The exam seemed outdated, for instance, there were questions about IDS/ IPS configuration that did not mention GuardDuty, which was announced six months ago… or the new EC2 instance types..

The Architect Professional Exam does a good job of measuring knowledge; but I found some of the quality of the questions to be in need of work. I get they can’t be straight forward, but as an Architect in real life, choosing appropriate solutions for customers doesn’t match well some of the incomplete and intentionally illusive question material I had to navigate today. What I am saying is that, although the exam does a good job testing knowledge of which solutions are used where / or which not to use ( anti-patterns ), the exam does not really test how well you can actually put this stuff together and make it work. That’s a gap in my mind.

AWS itself is in a unique position to disrupt the multiple choice question (MCQ) format and allow the exam taker to be tested on actual skill because AWS does not rely on hardware. Think about it… what if you could actually use AWS during the exam to build something?  I believe the interview process for a Solutions Architect at AWS already incorporates this kind of thing… Candidates are given instructions to build a small DataCenter in AWS with some config specifics – and then you show them the outcome.  Why not have the exam mirror more of a hands-on style like this proctored exam center and you have instructions and a time limit? MCQ makes sense for the Associate level, but I think AWS can do great things here and really up the bar!

Ok – now I’ll tell you about the scary thing that happened in the middle of my exam. I was about half-way through, contemplating possible answers to a question when  all of the sudden, (without any interaction from me),  the screen went white and a little box popped up saying that this computer had lost connection to the internet. Only option was an exit button. I went and got the proctor and he actually had to exit the exam and re-start it…, ( a total of about five minutes ) but… the state of the exam was saved! When I got back in, I was right where I left off!! Although I was happy,  I was thrown off a little by this, and found myself rushing through the second half of the exam in case it happened again. Got back in the groove, slowed down a bit and finished! So, kudos to AWS for ensuring their Exams save state during the test. ( highly durable 🙂  )

Last thought, Recommend picking up practice questions where you can. I actually bought the AWS practice questions from AWS training site and found that it only allowed me to do a single attempt, 40 questions.  Not a great value – but all practice questions help.

If I think of anything else, I’ll update this page. I hope something here was useful to you!


Posted in Uncategorized | Leave a comment