Cloud Security @ Netflix

•

4 likes•1,814 views

Jason Chan presented on adapting security practices for modern cloud-native software environments. He discussed how Netflix leverages AWS services like IAM, security groups, and CloudTrail to securely manage access, inventory assets, and monitor configuration changes at scale. Chan also emphasized the importance of visibility through discovery, risk prioritization, and multi-layer security testing integrated into the development pipeline. Monitoring configurations and detecting anomalies was highlighted as important for cloud security.

Cloud&Security&@&Ne0lix
Adap%ng(Security(for(Modern(So4ware
Jason&Chan
chan@ne'lix.com.:.@chanjbs
Sea$le&AWS&Architects&&&Engineers

Me
Current:(Ne*lix(Security
Product,)app,)ops,)infra,)corp,)fraud,)privacy,)abuse,)IR
Previous:
Infosec(@(VMware,(consul2ng:(@stake,(iSEC(Partners

14m$users$in$1+$year
150m%photos
3"engineers

14m$users$in$1+$year
150m%photos
3"engineers
$1B$acquisi+on$by$FB

Create&a&user&account
Inventory)your)systems

Create&a&user&account
Inventory)your)systems
Update'a'firewall'config

Create&a&user&account
Inventory)your)systems
Update'a'firewall'config
Make%a%forensic%image

Create&a&user&account
Inventory)your)systems
Update'a'firewall'config
Make%a%forensic%image
Disable(a(MFA(token

CreateUser()
DescribeInstances()
AuthorizeSecurityGroupIngress()
CreateSnapshot()
Deac%vateMFADevice()

Open%ELB%Example
1. Dump'list'of'ELBs'with'listeners
2. Connect'to'ELBs'from'arbitrary'Internet'IP
3. Evaluate'status'code'(200/300'or'403)
4. Compare'results'against'expected
5. Fix'anomalies,'educate'engineers,'and'update'expected'(manual)'

Knowing'the'Environment'/'Takeaways
Tailor'discovery'to'rate'of'change
Think&about&normaliza0on&of&discovery&data

Risk%Priori)za)on%-%Takeaways
What%is%measurable?%(objec3vely)
Use$as$an$input,$not$law

Mul$%Layer+Security+Tes$ng+%+Takeaways
What%conversa-ons%can%you%avoid?
Is#there#a#pyramid#you#can#leverage?

${ "Records": [{ "eventVersion": "1.0", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accessKeyId": "EXAMPLE_KEY_ID", "accountId": "123456789012", "userName": "Alice" }, "eventTime": "2014-03-06T21:22:54Z", "eventSource": "ec2.amazonaws.com", "eventName": "StartInstances", "awsRegion": "us-west-2", "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2", "requestParameters": { "instancesSet": { "items": [{ "instanceId": "i-ebeaf9e2" }] } },$

"responseElements": {
"instancesSet": {
"items": [{
"instanceId": "i-ebeaf9e2",
"currentState": {
"code": 0,
"name": "pending"
},
"previousState": {
"code": 80,
"name": "stopped"
}
}]
}
}
},
... additional entries ...
]
}

Trusted(Advisor
Checks'config'vs.'best'prac3ces

What%instance%has%a%given%public%IP?
$ curl "http://edda/api/v2/view/instances;publicIpAddress=1.2.3.4;_since=0"
["i-0123456789","i-012345678a","i-012345678b"]

What%is%the%most%recent%change%to%a%security%
group?
$ curl "http://edda/api/v2/aws/securityGroups/sg-0123456789;_diff;_all;_limit=2"

$$ curl "http://edda/api/v2/aws/securityGroups/sg-0123456789;_diff;_all;_limit=2" --- /api/v2/aws.securityGroups/sg-0123456789;_pp;_at=1351040779810 +++ /api/v2/aws.securityGroups/sg-0123456789;_pp;_at=1351044093504 @@ -1,33 +1,33 @@ { "class" : "com.amazonaws.services.ec2.model.SecurityGroup", "description" : "App1", "groupId" : "sg-0123456789", "groupName" : "app1-frontend", "ipPermissions" : [ { "class" : "com.amazonaws.services.ec2.model.IpPermission", "fromPort" : 80, "ipProtocol" : "tcp", "ipRanges" : [ "10.10.1.1/32", "10.10.1.2/32", + "10.10.1.3/32", - "10.10.1.4/32" ], "toPort" : 80, "userIdGroupPairs" : [ ] } ], "ipPermissionsEgress" : [ ], "ownerId" : "2345678912345", "tags" : [ ], "vpcId" : null }$

Configura)on*Monitoring*.*Takeaways
Config&changes&have&a&con-nuum&of&safety
Find%ways%to%observe%and%differen1ate

AWS$Security$Resources
h"p://&ny.cc/awssecurity

What's hot

Amazon Web Services Security

Jason Chan

Jason Chan gave a presentation on AWS security at SAINTCON 2014. He began with an overview of typical AWS setups and then focused on three main areas: shared responsibility between AWS and customers, access controls and permissions, and account segregation. For each area, he provided tips on best practices as well as potential security traps to avoid. He also discussed tools for monitoring AWS security configurations and activity, such as CloudTrail, Trusted Advisor, and the Edda service created at Netflix.

대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016

Amazon Web Services Korea

1. The document demonstrates how to use various AWS services like Kinesis, Redshift, Elasticsearch to analyze streaming game log data. 2. It shows setting up an EC2 instance to generate logs, creating a Kinesis stream to ingest the logs, and building Redshift tables to run queries on the logs. 3. The document also explores loading the logs from Kinesis into Elasticsearch for search and linking Kinesis and Redshift with Kinesis Analytics for real-time SQL queries on streams.

(SEC202) Closing the Gap: Moving Critical, Regulated Workloads to AWS | AWS r...

Amazon Web Services

AWS provides a number of tools and processes to help you decide when and how to move audited, regulated, and critical business data to the cloud. In this session, we answer the following questions: when is it time for you to make this significant move? When will you be ready to address industry best practices for control (including third-party audits, access control configurations, incident response, data sovereignty, and encryption). We discuss how some highly regulated AWS customers have addressed the challenges that legacy regulatory requirements present to partners, vendors, and customers in migrating to the AWS Cloud. Finally, we cover general trends we're seeing in several regulated industries leveraging AWS and the trends we're seeing from the regulators themselves who audit and accept AWS control environments.

(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014

Amazon Web Services

This document summarizes a talk on building AWS partner applications using IAM roles. It discusses using the AssumeRole API to access AWS resources across accounts with temporary credentials instead of long-term access keys. It also covers using an external ID parameter to prevent confused deputy attacks by verifying the account being accessed belongs to the user. The document provides code samples and recommends architectures that use least privilege and isolate privileged instances.

(DEV306) Building Cross-Platform Applications Using the AWS SDK for JavaScrip...

Amazon Web Services

JavaScript is the ubiquitous runtime for browser code, and the popularity of Node.js as a server-side platform continues to grow. The AWS SDKs for Node.js and JavaScript in the Browser enable you to call AWS services from either platform. In this talk, we demonstrate the portability of the SDK by building a Node.js web app and then porting the code to run as a browser extension. In the process, you'll learn about a number of the productivity features included in these SDKs.

Security Day IAM Recommended Practices

Amazon Web Services

The document provides best practices for using AWS Identity and Access Management (IAM) to control access to AWS resources. It recommends 10 steps for basic user and permission management including creating individual users, granting least privilege, using groups, and restricting privileged access. It also recommends steps for credential management like rotating credentials regularly and enabling multi-factor authentication. The document discusses using IAM roles to delegate access and share permissions across accounts or with EC2 instances. It provides examples of when to use IAM users versus federated users and AWS access keys versus passwords.

(SEC316) Harden Your Architecture w/ Security Incident Response Simulations

Amazon Web Services

Using Security Incident Response Simulations (SIRS--also commonly called IR Game Days) regularly keeps your first responders in practice and ready to engage in real events. SIRS help you identify and close security gaps in your platform, and application layers then validate your ability to respond. In this session, we will share a straightforward method for conducting SIRS. Then AWS enterprise customers will take the stage to share their experience running joint SIRS with AWS on their AWS architectures. Learn about detection, containment, data preservation, security controls, and more.

AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...

Amazon Web Services

It is critical to maintain strong identity and access policy to prevent unexpected access to your resources for whatever applications you are running on AWS. It is equally important to track and alert on changes being made to your AWS resources. In this webinar, you will learn about the different ways you can use AWS Identity and Access Management (IAM) to control access to your AWS services and integrate your existing authentication system with AWS IAM. We will cover how you can deploy and control your AWS infrastructure using code templates, including change management policies with AWS CloudFormation. In addition, we will explore different options for managing both your AWS access logs and your Amazon Elastic Compute Cloud (EC2) system logs using Amazon CloudWatch Logs. We will also cover how to use these logs to implement an audit and compliance validation process using services such as AWS Config, AWS CloudTrail, and Amazon Inspector. Learning Objectives: • Understand the AWS Shared Responsibility Model. • Understand AWS account and identity management options and configuration. • Learn the concept of infrastructure as code and change management using CloudFormation. • Learn how to audit and log your AWS service usage. • Learn about AWS services to add automatic compliance checks to your AWS infrastructure. Who Should Attend: • IT administrators, architects, and security engineers, or anyone interested in controlling access to AWS resources, deploying infrastructure on AWS, or performing compliance checks on their infrastructure

AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Inven...

Amazon Web Services

Customers using AWS resources such as EC2 instances, EC2 Security Groups and RDS instances would like to track changes made to such resources and who made those changes. In this session, customers will learn about gaining visibility into user activity in their account and aggregating logs across multiple accounts into a single bucket. Customers will also learn about how they can use the user activity logs to meet the logging guidelines/requirements of different compliance standards. AWS Advanced Technology Partners Splunk/Sumologic (exact partners TBD) will demonstrate applications for analyzing user activity within an AWS account.

AWS APAC Webinar Week - Securing Your Business on AWS

Amazon Web Services

Become an IAM Policy Ninja

Amazon Web Services

This document provides an overview of becoming an expert at using IAM policies to control access to AWS resources. It discusses the key components of IAM policies including principals, actions, resources, and conditions. It also covers best practices for authoring, testing, and debugging policies. The document demonstrates how to create a policy that allows launching EC2 instances in specific regions and of specific types. It also shows how to decode the EC2 authorization message to help debug access issues.

Crypto Options in AWS

Amazon Web Services

This document discusses encryption options available in AWS. It begins by describing the cryptographic concepts of keys, algorithms, and data, as well as encryption in transit versus encryption at rest. It then provides details on encryption options for network infrastructure, VPC gateways, regions, availability zones, and elastic instances. Encryption at rest options for S3, EBS, Redshift, RDS, and other services are also covered. The document concludes by discussing the AWS Key Management Service and how various SafeNet products integrate with AWS services to provide encryption.

Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...

Amazon Web Services

AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...

Amazon Web Services

Are you interested in learning how to control access to your AWS resources? Have you ever wondered how to best scope down permissions to achieve least privilege permissions access control? If your answer to these questions is "yes," this session is for you. We take an in-depth look at the AWS Identity and Access Management (IAM) policy language. We start with the basics of the policy language and how to create and attach policies to IAM users, groups, and roles. As we dive deeper, we explore policy variables, conditions, and other tools to help you author least privilege policies. Throughout the session, we cover some common use cases, such as granting a user secure access to an Amazon S3 bucket or to launch an Amazon EC2 instance of a specific type.

(DVO304) AWS CloudFormation Best Practices

Amazon Web Services

"AWS CloudFormation lets you model, provision, and update a collection of AWS resources with JSON templates. You can manage your Infrastructure as Code and deploy stacks from a single Amazon EC2 instance to multi-tier applications. In this session, we will explore CloudFormation best practices in planning and provisioning your AWS infrastructure. We will cover recent product updates that will help users to make the most of this service and demonstrate new features. This session will benefit both new and experienced users of CloudFormation. If you are new to AWS CloudFormation, get up to speed for this session by completing the Working with CloudFormation lab in the self-paced Labs Lounge. "

AWS January 2016 Webinar Series - Managing your Infrastructure as Code

Amazon Web Services

In this session, you will learn how you can provision, configure, and manage your infrastructure using code and treat it just like your application code. We will discuss the AWS services that enable these practices (AWS CloudFormation, AWS OpsWorks, and AWS CodeDeploy) and that allow you to control everything from Amazon VPCs and AWS Identity and Access Management to the configuration of individual applications on a single host. We’ll also talk about on-going management, how to best update your resources, and which tools are best suited for AWS resource management and host-based configuration management. Learning Objectives: Understand Infrastructure as Code Understand the AWS services that help you manage your infrastructure as code Discover best practices for managing your AWS infrastructure, host configuration, and applications Who Should Attend: DevOps Engineers, IT Professionals, Systems Administrators, Architects, Operations Professionals, Developers

Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017

Amazon Web Services

Are you interested in becoming an expert in managing access to your AWS resources? Have you ever wondered how to best scope down permissions for least privilege access? Do you have multiple AWS accounts and need to know how to manage access to resources centrally? In this session, we take an in-depth look at AWS Identity and Access Management (IAM) and AWS Organizations. You will learn how to quickly create IAM policies to manage fine-grained access to your resources. Throughout the session, we will cover common use cases, such as how to grant a user access to an Amazon S3 bucket or permissions to launch an Amazon EC2 instance of a specific type. You will also learn how to create and use Service Control Policies (SCPs) through Organizations to manage AWS service use across all your accounts centrally.

Containers and the Evolution of Computing

Amazon Web Services

Increasingly, developers are breaking their applications apart into smaller components and distributing them across a pool of compute resources. Docker is fast becoming a core component of these architectures, but going from a single or a small number of containers to a distributed application is not trivial. In this session we will talk about some of the core architectural principles underlying the Amazon EC2 Container (ECS) and how they are designed to help you scale your applications and run them in production. We will talk about how containers can be used as the foundation for new computing primitives and how these are being used by our customers for increased agility and productivity.

(SEC404) Incident Response in the Cloud | AWS re:Invent 2014

Amazon Web Services

This document discusses Amazon Web Services (AWS) security configuration and tools. It provides AWS configuration options like Amazon S3, EC2, VPC, IAM, RDS and Elastic Beanstalk. It also discusses security groups, users, credentials and accessing AWS resources. The document shares links to AWS security documentation and best practices. It includes a demonstration of using forensic tools like Volatility on a Linux EC2 instance memory capture to analyze processes, network configuration and loaded kernel modules.

Security and Compliance

Amazon Web Services

This document discusses security and compliance when using AWS. It makes three main points: 1. AWS and customers share responsibility for security, with AWS managing security of the cloud infrastructure and customers responsible for security in their use of AWS services. 2. AWS provides security tools and features that customers can use to protect their cloud resources and data. Customers can architect for security and follow security best practices. 3. AWS offers certifications and assurance programs to help customers meet various compliance standards and regulations.

What's hot (20)

Amazon Web Services Security

대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016

(SEC202) Closing the Gap: Moving Critical, Regulated Workloads to AWS | AWS r...

(SEC403) Building AWS Partner Applications Using IAM Roles | AWS re:Invent 2014

(DEV306) Building Cross-Platform Applications Using the AWS SDK for JavaScrip...

Security Day IAM Recommended Practices

(SEC316) Harden Your Architecture w/ Security Incident Response Simulations

AWS March 2016 Webinar Series - Best Practices for Managing Security Operatio...

AWS CloudTrail to Track AWS Resources in Your Account (SEC207) | AWS re:Inven...

AWS APAC Webinar Week - Securing Your Business on AWS

Become an IAM Policy Ninja

Crypto Options in AWS

Top 10 AWS Identity and Access Management (IAM) Best Practices (SEC301) | AWS...

AWS re:Invent 2016: Become an AWS IAM Policy Ninja in 60 Minutes or Less (SAC...

(DVO304) AWS CloudFormation Best Practices

AWS January 2016 Webinar Series - Managing your Infrastructure as Code

Becoming an AWS Policy Ninja using AWS IAM - AWS Summit Tel Aviv 2017

Containers and the Evolution of Computing

(SEC404) Incident Response in the Cloud | AWS re:Invent 2014

Security and Compliance

Viewers also liked

Practical Security Automation

Jason Chan

This document discusses various techniques for improving security automation and visibility, including discovering and inventorying assets, prioritizing risks, performing multi-layer security testing, monitoring configurations, discovering and handling security intelligence, and refining security signals and response. Key recommendations include tailoring discovery to the rate of change, considering data normalization, using risk prioritization as an input not a law, avoiding certain conversations, leveraging security testing pyramids, recognizing a continuum of configuration safety, developing an intelligence taxonomy, and starting small with signal refinement and response automation.

Careers in Security

Jason Chan

Jason Chan leads the cloud security team at Netflix and previously worked in security at large tech companies and startups. The document discusses trends in security hiring, including an increasing demand for security professionals at companies to build their own teams, security vendors, startups, and consulting firms. It describes the types of work in security including defensive and offensive roles, and provides an overview of the security organization and roles at Netflix.

The Psychology of Security Automation

Jason Chan

The document discusses opportunities for automating security processes to improve relationships between developers and security teams. It describes developer-facing tools like Lemur for SSL certificate management. It also discusses tools for developer-security collaboration like Rollie Pollie for permissions management in AWS via chatops. Internal security automation tools like Dirty Laundry are discussed that use a Unix-like approach to run security scans and analyses. The takeaways emphasize leveraging the development ecosystem, learning from shared history, using engineering-native workflows, and integrating security ubiquitously while improving other characteristics.

Splitting the Check on Compliance and Security

Jason Chan

1) Developers prioritize speed and innovation while auditors focus on compliance and predictability. The resolution is adopting tools like Spinnaker that provide traceability in development pipelines to satisfy both groups. 2) Tools like Penguin allow continuous monitoring of application security risks across microservices rather than one-time assessments. 3) Compartmentalization through practices like tokenization and microservices limits the impact of breaches by restricting access on a need-to-know basis.

Defending Netflix from Abuse

Jason Chan

1. Jason Chan is the Engineering Director of Cloud Security at Netflix, which has over 86 million members streaming over 125 million hours of content per day across 190 countries. 2. Netflix faces abuse in the form of account takeovers and free trial fraud, where adversaries try to obtain accounts without paying in order to resell them or use them as bait. 3. Netflix employs various controls including device fingerprinting, payments validation, account behavior analysis, and credential checking to detect and disable fraudulent accounts within the free trial period to reduce opportunities for abuse.

Practical Cloud Security

Jason Chan

The document discusses Netflix's move to cloud computing using Amazon Web Services. It outlines Netflix's model-driven deployment architecture in the cloud, including using ephemeral nodes, dynamic scaling, orchestration over manual steps, and making environments easy to clone. It also discusses Netflix's build and deployment process involving continuous integration, binary repositories, and application-specific packages and configurations.

Resilience and Compliance at Speed and Scale

Jason Chan

The document discusses Netflix's approach to resilience and compliance at scale through automation. It describes common traditional controls like change approval boards and centralized deployments that don't work for Netflix given its culture of freedom and responsibility and need for rapid innovation. Netflix uses automated "Simian Army" monkeys like Chaos Monkey that cause random failures to test resilience. It also uses tools giving visibility into who made changes and their testing/approval to achieve compliance objectives in a decentralized way without slowing innovation.

From Gates to Guardrails: Alternate Approaches to Product Security

Jason Chan

1. Jason Chan, an engineering director at Netflix, gave a presentation about product security approaches at Netflix. 2. Netflix has an agile development culture with over 200 daily production pushes across 1000+ supported devices in 40 countries. This results in a need for security approaches that can handle Netflix's scale and speed. 3. Netflix employs approaches like visibility into security-related data, automation through over 1000 tests, and an immutable server pattern to enable security in their fast-paced, cloud-based environment.

Viewers also liked (8)

Practical Security Automation

Careers in Security

The Psychology of Security Automation

Splitting the Check on Compliance and Security

Defending Netflix from Abuse

Practical Cloud Security

Resilience and Compliance at Speed and Scale

From Gates to Guardrails: Alternate Approaches to Product Security

Similar to Cloud Security @ Netflix

Secure Coding For Java - Une introduction

Sebastien Gioria

The document provides an introduction to secure coding in Java. It discusses the Open Web Application Security Project (OWASP) and its mission to improve software security. It then covers 10 simple principles for writing secure code, such as input validation, output encoding, and parameterized queries. Examples of SQL injection and LDAP injection vulnerabilities are shown, along with ways to avoid them through parameterization and input sanitization. The importance of using security mechanisms from trusted libraries rather than reimplementing them is also stressed.

Amazon Web Services for PHP Developers

Jeremy Lindblom

Amazon Web Services and the AWS SDK for PHP continue to put more power into the hands of PHP developers to build robust and scalable web applications. With version 2 of the SDK, developers now have an even more powerful library for interacting with AWS built on top of existing open source software like the Guzzle HTTP framework and the Symfony 2 Event Dispatcher. In this session you will learn about Amazon Web Services, how to use the AWS SDK for PHP, and how you can easily deploy and scale your applications to the cloud with AWS services, including AWS Elastic Beanstalk.

Elasticsearch sur Azure : Make sense of your (BIG) data !

Microsoft

The document is a presentation about using Elasticsearch on Azure. It introduces Elasticsearch and its features like scalability, plug and play functionality, and REST/JSON interface. It demonstrates how to deploy Elasticsearch on Azure by using unicast discovery across virtual machines or by using an Azure cloud plugin. It also shows how to scale out Elasticsearch on Azure by starting additional nodes and discusses using Elasticsearch to analyze big data on Azure.

Elasticsearch in 15 Minutes

Karel Minarik

The document provides an overview of using Elasticsearch. It demonstrates how to install Elasticsearch, index and update documents, perform searches, add nodes to the cluster, and configure shards and clusters. It also covers JSON and HTTP usage, different search types (terms, phrases, wildcards), filtering and boosting searches, and the JSON query DSL. Faceted searching is demonstrated using terms and terms_stats facets. Advanced topics like mapping, analyzing, and features above the basic search capabilities are also briefly mentioned.

Asterisk, HTML5 and NodeJS; a world of endless possibilities

Dan Jenkins

This document discusses using NodeJS and HTML5 to build real-time applications that integrate with Asterisk. It describes how Holiday Extras built a customer relationship management system using these technologies to allow customer lookups and call control directly from a web browser. Code examples are provided to connect a NodeJS server to Asterisk via AMI and send commands. This allows actions like making calls between SIP extensions to be triggered by clicking buttons in an HTML page.

AWS IoT Core Workshop (IOT305-R1) - AWS re:Invent 2018

Amazon Web Services

Get hands on with the main components of AWS IoT Core. You will learn how to connect and manage your devices, secure device connections and data, process and act upon device data, and read and set device state at any time. You will see how the Device Gateway serves as the entry point for IoT devices connecting to AWS. The Device Gateway supports the MQTT, WebSockets, and HTTP 1.1 protocols. You will work with the high throughput Message Broker to securely transmit messages to and from all of your IoT devices and applications. The flexible nature of the Message Broker’s topic structure allows you to send messages to, or receive messages from, as many devices as you would like. It supports messaging patterns ranging from one-to-one command and control messaging, to one-to-one million (or more!) broadcast notification systems. You will set up the Registry to track device attributes and metadata and create a persistent, virtual version of each device known as the Device Shadow. Finally, you will explore the Rules Engine to author rules within the management console or write rules using a SQL-like syntax. Join us if you are a cloud architect, device engineer, software developer, or firmware engineer.

Grokking Engineering - Data Analytics Infrastructure at Viki - Huy Nguyen

Huy Nguyen

This document outlines Viki's analytics infrastructure, including data collection, storage, processing, and visualization. It discusses collecting behavioral data from various sources and storing it in Hadoop. Data is centralized, cleaned, transformed, and loaded into a PostgreSQL data warehouse for analysis. Real-time data is processed using Apache Storm and visualized on dashboards and alerts. Technologies used include Ruby, Python, Java, Hadoop, Hive, and Amazon Redshift for analytics and PostgreSQL, MongoDB, and Redis for transactional data.

Getting Started with AWS IoT - IOT203 - re:Invent 2017

Amazon Web Services

In this workshop, we explore features and functions of the AWS IoT service. We start out by covering the AWS ecosystem as it relates to IoT. Next, we cover the AWS IoT service in greater detail, review some best practices for IoT solutions, and look at some common architectural patterns. With this foundation in place, we explore the AWS IoT service hands on with an IoT device and accompanying lab exercises. To get the most out of this workshop you need to have an AWS account created before the workshop begins. You should also bring a laptop so you can connect to the IoT device and perform the workshop lab exercises.

IOT203_Getting Started with AWS IoT

Amazon Web Services

Micro app-framework - NodeLive Boston

Michael Dawson

This document describes a framework for building and launching micro-apps using Node.js, Electron, and Cordova. It discusses using Node.js to build single-page apps and a server, and leveraging Electron and Cordova to package the apps for desktop and mobile respectively. Code samples show how to configure, authenticate, and launch multiple micro-apps from a single interface on different platforms.

Micro app-framework

Michael Dawson

This document describes a framework for building and launching micro-apps using Node.js, Electron, and Cordova. It discusses using Node.js to build single-page apps and a server, and leveraging Electron and Cordova to deploy the apps as desktop and mobile applications respectively. Code samples are provided for configuring, building, and launching multiple micro-apps from a single application window on different platforms.

The Enterprise Architecture you always wanted: A Billion Transactions Per Mon...

Thoughtworks

The document describes an enterprise architecture for a telecoms service provider that was struggling with scalability and system resilience issues. A previous consultancy had proposed a complex and expensive solution, but ThoughtWorks was tasked with delivering the same capabilities more cheaply. They prioritized building a storage manager service to offload storage responsibilities from the integration database. This improved performance and allowed other parts of the system to be simplified, delivering business value by resolving customers' issues.

Rapid Infrastructure Provisioning

Uchit Vyas ☁

This is the story of a company that had 10s of customers and were facing severe scaling issues. They approached us. They had a good product predicting a few hundred customers within 6 months. VCs went to them. Infrastructure scaling was the only unknown; funding for software-defined data centers. We introduced Terraform for infrastructure creation, Chef for OS hardening, and then Packer for supporting AWS as well as VSphere. Then, after a few more weeks, when there was a need for faster response from the data center, we went into Serf to immediately trigger chef-clients and then to Consul for service monitoring. Want to describe this journey. Finally, we did the same exact thing in at a Fortune 500 customer to replace 15 year-old scripts. We will also cover sleek ways of dealing with provisioning in different Availability Zones across various AWS regions with Terraform.

[Coscup 2012] JavascriptMVC

Alive Kuo

This document discusses JavascriptMVC, an alternative Javascript MVC framework to BackboneJS. It provides an overview of JavascriptMVC's features such as MIT licensing, clear documentation, and providing an almost total solution for building web applications. Potential pros include the licensing, documentation, and comprehensive features. Potential cons include it being less well known and having fewer online resources than BackboneJS in Taiwan. Examples of how it handles classes, CSS, data loading/validation, and views are also provided.

Running Vue Storefront in production (PWA Magento webshop)

Vendic Magento, PWA & Marketing

A Progressive Web Application has a lot of advantages compared to a traditional website. A PWA is user-friendly, increases customer loyalty and conversions. Curious how PWA looks like in real-life?. Curious how PWA looks like in real-life? Check out Dutch’s first PWA (Vue Storefront + Magento 2) webshop, a scoop in e-commerce land! Vendic presents Meubelplaats.nl A webshop in need of renovation, with a back-end that didn’t meet the requirements and demands of Meubelplaats. They trusted Vendic to develop their new webshop as a PWA. And behold! A smarter, faster website with the look & feel of an app, but with a powerful Magento 2 engine.

What Is Happening At The Edge

Amazon Web Services

This document discusses how IT architectures are evolving to optimize for edge computing needs like latency, bandwidth, and connectivity. It introduces Amazon Web Services edge services like AWS Lambda, AWS Greengrass, AWS IoT, and Amazon CloudFront that allow distributing compute and custom logic closer to end users and devices. These services enable developing and running applications offline on IoT gateways and responding to local events in real-time while also connecting devices securely to the cloud.

fog or: How I Learned to Stop Worrying and Love the Cloud

Wesley Beary

Re:inventing EC2 Instance Launches with Launch Templates - SRV335 - Chicago A...

Amazon Web Services

Launch templates enable you to define a configuration, persist it, and reuse it later across many Amazon EC2 offerings and API operations. In this chalk talk, we investigate launch templates, and we address their various scenarios and use cases. We also explore how to use them with Amazon EC2 RunInstances, Spot Fleet, and automatic scaling API operations. With launch templates, we are truly reinventing Amazon EC2. Come join us and learn how you can benefit from launch templates.

Crossing the Bridge: Connecting Rails and your Front-end Framework

Daniel Spector

1. The document discusses integrating front-end frameworks like Angular, Ember, and React with Rails by constructing JSON APIs, preloading data to avoid loading screens, and server-side rendering for SEO and performance. 2. It provides code examples for building a TODO application with each framework, including using ngResource and factories in Angular, Ember conventions like Ember Data, and building isolated React components. 3. Server-side rendering is highlighted as the future for isomorphic JavaScript, providing benefits like prerendering on initial page load.

Prompt engineering for iOS developers (How LLMs and GenAI work)

Andrey Volobuev

Similar to Cloud Security @ Netflix (20)

Secure Coding For Java - Une introduction

Amazon Web Services for PHP Developers

Elasticsearch sur Azure : Make sense of your (BIG) data !

Elasticsearch in 15 Minutes

Asterisk, HTML5 and NodeJS; a world of endless possibilities

AWS IoT Core Workshop (IOT305-R1) - AWS re:Invent 2018

Grokking Engineering - Data Analytics Infrastructure at Viki - Huy Nguyen

Getting Started with AWS IoT - IOT203 - re:Invent 2017

IOT203_Getting Started with AWS IoT

Micro app-framework - NodeLive Boston

Micro app-framework

The Enterprise Architecture you always wanted: A Billion Transactions Per Mon...

Rapid Infrastructure Provisioning

[Coscup 2012] JavascriptMVC

Running Vue Storefront in production (PWA Magento webshop)

What Is Happening At The Edge

fog or: How I Learned to Stop Worrying and Love the Cloud

Re:inventing EC2 Instance Launches with Launch Templates - SRV335 - Chicago A...

Crossing the Bridge: Connecting Rails and your Front-end Framework

Prompt engineering for iOS developers (How LLMs and GenAI work)

More from Jason Chan

Resilience and Security @ Scale: Lessons Learned

Jason Chan

This document discusses Netflix's approach to security and resilience at scale. It notes that Netflix has moved nearly 99% of its operations to the cloud to gain availability and agility. Some key points: - Netflix relies heavily on automation rather than committees to evaluate architecture changes and standardized deployments. - The "Simian Army" includes tools like Chaos Monkey that cause intentional failures to test resilience, and Conformity Monkey to ensure adherence to patterns. - Security practices have adapted to the new environment, emphasizing integration, making secure options easy, and trusting but verifying controls. Base AMIs are tested like other packages.

Cloud Application Security: Lessons Learned

Jason Chan

Netflix provides concise summaries of its cloud application security practices: 1. Netflix emphasizes integrating security controls into its engineering processes and tools to make security practices easy and self-service. 2. Netflix focuses on making secure options the easiest options by building security features directly into common tools like its cryptographic library and single sign-on system. 3. Netflix balances trust and verification through automated security tools that monitor configurations and detect vulnerabilities, notifying engineers of any issues found.

Cloud Application Security: Lessons Learned

Jason Chan

Netflix runs nearly all of its services on AWS and has adapted its security practices to fit its cloud-native architecture and DevOps model. Key aspects of Netflix's approach include integrating security tools into the development workflow, making secure options easy to use through self-service tools, and employing automated verification tools to monitor configurations while still trusting developers. This balance of empowering developers while verifying their work helps security scale alongside Netflix's dynamic cloud environment.

Real World Cloud Application Security

Jason Chan

This document summarizes Jason Chan's presentation on real world cloud application security lessons learned from running large scale systems at Netflix. Some key points include: - Netflix has migrated nearly 99% of its infrastructure to the public cloud to take advantage of scalability and reduce costs of "undifferentiated heavy lifting". - Netflix uses autoscaling to dynamically scale the number of systems based on load, allowing servers to match load requirements and reducing costs. - Netflix developed a deployment pipeline to easily deploy code and configuration changes across thousands of systems without making changes to existing systems. - Security practices had to adapt to the cloud model, including managing vulnerabilities at the base AMI level, integrating security tools into the development pipeline, and standard

AWS Security: A Practitioner's Perspective

Jason Chan

This document summarizes a presentation given by Jason Chan on AWS security from a practitioner's perspective. The presentation covered AWS credentials and identifiers, AWS services, actions and resources, and controlling network traffic. It provided an overview of AWS security and some recommendations, but did not aim to be a comprehensive security guide or primer on general cloud security issues.

Cloud Security at Netflix

Jason Chan

Jason Chan is a cloud security architect at Netflix who discussed Netflix's approach to cloud security. Some key points include: (1) Netflix has developed a "cloud appropriate" security model that embraces automation, self-service, and tooling; (2) The cloud presents both security challenges around shared responsibility and advantages around visibility; and (3) Netflix's Security Monkey framework automates security monitoring and analysis through APIs. Regulatory compliance is also addressed through segmentation, access control, and leveraging tooling for auditability.

Virtualization: Security and IT Audit Perspectives

Jason Chan

More from Jason Chan (7)

Resilience and Security @ Scale: Lessons Learned

Cloud Application Security: Lessons Learned

Real World Cloud Application Security

AWS Security: A Practitioner's Perspective

Cloud Security at Netflix

Virtualization: Security and IT Audit Perspectives

Recently uploaded

Verti - EMEA Insurer Innovation Award 2024

The Digital Insurer

What's Next Web Development Trends to Watch.pdf

SeasiaInfotech2

How RPA Help in the Transportation and Logistics Industry.pptx

SynapseIndia

Calgary MuleSoft Meetup APM and IDP .pptx

ishalveerrandhawa1

this resume for sadika shaikh bca student

SadikaShaikh7

HTTP Adaptive Streaming – Quo Vadis (2024)

Alpen-Adria-Universität

Video traffic on the Internet is constantly growing; networked multimedia applications consume a predominant share of the available Internet bandwidth. A major technical breakthrough and enabler in multimedia systems research and of industrial networked multimedia services certainly was the HTTP Adaptive Streaming (HAS) technique. This resulted in the standardization of MPEG Dynamic Adaptive Streaming over HTTP (MPEG-DASH) which, together with HTTP Live Streaming (HLS), is widely used for multimedia delivery in today’s networks. Existing challenges in multimedia systems research deal with the trade-off between (i) the ever-increasing content complexity, (ii) various requirements with respect to time (most importantly, latency), and (iii) quality of experience (QoE). Optimizing towards one aspect usually negatively impacts at least one of the other two aspects if not both. This situation sets the stage for our research work in the ATHENA Christian Doppler (CD) Laboratory (Adaptive Streaming over HTTP and Emerging Networked Multimedia Services; https://athena.itec.aau.at/), jointly funded by public sources and industry. In this talk, we will present selected novel approaches and research results of the first year of the ATHENA CD Lab’s operation. We will highlight HAS-related research on (i) multimedia content provisioning (machine learning for video encoding); (ii) multimedia content delivery (support of edge processing and virtualized network functions for video networking); (iii) multimedia content consumption and end-to-end aspects (player-triggered segment retransmissions to improve video playout quality); and (iv) novel QoE investigations (adaptive point cloud streaming). We will also put the work into the context of international multimedia systems research.

Knowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches

Earley Information Science

In this follow-up session on knowledge and prompt engineering, we will explore structured prompting, chain of thought prompting, iterative prompting, prompt optimization, emotional language prompts, and the inclusion of user signals and industry-specific data to enhance LLM performance. Join EIS Founder & CEO Seth Earley and special guest Nick Usborne, Copywriter, Trainer, and Speaker, as they delve into these methodologies to improve AI-driven knowledge processes for employees and customers alike.

Cookies program to display the information though cookie creation

shanthidl1

Details of description part II: Describing images in practice - Tech Forum 2024

BookNet Canada

This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator. Link to presentation recording and transcript: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/ Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.

Performance Budgets for the Real World by Tammy Everts

ScyllaDB

Performance budgets have been around for more than ten years. Over those years, we’ve learned a lot about what works, what doesn’t, and what we need to improve. In this session, Tammy revisits old assumptions about performance budgets and offers some new best practices. Topics include: • Understanding performance budgets vs. performance goals • Aligning budgets with user experience • Pros and cons of Core Web Vitals • How to stay on top of your budgets to fight regressions

Implementations of Fused Deposition Modeling in real world

Emerging Tech

The presentation showcases the diverse real-world applications of Fused Deposition Modeling (FDM) across multiple industries: 1. **Manufacturing**: FDM is utilized in manufacturing for rapid prototyping, creating custom tools and fixtures, and producing functional end-use parts. Companies leverage its cost-effectiveness and flexibility to streamline production processes. 2. **Medical**: In the medical field, FDM is used to create patient-specific anatomical models, surgical guides, and prosthetics. Its ability to produce precise and biocompatible parts supports advancements in personalized healthcare solutions. 3. **Education**: FDM plays a crucial role in education by enabling students to learn about design and engineering through hands-on 3D printing projects. It promotes innovation and practical skill development in STEM disciplines. 4. **Science**: Researchers use FDM to prototype equipment for scientific experiments, build custom laboratory tools, and create models for visualization and testing purposes. It facilitates rapid iteration and customization in scientific endeavors. 5. **Automotive**: Automotive manufacturers employ FDM for prototyping vehicle components, tooling for assembly lines, and customized parts. It speeds up the design validation process and enhances efficiency in automotive engineering. 6. **Consumer Electronics**: FDM is utilized in consumer electronics for designing and prototyping product enclosures, casings, and internal components. It enables rapid iteration and customization to meet evolving consumer demands. 7. **Robotics**: Robotics engineers leverage FDM to prototype robot parts, create lightweight and durable components, and customize robot designs for specific applications. It supports innovation and optimization in robotic systems. 8. **Aerospace**: In aerospace, FDM is used to manufacture lightweight parts, complex geometries, and prototypes of aircraft components. It contributes to cost reduction, faster production cycles, and weight savings in aerospace engineering. 9. **Architecture**: Architects utilize FDM for creating detailed architectural models, prototypes of building components, and intricate designs. It aids in visualizing concepts, testing structural integrity, and communicating design ideas effectively. Each industry example demonstrates how FDM enhances innovation, accelerates product development, and addresses specific challenges through advanced manufacturing capabilities.

STKI Israeli Market Study 2024 final v1

Dr. Jimmy Schwarzkopf

Quantum Communications Q&A with Gemini LLM

Vijayananda Mohire

Blockchain and Cyber Defense Strategies in new genre times

anupriti

Explore robust defense strategies at the intersection of blockchain technology and cybersecurity. This presentation delves into proactive measures and innovative approaches to safeguarding blockchain networks against evolving cyber threats. Discover how secure blockchain implementations can enhance resilience, protect data integrity, and ensure trust in digital transactions. Gain insights into cutting-edge security protocols and best practices essential for mitigating risks in the blockchain ecosystem.

@Call @Girls Pune 0000000000 Riya Khan Beautiful Girl any Time

amitchopra0215

The Increasing Use of the National Research Platform by the CSU Campuses

Larry Smarr

UiPath Community Day Kraków: Devs4Devs Conference

UiPathCommunity

We are honored to launch and host this event for our UiPath Polish Community, with the help of our partners - Proservartner! We certainly hope we have managed to spike your interest in the subjects to be presented and the incredible networking opportunities at hand, too! Check out our proposed agenda below 👇👇 08:30 ☕ Welcome coffee (30') 09:00 Opening note/ Intro to UiPath Community (10') Cristina Vidu, Global Manager, Marketing Community @UiPath Dawid Kot, Digital Transformation Lead @Proservartner 09:10 Cloud migration - Proservartner & DOVISTA case study (30') Marcin Drozdowski, Automation CoE Manager @DOVISTA Pawel Kamiński, RPA developer @DOVISTA Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner 09:40 From bottlenecks to breakthroughs: Citizen Development in action (25') Pawel Poplawski, Director, Improvement and Automation @McCormick & Company Michał Cieślak, Senior Manager, Automation Programs @McCormick & Company 10:05 Next-level bots: API integration in UiPath Studio (30') Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner 10:35 ☕ Coffee Break (15') 10:50 Document Understanding with my RPA Companion (45') Ewa Gruszka, Enterprise Sales Specialist, AI & ML @UiPath 11:35 Power up your Robots: GenAI and GPT in REFramework (45') Krzysztof Karaszewski, Global RPA Product Manager 12:20 🍕 Lunch Break (1hr) 13:20 From Concept to Quality: UiPath Test Suite for AI-powered Knowledge Bots (30') Kamil Miśko, UiPath MVP, Senior RPA Developer @Zurich Insurance 13:50 Communications Mining - focus on AI capabilities (30') Thomasz Wierzbicki, Business Analyst @Office Samurai 14:20 Polish MVP panel: Insights on MVP award achievements and career profiling

Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops

Mydbops

This presentation, delivered at the Postgres Bangalore (PGBLR) Meetup-2 on June 29th, 2024, dives deep into connection pooling for PostgreSQL databases. Aakash M, a PostgreSQL Tech Lead at Mydbops, explores the challenges of managing numerous connections and explains how connection pooling optimizes performance and resource utilization. Key Takeaways: * Understand why connection pooling is essential for high-traffic applications * Explore various connection poolers available for PostgreSQL, including pgbouncer * Learn the configuration options and functionalities of pgbouncer * Discover best practices for monitoring and troubleshooting connection pooling setups * Gain insights into real-world use cases and considerations for production environments This presentation is ideal for: * Database administrators (DBAs) * Developers working with PostgreSQL * DevOps engineers * Anyone interested in optimizing PostgreSQL performance Contact info@mydbops.com for PostgreSQL Managed, Consulting and Remote DBA Services

What Not to Document and Why_ (North Bay Python 2024)

Margaret Fero

We’re hopefully all on board with writing documentation for our projects. However, especially with the rise of supply-chain attacks, there are some aspects of our projects that we really shouldn’t document, and should instead remediate as vulnerabilities. If we do document these aspects of a project, it may help someone compromise the project itself or our users. In this talk, you will learn why some aspects of documentation may help attackers more than users, how to recognize those aspects in your own projects, and what to do when you encounter such an issue. These are slides as presented at North Bay Python 2024, with one minor modification to add the URL of a tweet screenshotted in the presentation.

Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em...

Erasmo Purificato

Recently uploaded (20)

Verti - EMEA Insurer Innovation Award 2024

What's Next Web Development Trends to Watch.pdf

How RPA Help in the Transportation and Logistics Industry.pptx

Calgary MuleSoft Meetup APM and IDP .pptx

this resume for sadika shaikh bca student

HTTP Adaptive Streaming – Quo Vadis (2024)

Knowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches

Cookies program to display the information though cookie creation

Details of description part II: Describing images in practice - Tech Forum 2024

Performance Budgets for the Real World by Tammy Everts

Implementations of Fused Deposition Modeling in real world

STKI Israeli Market Study 2024 final v1

Quantum Communications Q&A with Gemini LLM

Blockchain and Cyber Defense Strategies in new genre times

@Call @Girls Pune 0000000000 Riya Khan Beautiful Girl any Time

The Increasing Use of the National Research Platform by the CSU Campuses

UiPath Community Day Kraków: Devs4Devs Conference

Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - Mydbops

What Not to Document and Why_ (North Bay Python 2024)

Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em...

Cloud Security @ Netflix

1. Cloud&Security&@&Ne0lix Adap%ng(Security(for(Modern(So4ware Jason&Chan chan@ne'lix.com.:.@chanjbs Sea$le&AWS&Architects&&&Engineers

3. Me Current:(Ne*lix(Security Product,)app,)ops,)infra,)corp,)fraud,)privacy,)abuse,)IR Previous: Infosec(@(VMware,(consul2ng:(@stake,(iSEC(Partners

6. 14m$users$in$1+$year

7. 14m$users$in$1+$year 150m%photos

8. 14m$users$in$1+$year 150m%photos 3"engineers

9. 14m$users$in$1+$year 150m%photos 3"engineers $1B$acquisi+on$by$FB

11. So#.#.#.

12. idea%+%cloud%=%profit!

15. So#.#.#.

17. Goal:&Cloud&&&AWS&benefits,&securely

18. Typically,)how)do)you:

19. Create&a&user&account

20. Create&a&user&account Inventory)your)systems

21. Create&a&user&account Inventory)your)systems Update'a'firewall'config

22. Create&a&user&account Inventory)your)systems Update'a'firewall'config Make%a%forensic%image

23. Create&a&user&account Inventory)your)systems Update'a'firewall'config Make%a%forensic%image Disable(a(MFA(token

24. In#AWS#.#.#.

25. CreateUser() DescribeInstances() AuthorizeSecurityGroupIngress() CreateSnapshot() Deac%vateMFADevice()

29. So#ware,)now

30. Agile

31. Microservices

32. Immutable) Infrastructure

33. DevOps/NoOps

34. So#.#.#.#what#about#security?

41. Visibility Knowing'the'Environment

43. Discover

44. Discover Inventory

45. Discover Inventory Test

46. Discover Inventory Test Report

48. Open%ELB%Example 1. Dump'list'of'ELBs'with'listeners 2. Connect'to'ELBs'from'arbitrary'Internet'IP 3. Evaluate'status'code'(200/300'or'403) 4. Compare'results'against'expected 5. Fix'anomalies,'educate'engineers,'and'update'expected'(manual)'

49. Knowing'the'Environment'/'Takeaways Tailor'discovery'to'rate'of'change Think&about&normaliza0on&of&discovery&data

50. Visibility Risk%Priori)za)on

52. Connec&vity+ Analysis+via+Ne1lix+ OSS

56. Risk%Priori)za)on%-%Takeaways What%is%measurable?%(objec3vely) Use$as$an$input,$not$law

57. Visibility Mul$%Layer+Security+Tes$ng

58. Deconstruc*ng,security,tes*ng

61. Ne#lix'Deployment'Pipeline

63. Integrated)tes+ng)for)CI/CD

66. Mul$%Layer+Security+Tes$ng+%+Takeaways What%conversa-ons%can%you%avoid? Is#there#a#pyramid#you#can#leverage?

67. Visibility Configura)on*Monitoring

69. AWS$Op'ons

70. Bill$as$IDS AWS$Billing$Alerts

72. CloudTrail Logging&of&API&calls

74. { "Records": [{ "eventVersion": "1.0", "userIdentity": { "type": "IAMUser", "principalId": "EX_PRINCIPAL_ID", "arn": "arn:aws:iam::123456789012:user/Alice", "accessKeyId": "EXAMPLE_KEY_ID", "accountId": "123456789012", "userName": "Alice" }, "eventTime": "2014-03-06T21:22:54Z", "eventSource": "ec2.amazonaws.com", "eventName": "StartInstances", "awsRegion": "us-west-2", "sourceIPAddress": "205.251.233.176", "userAgent": "ec2-api-tools 1.6.12.2", "requestParameters": { "instancesSet": { "items": [{ "instanceId": "i-ebeaf9e2" }] } },

75. "responseElements": { "instancesSet": { "items": [{ "instanceId": "i-ebeaf9e2", "currentState": { "code": 0, "name": "pending" }, "previousState": { "code": 80, "name": "stopped" } }] } } }, ... additional entries ... ] }

76. Trusted(Advisor Checks'config'vs.'best'prac3ces

79. Shameless(Plug(Sec-on(of(the(Talk

80. Edda AWS$config$history

81. What%instance%has%a%given%public%IP? $ curl "http://edda/api/v2/view/instances;publicIpAddress=1.2.3.4;_since=0" ["i-0123456789","i-012345678a","i-012345678b"]

82. What%is%the%most%recent%change%to%a%security% group? $ curl "http://edda/api/v2/aws/securityGroups/sg-0123456789;_diff;_all;_limit=2"

83. $ curl "http://edda/api/v2/aws/securityGroups/sg-0123456789;_diff;_all;_limit=2" --- /api/v2/aws.securityGroups/sg-0123456789;_pp;_at=1351040779810 +++ /api/v2/aws.securityGroups/sg-0123456789;_pp;_at=1351044093504 @@ -1,33 +1,33 @@ { "class" : "com.amazonaws.services.ec2.model.SecurityGroup", "description" : "App1", "groupId" : "sg-0123456789", "groupName" : "app1-frontend", "ipPermissions" : [ { "class" : "com.amazonaws.services.ec2.model.IpPermission", "fromPort" : 80, "ipProtocol" : "tcp", "ipRanges" : [ "10.10.1.1/32", "10.10.1.2/32", + "10.10.1.3/32", - "10.10.1.4/32" ], "toPort" : 80, "userIdGroupPairs" : [ ] } ], "ipPermissionsEgress" : [ ], "ownerId" : "2345678912345", "tags" : [ ], "vpcId" : null }

84. Security)Monkey

86. Configura)on*Monitoring*.*Takeaways Config&changes&have&a&con-nuum&of&safety Find%ways%to%observe%and%differen1ate

87. Conclusions

91. AWS$Security$Resources h"p://&ny.cc/awssecurity

92. Thank&you! chan@ne'lix.com.:.@chanjbs