CNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My Identity
•
0 likes•79 views
Identities are a crucial part of running workloads on Kubernetes. How do you ensure Pods can securely access Cloud resources? In this lightning talk, you will learn how large Cloud providers work together to share Identity Provider responsibilities in order to federate identities in multi-cloud environments.
Report
Share
Report
Share
Download to read offline
Recommended
NahamConEU2022.pdf
1. The document discusses security misconfigurations that can occur when using Amazon Cognito for user authentication.
2. It describes how an unauthenticated user could potentially access AWS services by fetching temporary credentials from an identity pool if the unauthenticated role is not disabled.
3. It also explains how an attacker could bypass authentication by enabling user signup if that API action is not disabled for applications that do not require signup.
4. Additional misconfigurations discussed include privilege escalation through writable user attributes, and updating a user's email attribute before verification which could allow bypassing authorization checks.
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
Developing mobile apps can be complex and time-consuming. Learn how to simplify mobile identity management and data synchronization across devices. In addition, learn how to follow security best practices to give your app access to the resources it needs to provide a great user experience without hard-coding security credentials. We will cover how to easily and securely onboard users as anonymous guests using public login providers like Amazon, Facebook, Twitter, or your own user identity system. We are very excited to have Twitter representatives join us on stage for a deep dive on authenticating users with Twitter and Digits, which enables users to sign in with their phone numbers.
Attacking and Defending Kubernetes - Nithin Jois
This document provides an overview of attacking and defending Kubernetes clusters. It begins with introductions to containers, container orchestration with Kubernetes, and Kubernetes architecture and components. It then discusses the Kubernetes threat model and common attack vectors such as compromising nodes, pods, and secrets. The document outlines Kubernetes authentication and authorization methods like RBAC and discusses admission controllers. It covers securing Kubernetes with practices like pod security policies and network policies. Finally, it notes some limitations and gotchas regarding secrets management in Kubernetes.
Using Windows Azure for Solving Identity Management Challenges (Visual Studio...
Identity management for cloud deployed applications can be a challenge. Often users will want to leverage an existing social network or corporate identity. Now we have to worry about dealing with multiple APIs, any updates to those APIs, or the addition of new identity providers. Windows Azure Access Control Services offers a better way! ACS allows for federated user authentication via popular social networks and Active Directory. In this session we’ll provide a crash course in claims as they relate to identity management. We’ll discuss why claims are important and how to add additional claims beyond what is provided by the identity providers. We'll also take a look at Windows Azure Active Directory and see how to manage corporate identities in the cloud.
Federation
This document discusses federated access to AWS resources using temporary security credentials. It describes how users from other identity stores can be provided access to AWS resources without needing AWS credentials. Common use cases include delegating access to other AWS accounts or federating with corporate directories. Sessions are generated by AWS Security Token Service and include temporary credentials. Multiple methods are covered, including getting sessions via GetSessionToken or GetFederationToken APIs or by assuming roles. Demos show federating access to the AWS console and CLI using Active Directory credentials.
Federation
This document discusses federated access to AWS resources using temporary security credentials. It describes how federation works by allowing users in other AWS accounts or identity stores to access resources in your AWS account through the use of sessions. Common use cases for federation include delegating access to other AWS accounts or teams and federating with corporate directories. The document then demonstrates how to request and use sessions to access AWS through the console and CLI using SAML and web identity federation.
Appsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass. The slides used during the class with links to the commands, scripts and setup information.
These slides are to be used with the masterclass video recording on YouTube -
Hands on exercises are highly recommended to get the most out of this class!
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
This document discusses how HashiCorp Vault and Puppet can be used together to dynamically manage SSL/TLS certificates across platforms. Vault's PKI secrets engine is used to sign certificates while Puppet distributes the certificates and keys to servers and configures services to use the certificates. On Linux, Puppet writes certificates to the filesystem and reloads services. On Windows, a Puppet function is used to embed certificates in the catalog so their thumbprints can be retrieved and used to configure services in the certificate store. This dynamic duo of Vault and Puppet enables centralized signing of certificates, auto-renewal, cross-platform distribution, and integration with services.
Recommended
NahamConEU2022.pdf
1. The document discusses security misconfigurations that can occur when using Amazon Cognito for user authentication.
2. It describes how an unauthenticated user could potentially access AWS services by fetching temporary credentials from an identity pool if the unauthenticated role is not disabled.
3. It also explains how an attacker could bypass authentication by enabling user signup if that API action is not disabled for applications that do not require signup.
4. Additional misconfigurations discussed include privilege escalation through writable user attributes, and updating a user's email attribute before verification which could allow bypassing authorization checks.
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
Developing mobile apps can be complex and time-consuming. Learn how to simplify mobile identity management and data synchronization across devices. In addition, learn how to follow security best practices to give your app access to the resources it needs to provide a great user experience without hard-coding security credentials. We will cover how to easily and securely onboard users as anonymous guests using public login providers like Amazon, Facebook, Twitter, or your own user identity system. We are very excited to have Twitter representatives join us on stage for a deep dive on authenticating users with Twitter and Digits, which enables users to sign in with their phone numbers.
Attacking and Defending Kubernetes - Nithin Jois
This document provides an overview of attacking and defending Kubernetes clusters. It begins with introductions to containers, container orchestration with Kubernetes, and Kubernetes architecture and components. It then discusses the Kubernetes threat model and common attack vectors such as compromising nodes, pods, and secrets. The document outlines Kubernetes authentication and authorization methods like RBAC and discusses admission controllers. It covers securing Kubernetes with practices like pod security policies and network policies. Finally, it notes some limitations and gotchas regarding secrets management in Kubernetes.
Using Windows Azure for Solving Identity Management Challenges (Visual Studio...
Identity management for cloud deployed applications can be a challenge. Often users will want to leverage an existing social network or corporate identity. Now we have to worry about dealing with multiple APIs, any updates to those APIs, or the addition of new identity providers. Windows Azure Access Control Services offers a better way! ACS allows for federated user authentication via popular social networks and Active Directory. In this session we’ll provide a crash course in claims as they relate to identity management. We’ll discuss why claims are important and how to add additional claims beyond what is provided by the identity providers. We'll also take a look at Windows Azure Active Directory and see how to manage corporate identities in the cloud.
Federation
This document discusses federated access to AWS resources using temporary security credentials. It describes how users from other identity stores can be provided access to AWS resources without needing AWS credentials. Common use cases include delegating access to other AWS accounts or federating with corporate directories. Sessions are generated by AWS Security Token Service and include temporary credentials. Multiple methods are covered, including getting sessions via GetSessionToken or GetFederationToken APIs or by assuming roles. Demos show federating access to the AWS console and CLI using Active Directory credentials.
Federation
This document discusses federated access to AWS resources using temporary security credentials. It describes how federation works by allowing users in other AWS accounts or identity stores to access resources in your AWS account through the use of sessions. Common use cases for federation include delegating access to other AWS accounts or teams and federating with corporate directories. The document then demonstrates how to request and use sessions to access AWS through the console and CLI using SAML and web identity federation.
Appsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass. The slides used during the class with links to the commands, scripts and setup information.
These slides are to be used with the masterclass video recording on YouTube -
Hands on exercises are highly recommended to get the most out of this class!
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
This document discusses how HashiCorp Vault and Puppet can be used together to dynamically manage SSL/TLS certificates across platforms. Vault's PKI secrets engine is used to sign certificates while Puppet distributes the certificates and keys to servers and configures services to use the certificates. On Linux, Puppet writes certificates to the filesystem and reloads services. On Windows, a Puppet function is used to embed certificates in the catalog so their thumbprints can be retrieved and used to configure services in the certificate store. This dynamic duo of Vault and Puppet enables centralized signing of certificates, auto-renewal, cross-platform distribution, and integration with services.
Consolidating Infrastructure with Azure Kubernetes Service
In this session, see how Tailwind Traders took a containerized application and deployed it to Azure Kubernetes Service (AKS). You’ll walk away with a deep understanding of major Kubernetes concepts and how to put it all to use with industry standard tooling.
SharePoint 2010,
Claims-Based Identity, Facebook, and the Cloud
This document provides information about Danny Jessee, a senior software engineer with 8 years of SharePoint development experience. It includes his credentials, contact information, and topics he can present on, such as features of secure applications, SharePoint 2010 authentication options, claims terminology and technology overview. It also lists some demos he can provide, including setting up a new SharePoint 2010 web application, integrating Facebook authentication using Azure AppFabric ACS, and further integrating Facebook data into SharePoint using the Facebook C# SDK.
Overview of secret management solutions and architecture
The document provides an overview of secret management solutions and architectures. It discusses what secrets are and why secret management is important. Some key points:
- Secrets include authentication credentials, API keys, passwords, and certificates that need access control. As services increase, so do secrets.
- An ideal secret management solution provides security, encryption, access control, auditing, ease of use, and integration with other tools.
- Version control systems and orchestration tools like Kubernetes can be used for secrets but have limitations compared to dedicated secret management solutions.
- AWS offers Parameter Store, Secrets Manager, and KMS for secret management. Parameter Store is generally recommended, while Secrets Manager is better for database
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
Amazon API Gateway is a fully managed service that makes it easy for developers to create, deploy, secure, and monitor APIs at any scale. In this presentation, you’ll find out how to quickly declare an API interface and connect it with code running on AWS Lambda. Amazon API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management. We will demonstrate how to build an API that uses AWS Identity and Access Management (IAM) for authorization and Amazon Cognito to retrieve temporary credentials for your API calls. We will write the AWS Lambda function code in Java and build an iOS sample application in Objective C.
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
The document discusses securing serverless applications using Amazon API Gateway, AWS Lambda, and Amazon Cognito. It describes how to build a basic 3-tier web app that is fully serverless, add authentication with Amazon Cognito by integrating with Cognito user pools, and implement authorization using AWS Identity and Access Management (IAM) by leveraging Cognito. Key benefits mentioned are that AWS Lambda and API Gateway provide automatic scaling with no infrastructure to manage, while security is improved by making use of IAM through Cognito.
Building Powerful IoT Apps with AWS IoT and Websockets
Presentation given during Start Up Day Hong Kong on September 15, 2017 within the Architecture track
Deploying Compliant Kubernetes: Real World Edge Cases
This document discusses Lola's deployment of compliant Kubernetes to meet PCI DSS requirements. Lola stores credit card details on behalf of users but does not directly process payments, requiring Level 1 PCI compliance. It outlines how Lola uses technologies like TLS encryption with Ingress controllers, IAM authentication for Kubernetes, and Prometheus for cluster monitoring to meet requirements for firewalls, encryption, secure systems, and access control. The document advises engaging auditors technically rather than treating Kubernetes as a black box, and leveraging open source tools and communities for pre-built applications to simplify compliance tasks like authentication, monitoring, and logging.
Deep Dive on Amazon Cognito - DevDay Austin 2017
Amazon Cognito is a service that provides authentication, authorization, and user management for web and mobile applications. It allows for user sign-up, sign-in, access control, account recovery, and integration with social identity providers. Cognito User Pools provides built-in user directory and authentication services, while Cognito Identity Pools enables the generation of temporary AWS credentials for application access. Sample use cases include business to consumer apps, business to employee apps, and IoT applications.
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
This work is part of the open source testbed setup for Cloud interoperability & portability. Cloud Security Workgroup will further review and generate complete working set as we move along. This is part I of the effort.
Amazon Cognito Deep Dive
by Fritz Kunstler, Sr. AWS Security Consultant AWS
Join us for four days of security and compliance sessions and hands-on labs led by our AWS security pros during AWS Security Week at the San Francisco Loft. Join us for all four days, or pick just the days that are most relevant to you. We'll open on Monday with Security 101 day, followed by sessions Tuesday on Identity and Access Management, our popular Threat Detection and Remediation day Wednesday will feature an updated GuardDuty lab, and we'll end Thursday with Incident Response sessions, labs, and a talk by Netflix on their new open source IR tool. This week will also feature Dome9 as a sponsor, and you can hear them speak and present a hands-on workshop Monday during Security 101 day.
How to implement authorization in your backend with AWS IAM
AWS Dev Day Kyiv 2019
Track: Backend & Architecture
Session: ""How to implement authorization in your backend with AWS IAM""
Speaker: Stas Ivaschenko, AWS solutions architect at Provectus
Level: 400
Video: https://www.youtube.com/watch?v=4Jje_WJ4V7Q
AWS Dev Day is a free, full-day technical event where new developers will learn about some of the hottest topics in cloud computing, and experienced developers can dive deep on newer AWS services.
Provectus has organized AWS Dev Day Kyiv in close collaboration with Amazon Web Services: 800+ participants, 18 sessions, 3 tracks, a really AWSome Day!
Now, together with Zeo Alliance, we're building and nurturing AWS User Group Ukraine — join us on Facebook to stay updated about cloud technologies and AWS services: https://www.facebook.com/groups/AWSUserGroupUkraine
"
K8s hard-way on DigitalOcean
CloudYuga presented at Kubernetes meetup in Banglaore on 22nd Dec'18. In this we covered how to setup a Kubernetes cluster from scratch on DigitalOcean. Full tutorial can be accessed at https://pilot.cloudyuga.guru/ .
Fiware cloud developers week brussels
- The FIWARE Lab provides cloud hosting and infrastructure as a service capabilities including compute, network, storage, and PaaS functionality.
- It utilizes OpenStack for core infrastructure services including compute (Nova), networking (Neutron), storage (Cinder, Swift), and identity (Keystone).
- The PaaS Manager allows users to define templates called Blueprints to deploy multi-tier applications and software stacks across the virtual infrastructure in an automated manner.
Lamdba micro service using Amazon Api Gateway
Detailed, step by step process on how to set up a web application using Amazon Cognito, Amazon API Gateway, and Lambda.
Certification authority
This document discusses certificate authorities (CAs) and provides an example scenario for securing a web server using a CA. It defines a CA as an entity that issues digital certificates for use by other parties in public key infrastructure schemes. There are commercial CAs, as well as CAs run by institutions and governments. The document then describes the process a CA goes through to issue a certificate and how users can verify certificates. It provides a list of common CAs. Finally, it presents a scenario where a web server obtains a server certificate from a CA to secure its SSL port, and clients can obtain client certificates from the CA's website to access the secure site.
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 2
This document summarizes a webinar about integrating Azure Active Directory B2C (AAD B2C) with applications using the Microsoft Authentication Libraries (MSAL). It discusses how MSAL can be used to acquire tokens to call protected APIs and validate tokens in web APIs and applications. It provides an overview of using MSAL in .NET Core web apps to sign users in with AAD B2C, redeem authorization codes to acquire tokens, and implement token caching for silent authentication. The document demonstrates how to build a .NET Core web app that signs users in with AAD B2C using MSAL.
DEVNET-1120 Intercloud Fabric - AWS and Azure Account Setup and Utilization
The document provides an agenda and overview for a session on setting up accounts with Intercloud Fabric on AWS and Azure. It discusses the steps required to set up accounts on each platform, including creating credentials, configuring policies and permissions, and connecting Intercloud Fabric. The conclusion encourages participants to ask questions and provides information on related sessions at Cisco Live.
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
- Understand user identity and federation principles and practices
- Learn how Amazon Cognito works with federated identity providers
- See how to use Amazon Cognito to add the forms for user Sign-up and Sign-in to an application
Aws(sdk)
The document discusses how to use various AWS services like Cognito, S3, Lambda, and API Gateway from an iOS application using the AWS SDK for iOS. It provides code snippets for creating an identity pool in Cognito, storing and retrieving data from Cognito Sync, uploading files to S3, invoking Lambda functions, and generating an iOS SDK for a API Gateway API.
Introduction to Amazon EKS - KubeCon 2018
Amazon EKS (Elastic Kubernetes Service) is a managed service that makes it easy to run Kubernetes on AWS. It handles provisioning and managing control plane resources so users can focus on applications. EKS provides a native Kubernetes experience while integrating seamlessly with other AWS services to eliminate undifferentiated heavy lifting. The EKS team actively contributes to the open source Kubernetes project.
KubeCon NA'22 Lightning Talk: Where did all my IPs go?
Kubernetes cluster planning requires quite a few things to get started. What about IPs? Common IP management hurdles with Kubernetes clusters include IP assignments when building a cluster and challenges faced when deploying in a multi-faceted environment. Kubernetes Admins often need to use IP addressing handed out by Network Admins juggling other non-k8s workload IP assignments and IP exhaustion. In this talk, Cynthia will discuss new and existing KEPs that SIG-network has implemented to help mitigate IP challenges. Such features include discontiguous cluster CIDRs and the journey to IPv6. Cynthia will also discuss how the best practices for Kubernetes IP management are changing with these new capabilities to help scale and grow instead of rebuild.
https://sched.co/184sj
Kernel advantages for Istio realized with Cilium
Istio brings a myriad of options to provide routing rules, encryption, and monitoring for microservices, typically in container environments. Cilium provides accelerated network security using a modern kernel technology called BPF. Put the two together and what do you get? A distributed security solution enabling microservices traffic management, security, and monitoring while enforcing policy as close to the microservices as possible.
Cynthia Thomas and Romain Lenglet discuss the architectural and performance benefits of using Cilium with Istio and provide a demo of this BPF-based, Linux kernel technology. Cilium provides an API-aware security solution that can make a decision on every single microservice flow, with the ability to enforce protocols such as HTTP, Kafka, and gRPC. By addressing security policy at the API layer, you can enforce policy efficiently with kernel capabilities while reducing the attack surface in a microservices deployment.
More Related Content
Similar to CNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My Identity
Consolidating Infrastructure with Azure Kubernetes Service
In this session, see how Tailwind Traders took a containerized application and deployed it to Azure Kubernetes Service (AKS). You’ll walk away with a deep understanding of major Kubernetes concepts and how to put it all to use with industry standard tooling.
SharePoint 2010,
Claims-Based Identity, Facebook, and the Cloud
This document provides information about Danny Jessee, a senior software engineer with 8 years of SharePoint development experience. It includes his credentials, contact information, and topics he can present on, such as features of secure applications, SharePoint 2010 authentication options, claims terminology and technology overview. It also lists some demos he can provide, including setting up a new SharePoint 2010 web application, integrating Facebook authentication using Azure AppFabric ACS, and further integrating Facebook data into SharePoint using the Facebook C# SDK.
Overview of secret management solutions and architecture
The document provides an overview of secret management solutions and architectures. It discusses what secrets are and why secret management is important. Some key points:
- Secrets include authentication credentials, API keys, passwords, and certificates that need access control. As services increase, so do secrets.
- An ideal secret management solution provides security, encryption, access control, auditing, ease of use, and integration with other tools.
- Version control systems and orchestration tools like Kubernetes can be used for secrets but have limitations compared to dedicated secret management solutions.
- AWS offers Parameter Store, Secrets Manager, and KMS for secret management. Parameter Store is generally recommended, while Secrets Manager is better for database
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
Amazon API Gateway is a fully managed service that makes it easy for developers to create, deploy, secure, and monitor APIs at any scale. In this presentation, you’ll find out how to quickly declare an API interface and connect it with code running on AWS Lambda. Amazon API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management. We will demonstrate how to build an API that uses AWS Identity and Access Management (IAM) for authorization and Amazon Cognito to retrieve temporary credentials for your API calls. We will write the AWS Lambda function code in Java and build an iOS sample application in Objective C.
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
The document discusses securing serverless applications using Amazon API Gateway, AWS Lambda, and Amazon Cognito. It describes how to build a basic 3-tier web app that is fully serverless, add authentication with Amazon Cognito by integrating with Cognito user pools, and implement authorization using AWS Identity and Access Management (IAM) by leveraging Cognito. Key benefits mentioned are that AWS Lambda and API Gateway provide automatic scaling with no infrastructure to manage, while security is improved by making use of IAM through Cognito.
Building Powerful IoT Apps with AWS IoT and Websockets
Presentation given during Start Up Day Hong Kong on September 15, 2017 within the Architecture track
Deploying Compliant Kubernetes: Real World Edge Cases
This document discusses Lola's deployment of compliant Kubernetes to meet PCI DSS requirements. Lola stores credit card details on behalf of users but does not directly process payments, requiring Level 1 PCI compliance. It outlines how Lola uses technologies like TLS encryption with Ingress controllers, IAM authentication for Kubernetes, and Prometheus for cluster monitoring to meet requirements for firewalls, encryption, secure systems, and access control. The document advises engaging auditors technically rather than treating Kubernetes as a black box, and leveraging open source tools and communities for pre-built applications to simplify compliance tasks like authentication, monitoring, and logging.
Deep Dive on Amazon Cognito - DevDay Austin 2017
Amazon Cognito is a service that provides authentication, authorization, and user management for web and mobile applications. It allows for user sign-up, sign-in, access control, account recovery, and integration with social identity providers. Cognito User Pools provides built-in user directory and authentication services, while Cognito Identity Pools enables the generation of temporary AWS credentials for application access. Sample use cases include business to consumer apps, business to employee apps, and IoT applications.
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
This work is part of the open source testbed setup for Cloud interoperability & portability. Cloud Security Workgroup will further review and generate complete working set as we move along. This is part I of the effort.
Amazon Cognito Deep Dive
by Fritz Kunstler, Sr. AWS Security Consultant AWS
Join us for four days of security and compliance sessions and hands-on labs led by our AWS security pros during AWS Security Week at the San Francisco Loft. Join us for all four days, or pick just the days that are most relevant to you. We'll open on Monday with Security 101 day, followed by sessions Tuesday on Identity and Access Management, our popular Threat Detection and Remediation day Wednesday will feature an updated GuardDuty lab, and we'll end Thursday with Incident Response sessions, labs, and a talk by Netflix on their new open source IR tool. This week will also feature Dome9 as a sponsor, and you can hear them speak and present a hands-on workshop Monday during Security 101 day.
How to implement authorization in your backend with AWS IAM
AWS Dev Day Kyiv 2019
Track: Backend & Architecture
Session: ""How to implement authorization in your backend with AWS IAM""
Speaker: Stas Ivaschenko, AWS solutions architect at Provectus
Level: 400
Video: https://www.youtube.com/watch?v=4Jje_WJ4V7Q
AWS Dev Day is a free, full-day technical event where new developers will learn about some of the hottest topics in cloud computing, and experienced developers can dive deep on newer AWS services.
Provectus has organized AWS Dev Day Kyiv in close collaboration with Amazon Web Services: 800+ participants, 18 sessions, 3 tracks, a really AWSome Day!
Now, together with Zeo Alliance, we're building and nurturing AWS User Group Ukraine — join us on Facebook to stay updated about cloud technologies and AWS services: https://www.facebook.com/groups/AWSUserGroupUkraine
"
K8s hard-way on DigitalOcean
CloudYuga presented at Kubernetes meetup in Banglaore on 22nd Dec'18. In this we covered how to setup a Kubernetes cluster from scratch on DigitalOcean. Full tutorial can be accessed at https://pilot.cloudyuga.guru/ .
Fiware cloud developers week brussels
- The FIWARE Lab provides cloud hosting and infrastructure as a service capabilities including compute, network, storage, and PaaS functionality.
- It utilizes OpenStack for core infrastructure services including compute (Nova), networking (Neutron), storage (Cinder, Swift), and identity (Keystone).
- The PaaS Manager allows users to define templates called Blueprints to deploy multi-tier applications and software stacks across the virtual infrastructure in an automated manner.
Lamdba micro service using Amazon Api Gateway
Detailed, step by step process on how to set up a web application using Amazon Cognito, Amazon API Gateway, and Lambda.
Certification authority
This document discusses certificate authorities (CAs) and provides an example scenario for securing a web server using a CA. It defines a CA as an entity that issues digital certificates for use by other parties in public key infrastructure schemes. There are commercial CAs, as well as CAs run by institutions and governments. The document then describes the process a CA goes through to issue a certificate and how users can verify certificates. It provides a list of common CAs. Finally, it presents a scenario where a web server obtains a server certificate from a CA to secure its SSL port, and clients can obtain client certificates from the CA's website to access the secure site.
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 2
This document summarizes a webinar about integrating Azure Active Directory B2C (AAD B2C) with applications using the Microsoft Authentication Libraries (MSAL). It discusses how MSAL can be used to acquire tokens to call protected APIs and validate tokens in web APIs and applications. It provides an overview of using MSAL in .NET Core web apps to sign users in with AAD B2C, redeem authorization codes to acquire tokens, and implement token caching for silent authentication. The document demonstrates how to build a .NET Core web app that signs users in with AAD B2C using MSAL.
DEVNET-1120 Intercloud Fabric - AWS and Azure Account Setup and Utilization
The document provides an agenda and overview for a session on setting up accounts with Intercloud Fabric on AWS and Azure. It discusses the steps required to set up accounts on each platform, including creating credentials, configuring policies and permissions, and connecting Intercloud Fabric. The conclusion encourages participants to ask questions and provides information on related sessions at Cisco Live.
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
- Understand user identity and federation principles and practices
- Learn how Amazon Cognito works with federated identity providers
- See how to use Amazon Cognito to add the forms for user Sign-up and Sign-in to an application
Aws(sdk)
The document discusses how to use various AWS services like Cognito, S3, Lambda, and API Gateway from an iOS application using the AWS SDK for iOS. It provides code snippets for creating an identity pool in Cognito, storing and retrieving data from Cognito Sync, uploading files to S3, invoking Lambda functions, and generating an iOS SDK for a API Gateway API.
Introduction to Amazon EKS - KubeCon 2018
Amazon EKS (Elastic Kubernetes Service) is a managed service that makes it easy to run Kubernetes on AWS. It handles provisioning and managing control plane resources so users can focus on applications. EKS provides a native Kubernetes experience while integrating seamlessly with other AWS services to eliminate undifferentiated heavy lifting. The EKS team actively contributes to the open source Kubernetes project.
Similar to CNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My Identity (20)
Consolidating Infrastructure with Azure Kubernetes Service
Consolidating Infrastructure with Azure Kubernetes Service
SharePoint 2010,
Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010,
Claims-Based Identity, Facebook, and the Cloud
Overview of secret management solutions and architecture
Overview of secret management solutions and architecture
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Building Powerful IoT Apps with AWS IoT and Websockets
Building Powerful IoT Apps with AWS IoT and Websockets
Deploying Compliant Kubernetes: Real World Edge Cases
Deploying Compliant Kubernetes: Real World Edge Cases
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
How to implement authorization in your backend with AWS IAM
How to implement authorization in your backend with AWS IAM
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 2
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 2
DEVNET-1120 Intercloud Fabric - AWS and Azure Account Setup and Utilization
DEVNET-1120 Intercloud Fabric - AWS and Azure Account Setup and Utilization
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
More from Cynthia Thomas
KubeCon NA'22 Lightning Talk: Where did all my IPs go?
Kubernetes cluster planning requires quite a few things to get started. What about IPs? Common IP management hurdles with Kubernetes clusters include IP assignments when building a cluster and challenges faced when deploying in a multi-faceted environment. Kubernetes Admins often need to use IP addressing handed out by Network Admins juggling other non-k8s workload IP assignments and IP exhaustion. In this talk, Cynthia will discuss new and existing KEPs that SIG-network has implemented to help mitigate IP challenges. Such features include discontiguous cluster CIDRs and the journey to IPv6. Cynthia will also discuss how the best practices for Kubernetes IP management are changing with these new capabilities to help scale and grow instead of rebuild.
https://sched.co/184sj
Kernel advantages for Istio realized with Cilium
Istio brings a myriad of options to provide routing rules, encryption, and monitoring for microservices, typically in container environments. Cilium provides accelerated network security using a modern kernel technology called BPF. Put the two together and what do you get? A distributed security solution enabling microservices traffic management, security, and monitoring while enforcing policy as close to the microservices as possible.
Cynthia Thomas and Romain Lenglet discuss the architectural and performance benefits of using Cilium with Istio and provide a demo of this BPF-based, Linux kernel technology. Cilium provides an API-aware security solution that can make a decision on every single microservice flow, with the ability to enforce protocols such as HTTP, Kafka, and gRPC. By addressing security policy at the API layer, you can enforce policy efficiently with kernel capabilities while reducing the attack surface in a microservices deployment.
Cilium:: Application-Aware Microservices via BPF
Intro to Cilium Microservices Security with Kubernetes Integration
Open Source Cilium website: cilium.io
GH: github.com/cilium/cilium
Join our Slack! cilium.herokuapp.com
Follow us on Twitter!
@ciliumproject
@_techcet_
Cilium: Seattle Kubernetes MeetUp Dec 2017
BPF (Berkeley Packet Filter) is becoming the fastest growing technology in the Linux kernel and is revolutionizing networking, security and tracing. At the same time, the rise of container-based orchestration platforms such as Kubernetes is creating demand for routing, load-balancing & security infrastructure that is highly scalable, application-aware, and resilient.
This talk introduces the open source project Cilium - a modern networking and security platform for microservices. Cilium is built on top of BPF and provides Linux native networking and security services with application protocol awareness. Cilium works hand in hand with application proxies such as Envoy and the services management orchestration layer Istio to provide infrastructure services in a transparent manner and with minimal overhead. This talk will discuss the challenges of exposing services via APIs and the solution that Cilium provides to enforce least privilege security.
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
We have introduced Cilium at DockerCon US 2017 this year. Cilium provides application-aware network connectivity, security, and load-balancing for containers. This talk will follow up on the introduction and deep dive into recent kernel developments that address two fundamental questions: How can I provide application-aware security and routing efficiently without overhead embedded into every service? How can container hosts protect themselves from internal and external DDoS attacks? The solutions include:
kproxy: a kernel-based socket proxy which allows for application-aware routing and security enforcement with minimal overhead.
XDP: A lightning-fast packet processing datapath using BPF. The technology is intended for DDoS mitigation, load-balancing, and forwarding.
This talk will deep dive into these exciting technologies and show how Cilium makes BPF and these kernel features available on Linux for your Docker containers.
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
This session offers techniques for securing Docker containers and hosts using open source network virtualization technologies to implement microsegmentation. Come learn real tips and tricks that you can apply to keep your production environment secure.
Midokura @ OpenStack Seattle
Neutron: Past, Present, and Future
Midokura presents at the OpenStack Seattle MeetUp
March 2nd, 2015
Hosted by Blue Box Group
What's the deal with Neutron?
A look at the project’s progression from Nova-Network to Neutron and Beyond. We will recall the early stages of Nova-Networking and how the functionality evolved to what is Neutron networking today. We will discuss previous default Neutron plugin implementation issues and current solutions with the now open-source SDN solution, MidoNet.
CloudKC: Evolution of Network Virtualization
This document discusses the evolution of network virtualization. It begins with an overview of using VLANs for network virtualization, which provides L2 isolation but has limitations around scalability and management. OpenFlow is presented as an early approach that uses a centralized controller but has performance impacts. The document then introduces network overlays using software-defined networking as a more advanced approach, allowing network services to be decoupled from physical network hardware for improved scalability, agility and fault tolerance. It provides an overview of using the Midokura network virtualization platform with OpenStack Neutron for network automation and management.
From Nova-Network to Neutron and Beyond: A Look at OpenStack Networking
This document provides an overview of the evolution of network virtualization and OpenStack networking. It describes how networking started with manually configured VLANs, moved to OpenFlow which required programming flows, and then to network overlays using software defined networking. It outlines the requirements for network virtualization. It also details the evolution of OpenStack networking from Nova network to Quantum/Neutron, including the transition to using overlays and supporting plugins. Key features of Neutron are summarized, as well as upcoming features planned for future OpenStack releases.
More from Cynthia Thomas (10)
KubeCon NA'22 Lightning Talk: Where did all my IPs go?
KubeCon NA'22 Lightning Talk: Where did all my IPs go?
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
From Nova-Network to Neutron and Beyond: A Look at OpenStack Networking
From Nova-Network to Neutron and Beyond: A Look at OpenStack Networking
Recently uploaded
An Introduction to All Data Enterprise Integration
Are you spending more time wrestling with your data than actually using it? You’re not alone. For many organizations, managing data from various sources can feel like an uphill battle. But what if you could turn that around and make your data work for you effortlessly? That’s where FME comes in.
We’ve designed FME to tackle these exact issues, transforming your data chaos into a streamlined, efficient process. Join us for an introduction to All Data Enterprise Integration and discover how FME can be your game-changer.
During this webinar, you’ll learn:
- Why Data Integration Matters: How FME can streamline your data process.
- The Role of Spatial Data: Why spatial data is crucial for your organization.
- Connecting & Viewing Data: See how FME connects to your data sources, with a flash demo to showcase.
- Transforming Your Data: Find out how FME can transform your data to fit your needs. We’ll bring this process to life with a demo leveraging both geometry and attribute validation.
- Automating Your Workflows: Learn how FME can save you time and money with automation.
Don’t miss this chance to learn how FME can bring your data integration strategy to life, making your workflows more efficient and saving you valuable time and resources. Join us and take the first step toward a more integrated, efficient, data-driven future!
“Efficiency Unleashed: The Next-gen NXP i.MX 95 Applications Processor for Em...
“Efficiency Unleashed: The Next-gen NXP i.MX 95 Applications Processor for Em...Edge AI and Vision Alliance
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/efficiency-unleashed-the-next-gen-nxp-i-mx-95-applications-processor-for-embedded-vision-a-presentation-from-nxp-semiconductors/
James Prior, Senior Product Manager at NXP Semiconductors, presents the “Efficiency Unleashed: The Next-gen NXP i.MX 95 Applications Processor for Embedded Vision” tutorial at the May 2024 Embedded Vision Summit.
Machine vision is the most obvious way to help humans live better, enabling hundreds of applications spanning security, monitoring, inspection and more. Modern edge processors need private on-device and scalable hybrid machine learning capabilities to offer enough longevity to stay relevant in industrial and commercial IoT markets. In this talk, Prior presents the upcoming i.MX 95 family of applications processors.
The i.MX 95 features a new, self-developed neural processing unit from NXP—the eIQ Neutron NPU. Designed to scale from today’s conventional neural networks to tomorrow’s transformer-based models, the eIQ Neutron NPU scalable architecture delivers edge AI capabilities at high efficiency with award-winning tools, combined with chip-level security and privacy features. The i.MX 95 applications processor family features powerful processing and vision capabilities combined with safety, security and expandable high-speed interfaces.Brightwell ILC Futures workshop David Sinclair presentation
As part of our futures focused project with Brightwell we organised a workshop involving thought leaders and experts which was held in April 2024. Introducing the session David Sinclair gave the attached presentation.
For the project we want to:
- explore how technology and innovation will drive the way we live
- look at how we ourselves will change e.g families; digital exclusion
What we then want to do is use this to highlight how services in the future may need to adapt.
e.g. If we are all online in 20 years, will we need to offer telephone-based services. And if we aren’t offering telephone services what will the alternative be?
Summer24-ReleaseOverviewDeck - Stephen Stanley 27 June 2024.pdf
This slide deck is a deep dive the Salesforce latest release - Summer 24, by the famous Stephen Stanley. He has examined the release notes very carefully, and summarised them for the Wellington Salesforce user group, virtual meeting June 27 2024.
Call Girls Kochi 💯Call Us 🔝 7426014248 🔝 Independent Kochi Escorts Service Av...
Call Girls Kochi 💯Call Us 🔝 7426014248 🔝 Independent Kochi Escorts Service Available
Kubernetes Cloud Native Indonesia Meetup - June 2024
Kubernetes Cloud Native Indonesia Meetup - June 2024
ThousandEyes New Product Features and Release Highlights: June 2024
Presented by Brian Tobia and Chris Villemez
Day 4 - Excel Automation and Data Manipulation
👉 Check out our full 'Africa Series - Automation Student Developers (EN)' page to register for the full program: https://bit.ly/Africa_Automation_Student_Developers
In this fourth session, we shall learn how to automate Excel-related tasks and manipulate data using UiPath Studio.
📕 Detailed agenda:
About Excel Automation and Excel Activities
About Data Manipulation and Data Conversion
About Strings and String Manipulation
💻 Extra training through UiPath Academy:
Excel Automation with the Modern Experience in Studio
Data Manipulation with Strings in Studio
👉 Register here for our upcoming Session 5/ June 25: Making Your RPA Journey Continuous and Beneficial: https://community.uipath.com/events/details/uipath-lagos-presents-session-5-making-your-automation-journey-continuous-and-beneficial/
Churchgate Call Girls 👑VIP — Mumbai ☎️ 9910780858 🎀Niamh@ Churchgate Call Gi...
Churchgate Call Girls 👑VIP — Mumbai ☎️ 9910780858 🎀Niamh@ Churchgate Call Girls Near Me @ Sexy Call Girls in Delhi
Dev Dives: Mining your data with AI-powered Continuous Discovery
Want to learn how AI and Continuous Discovery can uncover impactful automation opportunities? Watch this webinar to find out more about UiPath Discovery products!
Watch this session and:
👉 See the power of UiPath Discovery products, including Process Mining, Task Mining, Communications Mining, and Automation Hub
👉 Watch the demo of how to leverage system data, desktop data, or unstructured communications data to gain deeper understanding of existing processes
👉 Learn how you can benefit from each of the discovery products as an Automation Developer
🗣 Speakers:
Jyoti Raghav, Principal Technical Enablement Engineer @UiPath
Anja le Clercq, Principal Technical Enablement Engineer @UiPath
⏩ Register for our upcoming Dev Dives July session: Boosting Tester Productivity with Coded Automation and Autopilot™
👉 Link: https://bit.ly/Dev_Dives_July
This session was streamed live on June 27, 2024.
Check out all our upcoming Dev Dives 2024 sessions at:
🚩 https://bit.ly/Dev_Dives_2024
Getting Started Using the National Research Platform
SoX Monthly Workshop
Remote Presentation
September 29, 2023
Balancing Compaction Principles and Practices
Compaction is a crucial component for preventing storage consumption from exploding. In this session, we’ll talk about why compaction is required and its principles of operation, the main compaction strategies available for use, when they should be used, and how they can be configured. Finally, we’ll present new compaction features recently introduced in ScyllaDB Enterprise and ScyllaDB Cloud.
Chapter 5 - Managing Test Activities V4.0
Test Management as Chapter 5 of ISTQB Foundation. Topics covered are Test Organization, Test Planning and Estimation, Test Monitoring and Control, Test Execution Schedule, Test Strategy, Risk Management, Defect Management
Multimodal Retrieval Augmented Generation (RAG) with Milvus
We've seen an influx of powerful multimodal capabilities in many LLMs. In this talk, we'll vectorize a dataset of images and texts into the same embedding space, store them in Milvus, retrieve all relevant data using multilingual texts and/or images and input multimodal data as context into GPT-4o.
Call Girls Firozabad ☎️ +91-7426014248 😍 Firozabad Call Girl Beauty Girls Fir...
Call Girls Firozabad ☎️ +91-7426014248 😍 Firozabad Call Girl Beauty Girls Firozabad Escort
Chapter 6 - Test Tools Considerations V4.0
Tool Support for Testing as Chapter 6 of ISTQB Foundation 2018. Topics covered are Tool Benefits, Test Tool Classification, Benefits of Test Automation and Risk of Test Automation
Leveraging AI for Software Developer Productivity.pptx
Supercharge your software development productivity with our latest webinar! Discover the powerful capabilities of AI tools like GitHub Copilot and ChatGPT 4.X. We'll show you how these tools can automate tedious tasks, generate complete syntax, and enhance code documentation and debugging.
In this talk, you'll learn how to:
- Efficiently create GitHub Actions scripts
- Convert shell scripts
- Develop Roslyn Analyzers
- Visualize code with Mermaid diagrams
And these are just a few examples from a vast universe of possibilities!
Packed with practical examples and demos, this presentation offers invaluable insights into optimizing your development process. Don't miss the opportunity to improve your coding efficiency and productivity with AI-driven solutions.
Recently uploaded (20)
An Introduction to All Data Enterprise Integration
An Introduction to All Data Enterprise Integration
“Efficiency Unleashed: The Next-gen NXP i.MX 95 Applications Processor for Em...
“Efficiency Unleashed: The Next-gen NXP i.MX 95 Applications Processor for Em...
Brightwell ILC Futures workshop David Sinclair presentation
Brightwell ILC Futures workshop David Sinclair presentation
Summer24-ReleaseOverviewDeck - Stephen Stanley 27 June 2024.pdf
Summer24-ReleaseOverviewDeck - Stephen Stanley 27 June 2024.pdf
Call Girls Kochi 💯Call Us 🔝 7426014248 🔝 Independent Kochi Escorts Service Av...
Call Girls Kochi 💯Call Us 🔝 7426014248 🔝 Independent Kochi Escorts Service Av...
Kubernetes Cloud Native Indonesia Meetup - June 2024
Kubernetes Cloud Native Indonesia Meetup - June 2024
ThousandEyes New Product Features and Release Highlights: June 2024
ThousandEyes New Product Features and Release Highlights: June 2024
Supplier Sourcing Presentation - Gay De La Cruz.pdf
Supplier Sourcing Presentation - Gay De La Cruz.pdf
Churchgate Call Girls 👑VIP — Mumbai ☎️ 9910780858 🎀Niamh@ Churchgate Call Gi...
Churchgate Call Girls 👑VIP — Mumbai ☎️ 9910780858 🎀Niamh@ Churchgate Call Gi...
Dev Dives: Mining your data with AI-powered Continuous Discovery
Dev Dives: Mining your data with AI-powered Continuous Discovery
Getting Started Using the National Research Platform
Getting Started Using the National Research Platform
Multimodal Retrieval Augmented Generation (RAG) with Milvus
Multimodal Retrieval Augmented Generation (RAG) with Milvus
Call Girls Firozabad ☎️ +91-7426014248 😍 Firozabad Call Girl Beauty Girls Fir...
Call Girls Firozabad ☎️ +91-7426014248 😍 Firozabad Call Girl Beauty Girls Fir...
Leveraging AI for Software Developer Productivity.pptx
Leveraging AI for Software Developer Productivity.pptx
CNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My Identity
- 1. Don’t Make Me Impersonate My Identity Lightning Talk Cynthia Thomas linkedin.com/in/cynthia-thomas, @_techcet_ GKE Security, Google Cloud
- 2. Kubernetes Pods and their identities - In Kubernetes, Pods are given a distinct identity within a Kubernetes cluster - How? Through a Service Account: typically an account type for non-humans - Pods are always given Service Accounts by default or configured
- 3. How to get Pods to talk to Cloud Resources Options: 1. Export credentials and mount as a Kubernetes secret in the Pod at runtime 2. Use the worker node/VM identity credential 3. Use Workload Identity Federation
- 4. Cloud provider K8s Cluster K8s Worker Nodes K8s Worker Nodes K8s Worker Nodes Namespace foo Pod Pod K8s Control Plane kube-API server Workload Identity Federation at work Step 2: Secured communication Cloud IAM Cloud API Step 1: Trust Established Blog: Kubernetes token support for OIDC
- 5. Before After Create Kubernetes namespace Create Kubernetes namespace Create Kubernetes Service Account (KSA) Create Kubernetes Service Account (KSA) Create Google Service Account Not needed Configure KSA to impersonate GSA Not needed Annotate KSA with the GSA so GKE knows the link Not needed Bind role to Google Service Account (GSA) Bind role directly to KSA SA Impersonation Just say no to impersonation
- 6. - Dont worry about managing secrets - Dont worry about identity impersonation - Federate identities - supports OIDC/SAML and now X.509 certificates with SPIFFE Don’t make me impersonate my identity Be more secure with Workload Identity Federation!