Writing secure AWS IAM policies for applications is hard. Auditing them and ensuring the Principle of Least Privilege is applied is equally difficult. So much so that the solution involves big data. Yet, in our consulting experience, poorly written IAM Policies create serious security risks that fly under the radar of most security teams. As a result, this blog post walks you through the process of writing and maintaining secure IAM policies that make both developer and security teams’ work easier by automating the process and helping you address the #5 ranked OWASP Top 10 Web Application Security Risk.
“A full 80% of data breaches are caused by silly mistakes by those responsible for managing secrets,” according to Rashmi Jha, Microsoft program manager, as quoted by InfoSecurity. Clearly, managing secrets is vital and is oft-cited as a leading IT security challenge. So, even though we have access to great tools for managing secrets and configurations when developing applications for the cloud, getting secrets management right still matters. As a result, we’ll share in this article best practices for managing application secrets. While we use Amazon ECS and AWS Secrets Manager as our example, these best practices can be applied to other services as well.
If you are an HPC administrator and you’ve recently been asked to look at how you can take advantage of AWS, you may have opened an account and been overwhelmed with options. There are a LOT of choices available when you log in to AWS. On the one hand, that’s exciting because there are likely some things there that you don’t have available in your on-premises datacenter. On the other hand, it can be intimidating and time-consuming to narrow down your choices into something that will meet your technical and budgetary needs. Not to be alarmist, but a wrong choice could lead to unnecessary cost overruns or scalability issues. This guide is meant to help you cut to the chase on some key options.
We all know that a proper testing framework accelerates a team’s productivity and efficiency. Testing serverless is no different; a proper testing framework to ensure accuracy and reliability is vital, because if the serverless architecture fails, the business can suffer any number of consequences that impact reputation, customer satisfaction, revenue and more. In addition, remediating issues can be resource-intensive. As a result, in today’s blog, we’ll share the steps we took to integrate Jenkins with a serverless testing framework to improve visibility and ease administration of Ansible Playbooks at Flux7. Following these steps, you, too, can grow visibility and decrease administrative overhead while lowering remediation costs.
Engineers are understandably attracted to serverless as it allows them to execute code in response to events without the complexity of building and maintaining infrastructure. In a previous article, we shared how a serverless framework allows you to develop, deploy, test, secure and monitor any number of serverless applications with increased agility and a lower cost of ownership. While we compared different models and gave a high-level overview of serverless with example use cases, in today’s article, we’ll highlight how Flux7 implemented an AWS serverless framework for one of its customers with best practices.
Experts agree that the biggest security threat comes from inside the business. While reports of breaches from insider threats range from Security Intelligence’s 75% to 60% in an IBM survey, the overarching point is clear: intentionally or unintentionally, employees present the biggest security risk. Identity and Access Management (IAM) helps address this threat by applying the principle of least privilege, keeping the business safe by allowing internal employees, external customers, and business partners access to only those resources necessary to perform their function.
Amazon Web Services (AWS) Elastic Beanstalk (EB) is a service to deploy your code. This easy-to-use service works as a Platform as a Service (PaaS). It supports familiar web application platforms, such as PHP, Node.js, Ruby, Python, Java and .NET. You simply choose your software stack and upload your code. AWS takes care of provisioning the environment, deploying the code, load balancing, auto scaling, and health monitoring. At the end of the process, it prints a URL used to access the application.
High availability has become a key requirement for every layer of a modern technology stack, and message broker software has become a significant component of most stacks. In this article, we will present a RabbitMQ tutorial: how to create highly available message queues using RabbitMQ. RabbitMQ is an open-source message broker (also called message-oriented middleware) that implements the Advanced Message Queuing Protocol (AMQP). The RabbitMQ server is written in the Erlang programming language.
For assured success, it is important to monitor your systems for ongoing operational efficiency, security, and compliance with internal policies. In June we shared with you our Enterprise DevOps Framework in which inspectors, like logs, play a critical role in analyzing services in the pipeline and landing zone to ensure compliance with operational, security, and regulatory requirements.
As AWS experts, we often get asked how different technologies can work with AWS. Most recently we had a customer ask us how to use Azure Active Directory (AD) to manage user authentication to access the AWS console. While we don’t often discuss hybrid cloud technologies in this blog, we thought we’d share with you how we configured Azure AD to manage access to the AWS console.
Amazon Web Services (AWS) Elastic Load Balancing (ELB) is widely used to build highly available and highly scalable architectures. Nowadays, ELB is as common as EC2 for many customers using AWS. Elastic Load Balancing supports the following protocols: HTTP, HTTPS, TCP and SSL (secure TCP).
In the last post, as part of our ongoing Docker Tutorial Series, we discussed Docker Hub and the Docker Registry API. In today’s post, let’s delve into the Docker Remote API, a REST API that replaces the remote command line interface (rcli). For the purpose of this tutorial, we have used cURL, a command-line tool for making requests to URLs. It helps make requests, get and send data, and retrieve information.
Throughout our Docker Tutorial Series, we have discussed many significant Docker components and commands. In today’s series installment, we dig deeper into Docker and uncover Docker APIs.
In an earlier post for the Docker Tutorial Series, we discussed the first 15 Docker commands. We shared some hands-on experience in how they are used and what they do. In this post, we will talk about another 15 Docker commands, leading us to a more practical experience using Docker.
Security is taken seriously when it comes to open source accountability, and it’s no different when developers embrace Docker, from building applications locally right up to production deployments. A big responsibility that comes with being deployed in so many places is a serious focus on the security of Docker as a project and a platform. As a result, we’ve decided to discuss in part 5 of our Docker Tutorial Series the key areas of security Docker focuses on and why they matter to overall Docker security.
In the previous Docker Tutorial Series post, we discussed the importance of the Dockerfile and provided a list of Dockerfile commands that make the automation of image creation easier. In this post, let’s talk about a significant Docker component: Docker Registry. This is the central registry for all repositories, public and private, and their workflows.
In our last Docker Tutorial Series post, we shared the 15 commands that got us onboard with Docker. That set of Docker commands is the manual way to create images: building them, as well as committing, searching, pulling and pushing them. But why opt for the long, tedious way of creating images when it can all be automated? So, let’s automate! Docker offers us the automation solution in the Dockerfile. In this post, we will discuss what a Dockerfile is, what it is capable of doing, and some basic Dockerfile syntax.
In part one of our Docker Tutorial Series, we learned about the basics of Docker. We examined how it works and how it’s installed. In this post, let’s now learn the 15 Docker commands and get some hands-on experience in how they are used and what they do.
Docker, the new trending containerization technique, is winning hearts with its lightweight, portable, “build once, configure once and run anywhere” functionalities. This is part one of Flux7’s Docker tutorial series. As we move forward, together, we will learn and evaluate how Docker makes a difference, and how it can be put to the best use. Let’s learn Docker and nail it in less than six to seven weeks.
In a previous blog article, we discussed how to install and use a single-node OpenStack deployment. In this post, we will discuss how to install a multi-node OpenStack deployment.
OpenStack is highly configurable, meeting different needs by providing numerous storage and networking options. The first step in designing your own architecture is to choose whether to use a single-node or multi-node configuration.
As we at Flux7 Labs, AWS partners, work on deployments for our customers, many ask questions about basic AWS security issues, including those addressed by using Virtual Private Clouds (VPCs). So in this post, we provide a guide for setting up and using VPCs in order to help guide your AWS setup. This AWS VPC tutorial is based on our experience from using VPN in AWS deployments, both for Flux7 Labs’ internal systems and for our customers’ systems. VyScale, our cost- and performance-management solution, is an excellent tool for setting up systems inside of VPCs.
Ganglia is a distributed and highly scalable cluster monitoring tool based on a hierarchical model that supports a federation of clusters. Ganglia is easy to use, install and customize. It allows monitoring of memory, disk, CPU usage and other aspects of vital cluster health, and makes that information available for offline analysis.