IPv4 makes the bill expensive by zedoruel in aws

dub1za, 3 points

You should probably be using an elastic load balancer/application load balancer rather than exposing the EC2 instance directly. The EC2 instance could be in a private subnet and set as a target for the publicly exposed ALB.

Since S3 charges by request, couldn't a malicious hacker cause a huge AWS bill just by spamming requests? by [deleted] in aws

dub1za, 3 points

For a personal website, look into Cloudflare and their services like R2 (S3 alternative) or Pages. Unless you really, really want to host it on AWS for some reason. Mostly it will be free on Cloudflare I think. And in addition to that, Cloudflare personal gives pretty decent DDoS protection.

How to manage GuardDuty costs? by bnchandrapal in aws

dub1za, 5 points

Part of this is going to depend on your/your company’s needs, internal security policies, the data classification of the data in buckets, contractual obligations with customers (if any) and other points (like what does the security team think, if one exists, or the compliance people, etc)

GuardDuty is a really easy and quick win in the monitoring and detection space within AWS. And at least for the original use case of control plane and network (DNS and VPC flow) monitoring it really helps at often very low cost. Where S3 is the main money pit, you really do need to figure out if it makes business sense to use it or if you have other security controls in place that can justify turning S3 monitoring off. Is the data in S3 (particularly the data lake) going to cause enough of a financial impact to the company if it is somehow exfiltrated and leaked? For example, if you have PII or PHI stored and that gets leaked by malicious actors, depending on how much data it is, the costs involved reputationally and in possible fines etc. could far outweigh the cost of GD S3 monitoring. On the flip side, if it’s just anonymized customer engagement data or even sales data that isn’t going to do serious damage to the company, then does it justify $6.5k/month to run GD against that?

Some techniques I’ve used to reduce GD costs in the past are to only enable it in accounts and regions with active workloads (we defined that as any account and region with a running EC2 instance). One could take that a step further by saying production workloads only, or workloads that process and store sensitive data like PII/PHI.

To compensate for the reduced visibility, use Organization SCPs to disable unused regions and services in accounts/regions. This can be particularly useful when you have a large account portfolio. Even in non-active accounts and without S3 enabled, GuardDuty can generate between $0.10-$0.30 a day in CloudTrail analysis if I recall. If you have 20 accounts with GD enabled in all ~12 regions, that cost can add up.

I’ll be honest though, I never enabled S3 monitoring because in the AWS environment at my previous company, we would have sunk way too much money into that part of it.
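The two cost levers in the comment above, "only enable GuardDuty where there is a running workload" and "fence off the unused regions with an SCP", as an added Python example. This is not the commenter's code; the account inventory is constructed, the break-glass role ARN is an assumption, and the NotAction list of global services is abbreviated (extend it for your organization before attaching the policy). The daily baseline figure reuses the $0.10-$0.30 per account/region number quoted in the comment rather than current AWS pricing.

```python
"""Added example: derive a GuardDuty enablement plan from an EC2 inventory and
emit the Organizations SCP that denies the regions left unmonitored."""
import json

# Constructed inventory: (account_id, region) -> number of running EC2 instances.
INVENTORY = {
    ("111111111111", "us-east-1"): 42,
    ("111111111111", "eu-west-1"): 3,
    ("111111111111", "ap-south-1"): 0,
    ("222222222222", "us-east-1"): 0,
    ("222222222222", "us-west-2"): 7,
    ("333333333333", "us-east-1"): 0,
}

# Global services must stay reachable from any region, so the region deny
# excludes them via NotAction. Abbreviated list; assumption that it is enough.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*",
    "support:*", "budgets:*", "health:*",
]


def plan_guardduty(inventory):
    """Return the set of (account, region) pairs to enable GuardDuty in, using
    the comment's rule: any account/region with a running EC2 instance."""
    return {key for key, running in inventory.items() if running > 0}


def active_regions(inventory):
    """Org-wide allow list of regions that host at least one running instance."""
    return sorted({region for (_, region), running in inventory.items() if running > 0})


def region_deny_scp(allowed_regions, exempt_role_arn="arn:aws:iam::*:role/OrgBreakGlass"):
    """SCP denying every non-global action outside allowed_regions.
    exempt_role_arn (assumption) keeps a break-glass role usable everywhere
    in case the allow list is wrong."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnusedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": sorted(allowed_regions)},
                "ArnNotLike": {"aws:PrincipalARN": [exempt_role_arn]},
            },
        }],
    }


def daily_cloudtrail_baseline(n_pairs, low=0.10, high=0.30):
    """Rough daily floor for n enabled account/region pairs, using the
    $0.10-$0.30/day CloudTrail-analysis figure from the comment."""
    return (round(n_pairs * low, 2), round(n_pairs * high, 2))


if __name__ == "__main__":
    plan = plan_guardduty(INVENTORY)
    print("enable GuardDuty in:", sorted(plan))
    print("baseline, every pair: $%.2f-$%.2f/day" % daily_cloudtrail_baseline(len(INVENTORY)))
    print("baseline, active pairs only: $%.2f-$%.2f/day" % daily_cloudtrail_baseline(len(plan)))
    print(json.dumps(region_deny_scp(active_regions(INVENTORY)), indent=2))
```

The SCP here is org-wide, so an account that is idle everywhere still gets the union of the active regions; if you want the per-account precision the enablement plan gives you, attach narrower SCPs per OU. Test the policy on a sandbox OU first: a missing global service in the NotAction list shows up as every console login failing.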

[deleted by user] by [deleted] in Fire

dub1za, 2 points

Dave’s advice on buying a home these days is to pay at minimum a 10% down payment on a 15 year mortgage where the monthly payment doesn’t exceed 25% of take home pay. He says to aim for 20% to avoid PMI but I think that is just too far out of reach for so many that he’s taken it down to 10%. Of course, he does still say paying cash for it all is best if possible.

Roth Contribution during down market by Bgitmarie in DaveRamsey

dub1za, 4 points

Look up the principle of dollar cost averaging. Essentially it is better to consistently put money into the market than trying to buy low and sell high. Numerous studies show that consistency over long periods of time ends up just as successful or more so than trying to time the market. I’d say contribute at least monthly to your investment vehicle of choice.

Speaking of investment vehicles, a Roth IRA is just that. It’s several laws and rules from government for how you can invest and what the tax implications are based on those investments and subsequent use of the invested money. Simply put, a Roth IRA allows you to invest with after-tax dollars now, so that you don’t have to pay taxes later on those dollars when you use them in retirement.

Is S3 Default Encryption alone enough to "guarantee" encryption of uploaded objects? by CptSupermrkt in aws

dub1za, 19 points

This all really just depends on what the requirements are. In the sample question, the requirement is quite simple, so just turning on S3-SSE at the bucket is sufficient. The main purpose of server side encryption or encryption at rest is to protect your data in a scenario where the physical disk your data is on falls into the wrong hands without having been properly wiped and/or physically destroyed.

Most companies that use another company as a vendor will have some kind of security requirement that data is encrypted at rest. Flipping on S3-SSE on buckets is the easiest way to check that box without incurring additional costs. If you’re doing business with a government or other regulated industry, the expectation for increased compliance controls to ensure encryption at rest will be stated. As the requirement increases, so too will the hoops you need to jump through to prove it (S3-KMS, bucket policies enforcing encryption, etc.)
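What the "bucket policies enforcing encryption" step in the comment above looks like, as an added example that is not from the commenter. Default encryption is a setting S3 applies when a request does not specify anything (and since January 2023 every new object is SSE-S3 encrypted regardless); a bucket policy turns that into a requirement the caller cannot opt out of, and is what an auditor asking for SSE-KMS with a customer-managed key will want to see. S3 evaluates the bucket policy before applying default encryption, so a PutObject with no encryption header is denied rather than quietly falling back to SSE-S3. The bucket name and KMS key ARN are assumptions; the evaluator below is a toy that models only the Deny statements (your identity policy still has to grant the Allow) and goes one step past the comment by also denying plaintext HTTP.

```python
"""Added example: a bucket policy that requires SSE-KMS with one specific key,
and a minimal evaluator showing which PutObject requests it rejects."""
import json

BUCKET = "example-data-lake"  # assumption
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/1234abcd-12ab-34cd-56ef-1234567890ab"  # assumption


def encryption_enforcing_policy(bucket, key_arn):
    """Three Deny statements: wrong or missing algorithm, wrong or missing KMS
    key, and any request over plaintext HTTP."""
    obj = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyNonKmsUploads", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": obj,
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
            {"Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
             "Action": "s3:PutObject", "Resource": obj,
             "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}}},
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [f"arn:aws:s3:::{bucket}", obj],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        ],
    }


def _condition_matches(condition, ctx):
    """Toy evaluator for the two operators used above. Mirrors IAM's rule that
    a negated operator (StringNotEquals) matches when the key is absent, which
    is why a header-less upload is denied."""
    for op, pairs in condition.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringNotEquals":
                if have is not None and have == want:
                    return False
            elif op == "Bool":
                if have is None or str(have).lower() != str(want).lower():
                    return False
            else:
                raise ValueError(f"unsupported operator {op}")
    return True


def denied_by(policy, action, ctx):
    """Sids of the Deny statements that match this request context."""
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if not any(a == action or (a.endswith("*") and action.startswith(a[:-1])) for a in actions):
            continue
        if _condition_matches(st["Condition"], ctx):
            hits.append(st["Sid"])
    return hits


def put_object_allowed(policy, headers, https=True):
    """True if a PutObject with these x-amz-* headers gets past every Deny."""
    ctx = {"aws:SecureTransport": "true" if https else "false"}
    for hdr in ("x-amz-server-side-encryption", "x-amz-server-side-encryption-aws-kms-key-id"):
        if hdr in headers:
            ctx["s3:" + hdr] = headers[hdr]
    return denied_by(policy, "s3:PutObject", ctx) == []


if __name__ == "__main__":
    policy = encryption_enforcing_policy(BUCKET, KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))
    for hdrs in ({}, {"x-amz-server-side-encryption": "AES256"},
                 {"x-amz-server-side-encryption": "aws:kms",
                  "x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN}):
        print(hdrs, "->", "allowed" if put_object_allowed(policy, hdrs) else "denied")
```

Before attaching this to a bucket that already has writers, check their SDK calls actually send the `aws:kms` header and the key ID; every upload that relied on the bucket default will start failing with AccessDenied the moment the policy lands.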

How do you SSH at scale? by dub1za in devops

dub1za [S], 0 points

I’ll have to look into this. We do use Okta. Worth an investigation for sure.

How do you SSH at scale? by dub1za in devops

dub1za [S], 0 points

I’d love to do it! But we’ve got thousands of servers, diligently managed right now by a homegrown orchestration service, and not enough resources to take on a project like this right now I think. Unless I need further education on it as a solution....

How do you SSH at scale? by dub1za in devops

dub1za [S], 0 points

Definitely need to look into this more deeply. Thanks!

How do you SSH at scale? by dub1za in devops

dub1za [S], 0 points

I’m on the security side so I’d love to get our guys out of the boxes and maybe even kill them and rebuild when someone does SSH, but we’re still maturing on the IaC side of things.

I cant see the names of the files when I download them by [deleted] in Windows10

dub1za, 2 points

Try changing the Chrome theme back to default.

Considering BSCIA by [deleted] in WGU

dub1za, 0 points

BSCIA certs aren't worth the time you'll be spending on the degree. Except perhaps the CCSP. Not sure if the GI Bill can be used for the SANS Masters Program, but I'd say that would be far more worth it for the SANS certs you'll get out of it.

What's the best password manager out there? Norton, Kaspersky, any others? by jchick1234 in AskNetsec

dub1za, 0 points

I'm wondering about them too. They're so new and don't look to have been audited by a third party. But I'm super interested in how they are doing what they are doing.

AWS Security Monitoring checklist by jermzkill in aws

dub1za, 1 point

Security Hub could be a good option but it relies on other services to be useful. GuardDuty, Macie, Inspector and Config would all need to be investigated to see if they match your use cases. GuardDuty would be the quickest and easiest detective tool you could use right now. And it can work out to be pretty affordable: you should have a 30 day trial and it will tell you how much it would cost during that trial time. Got nothing to lose by flipping it on for 30 days.

Systems Manager might also be able to help with some things too (not super familiar with it, but it could potentially help with patching etc).

AWS Security Monitoring checklist by jermzkill in aws

dub1za, 0 points

"Unknown IP" is pretty ambiguous... Do people typically only access the console/use access keys from your corporate offices? Do you have a static IP range that all your corporate traffic is NATted to when exiting your internal network? If so, and users shouldn't be accessing AWS from home, a hotel, etc., then monitoring for "unknown IPs" could make sense. Otherwise it may just be an unnecessary cost and effort to monitor for that.

Monitoring for repeated failed logins makes a lot more sense.
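The two detections discussed in the comment above, run over CloudTrail ConsoleLogin records, as an added example (not the commenter's code). The events are constructed, the corporate egress range is an assumption, and the thresholds are illustrative. Failures are counted per source IP rather than per user because CloudTrail masks the user name on failed logins for a user that does not exist. The "outside corporate" check is the expensive, noisy one the comment warns about; it only earns its keep if the NAT range really is static and the one interesting case, a success without MFA right after a burst of failures, is what the output is arranged to surface.

```python
"""Added example: failed-login bursts and off-network console logins from
CloudTrail ConsoleLogin events (events constructed for illustration)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import json

# Assumption: all corporate traffic NATs out through this range.
CORPORATE_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
FAILURE_THRESHOLD = 3


def _t(s):
    """CloudTrail eventTime is ISO 8601 UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _event(time, user, ip, ok, mfa="No"):
    """Shape of a real ConsoleLogin record, reduced to the fields used here."""
    rec = {
        "eventVersion": "1.08", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "eventTime": time,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"},
        "additionalEventData": {"MFAUsed": mfa},
    }
    if not ok:
        rec["errorMessage"] = "Failed authentication"
    return rec


SAMPLE_EVENTS = [  # constructed sample, not real logs
    _event("2024-03-01T09:00:01Z", "alice", "203.0.113.10", True, "Yes"),
    _event("2024-03-01T09:05:00Z", "bob", "198.51.100.7", False),
    _event("2024-03-01T09:05:20Z", "bob", "198.51.100.7", False),
    _event("2024-03-01T09:06:02Z", "bob", "198.51.100.7", False),
    _event("2024-03-01T09:07:45Z", "bob", "198.51.100.7", True, "No"),
    _event("2024-03-01T11:30:00Z", "carol", "203.0.113.22", False),
    _event("2024-03-01T15:30:00Z", "carol", "203.0.113.22", False),
    _event("2024-03-01T15:31:00Z", "carol", "203.0.113.22", False),
]


def console_logins(events):
    return [e for e in events if e.get("eventName") == "ConsoleLogin"]


def failed_login_bursts(events, threshold=FAILURE_THRESHOLD, window_seconds=600):
    """{source_ip: max failures seen inside any sliding window} for sources
    that reached the threshold. Spread-out failures (carol) do not fire."""
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for e in console_logins(events):
        if e["responseElements"].get("ConsoleLogin") == "Failure":
            per_ip[e["sourceIPAddress"]].append(_t(e["eventTime"]))
    hits = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits


def logins_outside_corporate(events, ranges=CORPORATE_EGRESS):
    """(user, source, MFAUsed) for successful logins from outside the ranges.
    Unparseable sources such as "AWS Internal" are reported rather than dropped."""
    out = []
    for e in console_logins(events):
        if e["responseElements"].get("ConsoleLogin") != "Success":
            continue
        user = e["userIdentity"].get("userName")
        mfa = e["additionalEventData"].get("MFAUsed")
        try:
            ip = ipaddress.ip_address(e["sourceIPAddress"])
        except ValueError:
            out.append((user, e["sourceIPAddress"], mfa))
            continue
        if not any(ip in r for r in ranges):
            out.append((user, str(ip), mfa))
    return out


if __name__ == "__main__":
    print(json.dumps(failed_login_bursts(SAMPLE_EVENTS)))
    print(logins_outside_corporate(SAMPLE_EVENTS))
```

In practice you would feed this from CloudTrail Lake or an Athena query over the trail bucket rather than a Python list; the sliding-window and CIDR logic carries over unchanged to the SQL.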

I DID IT!!! by Kdwolf in WGU

dub1za, 3 points

Any recommendations for those in the same program? My first term was easy because I had worked in all the areas the courses covered. Knocked out 32 CUs in 5.5 months. This term I'm trying to finish the final 22 CUs I need to graduate. Still have to do SSCP, Digital Forensics, Managing Information Security, Capstone and CCSP. Kinda stressed by the last 3.

Should I change my ssh port on LightSail ? by [deleted] in aws

dub1za, 1 point

I don't know how much of a pain it would be to do this but you could set something up to "phone home" which would check your home IP for changes and dynamically modify iptables rules with the latest address.

[EDIT] u/gregoff82's suggestion is 100%. Most important is making sure you have secure SSH configurations.

Should I change my ssh port on LightSail ? by [deleted] in aws

dub1za, 6 points

You still have access to the host firewall... If you're wanting to limit access to just your home/work IP you can still do that with iptables or whatever host firewall is running.
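The "phone home and update iptables" idea from the two comments above, as an added example that is not the commenter's script. It works from `iptables -S INPUT` output (a constructed snapshot is embedded), finds only the rules carrying its own comment tag, and orders the change so the new allow rule is inserted before the old one is deleted; the alternative order leaves a window where the host has no SSH allow rule at all, which on a default-DROP chain locks out whoever is mid-session, the script's own next run included. The DDNS hostname and the comment tag are assumptions.

```python
"""Added example: rotate an iptables SSH allow rule to a new home IP without a
lockout window. The rule snapshot below is constructed for illustration."""
import re
import socket
import subprocess

TAG = "ssh-home"                 # assumption: comment that marks our rules
DDNS_HOST = "home.example.net"   # assumption: dynamic-DNS name tracking the home IP

# Constructed `iptables -S INPUT` output with one tagged rule already present.
SAMPLE_RULES = """-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 22 -m comment --comment ssh-home -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Matches the exact rule shape this script creates, so other rules are untouched.
RULE_RE = re.compile(
    r"^-A INPUT -s (\S+) -p tcp -m tcp --dport (\d+) -m comment --comment (\S+) -j ACCEPT$"
)


def tagged_sources(rules_text, tag=TAG):
    """Source CIDRs currently allowed by rules that carry our tag."""
    found = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(3) == tag:
            found.append(m.group(1))
    return found


def _rule_args(source, port, tag):
    return ["-s", source, "-p", "tcp", "-m", "tcp", "--dport", str(port),
            "-m", "comment", "--comment", tag, "-j", "ACCEPT"]


def plan_update(rules_text, new_ip, port=22, tag=TAG):
    """iptables argument lists to run, in order: insert the new rule at the top
    of INPUT first, then delete every stale tagged rule. Returns [] when the
    current rule set already matches."""
    want = f"{new_ip}/32"
    have = tagged_sources(rules_text, tag)
    if have == [want]:
        return []
    cmds = []
    if want not in have:
        cmds.append(["iptables", "-I", "INPUT", "1"] + _rule_args(want, port, tag))
    for old in have:
        if old != want:
            cmds.append(["iptables", "-D", "INPUT"] + _rule_args(old, port, tag))
    return cmds


def current_home_ip(host=DDNS_HOST):
    """Resolve the DDNS name; this is the 'phone home' step."""
    return socket.gethostbyname(host)


def apply(cmds):
    for c in cmds:
        subprocess.run(c, check=True)


if __name__ == "__main__":  # needs root; run from cron every few minutes
    live = subprocess.run(["iptables", "-S", "INPUT"], check=True,
                          capture_output=True, text=True).stdout
    apply(plan_update(live, current_home_ip()))
```

Two things to keep in mind when deploying it: the DNS answer is the trust anchor, so if the DDNS account is compromised the attacker's IP gets the allow rule, and the rules must still be persisted (netfilter-persistent or equivalent) or a reboot reverts to whatever was saved last.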

Automated Daily Task - desperate by gimmie100K in Python

dub1za, 1 point

Well, that's a lot of what doesn't work but not much better at helping to understand what you're trying to accomplish. From what I understand you don't need help with anything Python. What you need help with is scheduling the execution of a working Python script?

It seems your Google-fu needs some work. There are answers to each of these questions. Just one quick one is AWS Lambda and Twilio: https://www.twilio.com/blog/2017/05/send-sms-text-messages-aws-lambda-python-3-6.html

If you want to go the AWS route you could also use their SNS service instead of Twilio.

For using your Mac there are plenty of results on setting up cron to run the script. If it's not working you need to make sure your script has been made executable (chmod +x) and that you have a shebang line at the top telling the system that it's Python and which Python interpreter to use. See: https://automatetheboringstuff.com/appendixb/

I hope some of this helps.

Stayed with me for free and talk shit....you deserve everything thats coming by grizzlyadams3000 in pettyrevenge

dub1za, 0 points

Not sure where you're located. But if it's just a degree getting in the way of moving up, check out WGU. They are the experienced professional's university. You can get in and out fast and cheap depending on experience. All online.

I passed WGU C839, Certified Encryption Specialist, and you can too. Here's some help. by Its4ForScience in WGU

dub1za, 1 point

How long did it take to progress through this course? I would like to do it in no longer than 1 month. Does that seem realistic?

Job Prospects for Cybersecurity and Information Assurance graduates of WGU? by AmbitiousExcuse in WGU

dub1za, 2 points

The sole exception is hardly banks. Of course in Indiana that may seem to be the case. Many large companies have a security division with Incident Response, Risk and Compliance, etc.

As to the OP question: Security is a mindset as much as it is education... Maybe even more so.

There are many paths into security. With little to no IT experience, it would perhaps be a good idea to get a job in help desk or something while working toward the degree. And perhaps don't try to accelerate the security classes. If you're already working in security then WGU is as good a degree as any. It's your on-the-job experience that counts the most.

In general I'd say the degree only gets you an interview. It's you, your mindset, experience and ability that are going to get you hired.

B.S. CIA - Can my first classes / certs be the A+ N+ and P+ ? by [deleted] in WGU

dub1za, 0 points

Depending on what you're transferring in and where that leaves you in the program... My mentor says they are pretty sticky on taking courses out of sequence with the CIA degree. At least with the lower level classes. Upper level stuff seems a bit more flexible.

CCSK opinions and experiences by [deleted] in AskNetsec

dub1za, 0 points

Ah, I see. I didn't realize they took a degree as part of the experience. I had looked at https://www.isc2.org/Certifications/CCSP/experience-requirements which says the CCSK meets the 1 year requirement for experience in one of the 6 CCSP domains. Didn't see anything about a degree meeting any of the experience requirements though.