Gone in 60 ms: Intrusion and Exfiltration in Serverless Architectures [video] (opens in new tab)

(media.ccc.de)

34 pointsASUmusicMAN9y ago7 comments

7 comments

This made me put "sign up on gun.io" on my to-do list. Very cool talk, very sympathetic guy (+1 for rapid fire info,+10 for making a stand for hacker aesthetics and fun in hacking)

Mizza9y ago

Thanks man! :D

windexh8er9y ago

Is the repo still empty due to that one little NDA tidbit? o_O

thatwebdude9y ago

AKA!!!

So, if IAM is the keys to the city for Lambda, how can I be sure I'm using IAM correctly on AWS (Since AWS documentation is not great). Any suggestions? (asking for a friend...)

Mizza9y ago

(Presenter here) - My opinion is that there is no magic bullet here. There are some 3rd party tools that can help to audit your IAM usage for large organizations, but I think manual review is necessary. I think Amazon is also starting to roll out some of there own tools. There are some general best practices you can implement - keep production on a different _account_, don't allow the use '*' anywhere, things like that.

After the talk, I spoke to a nice Dutch man who told me the way they handled it at their company was to randomly turn off an overly broad permission and see who came to complain!

Pica_soO9y ago

Great Talk.

GrumpyNl9y ago

Have to watch this guy, next time he gives a talk. Rapid but motivational.

j / k navigate · click thread line to collapse

7 comments

wojcech9y ago

This made me put "sign up on gun.io" on my to-do list. Very cool talk, very sympathetic guy (+1 for rapid fire info,+10 for making a stand for hacker aesthetics and fun in hacking)

Mizza9y ago

Thanks man! :D

windexh8er9y ago

Is the repo still empty due to that one little NDA tidbit? o_O

thatwebdude9y ago

AKA!!!

So, if IAM is the keys to the city for Lambda, how can I be sure I'm using IAM correctly on AWS (Since AWS documentation is not great). Any suggestions? (asking for a friend...)

Mizza9y ago

After the talk, I spoke to a nice Dutch man who told me the way they handled it at their company was to randomly turn off an overly broad permission and see who came to complain!

Pica_soO9y ago

Great Talk.

GrumpyNl9y ago

Have to watch this guy, next time he gives a talk. Rapid but motivational.

j / k navigate · click thread line to collapse