Securing the Cloud #17

?? Welcome to the 17th Edition of Securing the Cloud! ???

Hello, Cloud Security Warriors! It's Brandon Carroll, the Cloud Security Guy, here with another edition that's sure to sharpen your skills and spark some thought. This week we're zooming in on AWS CodePipeline for cloud security best practices, weighing the pros and cons of in-person vs. WFH at the start of your IT career, and sharing some brain-boosting tips to improve your memory for those crucial learning moments. Let's go!

Cloud Security Best Practices: CodePipeline ????

Building on the foundation we laid in the 16th edition with AWS CodeCommit, let's expand into the world of AWS CodePipeline. CodePipeline is a continuous integration and continuous delivery (CI/CD) service that automates your software release processes, enabling you to rapidly and reliably deliver features and updates.

Imagine you're managing network infrastructure and need to enforce stringent security practices across your cloud resources. CodePipeline can be the conduit for all changes, integrating security checks at every stage—from code commits to deployment.

Consider a scenario where you're updating network configurations to enhance security. With CodePipeline, you'd first write your Infrastructure as Code (IaC), such as AWS CloudFormation templates, to define the desired network changes. CodePipeline then automates the build, test, and deployment of these configurations, ensuring every update undergoes a rigorous security assessment.

Setting Up with AWS CLI: To set up a basic pipeline with AWS CLI, you'd perform the following steps:

Create a pipeline that specifies the source provider (like CodeCommit) and a build project (using CodeBuild):

aws codepipeline create-pipeline --cli-input-json file://pipeline.json

Your pipeline.json file would define the pipeline structure and stages.

Add a stage for security checks, where automated tests are run to validate your network configurations against security policies.

Deploy, where the approved, tested code is automatically deployed to your cloud environment.

What about the pipeline.json file we mentioned above? Here's a simple example of what might be included in a pipeline.json file for creating a basic pipeline. The JSON example that follows, defines a pipeline with two stages: Source and Build. The Source stage is connected to an AWS CodeCommit repository, and the Build stage is set up to use AWS CodeBuild.

{

"pipeline": {

"name": "Network-Security-Pipeline",

"roleArn": "arn:aws:iam::123456789012:role/AWSCodePipelineServiceRole",

"artifactStore": {

"type": "S3",

"location": "codepipeline-us-east-1-123456789012"

},

"stages": [

{

"name": "Source",

"actions": [

{

"name": "SourceAction",

"actionTypeId": {

"category": "Source",

"owner": "AWS",

"provider": "CodeCommit",

"version": "1"

},

"runOrder": 1,

"configuration": {

"RepositoryName": "MyDemoRepo",

"BranchName": "main"

},

"outputArtifacts": [

{

"name": "SourceOutput"

}

],

"inputArtifacts": []

}

]

},

{

"name": "Build",

"actions": [

{

"name": "BuildAction",

"actionTypeId": {

"category": "Build",

"owner": "AWS",

"provider": "CodeBuild",

"version": "1"

},

"runOrder": 1,

"configuration": {

"ProjectName": "MySecurityBuildProject"

},

"outputArtifacts": [

{

"name": "BuildOutput"

}

],

"inputArtifacts": [

{

"name": "SourceOutput"

}

]

}

]

}

],

"version": 1

}

}

Of course, this file should be customized to fit the specific AWS account and region, IAM roles, and resource names relevant to your environment. The role specified in roleArn needs to have the appropriate permissions to access CodeCommit, CodeBuild, and the S3 artifact store.

This overall process illustrates how CodePipeline enforces a disciplined, security-first approach to managing and updating network infrastructure, ensuring that every change is deliberate, secure, and aligned with best practices.

Career Advice: Office or Home Office? ????

In the world of IT and network security, the question of where we work is as pressing as how we work. According to a Gartner survey, 82% of company leaders plan to allow employees to work remotely some of the time, while 47% will allow employees to work from home full-time [Gartner, 2020]. This reflects a significant shift from pre-pandemic norms and opens up a dialogue about the most conducive environment for career development when starting in IT.

While remote work offers flexibility and comfort, the office environment provides structured learning opportunities, especially for those new to the field. Being physically present allows for immediate collaboration, mentorship, and learning through osmosis – picking up skills by simply being in an environment surrounded by expertise.

To be clear, my take here is that those new to the field should spend more time in the office than working from home. There are benefits you can gain from being in the office rather than working from home 100% of the time. You can see my thoughts here:

https://www.tiktok.com/@thecloudsecurityguy/video/7325184445823110442

Now, for those opting for the office, here are a few tips to make the most of it:

• Network Relentlessly: Use the opportunity to form connections with experienced colleagues.
• Seek Mentorship: Look for guidance from seasoned professionals who can offer insights that you may not find in remote settings.
• Engage in Live Problem-Solving: The office is a live lab; participate actively in brainstorming sessions and troubleshooting.

Whether you are required to be in the office or you opt to do it on your own, the key is to remain adaptable and make conscious choices that align with your professional development path.

Certification and Learning Tips: Boosting Memory ???

In the realm of IT certification and continuous learning, a strong memory isn't just a benefit—it's a necessity. Enhancing your memory can be the key to not only passing certification exams but also to excelling in your professional development.

Mnemonic Devices: Mnemonics are a time-tested method to remember complex information. For instance, to remember the OSI model layers, the phrase "Please Do Not Throw Sausage Pizza Away" can be used, with each first letter representing a layer (Physical, Data Link, Network, etc.). I asked ChatGPT for some help creating some Mnemonics to remember AWS concepts. Here is what we came up with:

Mnemonic: "CCC Data Streams"

Explanation:

• CodeCommit
• CodeBuild
• CodePipeline
• Developer Tools
• AWS Amplify
• Terraform
• Artifact Store
• Source Code Repository
• Stack Updates

This mnemonic helps remember the key components of a GitOps pipeline in AWS, including CodeCommit, CodeBuild, CodePipeline, and other relevant tools and resources, and this is exactly what our current theme is for January and February!

Here is another on what's needed to create a VPC:

Mnemonic: "Subnets Gather Routes, Internet, Peering, and ACLs"

Explanation:

• Subnets
• Gateway (Internet or NAT)
• Route Tables
• Internet Gateway
• Peering Connections
• Access Control Lists (Network ACLs)

This mnemonic outlines the essential components to set up a Virtual Private Cloud (VPC) in AWS, such as subnets, gateways, route tables, internet gateways, peering connections, and network ACLs.

And how about one more to remember the storage tiers in AWS:

Mnemonic: "Frequent, Infrequent, Glacier, Archive"

Explanation:

• Frequent Access (S3 Standard)
• Infrequent Access (S3 Standard-IA)
• Glacier
• Archive (S3 Glacier Deep Archive)

This mnemonic helps remember the different Amazon S3 storage classes, from the most commonly accessed 'S3 Standard' to the least accessed 'S3 Glacier Deep Archive', based on the frequency of access and cost considerations.

OK, so what else can we do to improve our memory?

Visualization and Mind Mapping: Visual aids like charts, graphs, and mind maps can be incredibly effective. For example, when learning network topologies, drawing out a mind map can help in visualizing and remembering the connections and functionalities of each network type. Let's tie this back to our GitOps theme. Here is an example of how I created a mind map using Obsidian and a mind map plugin using my GitOps markdown notes.

Here is a nice resource of AWS Mind maps I came across@

Spaced Repetition: This technique involves reviewing information at increasing intervals. Using flashcards for network protocols or security policies and revisiting them at set intervals can significantly enhance retention. Here is an example plan to use spaced repetition to learn about GitOps:

Day 1: Learn the basics of GitOps. Read articles, watch introductory videos, and write a summary of what GitOps is, why it's beneficial, and its key principles. Focus on understanding the core concepts without too much detail.

Day 2: Review your summary from Day 1. Create a mind map that includes GitOps tools like AWS CodeCommit, CodeBuild, and CodePipeline. Try to recall the details without referring back to the original materials.

Day 4: Two days after your last session, revisit the mind map. This time, add additional details you might have missed, such as the role of AWS Amplify and Terraform in a GitOps workflow. Create flashcards for each tool with a description of its purpose and use cases.

Day 7: One week from the start, test yourself with the flashcards. Then, try to explain GitOps and its components to a friend or colleague without notes. Discuss any real-world applications and how each component contributes to the workflow.

Day 14: Two weeks after your initial learning, write a blog post or report on GitOps, detailing the flow of operations from code commit to deployment. Include real-life scenarios or case studies if possible.

Day 30: After a month, engage in a more practical application. Try setting up a simple CI/CD pipeline using the AWS suite of tools, applying the concepts you've learned.

Every 60 days: Review the process by updating the pipeline with new features or tools, or teaching the concepts to someone else. Each review should reinforce and build upon your existing knowledge.

By gradually increasing the intervals between reviews, you ensure that the information is transferred from short-term to long-term memory, cementing your understanding of GitOps. Now lets look at our last method to improve our memory.

Teaching Others: They say the best way to learn is to teach. Explaining concepts like cloud security or network configuration to a peer or through a blog post can reinforce your understanding and memory.

Remember, improving memory is a skill, and like any other skill, it gets better with practice. Regularly engaging in exercises that challenge and enhance your memory will pay dividends in your IT career.

To practice this memory aid, use the comments below to teach me something you just learned. Go ahead, try it and let me learn from you!!!

Wrapping it up!

As we close out this edition of Securing the Cloud, remember that whether you’re orchestrating a CodePipeline, choosing between the buzz of an office or the quiet of a home workspace, or developing mnemonic devices to enhance your memory, the journey is yours to shape. Each step you take is a building block in your cloud security career. Keep exploring, keep learning, and don't be afraid to share your knowledge – it's one of the best ways to solidify it.

Until we meet again, remember to engage with your peers, ask questions, seek out new learning opportunities, and embrace the continuous evolution of the IT landscape. And, of course, I can't wait to hear what you've taught others (and will teach me) in the comments!

Happy Labbing, and see you in the next edition! ????

#SecuringTheCloud #CodePipeline #GitOps #AWS #CloudSecurity #ITCareer #RemoteWork #LearningTips #MemoryEnhancement #TeachToLearn