Use AWS Config To Hunt Public S3 Buckets

This post covers using AWS Config as a starting point to find public s3 buckets in your organization.

November 2, 2020 · 2 min · Me

Find Resources With AWS Config

Use AWS Config to locate AWS resources

August 12, 2020 · 3 min · Me

How to Securely Configure CloudFlare with S3

This post covers how to secure an S3 bucket serving content through Cloudflare

April 17, 2020 · 4 min · Me

Site Update: Cloudflare

This site now uses CloudFlare

April 16, 2020 · 2 min · Me

AWS Cloudwatch

AWS CloudWatch enables monitoring and alerting on cloud events.

April 3, 2020 · 4 min · Me

AWS Security Hub

AWS Security Hub eases the pain of cloud monitoring

February 21, 2020 · 4 min · Me

Protect AWS API Gateway with AWS WAF

Help protect APIGW from attackers with AWS WAF

January 31, 2020 · 5 min · Me

AWS CloudTrail

AWS CloudTrail is the cornerstone of cloud SECOPS

January 30, 2020 · 3 min · Me

Cross-Account file access on AWS S3

The Problem Secure file sharing using AWS S3: I upload a file to an S3 bucket with restricted permissions The client downloads the file and processes it The client uploads the results to the S3 bucket I download the processed file and the transaction is complete I thought setting the permissions on the bucket would be enough. I was wrong. The Setup I use a federated login to AWS and assume a role under a corporate account....

March 30, 2018 · 3 min · Me

Fix AWS SSL Certificate error in Burpsuite

This morning, while I was trying to proxy traffic to this site in Burpsuite, I ran across an SSL handshake error. Googling the issue returned this helpful article that got me started on the right path. The crux of the problem was that the JRE didn’t have the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files installed. However, since this article was published, Portswigger began bundling the JRE with Burpsuite itself....

January 11, 2017 · 2 min · Me

Static Sites in 2016 - Updated

In a previous post I discussed the complicated process of configuring S3 to use Letsencrypt to obtain a TLS certificate. That post served as a reference for me to re-implement Letsencrypt every 90 days. Since then, my 90-day Letsencrypt certificate expired, and I was at a loss for how to re-instate it. Using my own post as a reference didn’t help me with the arcane letsencrypt errors I was encountering....

October 3, 2016 · 3 min · Me

Static Sites in 2016

It’s early 2016, and there are a multitude of content management systems and blog platforms out there: Wikipedia’s List of Content Management Systems The security blog I contribute to, Penetrate.IO runs on the venerable Wordpress and requires constant updates to stay one step ahead of attackers. This becomes tiresome after a while, especially since the only thing I’m interested in hosting is a series of articles. These don’t require server-side computation, simply hosting....

March 25, 2016 · 7 min · Me