Security

DynamoDB now supports cross-account access. But is that a good idea?

DynamoDB now supports resource-based policies, which simplified cross-account access to tables.

But just because you can, doesn’t mean you should!

Cross-account access to DynamoDB tables is almost always a smell. But as with everything, there are exceptions and edge cases. You should think carefully before you use resource-based policies to enable cross-account access to your DynamoDB tables.

In this post, let’s explore some legitimate use cases for cross-account access to DynamoDB tables.

How to secure CI/CD pipelines without burning developer production to the ground

When it comes to CI/CD roles, your instinct might be to lock them down to just what they need, because we all want to follow the principle of least privilege. But as you will see in this post, this comes with a hefty price in terms of developer productivity, and it’s not as secure as you might think.

So instead, I prefer a more holistic approach when it comes to securing CI/CD pipelines, involving account boundaries, SCPs, ABAC and the use of permissive roles. Come in and find out how.

How to create private, VPC-only DynamoDB tables

You don’t need network security to keep your DynamoDB data safe. However, adding network security on top of IAM authentication and authorization is not a bad thing. Sometimes, it’s even necessary to meet regulatory requirements.

In this post, let’s see how to put DynamoDB in a VPC so your data can only be accessed from within that VPC. We will look at what works best for feature teams and what works best for platform teams.

The Old Faithful: Why SSM Parameter Store still reigns over Secrets Manager

Managing and securing application secrets is a crucial part of any cloud-native application. AWS offers two primary services: the Systems Manager (SSM) Parameter Store and the more recent Secrets Manager. You might think Secrets Manager is the better choice for managing secrets because it’s a newer service and offers more advanced features such as cross-region …


Implementing Magic Links with Amazon Cognito: A Step-by-Step Guide

Last week, we looked at implementing passwordless authentication using one-time passwords (OTPs) using Cognito [1]. Another popular passwordless authentication method is magic links where: The user initiates the sign-in process by entering their email in your application. They receive an email with a time-limited URL. The user clicks on the URL and is authenticated into …


Passwordless Authentication made easy with Cognito: a step-by-step guide

Password-based authentication has long been the norm for securing user accounts. However, it is becoming increasingly clear that password-based authentication has several drawbacks, such as the risk of password theft, the need for users to remember complex passwords, and the time and effort required to reset forgotten passwords. Fortunately, more and more websites have started …


Yes, S3 now encrypts objects by default, but your job is not done yet

Update 06/04/2023: AWS announced that S3 now enables the “block public access” and “disable ACL” settings for all new buckets. It’s great to see these being enabled by default. But the points I raised in the post still stand. The default encryption (SSE-S3) only protects against situations when someone has stolen data from AWS servers/disks …


Group-based auth with AppSync Lambda authoriser

AWS AppSync added support for Lambda authorizers on 30th July 2021, which made it much easier to implement group-based authorization with 3rd party identity services.

Group-based auth with AppSync and Cognito

I previously wrote about how you can secure multi-tenant applications with AppSync and Cognito, where you can use custom attributes to capture the tenant …

