Security

The Old Faithful: Why SSM Parameter Store still reigns over Secrets Manager

Managing and securing application secrets is a crucial part of any cloud-native application. AWS offers two primary services: the Systems Manager (SSM) Parameter Store and the more recent Secrets Manager. You might think Secrets Manager is the better choice for managing secrets because it’s a newer service and offers more advanced features such as cross-region …

The Old Faithful: Why SSM Parameter Store still reigns over Secrets Manager Read More »

Implementing Magic Links with Amazon Cognito: A Step-by-Step Guide

Last week, we looked at implementing passwordless authentication using one-time passwords (OTPs) using Cognito. Another popular passwordless authentication method is magic links where: The user initiates the sign-in process by entering their email in your application. They receive an email with a time-limited URL. The user clicks on the URL and is authenticated into the …

Implementing Magic Links with Amazon Cognito: A Step-by-Step Guide Read More »

Passwordless Authentication made easy with Cognito: a step-by-step guide

Password-based authentication has long been the norm for securing user accounts. However, it is becoming increasingly clear that password-based authentication has several drawbacks. Such as the risk of password theft, the need for users to remember complex passwords, and the time and effort required to reset forgotten passwords. Fortunately, more and more websites have started …

Passwordless Authentication made easy with Cognito: a step-by-step guide Read More »

Yes, S3 now encrypts objects by default, but your job is not done yet

Update 06/04/2023: AWS announced that S3 now enables the “block public access” and “disable ACL” settings for all new buckets. It’s great to see these being enabled by default. But the points I raised in the post still stand. The default encryption (SSE-S3) only protects against situations when someone has stolen data from AWS servers/disks …

Yes, S3 now encrypts objects by default, but your job is not done yet Read More »

How to setup geofencing and IP allow-list for Cognito user pool

AWS announced a new feature this week that lets you enable WAF protection for Cognito user pools. And one of the things you can do with this is to implement geo-fencing and IP allow/deny lists. Geo-fencing and IP allow/deny lists are usually implemented in the frontend as well as the backend APIs. But users (and …

How to setup geofencing and IP allow-list for Cognito user pool Read More »

Group-based auth with AppSync Lambda authoriser

AWS AppSync added support for Lambda authorizers on 30th July 2021 and it made it much easier to implement group-based authorization with 3rd party identity services. Group-based auth with AppSync and Cognito I previously wrote about how you can secure multi-tenant applications with AppSync and Cognito. Where you can use custom attributes to capture the tenant …

Group-based auth with AppSync Lambda authoriser Read More »

How to choose the right API Gateway auth method

Update 21/06/2020: following lots of feedback and questions on Twitter, I have updated the post to include a few more options. Quite a few clients have asked me “Hey Yan, what API Gateway auth method should I use for this REST API?” so I thought I’d share my answer with everyone here. This is the …

How to choose the right API Gateway auth method Read More »

The API Gateway security risk you need to pay attention to

When you deploy an API to API Gateway, throttling is enabled by default in the stage configurations. By default, every method inherits its throttling settings from the stage. Having built-in throttling enabled by default is great. However, the default method limits – 10k req/s with a burst of 5000 concurrent requests – matches your account …

The API Gateway security risk you need to pay attention to Read More »

Many-faced threats to Serverless security

Threats to the security of our serverless applications take many forms, some are the same old foes we have faced before; some are new; and some have taken on new forms in the serverless world. As we adopt the serverless paradigm for building cloud-hosted applications, we delegate even more of the operational responsibilities to our …

Many-faced threats to Serverless security Read More »

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close