Early next year, AWS will launch one of the largest changes to its cloud product in decades. For the first time, they will launch a new partition<\/em>, the European Sovereign Cloud (ESC), open to anyone. This article covers why you might want to use it, what are some of the threats to consider, mitgations, and alternatives to consider.<\/p>"},{"title":"re:Invent 2025 recap","link":"https:\/\/www.chrisfarris.com\/post\/reinvent2025\/","pubDate":"Sun, 07 Dec 2025 07:25:35 +0000","guid":"https:\/\/www.chrisfarris.com\/post\/reinvent2025\/","description":" This will be the first re:Invent I’ve missed since 2015 (we don’t talk about 2020 - never happened - FAKE NEWS), but I’ve relocated to Portugal and, for various reasons, had to pre:Invent also started late this year. We really didn’t start to see any interesting announcements till mid-November. In previous years, I’ve seen pre:Invent start in early October. The number of keynote announcements was pretty disappointing, too; a few things were thrown in as a “shot clock” at the end of a GenAI-laden keynote.<\/p>\n I’m shocked that laying off tens of thousands of people and replacing them with GenAI has slowed innovation.<\/p>\n Once again, I’ve categorized the announcements into a handful of categories focused on the ones that matter most for security practitioners and cloud governance folks:<\/p>\n With the US Government acting in an erratic and hostile manner towards its traditional allies, it makes sense for companies not typically subject to US Jurisdiction to reconsider their threat models when using the big three cloud providers. All of them are US-based companies, and all three conduct a substantial amount of business with the US Government.<\/p>"},{"title":"Implementing Security Invariants in an AWS Management Account","link":"https:\/\/www.chrisfarris.com\/post\/payer-invariants\/","pubDate":"Tue, 24 Dec 2024 19:40:00 -0500","guid":"https:\/\/www.chrisfarris.com\/post\/payer-invariants\/","description":" I’ve spoken a lot about Security Invariants<\/a>, but all of them have been implemented using Organizational Policies. That’s great, but organizational policies don’t apply to the Organizational Management Account (aka “payer”). So how does one implement invariants in a payer account?<\/p>\n AWS would tell you that you shouldn’t be giving anyone access to the payer account, so the need for invariants should be minimal. However, that doesn’t reflect the reality that AWS never protected its customers from themselves and prevented the enabling of Organizations or Control Tower in an account with existing workloads. I would say this is a failure of Customer Obsession and demonstrates Security is not the Top Priority. AWS would hide behind shared responsibility and blame the customer.<\/p>\n Regardless, there are many cases where workloads are in a payer account, and as a security person, you need to live with those workloads while protecting the rest of the AWS Organization. So, how do we build invariants into a payer account when SCPs and RCPs don’t apply?<\/p>\n Enter Permission Boundaries.<\/p>"},{"title":"Farris's Three Laws of Auto Remediation","link":"https:\/\/www.chrisfarris.com\/post\/three-laws\/","pubDate":"Mon, 16 Dec 2024 17:31:27 -0500","guid":"https:\/\/www.chrisfarris.com\/post\/three-laws\/","description":" I’ve finally settled on the wording for Farris’s Three Laws of Cloud Security Auto Remediation<\/strong>:<\/p>\n I think these reflect the key tenants of auto-remediation while staying true to the original source of the Three Laws<\/a>.<\/p>"},{"title":"How AWS needs to change","link":"https:\/\/www.chrisfarris.com\/post\/aws-call-to-action\/","pubDate":"Sun, 01 Dec 2024 00:00:00 +0000","guid":"https:\/\/www.chrisfarris.com\/post\/aws-call-to-action\/","description":" In previous<\/a> posts<\/a>, I took AWS to task for not making the customer’s security Job Zero. This offended some sensibilities, so let me lay out my It\u2019s once again pre:Invent, that magical season where AWS announces new features related to their legacy<\/em> products (cloud) before they jump all-in on Generative AI magician gimmicks at re:Invent in Las Vegas. Once again, I will be in attendance at re:Invent, although I start to question my life choices every time I get off the plane in Vegas and am hit by the dry air, cigarette smoke, and insanely bright lights. Oh, right, I agreed to do a breakout session with Rich Mogull: DEV401 - Security invariants: From enterprise chaos to cloud order.<\/em> We\u2019re in Mandalay Bay (which is on the ass end of the strip) and in a silent disco setup, so I won\u2019t be offended if you don\u2019t attend, but if you do, Rich and I will probably set up for lunch somewhere afterward and talk about practical cloud security.<\/p>\n This is also my 5th year doing a pre:Invent round up. I almost decided not to do one. I\u2019m in Germany this Thanksgiving week giving thanks that I\u2019m not in the US for a bit. But at least it is conditioning me for the cigarette smoke onslaught I\u2019ll experience in the casinos.<\/p>"},{"title":"Effective Techniques for AWS Ransomware","link":"https:\/\/www.chrisfarris.com\/post\/effective-aws-ransomware\/","pubDate":"Wed, 06 Nov 2024 17:38:31 -0500","guid":"https:\/\/www.chrisfarris.com\/post\/effective-aws-ransomware\/","description":" In order to profit effectively from a ransomware attack, a threat actor needs to have something to offer in return for payment. This blog post outlines a process to encrypt AWS resources and then revoke access to the secret material until the ransom is paid.<\/p>\n Apparently, this post caused some consternation at AWS, and perhaps this technique is too effective to publish here. So, the original post has been revised to remove the actual scripts, include some mitigations, and provide commentary on how both Public Cloud (AWS Included) and Generative AI are dangerous tools in the hands of the general public and need more regulation.<\/strong><\/em><\/p>"},{"title":"Your AWS Account is a floating cloud of garbage. Mine is too.","link":"https:\/\/www.chrisfarris.com\/post\/garbage-account\/","pubDate":"Sun, 03 Nov 2024 07:37:55 -0500","guid":"https:\/\/www.chrisfarris.com\/post\/garbage-account\/","description":"Cloud Hygiene is a Cloud Security problem, and we need to cleanup the pollution in our cloud environments"},{"title":"The Cloud is Darker and More Full of Terrors - Sec-T 2024","link":"https:\/\/www.chrisfarris.com\/post\/sect2024\/","pubDate":"Fri, 13 Sep 2024 00:00:00 -0400","guid":"https:\/\/www.chrisfarris.com\/post\/sect2024\/","description":" In September 2024, I returned to Stockholm<\/a> to give a talk at Sec-T<\/a>. The Slides are here<\/a>, and the YouTube Video is here<\/a>.<\/p>\n In the last year or so talking to organizations of all sizes, shapes, and security budgets, it’s become clear there is a deeper problem than just “developers don’t know how to not make a bucket public”. How we as an industry use the public cloud is fundamentally unsafe.<\/strong> We wouldn’t give any random 16-year-old kid with a driver’s license a 787 to fly. Yet, with the public cloud, anyone with a credit card can sign up for one of the most technically complex creations the IT Industry has ever created. Engineers fresh out of school are given access to enterprise cloud tenants and told to deploy their applications. At no point do the cloud providers take reasonable measures to ensure you<\/em> are qualified to operate the cloud safely, nor are their default auto-pilot settings all that safe.<\/p>"},{"title":"Public Cloud is the most insecure form of infrastructure, except for all the others.","link":"https:\/\/www.chrisfarris.com\/post\/uctm\/","pubDate":"Tue, 23 Apr 2024 12:00:00 -0400","guid":"https:\/\/www.chrisfarris.com\/post\/uctm\/","description":"Sir Winston Churchill, introducing the Universal Cloud Threat Model to the House of Commons, June 1940."},{"title":"Wandering in a Winter Wonderland","link":"https:\/\/www.chrisfarris.com\/post\/oslo\/","pubDate":"Sat, 17 Feb 2024 07:30:17 -0500","guid":"https:\/\/www.chrisfarris.com\/post\/oslo\/","description":" The fine folks at HackCon<\/a> invited me to Oslo to speak at their security conference. You can find the cloud security ramblings<\/a> elsewhere on this site; this post is another in my series of practical advice for traveling outside the US.<\/p>\n HackCon was held in Oslo, Norway (cool) in February (wait, what?), and I’m happy to report I made it back home with all my fingers and toes and didn’t freeze to death.<\/p>"},{"title":"Chris Farris in the Multicloud of Madness","link":"https:\/\/www.chrisfarris.com\/post\/madness\/","pubDate":"Wed, 14 Feb 2024 04:02:58 -0500","guid":"https:\/\/www.chrisfarris.com\/post\/madness\/","description":" Multicloud is Madness!!!!<\/strong><\/em><\/p>\n Your organization is doing a poor job protecting the one cloud you have. Why in heaven’s name would you want to deploy into another cloud? In this two-part blog post, we’ll cover details from my HackCon 2024<\/a> talk “Chris Farris in the MultiCloud of Madness”<\/em> (slides<\/a>). Part one is here, and it covers all the weirdness between the three major hyperscalers - AWS, Azure, and GCP. The second part will provide checklists to help you establish Minimally Viable Cloud Governance<\/a> in each cloud.<\/p>"},{"title":"SecurityHub revisited","link":"https:\/\/www.chrisfarris.com\/post\/securityhub-2023-2\/","pubDate":"Wed, 27 Dec 2023 15:50:00 -0400","guid":"https:\/\/www.chrisfarris.com\/post\/securityhub-2023-2\/","description":" So earlier this year, I wrote (and then much later published) a blog post ripping AWS Security Hub<\/a>. That led to conversations with folks on that team, and I got a chance to look at Security Hub’s new Central Configuration<\/a> capabilities.<\/p>\n In short - this is an improvement for folks who use Security Hub and the built-in Security Standards<\/a>. Sadly, it doesn’t solve many of the presentation issues that conflate “Compliance” and “Security”.<\/p>"},{"title":"re:Invent 2023 recap","link":"https:\/\/www.chrisfarris.com\/post\/reinvent2023\/","pubDate":"Sun, 03 Dec 2023 16:15:24 -0400","guid":"https:\/\/www.chrisfarris.com\/post\/reinvent2023\/","description":" I’m back from re:Invent and still trying to adjust my sleep schedule (I’m on the East Coast and go to bed early; 6 pm Las Vegas time is my biological clock’s bedtime).<\/p>\n This year was one of my favorite re:Invents. I got to meet old and new co-workers and hang out with a lot of Community Builders<\/a> and AWS Heroes<\/a>, talk to service teams about what they should do to make their products work more for the security 99%<\/a>. I got to a couple of good chalk talks on GenAI and GenAI security, which will help inform my poking at that over the holidays.<\/p>\n As for announcements, in the last seven days, there were 195 things posted to AWS What’s New<\/a>. These are the ones I care to follow up on.<\/p>\n For simplicity, we’ll break them down into:<\/p>\n As has been my tradition the last few years, I prep for re:Invent by reviewing all the interesting announcements that happen in the weeks leading up to the event. This gives me a chance to keep an eye out for sessions and chalktalks related to things I care about, and a chance to corner an SA or product manager at the AWS Booth and go like this:<\/p>\n \n This year I’ll be attending AWS as a Security Hero. The good news for all 845,000 attendees is that I don’t have to wear tights. Instead I’ll be hanging out in the Heroes lounge with the other Heroes and Community Builders (hopefully sipping mimosas during the keynotes).<\/p>"},{"title":"The Consistently Inconsistence response to Access Key Leaks","link":"https:\/\/www.chrisfarris.com\/post\/akia-response\/","pubDate":"Tue, 03 Oct 2023 19:23:52 -0400","guid":"https:\/\/www.chrisfarris.com\/post\/akia-response\/","description":" So I did it again<\/a>. Proving I’m the most incompetent Security Hero EVER<\/a>, I committed eight different access keys to a public GitHub repository for eight different AWS Accounts.<\/p>\n What is fascinating is the consistently inconsistent response of AWS support. Behold a tale of seven cities and a professor.<\/p>"}]}}miss<\/del> skip it this year. Normally, I do a pre:Invent post on Thanksgiving morning as a prep for what I want to ask about, but this year it’s a summary of both pre:Invent and re:Invent.<\/p>\n\n
\n
95<\/del> 13 Thesis against the current AWS Culture and how it is neither Customer-Obsessed<\/a>, nor makes security job zero.<\/p>"},{"title":"AWS pre:Invent 2024","link":"https:\/\/www.chrisfarris.com\/post\/preinvent2024\/","pubDate":"Wed, 27 Nov 2024 00:50:03 -0500","guid":"https:\/\/www.chrisfarris.com\/post\/preinvent2024\/","description":"\n
![\"Jackie](\"https:\/\/www.chrisfarris.com\/post\/preinvent2023\/jackiechan.jpg\")
\n\n<\/p>\n