Five Functional Facts about AWS Identity and Access Management

This post is part of an open-ended series I’m writing where I take a specific protocol, app, or whatever-I-feel-like and focus on five functional aspects of that thing in order to expose some of how that thing really works.

The topic in this post is the AWS Identity and Access Management (IAM) service. The IAM service holds a unique position within AWS: it doesn’t get the attention that the machine learning or AI services get, and doesn’t come to mind when buzzwords like “serverless” or “containers” are brought up, yet it’s used by–or should be used by–every single AWS customer (and if you’re not using it, you’re not following best practice, tsk, tsk) so it’s worthwhile to take the time to really get to know this service.

Let’s begin!

1 – The root user supersedes IAM policies

The main reason I threw a bit of shade about following best practice and always using IAM has to do with the root user in an account. The root user is what’s created when a new AWS account is opened. The username for the root user is always an email address and the root user is able to log into the AWS account Continue reading

Using Kubeadm to Add New Control Plane Nodes with AWS Integration

In my recent post on using kubeadm to set up a Kubernetes 1.13 cluster with AWS integration, I mentioned that I was still working out the details on enabling AWS integration (via the AWS cloud provider) while also using new functionality in kubeadm (specifically, the --experimental-control-plane flag) to make it easier to join new control plane nodes to the cluster. In this post, I’ll share with you what I’ve found to make this work.

The challenge here, by the way, is that you can’t use the --config <filename>.yaml flag and the --experimental-control-plane flag at the same time. I did try this, and the results of my testing led me to believe that although kubeadm doesn’t report an error, it does ignore the --experimental-control-plane flag. (Kubernetes experts/contributors, feel free to let me know if I’ve missed something here.)

After some trial-and-error—mostly my own fault because I didn’t take the time to review the v1beta1 kubeadm API docs ahead of time—I finally arrived at a working configuration that allows you to use kubeadm join --config <filename>.yaml to join a control plane node to an existing AWS-integrated Kubernetes cluster.

Credit for finding the solution goes to Rafael Fernández López, Continue reading

Online Trust Audit Finds Better Email Authentication and Encryption; Worse Privacy Statement Scores

Do you know how – or even if – your favorite retailer, or your bank, or your ISP is working to protect you? The Online Trust Alliance recognizes excellence in consumer protection, data security and responsible privacy practices. Today, we released the 10th annual Online Trust Audit & Honor Roll, covering more than 1,200 predominantly consumer-facing websites, and found that 70% of the websites we analyzed qualified for the Honor Roll. That’s the highest proportion ever, driven primarily by improvements in email authentication and session encryption.

Highlights

Overall, we found a strong move toward encryption, with 93% of sites encrypting all web sessions. Email authentication is also at record highs; 76% use both SPF and DKIM (which prevent spoofed/forged emails) and 50% have a DMARC record (which provides instruction on how to handle messages that fail authentication).

It’s not all good news, though. We also found that only 11% of organizations use mechanisms for vulnerability reporting, which allows users to report bugs and security problems. Only 6% use Certificate Authority Authorization, which limits certificate abuse. And overall privacy scores dropped compared to last year, primarily due to more stringent scoring in light of the E.U.’s General Continue reading

What SDN is and where it’s going

Hardware reigned supreme in the networking world until the emergence of software-defined networking (SDN), a category of technologies that separate the network control plane from the forwarding plane to enable more automated provisioning and policy-based management of network resources.SDN's origins can be traced to a research collaboration between Stanford University and the University of California at Berkeley that ultimately yielded the OpenFlow protocol in the 2008 timeframe. [Learn more about the difference between SDN and NFV. Get regularly scheduled insights by signing up for Network World newsletters] OpenFlow is only one of the first SDN canons, but it's a key component because it started the networking software revolution. OpenFlow defined a programmable network protocol that could help manage and direct traffic among routers and switches no matter which vendor made the underlying router or switch. To read this article in full, please click here

REST API Is Not Transactional

This blog post was initially sent to subscribers of my SDN and Network Automation mailing list. Subscribe here.

I was walking down the infinite hallways of Cisco Live Europe chatting with the fellow Tech Field Day Extra delegates when I probably blanked out for a minute as the weirdest of thoughts hit me: “REST API is not transactional

TL&DR: Apart from using structured data and having error codes REST API is functionally equivalent to Cisco IOS CLI from 1995

Read more ...

How to deal with backup when you switch to hyperconverged infrastructure

Companies migrating to hyperconverged infrastructure (HCI) systems are usually doing so to simplify their virtualization environment. Since backup is one of the most complicated parts of virtualization, they are often looking to simplify it as well via their migration to HCI.Other customers have chosen to use HCI to simplify their hardware complexity, while using a traditional backup approach for operational and disaster recovery. Here’s a look at cover both scenarios.To read this article in full, please click here

How to deal with backup when you switch to hyperconverged infrastructure

Companies migrating to hyperconverged infrastructure (HCI) systems are usually doing so to simplify their virtualization environment. Since backup is one of the most complicated parts of virtualization, they are often looking to simplify it as well via their migration to HCI.Other customers have chosen to use HCI to simplify their hardware complexity, while using a traditional backup approach for operational and disaster recovery. Here’s a look at cover both scenarios.To read this article in full, please click here

More DOH

DOH is not going away. It seems that the previous article on DOH has generated some reaction, and also there is some further development that should be reported, all of which I'll cover here.

Five Functional Facts about AWS Identity and Access Management

This post is part of an open-ended series I'm writing where I take a specific protocol, app, or whatever-I-feel-like and focus on five functional aspects of that thing in order to expose some of how that thing really works.

The topic in this post is the AWS Identity and Access Management (IAM) service. The IAM service holds a unique position within AWS: it doesn't get the attention that the machine learning or AI services get, and doesn't come to mind when buzzwords like “serverless” or “containers” are brought up, yet it's used by-or should be used by-every single AWS customer (and if you're not using it, you're not following best practice, tsk, tsk) so it's worthwhile to take the time to really get to know this service.

Let's begin!

How to identify duplicate files on Linux

Identifying files that share disk space relies on making use of the fact that the files share the same inode — the data structure that stores all the information about a file except its name and content. If two or more files have different names and file system locations, yet share an inode, they also share content, ownership, permissions, etc.These files are often referred to as "hard links" — unlike symbolic links that simply point to other files by containing their names. Symbolic links are easy to pick out in a file listing by the "l" in the first position and -> symbol that refers to the file being referenced.$ ls -l my* -rw-r--r-- 4 shs shs 228 Apr 12 19:37 myfile lrwxrwxrwx 1 shs shs 6 Apr 15 11:18 myref -> myfile -rw-r--r-- 4 shs shs 228 Apr 12 19:37 mytwin Identifying hard links in a single directory is not as obvious, but it is still quite easy. If you list the files using the ls -i command and sort them by inode number, you can pick out the hard links fairly easily. In this type of ls output, the first column shows the inode numbers.To read Continue reading

Nyansa’s Voyance expands to the IoT

Nyansa announced today that their flagship Voyance product can now apply its AI-based secret sauce to IoT devices, over and above the networking equipment and IT endpoints it could already manage.Voyance – a network management product that leverages AI to automate the discovery of devices on the network and identify unusual behavior – has been around for two years now, and Nyansa says that it’s being used to observe a total of 25 million client devices operating across roughly 200 customer networks. More on IoT:To read this article in full, please click here

Why You Should Block Notifications and Close Your Browser

Every so often, while browsing the web, you run into a web page that asks if you would like to allow the site to push notifications to your browser. Apparently, according to the paper under review, about 12% of the people who receive this notification allow notifications. What, precisely, is this doing, and what are the side effects?

Papadopoulos, Panagiotis, Panagiotis Ilia, Michalis Polychronakis, Evangelos P. Markatos, Sotiris Ioannidis, and Giorgos Vasiliadis. “Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation.” In Proceedings 2019 Network and Distributed System Security Symposium. San Diego, CA: Internet Society, 2019. https://doi.org/10.14722/ndss.2019.23070.

Allowing notifications allows the server to kick off one of two different kinds of processes on the local computer, a service worker. There are, in fact, two kinds of worker apps that can run “behind” a web site in HTML5; the web worker and the service worker. The web worker is designed to calculate or locally render some object that will appear on the site, such as unencrypting a downloaded audio file for local rendition. This moves the processing load (including the power and cooling use!) from the server to the client, saving money Continue reading

The Hallway Track Is Open For Scheduling

The Hallway Track at DockerCon is an innovative space designed to help facilitate those valuable conversations that come from chance hallway encounters. Instead of leaving it to chance, we’ve partnered with e180 to provide a platform that helps you find like-minded people to meet and learn from, discussing topics you are both interested in.

 The Hallway Track is open Monday through Thursday, and it’s best to schedule your meetings in advance. Register for DockerCon and then follow these steps to log in and start scheduling your Hallway Tracks today:

  1. Explore the Market – where all participants post knowledge offers of topics they are willing to share, or questions they want to brainstorm.
  2. Pick a topic from the list and/or create your own offers or questions. You don’t have to be an expert to post!
  3. Schedule your Hallway Tracks and meet in person at the Hallway Track Lounge at DockerCon (Lobby, Level 2).

The Hallway Track is your opportunity to meet and share knowledge with other attendees, Docker Staff, Speakers, and Docker Captains. Register for DockerCon today and look out for email instructions to log into the Hallway Track platform.

Arriving for early registration before the Welcome Reception on Monday? Continue reading

1 1,211 1,212 1,213 1,214 1,215 3,793