Teri Radichel


AWS Deployment Framework — Where was I?

ACM.476 A summary of where I left off and am picking up and working on next after stepping away for a bit


In the last post in my series I had to jump over and fix some networking issues. I was testing out a particular network architecture I hope to deploy with my deployment framework, but first I had to get the whole thing working. Sometimes you need a sandbox to click around in and test things out, and then you automate it. Hopefully I’ll be showing you all that in the near-ish future but I’ve been really busy.

It’s been a while since I wrote about this framework because I had to complete some other things and got requests for a bunch of proposals all at once. Everyone is gearing up for the new year and scheduling their penetration tests earlier, thankfully!

I wrote about scheduling pentests here:

After writing that it looks like I might be busy in some of those months I mentioned. Thank you!

I wrote about penetration test proposals here:

All that funds what I’m writing about and helps my clients secure their systems.

Now I can get back to what I was doing for a minute — but I have to remember what I was doing. So here’s a recap.

  • I was organizing my code repositories to separate: deployment execution code, resource configuration (CloudFormation templates) and job configuration (in SSM Parameter Store). Users deploying resources may have access to one or all the repositories. This lends itself to better separation of duties and can limit the blast radius if an attacker obtains access to a session or credentials.
  • I created development and production repositories. I hope to demonstrate how I push code between them and over to AWS CodeCommit once I have the environment set up in AWS.
  • I’m starting to migrate that code to a new repository but I’m not finished. I have some other thoughts on that I’ll save for later.
  • The code is also revamped to allow for parallel resource deployments through either multiple jobs or the new configuration code that specifies which resources to deploy in parallel or not.
  • I kind of have the code working but I need to complete the first job that actually uses it end to end — the root job.
  • I also have some ideas about importing resources I want to flesh out.

All the prior posts are here:

In theory, once I have a fully working job that deploys the resources in my configuration I can easily create any new job by deploying a new SSM parameter as long as the underlying CloudFormation templates exist.

The deployment logic in its own repository handles execution and doesn’t care what is in the CloudFormation templates or the parameters passed into them. It is concerned with the scheduling and passing things around to execute the deployments.

The SSM parameters are simply data that define the execution flow and the parameters passed to the templates. The parameters themselves don’t execute anything. They define the job and the resources to be deployed.
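A sketch of that separation, as an added example that is not code from the framework in this series: a job definition is parsed strictly as data, every template it names must already exist, and the result is an ordered list of deployment batches. The JSON schema (`stages`, `parallel`, `resources`), the template paths and the `plan_job` helper are assumptions made for illustration; in practice the value would be read from SSM Parameter Store.

```python
import json

# Constructed sample: hypothetical job definition as it might be stored in an
# SSM parameter value. The schema (stages/parallel/resources) is an assumption.
SAMPLE_JOB = json.dumps({
    "job": "root",
    "stages": [
        {"parallel": False, "resources": [
            {"template": "iam/role.yaml", "params": {"Name": "root-admin"}}]},
        {"parallel": True, "resources": [
            {"template": "kms/key.yaml", "params": {"Alias": "deploy"}},
            {"template": "s3/bucket.yaml", "params": {"Name": "logs"}}]},
    ],
})

# Constructed stand-in for the templates present in the template repository.
KNOWN_TEMPLATES = {"iam/role.yaml", "kms/key.yaml", "s3/bucket.yaml"}

ALLOWED_RESOURCE_KEYS = {"template", "params"}


def plan_job(raw, known_templates):
    """Turn a job definition (pure data) into an ordered list of batches.

    Each batch is a list of (template, params) pairs that may be deployed
    together. Nothing in the job definition is evaluated or executed here.
    """
    job = json.loads(raw)  # data only: never eval() or source a parameter
    batches = []
    for stage in job["stages"]:
        steps = []
        for res in stage["resources"]:
            extra = set(res) - ALLOWED_RESOURCE_KEYS
            if extra:
                raise ValueError(f"unexpected keys: {sorted(extra)}")
            if res["template"] not in known_templates:
                raise ValueError(f"unknown template: {res['template']}")
            if not all(isinstance(v, str) for v in res["params"].values()):
                raise ValueError("template parameters must be strings")
            steps.append((res["template"], res["params"]))
        if stage["parallel"]:
            batches.append(steps)                 # one batch, run together
        else:
            batches.extend([s] for s in steps)    # one batch per resource
    return batches


if __name__ == "__main__":
    for n, batch in enumerate(plan_job(SAMPLE_JOB, KNOWN_TEMPLATES), 1):
        print(n, [template for template, _ in batch])
```

Because the planner rejects unknown keys and unknown templates, someone who can only write job parameters can choose among existing templates but cannot introduce new resource definitions or executable content.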

The templates should be generic and reusable definitions of compliant types that users can deploy in an AWS environment. As explained many times, I’m using microtemplates. That has various benefits as described here:

Alright now that I’ve refreshed my brain on what I was doing, let’s do it.


Teri Radichel | © 2nd Sight Lab 2024
