Teri Radichel


Resources To Deploy for an AWS Organization Using a Common Deployment Container

ACM.386 Taking a moment to regroup and think through code migration and re-deployment

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Part of my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: AWS Security | AWS Organizations

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post I finally got my container running my scripts with MFA after some fits and starts trying to do it cross-organization and cross-region.

Sometimes you just need to stop and think a bit.

The following is a list of things I think I need to create or recreate related to the Governance OU and Environment. I skipped over some of this before and jumped over to my Sandbox environment. Now I’m going to revisit all of this and see if I can get it done.

Importing vs. deleting or renaming and redeploying

Now I want to redeploy my governance environment with that container. I need to move my code over from the prior post into the container and run it from there. I don’t think I am going to bother importing existing resources as I did with my organization in this post. If anything has a conflicting name I’ll simply delete or rename it. If you can’t do that, you can leverage the import mechanism I used here.

What do I need to deploy or redeploy?

Here are the things I am going to redeploy with the new naming convention and leveraging the new directory structure. I’ll need to pull over the code I wrote about and created in prior posts. I also need to test this out to make sure it works as I’m envisioning it, so there may be changes down the line. It’s based on this earlier post for the most part:

Governance OU

  • Any Organizational settings I’m missing from my prior code plus new settings mentioned below.
  • An environment script that creates any new accounts in the environment with the account related resources for that environment, run by the OrgAdminRole.
  • Governance OU
  • Root Service Control Policies: Allowed Regions, DenyAll, Suspended, RestrictUsersToOwnCredentials
  • IAM, Governance, and Billing Accounts.
  • SSM Parameters (org and env) in each account and every other account created below. All the accounts in this list are part of the “governance” environment. The org name is pulled from the org parameter in the root account.
  • A rootadminrole in every account with full admin access that requires MFA and can only be assumed by the rootadmin in the management account.
  • OrgAdmin — an account that can assume any role in the “governance” environment to deploy resources that require multiple roles, like a new environment structure. The OrgAdmin can assume any admin role in the OrgAdmin OU.
  • IAMAdmin, GovernanceAdmin, BillingAdmin (admins of the three new accounts) with respective groups and a role in each account that can be leveraged by our container. All Admin roles across the organization will require MFA to assume and can be assumed by the OrgAdmin.
  • IAM, Governance, and Billing Cross-Account management roles for things the administrators cannot do outside the management account. I have been looking for a clearcut list of what those things are and so far cannot find it.
  • OrgAdmin Service Control Policies: An SCP that limits which accounts and roles can perform which actions. This policy gets updated as new accounts and permissions are added below. For example, once I create the KMS account, I restrict creation of all new KMS keys to this account.
  • DenyAll OU for accounts in which no actions are allowed.
  • Suspended OU for accounts that are closed but have not yet dropped off the list.
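
As an added example (not code from this post or the series), the following shows what two of the SCPs listed above (Allowed Regions, and the OrgAdmin rule that restricts KMS key creation to the KMS account) and the MFA-gated trust policy for the rootadminrole look like as policy documents, evaluated against sample requests with a small policy evaluator. The account IDs, region list, user and role names, and the global-service list are constructed assumptions.

```python
"""Allowed Regions SCP, restrict-KMS-key-creation SCP and an MFA-gated trust policy,
checked against sample requests with a deliberately small IAM policy evaluator.
All identifiers below are constructed placeholders, not values from the post."""
import json
from fnmatch import fnmatchcase

MANAGEMENT_ACCOUNT_ID = "111111111111"   # assumed management account
KMS_ACCOUNT_ID = "222222222222"          # assumed KMS account
ALLOWED_REGIONS = ["us-east-1", "us-west-2"]
# Region-less (global) services that a region deny must carve out, otherwise
# every IAM/STS/Organizations call would be denied too.
GLOBAL_SERVICE_PREFIXES = ["iam", "organizations", "sts", "support", "route53", "cloudfront", "budgets"]


def allowed_regions_scp(allowed_regions=ALLOWED_REGIONS):
    """Deny every regional action whose requested region is not on the allow list."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyOutsideAllowedRegions",
        "Effect": "Deny",
        "NotAction": [f"{svc}:*" for svc in GLOBAL_SERVICE_PREFIXES],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}},
    }]}


def restrict_kms_key_creation_scp(kms_account_id=KMS_ACCOUNT_ID):
    """Only the KMS account may create keys (the OrgAdmin SCP rule the post describes)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "OnlyKmsAccountCreatesKeys",
        "Effect": "Deny",
        "Action": ["kms:CreateKey"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:PrincipalAccount": kms_account_id}},
    }]}


def rootadminrole_trust_policy(management_account_id=MANAGEMENT_ACCOUNT_ID, user="rootadmin"):
    """Trust policy: only the rootadmin user in the management account, and only with MFA."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:user/{user}"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    """IAM action names are case-insensitive and support '*' wildcards."""
    if "Action" in statement:
        return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(statement["Action"]))
    return not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(statement["NotAction"]))


def _conditions_hold(condition, ctx):
    """Three operators only. A missing context key fails a positive operator (Bool,
    StringEquals) but satisfies a negated one (StringNotEquals), which is why the
    region SCP must exclude global services via NotAction."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals", "Bool"):
            raise ValueError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if operator == "StringEquals" and actual not in expected:
                return False
            if operator == "StringNotEquals" and actual in expected:
                return False
            if operator == "Bool" and str(actual).lower() != expected[0].lower():
                return False
    return True


def evaluate(policy, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for a request context; explicit Deny wins."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not _action_matches(st, ctx["action"]):
            continue
        if "Principal" in st and ctx.get("aws:PrincipalArn") not in _as_list(st["Principal"]["AWS"]):
            continue
        if "Condition" in st and not _conditions_hold(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def scp_denies(policy, ctx):
    """An SCP never grants anything; the only question is whether it explicitly denies."""
    return evaluate(policy, ctx) == "Deny"


if __name__ == "__main__":
    print(json.dumps(allowed_regions_scp(), indent=2))
    print(scp_denies(allowed_regions_scp(), {"action": "ec2:RunInstances", "aws:RequestedRegion": "eu-west-1"}))
```

The evaluator models only the three condition operators these policies use; before attaching real SCPs, run the candidate requests through IAM's policy simulator rather than relying on this simplified logic.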

Critical Resources OU

As described in the diagram in the post above I want to manage critical resources in particular accounts with Specific Administrators.

  • A Shared Resources OU for KMS, Networking, Domain, and Repository accounts
  • A KMS Account, administrator, group, role and policies — any new KMS keys I create will go in this account. I’ve done this before but need to revisit and make sure it works the way we want and proper logging gets enabled.
  • An Environment KMS Key shared to any account in that environment for use as needed. More granular keys can be leveraged as needed. The environment admin account has access to use the key to view anything encrypted with it in an environment.
  • A NetworkAdmin account, administrator, group, role, and policies for deploying network resources. Ultimately, networking jobs can run from this account, and any shared network resources, such as Shared VPCs, would exist in this account.
  • DeployAdmin Account including admin, group, role, and policies — this is the account for deployment jobs that move code between environments like GitHub to CodeCommit or Sandbox to Production.
  • Production Repository Account**, admin, group, role, and policies. This account maintains the ECR repository, CodeCommit repository, AMIs, containers, and packages used in production environments. Repositories for the governance environment.
  • Sandbox Repository Account**, admin, group, and policies. Same as production repository account but for development and QA. Repositories for the governance environment.

** Note that in a larger environment I’d likely also have QA and Staging repositories but we’ll start with this.

Security OU

  • A Security Monitoring Account that can manage security across the organization including any AWS Organizations security related services that span the organization. Delegate any of the AWS Organizations Security services to the Security account.
  • Organization Logs and Monitoring Services deployed by or leveraged by the security monitoring account. There are certain services that can be leveraged across the organization, like CloudTrail and GuardDuty. I need to get these all set up in this account. Where possible the security team will set up these logs and manage them in the Security Monitoring Account. This will be a one-stop shop to view all logs across the organization. I want to check out Security Data Lake but also need to review the cost.
  • A separate KMS key for logs in each environment. The Security Admin needs to be able to decrypt any logs throughout the organization. Each Environment Admin needs to be able to decrypt logs in their own environment.
  • OrgAdmin SCP: Logging SCP that enforces what logs must be configured for different services when deployed. Also, prevent anyone from deleting or modifying the CloudTrail log configuration once it is in place.
  • A Seller account for the AWS Marketplace with related user, group, roles. At some point I will revisit setting up a container on the AWS Marketplace.
  • IdP: Redeploy the IdP I set up for interaction with Okta. Create Okta logins for certain users and roles above to login to everything from one place. I still need to review Okta further. As noted previously I do not like that Okta lacks some network features I would like such as AWS PrivateLink integration. Perhaps those features would have helped in recent credential compromise attacks I wrote about in earlier posts, but I need to review all that further.
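
The two key-sharing rules above (an environment key usable by every account in the environment, and a per-environment logs key that the Security Admin can decrypt everywhere while each Environment Admin can decrypt only in their own environment) are easy to get wrong when many environments exist. As an added example (not code from this post or the series), this generates both key policies from an environment map and audits the logs keys against those two rules. The account IDs, role names and environment names are constructed placeholders.

```python
"""Key policies for the shared environment KMS key and the per-environment logs key,
plus an audit of who can decrypt which environment's logs.
All identifiers are constructed placeholders, not values from the post."""
from fnmatch import fnmatchcase

KMS_ACCOUNT_ID = "222222222222"                                  # assumed KMS account
KMS_ADMIN_ROLE = f"arn:aws:iam::{KMS_ACCOUNT_ID}:role/KMSAdminRole"
SECURITY_ADMIN_ROLE = "arn:aws:iam::666666666666:role/SecurityAdminRole"
ENVIRONMENTS = {                                                 # assumed environment map
    "governance": {"accounts": ["333333333333", "444444444444"],
                   "admin_role": "arn:aws:iam::333333333333:role/GovernanceAdminRole"},
    "sandbox": {"accounts": ["555555555555"],
                "admin_role": "arn:aws:iam::555555555555:role/SandboxAdminRole"},
}
# Key administration (no Decrypt): the KMS admin manages keys but does not read data.
KEY_ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                     "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                     "kms:TagResource", "kms:UntagResource",
                     "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"]
WRITE_ONLY_ACTIONS = ["kms:Encrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
READ_ACTIONS = ["kms:Decrypt", "kms:DescribeKey"]


def _allow(sid, principals, actions):
    return {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": principals},
            "Action": actions, "Resource": "*"}


def _account_roots(env):
    return [f"arn:aws:iam::{acct}:root" for acct in ENVIRONMENTS[env]["accounts"]]


def environment_key_policy(env):
    """Shared environment key: managed from the KMS account, usable by every account in the environment."""
    return {"Version": "2012-10-17", "Statement": [
        _allow("KmsAdminManagesKey", KMS_ADMIN_ROLE, KEY_ADMIN_ACTIONS),
        _allow("EnvironmentAccountsUseKey", _account_roots(env), USE_ACTIONS),
    ]}


def logs_key_policy(env):
    """Logs key for one environment: accounts in it may only write (encrypt) logs;
    the environment admin and the security admin may decrypt them."""
    return {"Version": "2012-10-17", "Statement": [
        _allow("KmsAdminManagesKey", KMS_ADMIN_ROLE, KEY_ADMIN_ACTIONS),
        _allow("EnvironmentAccountsWriteLogs", _account_roots(env), WRITE_ONLY_ACTIONS),
        _allow("EnvironmentAndSecurityAdminsReadLogs",
               [ENVIRONMENTS[env]["admin_role"], SECURITY_ADMIN_ROLE], READ_ACTIONS),
    ]}


def _account_of(arn):
    return arn.split(":")[4]


def decrypt_principals(policy):
    """Every principal ARN that an Allow statement grants kms:Decrypt, directly or via a wildcard."""
    found = set()
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if any(fnmatchcase("kms:decrypt", a.lower()) for a in actions):
            principals = st["Principal"]["AWS"]
            found.update(principals if isinstance(principals, list) else [principals])
    return found


def audit_logs_keys(policies):
    """policies maps environment name -> logs key policy. Returns rule violations (empty = clean).
    Rule 1: the security admin can decrypt every environment's logs.
    Rule 2: apart from the security admin, only principals inside the environment can decrypt."""
    problems = []
    for env, policy in policies.items():
        readers = decrypt_principals(policy)
        if SECURITY_ADMIN_ROLE not in readers:
            problems.append(f"{env}: security admin cannot decrypt logs")
        inside = set(ENVIRONMENTS[env]["accounts"])
        for arn in sorted(readers - {SECURITY_ADMIN_ROLE}):
            if _account_of(arn) not in inside:
                problems.append(f"{env}: foreign principal {arn} can decrypt logs")
    return problems


if __name__ == "__main__":
    print(audit_logs_keys({env: logs_key_policy(env) for env in ENVIRONMENTS}))
```

Granting a `:root` principal delegates the decision to that account's own IAM policies, so the account's administrator still controls which roles there can write logs. Log-producing services such as CloudTrail need their own service-principal statements on the logs key, which this example leaves out.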

After that is all set up I want to work on the following:

  • Use the common environment script to deploy my Sandbox environment. What is common out of the above resources? The way accounts get created with the admin user and SSM parameters. The repository account access. An environment KMS key for use in all the accounts in the environment. (Again, separate keys can be created for resources as needed, but this base key can be used in some cases to reduce costs for non-critical assets and to make sure the environment administrator can view all those assets, such as logs.)
  • Redeploy all the Sandbox resources with the new code structure.
  • Complete my web deployment with an environment KMS key shared from the KMS account (which is part of what led me to another reboot.)
  • Okta APIs and automation: I want to review the Okta APIs at some point and see if I can automate things on the Okta side. At first glance I did not like my options but perhaps things have improved.
  • Better container security and AMI deployments.
  • A production web environment.
  • A production project environment.

Phew! I better get to work. I may revise this as things change. I have a lot of this code written already but need to move it to the new directory structure and get it working in my container.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab