Monday, 10 September 2018

This is how Netflix keeps its AWS Cloud credentials locked down and secure



Earlier we discussed how Netflix uses the Application Auto Scaling service for its video streaming business; now we will look at how Netflix keeps its AWS credentials secure.

Netflix uses Amazon Web Services for the infrastructure and computing resources that run its streaming media service. Netflix, one of the ten largest Internet companies by revenue, chose to go all in on the AWS Cloud. Because AWS is a public cloud, resources, and the AWS credentials stored alongside them, can be exposed or shared, which is a risk for a large customer like Netflix. Cloud security is the major concern for first-time cloud users and for existing AWS customers alike.

Will Bengston, senior software security engineer on Netflix's security tools and operations team, explained how Netflix detects potentially unauthorized or compromised credentials. Netflix has millions of virtual server instances running on the AWS Cloud, so to know when a credential is used where it should not be, they rely on several tools provided by AWS, including Amazon GuardDuty, which continuously scans for potential threats. He added that Netflix's attack surface is large and that credentials in the AWS Cloud are created and used rapidly. Their main concern was how the AWS Security Token Service (STS) is being used, because STS provisions the credentials for AWS Identity and Access Management identities.

AWS CloudTrail Security:

Netflix uses AWS CloudTrail, one of the primary AWS security services, to keep its AWS accounts and credentials secure, and relies on it for insight into how things are running.

Bengston explained that CloudTrail can be used to track and monitor the event history of AWS account activity. Netflix has configured CloudTrail to deliver logs to Amazon Simple Storage Service (S3) so that it can evaluate and analyze its AWS account history. The IT team analyzes the IP addresses in use by comparing each IP found in CloudTrail against the list of IPs Netflix owns, to spot any unknown activity, which is a challenging task at Netflix's scale. Beyond this approach, they also take additional steps to detect credential misuse.

One of those approaches is to search the CloudTrail logs for calls to the STS GetCallerIdentity API, because an attacker who obtains a credential typically calls it to learn which account the credential belongs to. Netflix's own systems never need to call it, since the account and the credentials in use are already known, so any occurrence stands out.
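Both checks described above, the source-IP comparison and the search for GetCallerIdentity calls, run over a few constructed CloudTrail records in this added example (not Netflix's tooling or code from the article); the known address ranges, account id and role ARN are assumptions.

```python
import ipaddress
import json

# Constructed sample CloudTrail records (not real Netflix data); account id and role ARN are placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2018-09-10T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}},
    {"eventTime": "2018-09-10T10:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}},
    {"eventTime": "2018-09-10T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}},
    {"eventTime": "2018-09-10T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc"}},
]})
# Hypothetical address ranges the organisation owns (an assumption, not Netflix's list).
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("198.51.100.0/24")]

def is_known_source(source):
    """True when the source address lies inside a known range.
    CloudTrail records calls made on the caller's behalf by an AWS service
    with the service name (e.g. 's3.amazonaws.com') instead of an IP; those
    are treated as known so they do not flood the report."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return source.endswith(".amazonaws.com")
    return any(addr in net for net in KNOWN_NETWORKS)

def find_suspicious(log_text):
    """Return (reason, record) pairs for events that merit a closer look:
    any sts:GetCallerIdentity call (the article notes Netflix's own code
    never needs it) and any call from an address outside the known ranges."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        if rec["eventSource"] == "sts.amazonaws.com" and rec["eventName"] == "GetCallerIdentity":
            findings.append(("GetCallerIdentity", rec))
        if not is_known_source(rec["sourceIPAddress"]):
            findings.append(("unknown-source-ip", rec))
    return findings

if __name__ == "__main__":
    for reason, rec in find_suspicious(SAMPLE_LOG):
        print(f"{reason}: {rec['eventTime']} {rec['eventName']} from "
              f"{rec['sourceIPAddress']} by {rec['userIdentity']['arn']}")
```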

Netflix's Trailblazer open source tool:

Going through CloudTrail logs to compare every IP address and find unauthorized activity is not scalable, so Bengston's team built a new open source tool called Trailblazer. Trailblazer collects the API calls made through a given IP address, assumed-role records, instance IDs and other related AWS data to determine which AWS API calls are logged by CloudTrail and what they are logged as.

Security of the Cloud:

AWS Cloud security can be improved further by following best practices and setting up the right security services. Customers often do not realize that keeping data secure is a shared responsibility. Enterprises should understand how their S3 storage is used by performing quality assurance on policies and configurations, maintaining access control lists, and auditing which users are authorized to access what.

Companies can set up AWS Identity and Access Management (IAM) to address this with a top-down policy that locks down all buckets by default and makes exceptions only when a bucket is meant to be public. A company with multiple AWS accounts can use AWS Organizations to manage them from a central console. Amazon GuardDuty can be used to analyze S3 bucket permissions and send a notification whenever a bucket is set to public. AWS CloudTrail can be used for governance, risk auditing, compliance, and operational auditing.


Managing an entire AWS account is not an easy task because there is a great deal to take care of. An AWS managed service provider can offer insight into how best to use AWS services, and it is always better to let an AWS partner guide you through your AWS Cloud journey so that you avoid the pitfalls.

About Cloud.in:

Cloud.in is an AWS Advanced Consulting Partner that delivers AWS managed services catering to every business need and aims to simplify the AWS Cloud journey. Our team is the driving force behind Cloud.in, with the experience, knowledge, and skills to make cloud computing and the AWS Cloud a pleasant experience.

Amazon AppStream 2.0 now lets you apply persistent user application settings

Amazon AppStream 2.0 adds support for persistent application settings, which lets you enable persistent user application settings for your users on Amazon AppStream 2.0. User settings such as plugins, browser favorites, application connection profiles, toolbar settings and other settings are saved and applied each time a streaming session starts. These settings are stored in an Amazon Simple Storage Service (S3) bucket in your AWS account. To get started with this feature, select Stacks in the AppStream 2.0 management console and choose User Settings > Application Settings Persistence > Edit. Then, in the Application Settings Persistence dialog box, select Enable Application Settings Persistence.

AWS Config adds seven new managed rules

AWS Config has added seven new managed rules that help you analyze whether your AWS resource configurations comply with common best practices. AWS Config lets you assess, audit and analyze the configurations of your AWS resources, so that you can review them and your overall compliance against the desired configuration. The new managed rules make it easier to audit and simplify security analysis, operational troubleshooting and change management: they report non-compliant patches on managed instances, report non-compliant AWS Systems Manager associations on instances, verify EC2 instance and Amazon GuardDuty configuration, and more.

You can now use AWS X-Ray for APIs in Amazon API Gateway to trace and analyze user requests

AWS has announced that Amazon API Gateway now supports AWS X-Ray, so you can trace and analyze user requests as they travel through your APIs to the underlying services. AWS X-Ray lets you debug and analyze applications, such as those built on a microservices architecture; you can see how the application performs and troubleshoot any problem or error it raises. With this update you can trace all API Gateway endpoint types: edge-optimized, regional and private. AWS X-Ray with Amazon API Gateway is available in all AWS Regions where X-Ray is available.

Friday, 7 September 2018

AWS Batch now adds support for c5d, m5d, p3, r5, r5d, z1d and x1e instance types

AWS Batch lets developers, cloud engineers and scientists run millions of batch computing jobs efficiently on the AWS Cloud. AWS Batch provisions the optimal type and quantity of compute resources, such as CPU- or memory-optimized instances, based on the volume and specific resource requirements of the jobs submitted. You do not have to install any software or manage a cluster to run your jobs, which lets you focus on solving problems and analyzing results. AWS has now announced that AWS Batch supports the c5d, m5d, p3, r5, r5d, z1d and x1e instance types.

AWS introduced AWS CloudFormation Macros for custom processing

Amazon Web Services has launched AWS CloudFormation Macros to perform custom processing on CloudFormation templates, such as find-and-replace operations or transformations of an entire template. CloudFormation Macros use the same technology as the AWS::Include and AWS::Serverless transforms. Macros let you condense the expression of your AWS infrastructure as code and reuse template components. Previously you could only use the AWS::Include and AWS::Serverless transforms to process a CloudFormation template; with this update you can use CloudFormation Macros to create custom transformations, such as common string functions or shorthand syntax for CloudFormation resources.
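An added example, not AWS's or the article's code, of what a macro's processing looks like: a Lambda handler that performs the find-and-replace operation mentioned above over a template fragment, using the request and response shape CloudFormation uses when it invokes a macro. The transform name, account id and the S3 bucket resource are placeholders.

```python
import json

def _replace_in(obj, find, replace):
    """Recursively replace `find` with `replace` in every string of a fragment."""
    if isinstance(obj, dict):
        return {k: _replace_in(v, find, replace) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_replace_in(v, find, replace) for v in obj]
    if isinstance(obj, str):
        return obj.replace(find, replace)
    return obj

def handler(event, context=None):
    """Lambda entry point for a CloudFormation macro.
    CloudFormation invokes the macro with the template fragment the transform
    applies to plus the 'params' given in the Fn::Transform call, and expects
    back the requestId, a status of 'success' or 'failure', and the fragment."""
    params = event.get("params") or {}
    find, replace = params.get("Find"), params.get("Replace")
    if not find or replace is None:
        return {"requestId": event["requestId"], "status": "failure",
                "errorMessage": "Find and Replace parameters are required"}
    return {"requestId": event["requestId"], "status": "success",
            "fragment": _replace_in(event["fragment"], find, replace)}

# Constructed invocation event in the shape CloudFormation sends; the account
# id, transform name and resource are placeholders.
SAMPLE_EVENT = {
    "region": "us-east-1", "accountId": "111122223333", "requestId": "req-1",
    "transformId": "111122223333::FindReplace",
    "params": {"Find": "__ENV__", "Replace": "prod"},
    "templateParameterValues": {},
    "fragment": {"Resources": {"LogBucket": {
        "Type": "AWS::S3::Bucket",
        "Properties": {"BucketName": "__ENV__-cloudtrail-logs",
                       "Tags": [{"Key": "env", "Value": "__ENV__"}]}}}},
}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT), indent=2))
```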

Thursday, 6 September 2018

AWS has now updated three AWS Training courses to implement current best practices

Amazon Web Services conducts AWS training courses that cover AWS technical knowledge and best practices for implementing AWS Cloud services. AWS has announced that it has updated three of its training courses to align with the latest AWS exam domains, service updates, and current best practices. The classes are led by AWS instructors and you can get live feedback on your questions. Developing on AWS, Exam Readiness: AWS Certified Developer – Associate, and Systems Operations on AWS are the courses that have been updated to the latest AWS practices.
