January 27, 2022

150: The Cloud Pod Exfiltrates Jonathan’s Credentials

36 minutes

On The Cloud Pod this week, Jonathan is still AWOL. Also Amazon is on GuardDuty with credential exfiltration, Google Cloud Deploy is generally available, and Azure is suffering from more serious DDoS attacks.

A big thanks to this week’s sponsors:

Foghorn Consulting, which provides full-stack cloud solutions with a focus on strategy, planning and execution for enterprises seeking to take advantage of the transformative capabilities of AWS, Google Cloud and Azure.

This week’s highlights

Amazon’s been on GuardDuty with enhanced detection of EC2 instance credential exfiltration.

Google Cloud Deploy (GCD) is now generally available, making continuous delivery on Google Kubernetes Engine (GKE) easier.

Azure reports that it spent the last half of 2021 dealing with distributed denial-of-service (DDoS) attacks that are increasing in both severity and frequency.

Top Quotes

“The biggest risk to cloud infrastructure is that you’re one secret access key away from a big booboo.”

“Last November, [Azure] had just mitigated a pretty large attack — at the time the largest in history, at least from ones that have been reported to the world. … Things have gotten worse in Q3 and Q4 — not only the levels [of attacks], but the complexity has gotten worse.”

AWS: Beefing Up GuardDuty

The threat detection service Amazon GuardDuty — which monitors your accounts for malicious activity and unauthorized behavior — is pretty great already. In the aftermath of the Superglue issue, however, AWS is ramping things up with enhanced detection of EC2 instance credential exfiltration.

AWS Security Hub has been integrating with AWS Health and with AWS Trusted Advisor (TA). Does this mean everything annoying gets reflagged? Thanks, TA!

In a move that makes a lot of sense, Amazon Elastic Container Service (ECS) now supports ECS Exec and Amazon Linux 2 for workloads running on-premises with Amazon ECS Anywhere. No more yum and Red Hat-based Fedora deployment sounds great, although it would be nice to have a few more implementation details ahead of rolling it out.

Replication is now possible for Amazon Elastic File System (EFS), but watch out for those pesky inter-region transfer fees — which do rack up — before enabling this.

GCP: Google Cloud Deploy Makes Your Life Easier

Google Cloud Deploy (GCD) is now generally available, making it easier to do continuous delivery to GKE. We’ve also done the math on this and it seems to be cheaper than Ryan: GCD customers get their first active delivery pipeline per account free, and pay a $15/month management fee for each additional pipeline. Whereas Ryan is, frankly, expensive.

Azure: Azure Under Attack and It’s Getting Worse

In an announcement that isn’t really an

...more

View all episodes

By Justin Brodley, Jonathan Baker, Ryan Lucas and Matthew Kohn

4.9

3333 ratings