A list of available articles posted by Justin Fox. To submit an article, contact Justin via Twitter.
PRIDE is about the promotion of the self-affirmation, dignity, equality, and increased visibility of the LGBTQ+ community and its allies. At the heart of the movement is the support for people of diverse backgrounds and their recognition and inclusion in society. Within Mastercard we have a strong statement of support throughout the organization that helps to bring together people with different backgrounds and ideas, a powerful belief that our differences enable us to be a better team that makes better decisions, drives innovation, and delivers results that blow my mind away!
A meetup in review: I presented a talk at the February 2018 Vancouver Amazon Web Services User Group where I discussed "Securing Secrets on AWS". The talk focused on how the AWS KMS service works, how it compares to other approaches (such as DIY and CloudHSM), and some of the services it integrates with. We did a live demo, where we encrypted fictional information about Fred's death. It was a great opportunity to be a part of the event! This post provides the resources from my presentation.
A meetup in review: I presented a talk at the October 2017 Vancouver Amazon Web Services User Group where I discussed "Securing Your AWS Accounts". The talk focused on how to set AWS accounts up in a secure manner, and the log data that's available for debugging and security purposes. We configured AWS CloudTrail and AWS Config live at the event, and discussed the usefulness and impact of AWS Organizations. Each of these tools is critical in securing AWS accounts. Do you have them enabled today? With the tools enabled on an account, you're able to query API call activity and resource changes, audit resources, and control what can be used on a child account. It was a great opportunity to be a part of the event! This post provides the resources from my presentation.
A conference in review: I participated in a talk at the 2017 Canadian Executive Cloud and DevOps Summit where I discussed "Securing Your DevOps Pipeline On AWS". The conference had a variety of attendees, including technology executives, AWS staff, DevOps solution vendors, and of course many technically minded individuals that identify with the DevOps movement. It was a great opportunity to be a part of the event! This post provides a review of the conference experience, along with the resources from my presentation.
What type of CI/CD pipeline are you running? Does it automate all the things you want it to? Is it as secure as you want it to be? Where does it run? In this post, I cover the differences between CI and CD in a CI/CD pipeline. I also talk about using Jenkins to automate tasks on AWS and how AWS technologies can also be used to support your CI/CD goals.
Does your AWS account comply with your security policies? How do you know? How do you track the state of resources, or alert, or even automatically remediate issues? This post discusses the usage of AWS Config Rules to track resource changes and apply custom rules against the resources on your account. In particular, we'll take a look at the recommended benchmarks for your AWS account from the Center for Internet Security (CIS).
First off, what are HTTP headers (and in particular, response headers) and how can they make your website more secure? HTTP headers are name-value pairs of strings sent back from a server along with web content in response to your requests. You can typically see technical information like caching rules, MIME types, the server software, etc. You can also use HTTP response headers to transmit security policies to the end user's browser. By passing security policies back to the client in this fashion, hosts can ensure a much safer browsing experience for their visitors by limiting the avenues of attack available to attackers.
As time passes I find that AWS accounts become quite cluttered, often with "legacy" items that no one knows about, or so people may claim. Through a combination of services you can trace the history of objects and their changes in an environment. This post discusses how to review and audit various components of your AWS environment, including: things you should enable prior to undertaking an audit, user permissions, firewall configuration, API call history, and environment changes. We'll also cover using Trusted Advisor to do a high-level evaluation.
When you're hosting a website or web service, one security challenge you may face is how to implement rate limiting to curb abuse of your service. Realistically, the main objective of this type of restriction is to prevent denial of service attacks from interrupting your service or causing higher than expected costs.
Are you hosting a WordPress or other CMS website and do you find that the performance of your website is meh? Enter CloudFront! You can create a CloudFront distribution that accelerates the delivery of dynamic content to your end users.
Networking is generally a topic I find many people struggle with, and networking in a cloud environment adds a bit of extra complexity that may throw off even the most experienced network professionals. This post discusses the limitations of networking on AWS, and tackles concepts like transitive routing, VPC peering, multicast, unicast, and broadcasting.
When an organization grows and expands its usage of AWS, you'll notice a lot of "mess" from development and trial and error. Sometimes a lot of money could be walking out the door just due to poor instance management. This post (which is highly opinionated; there's not necessarily a correct way to do this) discusses the usage of multiple AWS accounts to minimize runaway costs and make groups more accountable for costs.
While S3 can only host a static website, Amazon has other services that can be combined to enable a certain level of dynamic processing. This post discusses the usage of Amazon's Cognito identity service in conjunction with DynamoDB to provide extra features to a basic website hosted on S3. Specifically, in this post we'll focus on how to use Cognito and DynamoDB to supercharge your website by including access to a database engine.
Amazon releases so many really cool tools, but to me this one is truly amazing. Free SSL certificates with a really good management interface, instant generation, and easily applied to relevant services - who can ask for more? Beats paying hundreds per year per wildcard certificate to a Certificate Authority. This article explores using the service to secure your website.
While S3 can only host a static website, Amazon has other services that can be combined to enable a certain level of dynamic processing. This post discusses the usage of Amazon's API Gateway and Lambda to provide extra features to a basic website hosted on S3.
Working with Amazon and popular frameworks makes it fairly easy to build and develop websites that appear to be dynamic but are really a collection of static files. This post discusses the usage of popular frameworks such as Bootstrap, FontAwesome, and AngularJS to build a lightweight web application with some basic templating.
When working with Amazon Web Services, it's a common trend for beginners to just expose instances using their public IPs. A better way is to make use of VPCs and VPC peering connections to build a management VPC and carefully control and restrict traffic. This post discusses the usage of OpenVPN to build an easy to use and resilient VPN service using CloudFormation.
Handling the log files of a single server is typically pretty easy. Even a handful of servers isn't usually that hard. But at scale, handling these logs carefully becomes ever more important. Enter the ELK stack! I personally prefer running my own ELK stack over outsourcing to outside services - not that outsourcing is a bad option. This post discusses the standard ELK (Elasticsearch, Logstash, and Kibana) stack, a great alternative to Loggly or Splunk.
SaltStack has so many cool features. Depending on your usage of SaltStack or other configuration management tools, the Salt Reactor System is pretty cool. It works by watching for events and then processing them accordingly. Examples include when a new Cassandra node is configured or a web server joins a cluster. This post discusses the SaltStack Reactor System, a very powerful event-driven feature.
While my previous posts about using Saltstack for active management of instance configuration are pretty cool, using Salt to design and build an image is pretty cool too - and can save time on deployment. You can use Packer to make fully or partially baked AMIs and other images. This post discusses building images with Packer, in particular AWS AMIs and development images.
Vagrant is a pretty cool tool for quickly getting a development environment up and running or providing a simple demo of a tool or service. This post discusses how to get started with Vagrant and how to develop faster. In a later post I'll address building custom images.
This post discusses how to store secrets with Vault and distribute them securely.
This post discusses service discovery and as part of that discovery detecting the health of instances. Consul is a great tool for this, rich with top-notch features and presenting a really nice dashboard.
Depending on your logging needs you can use CloudWatch Logs instead of ELK or a similar logging service. You can easily add log files on your system and have them forwarded to the service. This post discusses the usage of CloudWatch Logs, and the various functionality that exists within CloudWatch Logs.
This post discusses changes in the way that we monitor in environments like AWS and Azure, focusing on the flexibility that a tool like Sensu brings to our toolkit.
This post discusses implementing continuous integration in AWS using CloudFormation with Jenkins and Jenkins Job Builder.
This post discusses how to use Troposphere to generate AWS CloudFormation templates.
This post discusses how to use SaltStack's salt-cloud to manipulate EC2 resources. We also explore the salt reactor system, a very powerful event-driven feature.
This post discusses how to implement custom execution modules using SaltStack. We look at how to use custom modules to accomplish complex tasks.
This post discusses how to daemonize a Node.js application, how to implement a startup script for node-based applications, and how to deploy using configuration management software (SaltStack).
This post discusses how to implement masterless configuration management in an environment using SaltStack. We look at the required method of installing and configuring the salt-minion so that it can bootstrap its configured system state.
This post discusses how to implement configuration management in an environment using SaltStack. We revisit briefly the configuration of a salt-master and a salt-minion, and then move on to the parts relevant to managing the server configuration.
This post discusses the usage of nested CloudFormation stacks to create reusable infrastructure components.
This post discusses how to implement remote execution in an environment using SaltStack. We look at installing and configuring a salt-master and a salt-minion. We then connect the two and run a few example commands.
This post discusses the usage of Amazon CloudFormation to create the different sub components required to create and manage a VPC network.
This post discusses system automation in AWS, particularly the usage of Amazon CloudFormation to create different types of components in AWS. We look at several important topics, such as infrastructure as code, version controlled templates, and deployment methods.
This post discusses implementing system controls in AWS using CloudFormation to implement IAM server roles.
This post discusses the use of latency- and geo-based routing provided by Route53. Using AWS Route53 allows you to assign endpoints to geographic regions (potentially restricting access to endpoints), or create a latency-based routing set that will direct clients to the best-performing endpoint.
This post discusses the potential redundancy benefits provided by Route53. Using AWS Route53 allows you to specify secondary endpoints for DNS queries and use health checks to detect unhealthy endpoints.