Category Archives: Strategy and IT (Information Technology)

Solved: DE-Centralized Puppet Asset Management – factbeat

Using a DE-Centralized (Master-Less) Puppet stack has its benefits for dynamic fast morphing environments.

Yet you’d still love to get all changes made to your environment recorded in a central repo.

Check out factbeat from Elasticsearch community. It’s a beat that  ships Puppet Facter facts to Elasticsearch, where they can be stored, analyzed, displayed and compared over time.

Factor can be easily customized to ship new types of configuration information as your heart desires.

What are you using?

AWS Lambda 5 cool features

What I liked:

  1. Versions and aliases (prod as an alias can point to the active function)
  2. Scheduling of actions
  3. Support for Python and others
  4. Dynamic – No need to setup servers
  5. VPC support – can communicate with other services you have internally
  6. Integration with CloudWatch (inspect and Analyze incoming log entries)

AWS Config Rules!

I know what you did last summer…opening all those insecure ports in your security groups to quickly troubleshoot that nasty bug, then in the rush to close this issue, forgot to close back the gate! AWS Config is your friend then 🙂

AWS Config Rules is built on top of AWS Config and it allows you to get notified or have action taken when a configuration change is made where it breaches the AWS best practice rules or any of your own set of rules.

Here is the video session on this and the main goodies as well as important notes I found:

  1. It is a change control and auditing solution completely automated! No need for scripts, data store or tracking done by you.
  2. You can troubleshoot and run a time travel like view through your resources, their state and relationships to any other dependent resources exiting through any point in time, including any change or deletion done.
  3. Your data is highly reusable: You get a JSON formatted record of any change to your resources, and where relevant it compatible with the relevant AWS describe commands so you can use that match for validation scenarios.
  4. Powerful correlation: It will use CloudTrail to show you who and when change a resource.
  5. Easily expandable: You create your own rules through AWS Lambda using any language it supports. Rule verifications are triggered based on time or AWS API event (tag created, instance deleted, etc)
  6. Targeted: You easily get a report of what changed when, resources that exist while they shouldn’t or are missing.
  7. Turn events into data by routing AWS Config events SNS notifications into your own event repository in real time.
  8. Coverage: Everything EC2, VPC and CloudTrail related, and now the holy grail: IAM, so now you can dig into who added that policy, or detect when an admin user has been added where it shouldn’t have been.
  9. Availability: AWS Config is available everywhere and AWS Config rules is only available in North Virginia.
  10. Spread: Regional. You need to run and review it in each region separately.. Not quiet as powerful if it were account centered..
  11. Pricing: Right here!

Slides Decks is here:

Sweet findings in AWS Inspector

Taking a look at the AWS Inspector intro  by Alex Lucas I could see several sweet features all DevOps security minded pros would love (and of course it includes even more goodies).

  1. Covers all the CVE stuff, finds, reports, act (patch, etc) and many more best practices the AWS team had gathered all along.
  2. Recording of activities inside your instances and tracking of suspicious or activities that may harm your defense.
  3. Automation via the AWS CLI, API, including workflow control for vulnerabilities and their mitigation actions (you can mark a vulnerability as clear manually for example, or tag one as needing a review by Auditor, etc)
  4.  Able to catch real time system call operations, analyze and report – such as setting a library file with wide open permissions that is owned by root…
  5. Requires an agent that is ready for Amazon and Ubuntu AMIs for now (more platforms including Windows to follow
  6. Simple and cheap to try, no need to spend time and money on massive software suites. I know that’s AWS core concept, but in the vulnerability scanning world its even more enticing.
  7. Did you know that Amazon Linux instances will automatically patch themselves on any reboot (at least for critical security patches I guess)? Alex mentions this as one of the “obstacles” he had, while he was trying to setup a vulnerable instance that does not have critical patches installed…

Open topics:

  1. What is the Agent’s overhead?
  2. Support for Cloud Watch Integration yet to come
  3. People in the YouTube session seem to be either sleepy or something, because they did not jump of their sits in enthusiasm as I would 🙂

Slide deck is here:

Disaster Recovery in just $200? Watch this “On-Premise DR, assisted by Amazon AWS” session

I think this one is a “Watch ASAP” for Enterprise IT Professionals who are looking for ways to cut on the time and effort spent on their On-Premise DR (Disaster Recovery) project, and are open to use Amazon AWS for that purpose.

Watch the gradual build up of your DR solution enhancement by using a simple backup to S3 or Glacier and into parallel multi region automated solutions.

This is NOT a “fully figured out cut for you” solution, but it takes you gently into the realm of DR, cloud assisted solutions, and should be a nice brainstorming source to look into your specific case.

Near the end it kind of mentions my “Nano Self Rebuilding Data Center” idea (basically allowing any AWS based project to be turned into a script that can be used to rebuild it, like AWS Config on steroids…)