20 Years on AWS and Never Not My Job
5 hours ago
- #Cloud Security
- #FreeBSD
- #AWS
- The author created their first AWS account in 2006, initially interested in Amazon S3, but the account had SQS and E-Commerce Service enabled.
- Early concerns focused on security, such as the lack of response signatures in AWS, with the author advocating for end-to-end signing.
- They pushed for FreeBSD on EC2, requiring a custom kernel feature, and later contributed to making FreeBSD available on t1.micro instances.
- Security feedback included auditing Xen vulnerabilities and improving EC2 instance security features like read-only root disks.
- Proposed the concept of Eventually Known Consistency as an improvement over Eventual Consistency in S3.
- Reported security issues in AWS services, such as signature collisions in SimpleDB and insecure NextToken values.
- Engaged with AWS on access key security, advocating for constrained keys, which influenced IAM and SigV4.
- Identified and reported infrastructure issues like router hardware failures and firewall problems affecting Path MTU Discovery.
- Highlighted risks of IAM Roles for EC2 via IMDS, leading to IMDSv2 after the Capital One breach.
- Contributed to AWS Heroes program and received sponsorship for FreeBSD/EC2 work after becoming FreeBSD Release Engineering Lead.
- Continued to provide security feedback, including on Seekable OCI, ensuring fixes were implemented.