CNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My Identity
•
0 likes•128 views
Identities are a crucial part of running workloads on Kubernetes. How do you ensure Pods can securely access Cloud resources? In this lightning talk, you will learn how large Cloud providers work together to share Identity Provider responsibilities in order to federate identities in multi-cloud environments.
Report
Share
Report
Share
Download to read offline
Recommended
NahamConEU2022.pdf
1. The document discusses security misconfigurations that can occur when using Amazon Cognito for user authentication.
2. It describes how an unauthenticated user could potentially access AWS services by fetching temporary credentials from an identity pool if the unauthenticated role is not disabled.
3. It also explains how an attacker could bypass authentication by enabling user signup if that API action is not disabled for applications that do not require signup.
4. Additional misconfigurations discussed include privilege escalation through writable user attributes, and updating a user's email attribute before verification which could allow bypassing authorization checks.
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
Developing mobile apps can be complex and time-consuming. Learn how to simplify mobile identity management and data synchronization across devices. In addition, learn how to follow security best practices to give your app access to the resources it needs to provide a great user experience without hard-coding security credentials. We will cover how to easily and securely onboard users as anonymous guests using public login providers like Amazon, Facebook, Twitter, or your own user identity system. We are very excited to have Twitter representatives join us on stage for a deep dive on authenticating users with Twitter and Digits, which enables users to sign in with their phone numbers.
Attacking and Defending Kubernetes - Nithin Jois
This document provides an overview of attacking and defending Kubernetes clusters. It begins with introductions to containers, container orchestration with Kubernetes, and Kubernetes architecture and components. It then discusses the Kubernetes threat model and common attack vectors such as compromising nodes, pods, and secrets. The document outlines Kubernetes authentication and authorization methods like RBAC and discusses admission controllers. It covers securing Kubernetes with practices like pod security policies and network policies. Finally, it notes some limitations and gotchas regarding secrets management in Kubernetes.
Using Windows Azure for Solving Identity Management Challenges (Visual Studio...
Identity management for cloud deployed applications can be a challenge. Often users will want to leverage an existing social network or corporate identity. Now we have to worry about dealing with multiple APIs, any updates to those APIs, or the addition of new identity providers. Windows Azure Access Control Services offers a better way! ACS allows for federated user authentication via popular social networks and Active Directory. In this session we’ll provide a crash course in claims as they relate to identity management. We’ll discuss why claims are important and how to add additional claims beyond what is provided by the identity providers. We'll also take a look at Windows Azure Active Directory and see how to manage corporate identities in the cloud.
Federation
This document discusses federated access to AWS resources using temporary security credentials. It describes how users from other identity stores can be provided access to AWS resources without needing AWS credentials. Common use cases include delegating access to other AWS accounts or federating with corporate directories. Sessions are generated by AWS Security Token Service and include temporary credentials. Multiple methods are covered, including getting sessions via GetSessionToken or GetFederationToken APIs or by assuming roles. Demos show federating access to the AWS console and CLI using Active Directory credentials.
Federation
This document discusses federated access to AWS resources using temporary security credentials. It describes how federation works by allowing users in other AWS accounts or identity stores to access resources in your AWS account through the use of sessions. Common use cases for federation include delegating access to other AWS accounts or teams and federating with corporate directories. The document then demonstrates how to request and use sessions to access AWS through the console and CLI using SAML and web identity federation.
Appsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass. The slides used during the class with links to the commands, scripts and setup information.
These slides are to be used with the masterclass video recording on YouTube -
Hands on exercises are highly recommended to get the most out of this class!
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
This document discusses how HashiCorp Vault and Puppet can be used together to dynamically manage SSL/TLS certificates across platforms. Vault's PKI secrets engine is used to sign certificates while Puppet distributes the certificates and keys to servers and configures services to use the certificates. On Linux, Puppet writes certificates to the filesystem and reloads services. On Windows, a Puppet function is used to embed certificates in the catalog so their thumbprints can be retrieved and used to configure services in the certificate store. This dynamic duo of Vault and Puppet enables centralized signing of certificates, auto-renewal, cross-platform distribution, and integration with services.
Recommended
NahamConEU2022.pdf
1. The document discusses security misconfigurations that can occur when using Amazon Cognito for user authentication.
2. It describes how an unauthenticated user could potentially access AWS services by fetching temporary credentials from an identity pool if the unauthenticated role is not disabled.
3. It also explains how an attacker could bypass authentication by enabling user signup if that API action is not disabled for applications that do not require signup.
4. Additional misconfigurations discussed include privilege escalation through writable user attributes, and updating a user's email attribute before verification which could allow bypassing authorization checks.
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
Developing mobile apps can be complex and time-consuming. Learn how to simplify mobile identity management and data synchronization across devices. In addition, learn how to follow security best practices to give your app access to the resources it needs to provide a great user experience without hard-coding security credentials. We will cover how to easily and securely onboard users as anonymous guests using public login providers like Amazon, Facebook, Twitter, or your own user identity system. We are very excited to have Twitter representatives join us on stage for a deep dive on authenticating users with Twitter and Digits, which enables users to sign in with their phone numbers.
Attacking and Defending Kubernetes - Nithin Jois
This document provides an overview of attacking and defending Kubernetes clusters. It begins with introductions to containers, container orchestration with Kubernetes, and Kubernetes architecture and components. It then discusses the Kubernetes threat model and common attack vectors such as compromising nodes, pods, and secrets. The document outlines Kubernetes authentication and authorization methods like RBAC and discusses admission controllers. It covers securing Kubernetes with practices like pod security policies and network policies. Finally, it notes some limitations and gotchas regarding secrets management in Kubernetes.
Using Windows Azure for Solving Identity Management Challenges (Visual Studio...
Identity management for cloud deployed applications can be a challenge. Often users will want to leverage an existing social network or corporate identity. Now we have to worry about dealing with multiple APIs, any updates to those APIs, or the addition of new identity providers. Windows Azure Access Control Services offers a better way! ACS allows for federated user authentication via popular social networks and Active Directory. In this session we’ll provide a crash course in claims as they relate to identity management. We’ll discuss why claims are important and how to add additional claims beyond what is provided by the identity providers. We'll also take a look at Windows Azure Active Directory and see how to manage corporate identities in the cloud.
Federation
This document discusses federated access to AWS resources using temporary security credentials. It describes how users from other identity stores can be provided access to AWS resources without needing AWS credentials. Common use cases include delegating access to other AWS accounts or federating with corporate directories. Sessions are generated by AWS Security Token Service and include temporary credentials. Multiple methods are covered, including getting sessions via GetSessionToken or GetFederationToken APIs or by assuming roles. Demos show federating access to the AWS console and CLI using Active Directory credentials.
Federation
This document discusses federated access to AWS resources using temporary security credentials. It describes how federation works by allowing users in other AWS accounts or identity stores to access resources in your AWS account through the use of sessions. Common use cases for federation include delegating access to other AWS accounts or teams and federating with corporate directories. The document then demonstrates how to request and use sessions to access AWS through the console and CLI using SAML and web identity federation.
Appsecco Kubernetes Hacking Masterclass Presentation Slides
Appsecco Kubernetes Hacking Masterclass. The slides used during the class with links to the commands, scripts and setup information.
These slides are to be used with the masterclass video recording on YouTube -
Hands on exercises are highly recommended to get the most out of this class!
Hashitalks 2021 - How the Dynamic Duo of Vault and Puppet Tame SSL Certificates
This document discusses how HashiCorp Vault and Puppet can be used together to dynamically manage SSL/TLS certificates across platforms. Vault's PKI secrets engine is used to sign certificates while Puppet distributes the certificates and keys to servers and configures services to use the certificates. On Linux, Puppet writes certificates to the filesystem and reloads services. On Windows, a Puppet function is used to embed certificates in the catalog so their thumbprints can be retrieved and used to configure services in the certificate store. This dynamic duo of Vault and Puppet enables centralized signing of certificates, auto-renewal, cross-platform distribution, and integration with services.
Consolidating Infrastructure with Azure Kubernetes Service
In this session, see how Tailwind Traders took a containerized application and deployed it to Azure Kubernetes Service (AKS). You’ll walk away with a deep understanding of major Kubernetes concepts and how to put it all to use with industry standard tooling.
SharePoint 2010,
Claims-Based Identity, Facebook, and the Cloud
This document provides information about Danny Jessee, a senior software engineer with 8 years of SharePoint development experience. It includes his credentials, contact information, and topics he can present on, such as features of secure applications, SharePoint 2010 authentication options, claims terminology and technology overview. It also lists some demos he can provide, including setting up a new SharePoint 2010 web application, integrating Facebook authentication using Azure AppFabric ACS, and further integrating Facebook data into SharePoint using the Facebook C# SDK.
Overview of secret management solutions and architecture
The document provides an overview of secret management solutions and architectures. It discusses what secrets are and why secret management is important. Some key points:
- Secrets include authentication credentials, API keys, passwords, and certificates that need access control. As services increase, so do secrets.
- An ideal secret management solution provides security, encryption, access control, auditing, ease of use, and integration with other tools.
- Version control systems and orchestration tools like Kubernetes can be used for secrets but have limitations compared to dedicated secret management solutions.
- AWS offers Parameter Store, Secrets Manager, and KMS for secret management. Parameter Store is generally recommended, while Secrets Manager is better for database
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
Amazon API Gateway is a fully managed service that makes it easy for developers to create, deploy, secure, and monitor APIs at any scale. In this presentation, you’ll find out how to quickly declare an API interface and connect it with code running on AWS Lambda. Amazon API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management. We will demonstrate how to build an API that uses AWS Identity and Access Management (IAM) for authorization and Amazon Cognito to retrieve temporary credentials for your API calls. We will write the AWS Lambda function code in Java and build an iOS sample application in Objective C.
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
The document discusses securing serverless applications using Amazon API Gateway, AWS Lambda, and Amazon Cognito. It describes how to build a basic 3-tier web app that is fully serverless, add authentication with Amazon Cognito by integrating with Cognito user pools, and implement authorization using AWS Identity and Access Management (IAM) by leveraging Cognito. Key benefits mentioned are that AWS Lambda and API Gateway provide automatic scaling with no infrastructure to manage, while security is improved by making use of IAM through Cognito.
Building Powerful IoT Apps with AWS IoT and Websockets
Presentation given during Start Up Day Hong Kong on September 15, 2017 within the Architecture track
Deploying Compliant Kubernetes: Real World Edge Cases
This document discusses Lola's deployment of compliant Kubernetes to meet PCI DSS requirements. Lola stores credit card details on behalf of users but does not directly process payments, requiring Level 1 PCI compliance. It outlines how Lola uses technologies like TLS encryption with Ingress controllers, IAM authentication for Kubernetes, and Prometheus for cluster monitoring to meet requirements for firewalls, encryption, secure systems, and access control. The document advises engaging auditors technically rather than treating Kubernetes as a black box, and leveraging open source tools and communities for pre-built applications to simplify compliance tasks like authentication, monitoring, and logging.
Deep Dive on Amazon Cognito - DevDay Austin 2017
Amazon Cognito is a service that provides authentication, authorization, and user management for web and mobile applications. It allows for user sign-up, sign-in, access control, account recovery, and integration with social identity providers. Cognito User Pools provides built-in user directory and authentication services, while Cognito Identity Pools enables the generation of temporary AWS credentials for application access. Sample use cases include business to consumer apps, business to employee apps, and IoT applications.
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
This work is part of the open source testbed setup for Cloud interoperability & portability. Cloud Security Workgroup will further review and generate complete working set as we move along. This is part I of the effort.
Amazon Cognito Deep Dive
by Fritz Kunstler, Sr. AWS Security Consultant AWS
Join us for four days of security and compliance sessions and hands-on labs led by our AWS security pros during AWS Security Week at the San Francisco Loft. Join us for all four days, or pick just the days that are most relevant to you. We'll open on Monday with Security 101 day, followed by sessions Tuesday on Identity and Access Management, our popular Threat Detection and Remediation day Wednesday will feature an updated GuardDuty lab, and we'll end Thursday with Incident Response sessions, labs, and a talk by Netflix on their new open source IR tool. This week will also feature Dome9 as a sponsor, and you can hear them speak and present a hands-on workshop Monday during Security 101 day.
How to implement authorization in your backend with AWS IAM
AWS Dev Day Kyiv 2019
Track: Backend & Architecture
Session: ""How to implement authorization in your backend with AWS IAM""
Speaker: Stas Ivaschenko, AWS solutions architect at Provectus
Level: 400
Video: https://www.youtube.com/watch?v=4Jje_WJ4V7Q
AWS Dev Day is a free, full-day technical event where new developers will learn about some of the hottest topics in cloud computing, and experienced developers can dive deep on newer AWS services.
Provectus has organized AWS Dev Day Kyiv in close collaboration with Amazon Web Services: 800+ participants, 18 sessions, 3 tracks, a really AWSome Day!
Now, together with Zeo Alliance, we're building and nurturing AWS User Group Ukraine — join us on Facebook to stay updated about cloud technologies and AWS services: https://www.facebook.com/groups/AWSUserGroupUkraine
"
K8s hard-way on DigitalOcean
CloudYuga presented at Kubernetes meetup in Banglaore on 22nd Dec'18. In this we covered how to setup a Kubernetes cluster from scratch on DigitalOcean. Full tutorial can be accessed at https://pilot.cloudyuga.guru/ .
Fiware cloud developers week brussels
- The FIWARE Lab provides cloud hosting and infrastructure as a service capabilities including compute, network, storage, and PaaS functionality.
- It utilizes OpenStack for core infrastructure services including compute (Nova), networking (Neutron), storage (Cinder, Swift), and identity (Keystone).
- The PaaS Manager allows users to define templates called Blueprints to deploy multi-tier applications and software stacks across the virtual infrastructure in an automated manner.
Lamdba micro service using Amazon Api Gateway
Detailed, step by step process on how to set up a web application using Amazon Cognito, Amazon API Gateway, and Lambda.
Certification authority
This document discusses certificate authorities (CAs) and provides an example scenario for securing a web server using a CA. It defines a CA as an entity that issues digital certificates for use by other parties in public key infrastructure schemes. There are commercial CAs, as well as CAs run by institutions and governments. The document then describes the process a CA goes through to issue a certificate and how users can verify certificates. It provides a list of common CAs. Finally, it presents a scenario where a web server obtains a server certificate from a CA to secure its SSL port, and clients can obtain client certificates from the CA's website to access the secure site.
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 2
This document summarizes a webinar about integrating Azure Active Directory B2C (AAD B2C) with applications using the Microsoft Authentication Libraries (MSAL). It discusses how MSAL can be used to acquire tokens to call protected APIs and validate tokens in web APIs and applications. It provides an overview of using MSAL in .NET Core web apps to sign users in with AAD B2C, redeem authorization codes to acquire tokens, and implement token caching for silent authentication. The document demonstrates how to build a .NET Core web app that signs users in with AAD B2C using MSAL.
DEVNET-1120 Intercloud Fabric - AWS and Azure Account Setup and Utilization
The document provides an agenda and overview for a session on setting up accounts with Intercloud Fabric on AWS and Azure. It discusses the steps required to set up accounts on each platform, including creating credentials, configuring policies and permissions, and connecting Intercloud Fabric. The conclusion encourages participants to ask questions and provides information on related sessions at Cisco Live.
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
- Understand user identity and federation principles and practices
- Learn how Amazon Cognito works with federated identity providers
- See how to use Amazon Cognito to add the forms for user Sign-up and Sign-in to an application
Aws(sdk)
The document discusses how to use various AWS services like Cognito, S3, Lambda, and API Gateway from an iOS application using the AWS SDK for iOS. It provides code snippets for creating an identity pool in Cognito, storing and retrieving data from Cognito Sync, uploading files to S3, invoking Lambda functions, and generating an iOS SDK for a API Gateway API.
Introduction to Amazon EKS - KubeCon 2018
Amazon EKS (Elastic Kubernetes Service) is a managed service that makes it easy to run Kubernetes on AWS. It handles provisioning and managing control plane resources so users can focus on applications. EKS provides a native Kubernetes experience while integrating seamlessly with other AWS services to eliminate undifferentiated heavy lifting. The EKS team actively contributes to the open source Kubernetes project.
KubeCon NA'22 Lightning Talk: Where did all my IPs go?
Kubernetes cluster planning requires quite a few things to get started. What about IPs? Common IP management hurdles with Kubernetes clusters include IP assignments when building a cluster and challenges faced when deploying in a multi-faceted environment. Kubernetes Admins often need to use IP addressing handed out by Network Admins juggling other non-k8s workload IP assignments and IP exhaustion. In this talk, Cynthia will discuss new and existing KEPs that SIG-network has implemented to help mitigate IP challenges. Such features include discontiguous cluster CIDRs and the journey to IPv6. Cynthia will also discuss how the best practices for Kubernetes IP management are changing with these new capabilities to help scale and grow instead of rebuild.
https://sched.co/184sj
Kernel advantages for Istio realized with Cilium
Istio brings a myriad of options to provide routing rules, encryption, and monitoring for microservices, typically in container environments. Cilium provides accelerated network security using a modern kernel technology called BPF. Put the two together and what do you get? A distributed security solution enabling microservices traffic management, security, and monitoring while enforcing policy as close to the microservices as possible.
Cynthia Thomas and Romain Lenglet discuss the architectural and performance benefits of using Cilium with Istio and provide a demo of this BPF-based, Linux kernel technology. Cilium provides an API-aware security solution that can make a decision on every single microservice flow, with the ability to enforce protocols such as HTTP, Kafka, and gRPC. By addressing security policy at the API layer, you can enforce policy efficiently with kernel capabilities while reducing the attack surface in a microservices deployment.
More Related Content
Similar to CNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My Identity
Consolidating Infrastructure with Azure Kubernetes Service
In this session, see how Tailwind Traders took a containerized application and deployed it to Azure Kubernetes Service (AKS). You’ll walk away with a deep understanding of major Kubernetes concepts and how to put it all to use with industry standard tooling.
SharePoint 2010,
Claims-Based Identity, Facebook, and the Cloud
This document provides information about Danny Jessee, a senior software engineer with 8 years of SharePoint development experience. It includes his credentials, contact information, and topics he can present on, such as features of secure applications, SharePoint 2010 authentication options, claims terminology and technology overview. It also lists some demos he can provide, including setting up a new SharePoint 2010 web application, integrating Facebook authentication using Azure AppFabric ACS, and further integrating Facebook data into SharePoint using the Facebook C# SDK.
Overview of secret management solutions and architecture
The document provides an overview of secret management solutions and architectures. It discusses what secrets are and why secret management is important. Some key points:
- Secrets include authentication credentials, API keys, passwords, and certificates that need access control. As services increase, so do secrets.
- An ideal secret management solution provides security, encryption, access control, auditing, ease of use, and integration with other tools.
- Version control systems and orchestration tools like Kubernetes can be used for secrets but have limitations compared to dedicated secret management solutions.
- AWS offers Parameter Store, Secrets Manager, and KMS for secret management. Parameter Store is generally recommended, while Secrets Manager is better for database
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
Amazon API Gateway is a fully managed service that makes it easy for developers to create, deploy, secure, and monitor APIs at any scale. In this presentation, you’ll find out how to quickly declare an API interface and connect it with code running on AWS Lambda. Amazon API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management. We will demonstrate how to build an API that uses AWS Identity and Access Management (IAM) for authorization and Amazon Cognito to retrieve temporary credentials for your API calls. We will write the AWS Lambda function code in Java and build an iOS sample application in Objective C.
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
The document discusses securing serverless applications using Amazon API Gateway, AWS Lambda, and Amazon Cognito. It describes how to build a basic 3-tier web app that is fully serverless, add authentication with Amazon Cognito by integrating with Cognito user pools, and implement authorization using AWS Identity and Access Management (IAM) by leveraging Cognito. Key benefits mentioned are that AWS Lambda and API Gateway provide automatic scaling with no infrastructure to manage, while security is improved by making use of IAM through Cognito.
Building Powerful IoT Apps with AWS IoT and Websockets
Presentation given during Start Up Day Hong Kong on September 15, 2017 within the Architecture track
Deploying Compliant Kubernetes: Real World Edge Cases
This document discusses Lola's deployment of compliant Kubernetes to meet PCI DSS requirements. Lola stores credit card details on behalf of users but does not directly process payments, requiring Level 1 PCI compliance. It outlines how Lola uses technologies like TLS encryption with Ingress controllers, IAM authentication for Kubernetes, and Prometheus for cluster monitoring to meet requirements for firewalls, encryption, secure systems, and access control. The document advises engaging auditors technically rather than treating Kubernetes as a black box, and leveraging open source tools and communities for pre-built applications to simplify compliance tasks like authentication, monitoring, and logging.
Deep Dive on Amazon Cognito - DevDay Austin 2017
Amazon Cognito is a service that provides authentication, authorization, and user management for web and mobile applications. It allows for user sign-up, sign-in, access control, account recovery, and integration with social identity providers. Cognito User Pools provides built-in user directory and authentication services, while Cognito Identity Pools enables the generation of temporary AWS credentials for application access. Sample use cases include business to consumer apps, business to employee apps, and IoT applications.
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
This work is part of the open source testbed setup for Cloud interoperability & portability. Cloud Security Workgroup will further review and generate complete working set as we move along. This is part I of the effort.
Amazon Cognito Deep Dive
by Fritz Kunstler, Sr. AWS Security Consultant AWS
Join us for four days of security and compliance sessions and hands-on labs led by our AWS security pros during AWS Security Week at the San Francisco Loft. Join us for all four days, or pick just the days that are most relevant to you. We'll open on Monday with Security 101 day, followed by sessions Tuesday on Identity and Access Management, our popular Threat Detection and Remediation day Wednesday will feature an updated GuardDuty lab, and we'll end Thursday with Incident Response sessions, labs, and a talk by Netflix on their new open source IR tool. This week will also feature Dome9 as a sponsor, and you can hear them speak and present a hands-on workshop Monday during Security 101 day.
How to implement authorization in your backend with AWS IAM
AWS Dev Day Kyiv 2019
Track: Backend & Architecture
Session: ""How to implement authorization in your backend with AWS IAM""
Speaker: Stas Ivaschenko, AWS solutions architect at Provectus
Level: 400
Video: https://www.youtube.com/watch?v=4Jje_WJ4V7Q
AWS Dev Day is a free, full-day technical event where new developers will learn about some of the hottest topics in cloud computing, and experienced developers can dive deep on newer AWS services.
Provectus has organized AWS Dev Day Kyiv in close collaboration with Amazon Web Services: 800+ participants, 18 sessions, 3 tracks, a really AWSome Day!
Now, together with Zeo Alliance, we're building and nurturing AWS User Group Ukraine — join us on Facebook to stay updated about cloud technologies and AWS services: https://www.facebook.com/groups/AWSUserGroupUkraine
"
K8s hard-way on DigitalOcean
CloudYuga presented at Kubernetes meetup in Banglaore on 22nd Dec'18. In this we covered how to setup a Kubernetes cluster from scratch on DigitalOcean. Full tutorial can be accessed at https://pilot.cloudyuga.guru/ .
Fiware cloud developers week brussels
- The FIWARE Lab provides cloud hosting and infrastructure as a service capabilities including compute, network, storage, and PaaS functionality.
- It utilizes OpenStack for core infrastructure services including compute (Nova), networking (Neutron), storage (Cinder, Swift), and identity (Keystone).
- The PaaS Manager allows users to define templates called Blueprints to deploy multi-tier applications and software stacks across the virtual infrastructure in an automated manner.
Lamdba micro service using Amazon Api Gateway
Detailed, step by step process on how to set up a web application using Amazon Cognito, Amazon API Gateway, and Lambda.
Certification authority
This document discusses certificate authorities (CAs) and provides an example scenario for securing a web server using a CA. It defines a CA as an entity that issues digital certificates for use by other parties in public key infrastructure schemes. There are commercial CAs, as well as CAs run by institutions and governments. The document then describes the process a CA goes through to issue a certificate and how users can verify certificates. It provides a list of common CAs. Finally, it presents a scenario where a web server obtains a server certificate from a CA to secure its SSL port, and clients can obtain client certificates from the CA's website to access the secure site.
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 2
This document summarizes a webinar about integrating Azure Active Directory B2C (AAD B2C) with applications using the Microsoft Authentication Libraries (MSAL). It discusses how MSAL can be used to acquire tokens to call protected APIs and validate tokens in web APIs and applications. It provides an overview of using MSAL in .NET Core web apps to sign users in with AAD B2C, redeem authorization codes to acquire tokens, and implement token caching for silent authentication. The document demonstrates how to build a .NET Core web app that signs users in with AAD B2C using MSAL.
DEVNET-1120 Intercloud Fabric - AWS and Azure Account Setup and Utilization
The document provides an agenda and overview for a session on setting up accounts with Intercloud Fabric on AWS and Azure. It discusses the steps required to set up accounts on each platform, including creating credentials, configuring policies and permissions, and connecting Intercloud Fabric. The conclusion encourages participants to ask questions and provides information on related sessions at Cisco Live.
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
- Understand user identity and federation principles and practices
- Learn how Amazon Cognito works with federated identity providers
- See how to use Amazon Cognito to add the forms for user Sign-up and Sign-in to an application
Aws(sdk)
The document discusses how to use various AWS services like Cognito, S3, Lambda, and API Gateway from an iOS application using the AWS SDK for iOS. It provides code snippets for creating an identity pool in Cognito, storing and retrieving data from Cognito Sync, uploading files to S3, invoking Lambda functions, and generating an iOS SDK for a API Gateway API.
Introduction to Amazon EKS - KubeCon 2018
Amazon EKS (Elastic Kubernetes Service) is a managed service that makes it easy to run Kubernetes on AWS. It handles provisioning and managing control plane resources so users can focus on applications. EKS provides a native Kubernetes experience while integrating seamlessly with other AWS services to eliminate undifferentiated heavy lifting. The EKS team actively contributes to the open source Kubernetes project.
Similar to CNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My Identity (20)
Consolidating Infrastructure with Azure Kubernetes Service
Consolidating Infrastructure with Azure Kubernetes Service
SharePoint 2010,
Claims-Based Identity, Facebook, and the Cloud
SharePoint 2010,
Claims-Based Identity, Facebook, and the Cloud
Overview of secret management solutions and architecture
Overview of secret management solutions and architecture
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur...
Building Powerful IoT Apps with AWS IoT and Websockets
Building Powerful IoT Apps with AWS IoT and Websockets
Deploying Compliant Kubernetes: Real World Edge Cases
Deploying Compliant Kubernetes: Real World Edge Cases
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
CCICI CIP 1.0 Testbed - Security access implementation and reference - v1.0
How to implement authorization in your backend with AWS IAM
How to implement authorization in your backend with AWS IAM
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 2
Azure AD B2C Webinar Series: Identity Protocols OIDC and OAuth2 part 2
DEVNET-1120 Intercloud Fabric - AWS and Azure Account Setup and Utilization
DEVNET-1120 Intercloud Fabric - AWS and Azure Account Setup and Utilization
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
Deep Dive on User Sign-up Sign-in with Amazon Cognito - AWS Online Tech Talks
More from Cynthia Thomas
KubeCon NA'22 Lightning Talk: Where did all my IPs go?
Kubernetes cluster planning requires quite a few things to get started. What about IPs? Common IP management hurdles with Kubernetes clusters include IP assignments when building a cluster and challenges faced when deploying in a multi-faceted environment. Kubernetes Admins often need to use IP addressing handed out by Network Admins juggling other non-k8s workload IP assignments and IP exhaustion. In this talk, Cynthia will discuss new and existing KEPs that SIG-network has implemented to help mitigate IP challenges. Such features include discontiguous cluster CIDRs and the journey to IPv6. Cynthia will also discuss how the best practices for Kubernetes IP management are changing with these new capabilities to help scale and grow instead of rebuild.
https://sched.co/184sj
Kernel advantages for Istio realized with Cilium
Istio brings a myriad of options to provide routing rules, encryption, and monitoring for microservices, typically in container environments. Cilium provides accelerated network security using a modern kernel technology called BPF. Put the two together and what do you get? A distributed security solution enabling microservices traffic management, security, and monitoring while enforcing policy as close to the microservices as possible.
Cynthia Thomas and Romain Lenglet discuss the architectural and performance benefits of using Cilium with Istio and provide a demo of this BPF-based, Linux kernel technology. Cilium provides an API-aware security solution that can make a decision on every single microservice flow, with the ability to enforce protocols such as HTTP, Kafka, and gRPC. By addressing security policy at the API layer, you can enforce policy efficiently with kernel capabilities while reducing the attack surface in a microservices deployment.
Cilium:: Application-Aware Microservices via BPF
Intro to Cilium Microservices Security with Kubernetes Integration
Open Source Cilium website: cilium.io
GH: github.com/cilium/cilium
Join our Slack! cilium.herokuapp.com
Follow us on Twitter!
@ciliumproject
@_techcet_
Cilium: Seattle Kubernetes MeetUp Dec 2017
BPF (Berkeley Packet Filter) is becoming the fastest growing technology in the Linux kernel and is revolutionizing networking, security and tracing. At the same time, the rise of container-based orchestration platforms such as Kubernetes is creating demand for routing, load-balancing & security infrastructure that is highly scalable, application-aware, and resilient.
This talk introduces the open source project Cilium - a modern networking and security platform for microservices. Cilium is built on top of BPF and provides Linux native networking and security services with application protocol awareness. Cilium works hand in hand with application proxies such as Envoy and the services management orchestration layer Istio to provide infrastructure services in a transparent manner and with minimal overhead. This talk will discuss the challenges of exposing services via APIs and the solution that Cilium provides to enforce least privilege security.
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
We have introduced Cilium at DockerCon US 2017 this year. Cilium provides application-aware network connectivity, security, and load-balancing for containers. This talk will follow up on the introduction and deep dive into recent kernel developments that address two fundamental questions: How can I provide application-aware security and routing efficiently without overhead embedded into every service? How can container hosts protect themselves from internal and external DDoS attacks? The solutions include:
kproxy: a kernel-based socket proxy which allows for application-aware routing and security enforcement with minimal overhead.
XDP: A lightning-fast packet processing datapath using BPF. The technology is intended for DDoS mitigation, load-balancing, and forwarding.
This talk will deep dive into these exciting technologies and show how Cilium makes BPF and these kernel features available on Linux for your Docker containers.
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
This session offers techniques for securing Docker containers and hosts using open source network virtualization technologies to implement microsegmentation. Come learn real tips and tricks that you can apply to keep your production environment secure.
Midokura @ OpenStack Seattle
Neutron: Past, Present, and Future
Midokura presents at the OpenStack Seattle MeetUp
March 2nd, 2015
Hosted by Blue Box Group
What's the deal with Neutron?
A look at the project’s progression from Nova-Network to Neutron and Beyond. We will recall the early stages of Nova-Networking and how the functionality evolved to what is Neutron networking today. We will discuss previous default Neutron plugin implementation issues and current solutions with the now open-source SDN solution, MidoNet.
CloudKC: Evolution of Network Virtualization
This document discusses the evolution of network virtualization. It begins with an overview of using VLANs for network virtualization, which provides L2 isolation but has limitations around scalability and management. OpenFlow is presented as an early approach that uses a centralized controller but has performance impacts. The document then introduces network overlays using software-defined networking as a more advanced approach, allowing network services to be decoupled from physical network hardware for improved scalability, agility and fault tolerance. It provides an overview of using the Midokura network virtualization platform with OpenStack Neutron for network automation and management.
From Nova-Network to Neutron and Beyond: A Look at OpenStack Networking
This document provides an overview of the evolution of network virtualization and OpenStack networking. It describes how networking started with manually configured VLANs, moved to OpenFlow which required programming flows, and then to network overlays using software defined networking. It outlines the requirements for network virtualization. It also details the evolution of OpenStack networking from Nova network to Quantum/Neutron, including the transition to using overlays and supporting plugins. Key features of Neutron are summarized, as well as upcoming features planned for future OpenStack releases.
More from Cynthia Thomas (10)
KubeCon NA'22 Lightning Talk: Where did all my IPs go?
KubeCon NA'22 Lightning Talk: Where did all my IPs go?
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
From Nova-Network to Neutron and Beyond: A Look at OpenStack Networking
From Nova-Network to Neutron and Beyond: A Look at OpenStack Networking
Recently uploaded
Product Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation
Leading a Tableau User Group - Onboarding deck for new leaders
Onboarding deck for new Tableau User Group Leaders.
20240702 QFM021 Machine Intelligence Reading List June 2024
Everything that I found interesting about machines behaving intelligently during June 2024
The "Zen" of Python Exemplars - OTel Community Day
The Zen of Python states "There should be one-- and preferably only one --obvious way to do it." OpenTelemetry is the obvious choice for traces but bad news for Pythonistas when it comes to metrics because both Prometheus and OpenTelemetry offer compelling choices. Let's look at all of the ways you can tie metrics and traces together with exemplars whether you're working with OTel metrics, Prom metrics, Prom-turned-OTel metrics, or OTel-turned-Prom metrics!
Quality Patents: Patents That Stand the Test of Time
Is your patent a vanity piece of paper for your office wall? Or is it a reliable, defendable, assertable, property right? The difference is often quality.
Is your patent simply a transactional cost and a large pile of legal bills for your startup? Or is it a leverageable asset worthy of attracting precious investment dollars, worth its cost in multiples of valuation? The difference is often quality.
Is your patent application only good enough to get through the examination process? Or has it been crafted to stand the tests of time and varied audiences if you later need to assert that document against an infringer, find yourself litigating with it in an Article 3 Court at the hands of a judge and jury, God forbid, end up having to defend its validity at the PTAB, or even needing to use it to block pirated imports at the International Trade Commission? The difference is often quality.
Quality will be our focus for a good chunk of the remainder of this season. What goes into a quality patent, and where possible, how do you get it without breaking the bank?
** Episode Overview **
In this first episode of our quality series, Kristen Hansen and the panel discuss:
⦿ What do we mean when we say patent quality?
⦿ Why is patent quality important?
⦿ How to balance quality and budget
⦿ The importance of searching, continuations, and draftsperson domain expertise
⦿ Very practical tips, tricks, examples, and Kristen’s Musts for drafting quality applications
https://www.aurorapatents.com/patently-strategic-podcast.html
How to Optimize Call Monitoring: Automate QA and Elevate Customer Experience
The traditional method of manual call monitoring is no longer cutting it in today's fast-paced call center environment. Join this webinar where industry experts Angie Kronlage and April Wiita from Working Solutions will explore the power of automation to revolutionize outdated call review processes!
Details of description part II: Describing images in practice - Tech Forum 2024
This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator.
Link to presentation recording and transcript: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/
Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.
9 Ways Pastors Will Use AI Everyday By 2029
9 Ways Pastors Will Use AI Everyday By 2029
These future use cases are only a handful of the many many options generative AI is providing pastors and leaders everywhere. If you learn how AI might enhance and support your ministry, you'll enter into a world that's full of hope for the Gospel.
Learn more at http://www.AIforChurchLeaders.com and http://www.churchtechtoday.com
Chapter 2 - Testing Throughout SDLC V4.0
The document discusses testing throughout the software development life cycle. It describes different software development models including sequential, incremental, and iterative models. It also covers different test levels from component and integration testing to system and acceptance testing. The document discusses different types of testing including functional and non-functional testing. It also covers topics like maintenance testing and triggers for additional testing when changes are made. Also covers concepts of Agile including DevOps, Shift Left Approach, TDD, BDD, ATDD, Retrospective and Process Improvement
Pigging Solutions Sustainability brochure.pdf
Sustainability requires ingenuity and stewardship. Did you know Pigging Solutions pigging systems help you achieve your sustainable manufacturing goals AND provide rapid return on investment.
How? Our systems recover over 99% of product in transfer piping. Recovering trapped product from transfer lines that would otherwise become flush-waste, means you can increase batch yields and eliminate flush waste. From raw materials to finished product, if you can pump it, we can pig it.
Chapter 1 - Fundamentals of Testing V4.0
The document discusses fundamentals of software testing including definitions of testing, why testing is necessary, seven testing principles, and the test process. It describes the test process as consisting of test planning, monitoring and control, analysis, design, implementation, execution, and completion. It also outlines the typical work products created during each phase of the test process.
Knowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches
In this follow-up session on knowledge and prompt engineering, we will explore structured prompting, chain of thought prompting, iterative prompting, prompt optimization, emotional language prompts, and the inclusion of user signals and industry-specific data to enhance LLM performance.
Join EIS Founder & CEO Seth Earley and special guest Nick Usborne, Copywriter, Trainer, and Speaker, as they delve into these methodologies to improve AI-driven knowledge processes for employees and customers alike.
Kubernetes Cloud Native Indonesia Meetup - June 2024
Kubernetes Cloud Native Indonesia Meetup - June 2024
Multimodal Retrieval Augmented Generation (RAG) with Milvus
We've seen an influx of powerful multimodal capabilities in many LLMs. In this talk, we'll vectorize a dataset of images and texts into the same embedding space, store them in Milvus, retrieve all relevant data using multilingual texts and/or images and input multimodal data as context into GPT-4o.
Getting Started Using the National Research Platform
SoX Monthly Workshop
Remote Presentation
September 29, 2023
HTTP Adaptive Streaming – Quo Vadis (2024)
Video traffic on the Internet is constantly growing; networked multimedia applications consume a predominant share of the available Internet bandwidth. A major technical breakthrough and enabler in multimedia systems research and of industrial networked multimedia services certainly was the HTTP Adaptive Streaming (HAS) technique. This resulted in the standardization of MPEG Dynamic Adaptive Streaming over HTTP (MPEG-DASH) which, together with HTTP Live Streaming (HLS), is widely used for multimedia delivery in today’s networks. Existing challenges in multimedia systems research deal with the trade-off between (i) the ever-increasing content complexity, (ii) various requirements with respect to time (most importantly, latency), and (iii) quality of experience (QoE). Optimizing towards one aspect usually negatively impacts at least one of the other two aspects if not both. This situation sets the stage for our research work in the ATHENA Christian Doppler (CD) Laboratory (Adaptive Streaming over HTTP and Emerging Networked Multimedia Services; https://athena.itec.aau.at/), jointly funded by public sources and industry. In this talk, we will present selected novel approaches and research results of the first year of the ATHENA CD Lab’s operation. We will highlight HAS-related research on (i) multimedia content provisioning (machine learning for video encoding); (ii) multimedia content delivery (support of edge processing and virtualized network functions for video networking); (iii) multimedia content consumption and end-to-end aspects (player-triggered segment retransmissions to improve video playout quality); and (iv) novel QoE investigations (adaptive point cloud streaming). We will also put the work into the context of international multimedia systems research.
From 1M to 1B Features Per Second: Scaling ShareChat's ML Feature Store
ShareChat's Ivan Burmistrov walks through how they built a low latency ML Feature Store based on ScyllaDB which initially failed to meet the scalability requirements and failed on 1 million features per second load, but has been successfully scaled 1000 times to handle 1 billing features per second without scaling the underlying database.
ThousandEyes New Product Features and Release Highlights: June 2024
Presented by Brian Tobia and Chris Villemez
Recently uploaded (20)
Product Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdf
Leading a Tableau User Group - Onboarding deck for new leaders
Leading a Tableau User Group - Onboarding deck for new leaders
20240702 QFM021 Machine Intelligence Reading List June 2024
20240702 QFM021 Machine Intelligence Reading List June 2024
The "Zen" of Python Exemplars - OTel Community Day
The "Zen" of Python Exemplars - OTel Community Day
Quality Patents: Patents That Stand the Test of Time
Quality Patents: Patents That Stand the Test of Time
How to Optimize Call Monitoring: Automate QA and Elevate Customer Experience
How to Optimize Call Monitoring: Automate QA and Elevate Customer Experience
Details of description part II: Describing images in practice - Tech Forum 2024
Details of description part II: Describing images in practice - Tech Forum 2024
Knowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches
Knowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches
Kubernetes Cloud Native Indonesia Meetup - June 2024
Kubernetes Cloud Native Indonesia Meetup - June 2024
Multimodal Retrieval Augmented Generation (RAG) with Milvus
Multimodal Retrieval Augmented Generation (RAG) with Milvus
Getting Started Using the National Research Platform
Getting Started Using the National Research Platform
New ThousandEyes Product Features and Release Highlights: June 2024
New ThousandEyes Product Features and Release Highlights: June 2024
From 1M to 1B Features Per Second: Scaling ShareChat's ML Feature Store
From 1M to 1B Features Per Second: Scaling ShareChat's ML Feature Store
ThousandEyes New Product Features and Release Highlights: June 2024
ThousandEyes New Product Features and Release Highlights: June 2024
CNSCon 2024 Lightning Talk: Don’t Make Me Impersonate My Identity
- 1. Don’t Make Me Impersonate My Identity Lightning Talk Cynthia Thomas linkedin.com/in/cynthia-thomas, @_techcet_ GKE Security, Google Cloud
- 2. Kubernetes Pods and their identities - In Kubernetes, Pods are given a distinct identity within a Kubernetes cluster - How? Through a Service Account: typically an account type for non-humans - Pods are always given Service Accounts by default or configured
- 3. How to get Pods to talk to Cloud Resources Options: 1. Export credentials and mount as a Kubernetes secret in the Pod at runtime 2. Use the worker node/VM identity credential 3. Use Workload Identity Federation
- 4. Cloud provider K8s Cluster K8s Worker Nodes K8s Worker Nodes K8s Worker Nodes Namespace foo Pod Pod K8s Control Plane kube-API server Workload Identity Federation at work Step 2: Secured communication Cloud IAM Cloud API Step 1: Trust Established Blog: Kubernetes token support for OIDC
- 5. Before After Create Kubernetes namespace Create Kubernetes namespace Create Kubernetes Service Account (KSA) Create Kubernetes Service Account (KSA) Create Google Service Account Not needed Configure KSA to impersonate GSA Not needed Annotate KSA with the GSA so GKE knows the link Not needed Bind role to Google Service Account (GSA) Bind role directly to KSA SA Impersonation Just say no to impersonation
- 6. - Dont worry about managing secrets - Dont worry about identity impersonation - Federate identities - supports OIDC/SAML and now X.509 certificates with SPIFFE Don’t make me impersonate my identity Be more secure with Workload Identity Federation!