[$] Per-CPU memory for user space

Post Syndicated from corbet original https://lwn.net/Articles/1016408/

The kernel makes extensive use of per-CPU data as a way to avoid contention
between processors and improve scalability. Using the same technique in
user space is harder, though, since there is little control over which CPU
a process may be running on at any given time. That hasn’t stopped Mathieu
Desnoyers from trying, though; in the memory-management track of the 2025
Linux Storage, Filesystem, Memory-Management, and BPF Summit, he presented
a proposal for how user-space per-CPU memory could work.

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/1016774/

Security updates have been issued by AlmaLinux (gimp, libxslt, python3.11, python3.12, and tomcat), Debian (ghostscript and libnet-easytcp-perl), Fedora (openvpn, perl-Data-Entropy, and webkitgtk), Red Hat (python-jinja2), SUSE (giflib, pam, and xen), and Ubuntu (apache2, binutils, expat, fis-gtm, linux-azure, linux-azure-6.8, linux-nvidia-lowlatency, linux-azure, linux-azure-fde, linux-azure-5.15, linux-azure-fde-5.15, linux-azure-fips, linux-gcp-fips, linux-hwe-5.4, linux-nvidia, linux-nvidia-tegra-igx, ruby2.7, ruby3.0, ruby3.2, ruby3.3, and vim).

2025 Ransomware: Business as Usual, Business is Booming

Post Syndicated from Chris Boyd original https://blog.rapid7.com/2025/04/08/2025-ransomware-business-as-usual-business-is-booming/

2025 Ransomware: Business as Usual, Business is Booming

Getting an edge on your adversaries involves understanding their behaviors and their mindset. Rapid7 Labs took a look at internal and publicly-available ransomware data for Q1 2025 and added our own insights to provide a picture of the year thus far—and what you can do now to reduce your attack surface against ransomware.

The data highlights that businesses can’t afford to take their foot off the gas pedal when it comes to proactively tackling ransomware. Established threat actors and relative newcomers are taking an “if it ain’t broke, don’t fix it” approach, shunning unpredictability for proven revenue generation techniques. And, in almost all cases, the name of the game is data exfiltration and blackmail via leak site posts.

At a glance

The heavy hitters of the current ransomware landscape are a mixture of new and familiar faces, largely leaning into the affiliate model or announcing partnerships with well-known groups for a visibility boost. There were 80 active groups in Q1, 16 of them new since January 1. There are also 13 groups that were active in Q4, 2024, but have thus far been silent in 2025.

2025 Ransomware: Business as Usual, Business is Booming

New ransomware groups active since the start of 2025 include (but are not limited to): Ailock, Belsen Group, CrazyHunter, Cs-137, D0Glun, GD LockerSec, Linkc, NightSpire, Ox Thief, Run Some Wares, SECP0, Sonshi, and VanHelsing.

Popular targets in Q1:

  • Manufacturing, business services, healthcare, and construction were the top industries under siege by a variety of established and newly emerging threat actors. Of the 618 leak site posts we reviewed containing victims’ industry information, 22% were manufacturing organizations. Business services was a distant second at 11%, followed by healthcare services and construction, both at 10%.
  • Top regional targets included traditional favorites such as the U.S., Canada, the UK, Germany, and Australia, as well as a fair share of victims in Taiwan, Singapore, and Japan. We also saw an increase of victims in unusual locations such as Colombia and Thailand.

Reinvested ransoms

The Black Basta chat leaks that occurred in February provided an insightful look into not only the group’s infighting, but also its inner workings. And while the group’s activity stopped dead in its tracks (the last leak site post was on January 11, 2025), we would be remiss if we didn’t give mention to a significant trend we have suspected was happening, but were only able to verify with these chat logs: Ransomware groups are reinvesting the ransoms they’re paid to purchase zero days.

Within the Black Basta chat logs, we observed that on November 23, 2023, the group was offered a zero-day exploit targeting Ivanti Connect Secure for their purchase. The exploit came with an asking price of $200,000, and is described by the seller as an unauthenticated RCE exploit, leveraging an unknown memory corruption vulnerability.

While it’s unclear if a purchase was ever made, we can speculate as to what this vulnerability may or may not have been, based on recently published Ivanti Connect Secure CVEs. There were three notable CVEs exploited in the wild as zero days circa late 2023: CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893. However, the seller describes the zero day as a memory corruption vulnerability, which none of those three were. It was also not CVE-2024-21893, which was an SSRF vulnerability. A more recent CVE affecting Ivanti Connect Secure, which was both a memory corruption vulnerability, and exploited in the wild as a zero day, was CVE-2025-0282; however, the affected version ranges of this CVE don’t line up with the zero day being offered in the Black Basta logs. It is possible the zero day being offered for sale to the Black Basta group remains a zero day, as there is no evidence to suggest that it has been patched.

Separate from the Ivanti discussion, however, we observed that Black Basta did indeed buy a Juniper firewall exploit. This followed a comparison between a public, authenticated remote code execution (RCE) exploit (which only gives user-mode access) and the purchased one that provides full root access.

Repackaged offerings

Several groups are making a name for themselves by simply dragging out the classics. Most recently, a supposedly resurrected Babuk ransomware group was not all it seemed, with old data taken from RansomHub, FunkSec and LockBit repurposed as their own. Rapid7 analysis highlights the challenges of groups reforming or collaborating under new identities, such as “Babuk 2.0” just being LockBit 3.0 / LockBit Black with a different name applied.

Elsewhere, FunkSec is not above repurposing old leak data, and LockBit was found to be posting a mixture of old data and faked attacks after global arrests of suspected LockBit developers and affiliates. Visibly weakened by the trilateral law enforcement action, what was left of LockBit turned to fakery as a way of making it seem as though things were still business as usual.

Restructured groups

When ransomware groups go silent, others are there to take their place. Part of this dynamic is a continuously circulating affiliate network that keeps defenders and cybersecurity analysts on their toes. Rebrands aside, Rapid7 observed what appears to be a “changing of the guard” within the Akira ransomware group.

In the scatterplot below, we see Q4 2024 leak site post activity for the top 15 ransomware groups, where the dots indicate individual posts and the dot sizes indicate the amount of data being posted. Looking at Akira’s (5th from top) posting distribution, we can see that it is sporadic but its pace begins to increase around mid December. By way of comparison, RansomHub’s (bottom line) posting distribution is consistent and strong throughout the quarter.

2025 Ransomware: Business as Usual, Business is Booming

In the following scatterplot, which is Q1 2025, we see Akira (4th from bottom) operating much more in line with other leading players (Qilin, Lynx, etc.). Rather than sporadic, often large data dumps, Akira has begun to make regular postings of similar size. Further trends analysis shows that Akira’s postings shifted from happening primarily on Fridays to being anytime throughout the week.

2025 Ransomware: Business as Usual, Business is Booming

Ones to watch

As noted above, the most prolific ransomware groups for Q1 2025, ranked by the number of posts on their dedicated leak sites, are Cl0p and RansomHub by a considerable margin. Along with these two groups, several others are disrupting businesses of varying sizes and industries. In this section we’ll discuss groups of particular concern due to their reach and/or negative organizational impacts.

RansomHub

RansomHub burst onto the scene in February 2024, combining data encryption and exfiltration from a minimum of 210 organizations across a 6-month period. Affiliates are known to use vulnerability exploitation and phishing for initial access, along with double extortion to force victims into paying a ransom or face leaked data and reputational damage. RansomHub was the most prolific leak group operator we saw in 2024, and based on current trends displays no sign of slowing down.

Cl0p

Cl0p is one of the most well known Ransomware-as-a-Service (RaaS) groups. First seen in 2019, Cl0p has a long history of using exploits to propagate ransomware and leans heavily into double extortion. Cl0p is also known for its involvement in devastating supply-chain incidents, most notably claiming to have stolen data from hundreds of MOVEit Transfer customers. Initial access vectors include phishing emails, social engineering, and malicious attachments.

The group has made a torrent of leak site posts since the start of the year, with an astonishing 345 leak site posts in February alone and 413 for Q1 overall. While some of these posts represent fresh attacks, the majority are drip-fed leaks related to their exploitation of an older vulnerability in Cleo’s file transfer software.

Anubis

A new RaaS group active since at least November 2024 with a strong focus on data extortion, Anubis has possibly redefined the double extortion approach into something best described as malevolence as a service. It’s not enough to exfiltrate and then leak victim data; Anubis presents findings in a format resembling citizen journalism, exposing the alleged wrongdoings of those they target. The Robin Hood approach, hoping to curry favor with the public, is a well-worn one.

All of this, wrapped up in a slick format of nice graphics and hype-generating announcements on social media.

2025 Ransomware: Business as Usual, Business is Booming

It feels more like buying into membership of an airline loyalty program, as opposed to some kind of ruthless extortion. Already well into the “Watch out for our next exciting leak” promotional activity stage, this is a group making waves and has claimed at least five public victims so far, mainly in the healthcare and engineering sectors. Of note is that Anubis itself has stated it is looking to exclude education, government and non-profit sectors from its list of potential targets. Thus far, targeted regions appear to be the U.S., Canada, Europe, and Australia.

Lynx

First observed in July 2024, this now-established RaaS group combines phishing and malicious downloads alongside double extortion tactics. Lynx targets a variety of sectors including utilities, construction, and manufacturing, with victims located in a wide variety of locations including the U.S., Australia, and Romania.

Lynx offers a slick and professional affiliate panel, allowing affiliates to micromanage almost all aspects of a campaign and its unfortunate targets. The panel includes victim profile pages, news and updates, and an “all-in-one” archive of executables targeting multiple architectures. It’s the kind of setup which lowers the bar to entry for newcomers, and only becomes more popular over time.

Qilin

Although not as visible as some other ransomware groups in Q1 2025, RaaS operator Qilin has achieved some notable success. First observed in 2022, Qilin ransomware has been used to target a wide variety of industries which includes the healthcare, financial, and manufacturing sectors. Known for spear phishing and making use of compromised credentials, Qilin attacks tend to specialize in double extortion and data exfiltration on a large scale—their leaks can range from a few hundred gigabytes to their most recently publicized attack, which is allegedly a haul of 1.1 terabytes of data. Alarmingly, Microsoft has observed North Korean group Moonstone Sleet deploying Qilin ransomware at “a limited number of organizations”, the first time this group has been known to make use of ransomware developed by a RaaS threat actor.

Tactics

Ransomware groups tend to follow a specific pattern: Initial access, reconnaissance, credential theft and lateral movement, exfiltration, and finally encryption. There are divergences, however. Some groups avoid ransomware deployment and file encryption, instead choosing to compromise the network via unsecured VPNs and Remote Desktop Protocol (RDP). From there, they move straight to data exfiltration. This is known as “extortionware.”

Other threat actors, notably LockBit, use Living off the Land (LOTL) tactics to infiltrate networks with legitimate tools and management software already in place. As no malware files are deployed, it becomes increasingly difficult to detect these attacks in motion and threat actors can sit undetected for weeks or even months.

Here are some of the key elements of ransomware tactics across this first quarter of 2025:

  • RaaS is firmly established as a key tactic for prominent ransomware groups. The ease with which affiliates can buy into a ransomware group of choice and immediately begin attacks (see example below) ensures a steady flow of profit for the criminals at the top of the food chain.
2025 Ransomware: Business as Usual, Business is Booming
  • Double extortion is also a firm favorite. FunkSec made inroads into this realm with ransoms as low as $10,000, perhaps designed to be more enticing to victims than the often unreachable demands for totals ranging from $600,000 to a cool million plus.
  • The deadline to pay a ransom, or just make initial contact with the threat actor, varies greatly between groups. RansomHub has previously handed out ransoms with deadlines ranging between 72 hours and 90 days. Cl0p has been known to apply varying degrees of pressure to encourage targets to get in touch. In December 2024, the group gave uncommunicative victims 48 hours to make contact or risk having their organization’s names disclosed publicly. Other Cl0p notes, such as the one below, reuse the 48-hour tactic but exclude mention of public exposure. Regardless of the tactics used, there’s no guarantee files will be unencrypted or stolen documents deleted from leak sites should the victims pay up. These supposed deadlines create a sense of urgency while potentially offering victims little beyond false hope.
2025 Ransomware: Business as Usual, Business is Booming

Five things you can do now

Unfortunately, there is no escaping the business reality of ransomware; it is a pervasive problem and it impacts every business at some level sooner or later. A solid defense plan can help to lower risk and prevent a disastrous outcome.

Here are five things you can do now that will make an immediate impact on reducing your attack surface:

  1. Take a fresh look at your MFA — If your organization has deployed multi-factor authentication (MFA), take the time now to review any policy exceptions that have been made over time and remove as many as possible. In addition, ensure that your MFA settings are properly configured (this is critical!). If your organization has not yet deployed MFA, see number 2.
  2. Deploy and configure MFA the right way — Multi-factor authentication is a must to avoid giving attackers an easy win from unsecured VPNs and RDP. Combine with geolocational restrictions, strong, unique passwords, and number matching in MFA applications to help ward off additional threats like MFA fatigue.
  3. Practice continuous patch management, especially for edge devices — Over the last couple of years, network edge devices have become a favorite way for attackers to gain initial access and then pivot elsewhere in the victim’s network. It’s critical that your patch management program accounts for this by prioritizing fixes to these devices as they are released. Prioritization of fixes should also be based on known exploits, their potential impacts to your business, and how these align with your business’s risk tolerance.
  4. Hold a ransomware attack simulation — Activate your incident response plan as if the organization has just been made aware of a breach. Who in the organization is involved and what are their immediate tasks? Are payment policies and outside resources pre-determined so there are no panic-driven mistakes and critical time isn’t lost? Note your learnings and schedule regular simulations every 6 months thereafter.
  5. Investigate your attack surface — Threat actors and their tools are poking and prodding your attack surface in search of vulnerabilities, and you must be proactive in doing the same. Resolve to speak with us regularly about Rapid7’s latest innovations in attack surface management.

Conclusion

Ransomware groups large and small have ushered in 2025 with a clear statement of intent: business as usual, and business is booming. The significant volume of leak posts and the heavy lean toward double extortion would indicate we can expect more of the same as the year progresses. In addition, the first glimmer of reportage-style commentary on their victim’s alleged failings suggests a bumpy road ahead for organizations unlucky enough to end up in the ransomware spotlight.

Newer groups hungry for publicity and affiliate network building will potentially look to emulate the Anubis approach, and do a little reportage style journalism of their own. Gimmicks sell and grab publicity, and reputational damage from data leaks may well go hand in hand with regulatory embarrassment and bad publicity. If that wasn’t bad enough, ransomware groups stand revealed through exposed chat logs as being in the market for purchasing zero days.

Businesses need to do everything they can to minimize the risk of easy network access and data exfiltration. Victims continue to pay the price for poor MFA coverage and inadequate patch management, which is why we heavily stressed these basics in our recommendations section above.

If there is a brave new world of ransomware to speak of, it largely resembles the old one with a few streamlined tweaks to a very well-oiled machine.

Skip the setup: deploy a Workers application in seconds

Post Syndicated from Nevi Shah original https://blog.cloudflare.com/deploy-workers-applications-in-seconds/

You can now add a Deploy to Cloudflare button to the README of your Git repository containing a Workers application — making it simple for other developers to quickly set up and deploy your project! 

The Deploy to Cloudflare button: 

  1. Creates a new Git repository on your GitHub/ GitLab account: Cloudflare will automatically clone and create a new repository on your account, so you can continue developing. 

  2. Automatically provisions resources the app needs: If your repository requires Cloudflare primitives like a Workers KV namespace, a D1 database, or an R2 bucket, Cloudflare will automatically provision them on your account and bind them to your Worker upon deployment. 

  3. Configures Workers Builds (CI/CD): Every new push to your production branch on your newly created repository will automatically build and deploy courtesy of Workers Builds

  4. Adds preview URLs to each pull request: If you’d like to test your changes before deploying, you can push changes to a non-production branch and preview URLs will be generated and posted back to GitHub as a comment.   


There is nothing more frustrating than struggling to kick the tires on a new project because you don’t know where to start. Over the past couple of months, we’ve launched some improvements to getting started on Workers, including a gallery of Git-connected templates that help you kickstart your development journey. 

But we think there’s another part of the story. Everyday, we see new Workers applications being built and open-sourced by developers in the community, ranging from starter projects to mission critical applications. These projects are designed to be shared, deployed, customized, and contributed to. But first and foremost, they must be simple to deploy.

Ditch the setup instructions

If you’ve open-sourced a new Workers application before, you may have listed in your README the following in order to get others going with your repository:

  1. “Clone this repo” 

  2. “Install these packages”

  3. “Install Wrangler” 

  4. “Create this database”

  5. “Paste the database ID back into your config file” 

  6. “Run this command to deploy” 

  7. “Push to a new Git repo” 

  8. “Set up CI” 

And the list goes on the more complicated your application gets, deterring other developers and making your project feel intimidating to deploy. Now, your project can be up and running in one shot — which means more traction, more feedback, and more contributions.

Self-hosting made easy 

We’re not just talking about building and sharing small starter apps but also complex pieces of software. If you’ve ever self-hosted your own instance of an application on a traditional cloud provider before, you’re likely familiar with the pain of tedious setup, operational overhead, or hidden costs of your infrastructure. 

Self-hosting with traditional cloud provider

Self-hosting with Cloudflare 

Setup a VPC

Install tools and dependencies  

Set up and provision storage 

Manually configure CI/CD pipeline to automate deployments 

Scramble to manually secure your environment if a runtime vulnerability is discovered

Configure autoscaling policies and manage idle servers

✅Serverless

✅Highly-available global network

✅Automatic provisioning of datastores like D1 databases and R2 buckets

✅Built-in CI/CD workflow configured out of the box

✅Automatic runtime updates to keep your environment secure

✅Scale automatically and only pay for what you use.

By making your open-source repository accessible with a Deploy to Cloudflare button, you can allow other developers to deploy their own instance of your app without requiring deep infrastructure expertise. 

From starter projects to full-stack applications

We’re inviting all Workers developers looking to open-source their project to add Deploy to Cloudflare buttons to their projects and help others get up and running faster. We’ve already started working with open-source app developers! Here are a few great examples to explore: 

Test and explore your APIs with Fiberplane 

Fiberplane helps developers build, test and explore Hono APIs and AI Agents in an embeddable playground. This Developer Week, Fiberplane released a set of sample Worker applications built on the ‘HONC‘ stack — Hono, Drizzle ORM, D1 Database, and Cloudflare Workers — that you can use as the foundation for your own projects. With an easy one-click Deploy to Cloudflare, each application comes preconfigured with the open source Fiberplane API Playground, making it easy to generate OpenAPI docs, test your handlers, and explore your API, all within one embedded interface.

Deploy your first remote MCP server 

You can now build and deploy remote Model Context Protocol (MCP) servers on Cloudflare Workers! MCP servers provide a standardized way for AI agents to interact with services directly, enabling them to complete actions on users’ behalf. Cloudflare’s remote MCP server implementation supports authentication, allowing users to login to their service from the agent to give it scoped permissions. This gives users the ability to interact with services without navigating dashboards or learning APIs — they simply tell their AI agent what they want to accomplish.

Start building your first agent 

AI agents are intelligent systems capable of autonomously executing tasks by making real-time decisions about which tools to use and how to structure their workflows. Unlike traditional automation (which follows rigid, predefined steps), agents dynamically adapt their strategies based on context and evolving inputs. This template serves as a starting point for building AI-driven chat agents on Cloudflare’s Agent platform. Powered by Cloudflare’s Agents SDK, it provides a solid foundation for creating interactive AI chat experiences with a modern UI and tool integrations capabilities.

Try it now

You can start using Deploy to Cloudflare buttons today!

Add a Deploy to Cloudflare button to your README

Be sure to make your Git repository public and add the following snippet including your Git repository URL.

[![Deploy to Cloudflare](https://deploy.workers.cloudflare.com/button)](https://deploy.workers.cloudflare.com/?url=<YOUR_GIT_REPO_URL>)

When another developer clicks your Deploy to Cloudflare button, Cloudflare will parse the Wrangler configuration file, provision any resources detected, and create a new repo on their account that’s updated with information about newly created resources. For example:

{
  "compatibility_date": "2024-04-03",

  "d1_databases": [
    {
      "binding": "MY_D1_DATABASE",

	//will be updated with newly created database ID
      "database_id": "1234567890abcdef1234567890abcdef"
    }
  ]
}

Check out our documentation for more information on how to set up a deploy button for your application and best practices to ensure a successful deployment for other developers. 

Start building 

For new Cloudflare developers, keep an eye out for “Deploy to Cloudflare” buttons across the web, or simply paste the URL of any public GitHub or GitLab repository containing a Workers application into the Cloudflare dashboard to get started.


During Developer Week, tune in to our blog as we unveil new features and announcements — many including Deploy to Cloudflare buttons — so you can jump right in and start building!

Deploying Zabbix Components with Docker and Docker Compose

Post Syndicated from Janis Eidaks original https://blog.zabbix.com/deploying-zabbix-components-with-docker-and-docker-compose/30025/

Installing Zabbix from packages can feel overwhelming, due to the availability of different configuration options. The detailed and comprehensive documentation certainly helps to check the purpose of these multiple options, what values can be set in their fields, and if one is required for your planned deployment. There are quite a few official Zabbix blog posts about Zabbix in containers, and this post is aimed at showcasing how additional Zabbix components can be easily set up in a docker environment, along with docker run and docker compose examples.

For those who would prefer to use Zabbix in a containerized environment such as Docker, or who want to try out Zabbix quickly, this guide is for you (you can also check out the other Zabbix Docker blog posts). You can also mix and match Zabbix components installed from packages or built from source with those running in containers.

Please follow the official guide on how to set up the docker here.

To better understand the Zabbix architecture for those who are trying out Zabbix for the first time, I will give you an overview that should make it much easier to follow and understand Zabbix.

Zabbix consists of 3 main components (the bare minimum to get started):

  • Zabbix Server – responsible for everything related to data collection, trigger evaluation, event generation, and alerting.
  • Zabbix Frontend – responsible for the configuration (modifying or changing the configuration of the monitoring targets) and visualization (dashboards, graphs, tables, and widgets).
  • Database – this is where the Zabbix configuration and monitoring history data are stored.

You can monitor your targets with the bare minimum setup; however, more comprehensive and complete monitoring can be achieved by using the C-based Zabbix-agent or GO-based Zabbix-agent2 in combination with templates, user parameters, and more. To set up the minimum necessary Zabbix components, you can use this example in the guide.

There are also official guides available on the Zabbix documentation page (for both: the docker run and docker compose) or the Docker/Github.

As of this writing , these official Zabbix docker components are available from the docker hub page:

  • Zabbix Server (with MySQL/PostgreSQL database)
  • Zabbix Proxy (with MySQL/SQLite3 database)
  • Zabbix Frontend (Apache/Nginx with MySQL/PostgreSQL DB)
  • Zabbix Agent (TLS encryption)
  • Zabbix Agent2 (TLS encryption)
  • Zabbix Java Gateway
  • Zabbix SNMP traps
  • Zabbix Web Service

Tags are used to select which OS container an image will be based on, as well as which Zabbix component version you wish to employ. If you only specify tag value – latest, you will get the latest Zabbix version based on the Alpine Linux. The images based on Linux Alpine are more lightweight than the other distros.

When something does not work as expected or fails, check the container error logs! This will be useful for debugging purposes and will help to narrow down the cause of an issue. Additionally, when debugging you can also specify additional options, such as specific lines of log, timestamp since or until, or following the log file content.

# docker logs --tail 50 container_name_or_id
    --details        Show extra details provided to logs
-f, --follow         Follow log output
    --since string   Show logs since timestamp (e.g. "2013-01-02T13:23:37Z") or relative (e.g. "42m" for 42 minutes)
-n, --tail string    Number of lines to show from the end of the logs (default "all")
-t, --timestamps     Show timestamps
    --until string   Show logs before a timestamp (e.g. "2013-01-02T13:23:37Z") or relative (e.g. "42m" for 42 minutes)

In some rare cases, when there is a container issue (everything else is correct, worked before, etc.), restarting the docker service can sometimes solve the issue.

So, what is different if you have only used Zabbix installed from packages?  The examples below illustrate the differences in configuration options based on different Zabbix deployment methods: a) package-based/compiled installation, b) docker run command, and c) docker compose file example. First of all, you will have to specify environment variables in the docker run command or docker compose file. The list of available environment variables for each docker image is available in both docker hub and Github.

A). Package-based config

# vi /etc/zabbix/zabbix_server.conf
...
DBName=zabbix
DBUser=zabbix_usr
DBPassword=zabbix_pwd
...

B).Docker run config

docker run --name zbxsrv -t \
...
-e MYSQL_DATABASE=zabbix\
-e MYSQL_USER=zabbix_usr \
-e MYSQL_PASSWORD=zabbix_pwd\
...

C). Docker compose config

# vi /../...yaml
...
  environment:
   MYSQL_DATABASE=zabbix
   MYSQL_USER=zabbix_usr
   MYSQL_PASSWORD=zabbix_pwd

The environment variables are represented as key-value pairs, e.g., VAR=VAL. The values can optionally be unquoted or double-quoted. If some environment variable value contains special characters, you will need to escape them. To properly escape them, check out the docker documentation page.

You can create custom, user-defined networks to connect multiple containers to the same network. On such networks, containers can resolve each other by name or alias. If needed, you can assign a specific IP address to a container (if the address is already used, you will get an error).

# docker network create --subnet 172.20.0.0/16 --ip-range 172.20.240.0/20 zabbix-net

Docker run

In this section, we have an example of docker run commands for two Zabbix components: Zabbix proxy and Java gateway. When using custom, user-defined networks, you can use container names for communication between containers instead of using IP addresses. Here, instead of defining the IP address for Zabbix Java gateway, the container name is used. You can set a static IP address for your container or let docker do it for you, but confirm if the change of the IP address will not cause issues in case your container gets a different IP address. This can become an issue if you use an IP address in some configuration fields instead of a container name.

A lot of parameters are specified using environment variables with the option -e. Also, 3 different ports are exposed on your host machine. To keep the SQLite3 database file upon container deletion, the container directory containing database file is mounted to host directory (the proxy DB is usually used as a buffer storage before sending data to Zabbix server and usually is not used to store data beyond the moment when the data is sent).

docker run --name zabbix-proxy-active-01 \
-e ZBX_HOSTNAME="Zabbix-proxy-active-01" \
-e ZBX_SERVER_HOST=46.101.140.98 \
-e ZBX_PROXYMODE="0" \
-e ZBX_JAVAGATEWAY_ENABLE=true \
-e ZBX_JAVAGATEWAY=zabbix-java-gateway-proxy \
-e ZBX_JAVAGATEWAYPORT=10052 \
-e ZBX_STARTJAVAPOLLERS=5 \
--network=zabbix-net \
-e ZBX_LISTENPORT=10101  \
-p 10101:10101 \
-p 10050:10050 \
-p 10051:10051 \
-v /var/lib/zabbix/db_data:/var/lib/zabbix/db_data \
--restart unless-stopped \
--init -d zabbix/zabbix-proxy-sqlite3:alpine-7.2.4
docker run --name zabbix-java-gateway-proxy \
--network=zabbix-net \
--restart unless-stopped \
-d zabbix/zabbix-java-gateway:alpine-7.2.4

You can start each of these Zabbix components using the docker run command, however, any change to the container configuration will require you to stop the container, delete it, and execute the docker run command again. You also have another option – you could create a docker compose file and write the necessary configuration in yaml format. When you need to add some changes to the container configuration, run the docker compose down command to remove containers, edit the docker compose file, and run docker compose up command to start them up again with the new configuration:

  • docker compose -f ./docker_compose_v3_proxy.yaml down
  • docker compose -f ./docker_compose_v3_proxy.yaml up -d

If you have not mounted volume or directory to container for the data you want to keep, you can copy the data from the container to your host. Otherwise, that data will be gone if you delete the container or use the docker compose down command. So, it is important to set up the persistent storage/volume for the data that needs retaining, so you don’t lose important data from the container when container configuration is changed. You also need to expose the ports for the necessary services for the appropriate components (if they are set up on on separate hosts): zabbix-server, zabbix-proxy, zabbix-agent/zabbix-agent2 (default ports: 10050 for Zabbix agent passive mode, 10051 for Zabbix-agent active mode, some different port for proxy, 10052 for Java gateway).

Here we have the same docker run options written to docker compose file, including the environment variables, mounted directories and exposed ports. You can specify as many services as needed and start them just with docker compose command.

docker_compose_v3_proxy.yaml

services:
  zabbix-proxy-active-01:
    image: "${PROXY_SQLITE3_IMAGE}:${ALPINE_IMAGE_TAG}"
    environment:
      ZBX_HOSTNAME: Zabbix-proxy-active-01
      ZBX_SERVER_HOST: ${ZBX_SERVER_HOST}
      ZBX_PROXYMODE: 0
      ZBX_LISTENPORT: 10101
      ZBX_JAVAGATEWAY_ENABLE: true
      ZBX_JAVAGATEWAY: zabbix-java-gateway-proxy
      ZBX_JAVAGATEWAYPORT: 10052
      ZBX_STARTJAVAPOLLERS: 5
    volumes:
      - /var/lib/zabbix/db_data:/var/lib/zabbix/db_data:rw
    networks:
      - backend
    ports:
      - 10101:10101
      - 10050:10050
      - 10051:10051
    restart: unless-stopped

  zabbix-java-gateway-proxy:
    image: "${JAVA_GW_IMAGE}:${ALPINE_IMAGE_TAG}"
    networks:
      - backend
    restart: unless-stopped

networks:
  backend:
    name: zabbix-net
    external: true

.env

PROXY_SQLITE3_IMAGE=zabbix/zabbix-proxy-sqlite3
JAVA_GW_IMAGE = zabbix/zabbix-java-gateway
ALPINE_IMAGE_TAG=alpine-7.2.4
ZBX_SERVER_HOST=46.101.140.98

You can also use official Zabbix-supplied docker compose files, try them out, and modify them as needed.

You can read more about the official docker compose files here.

Containerized Zabbix components allow us to use test different scenarios within the docker:

  • Creating HA Zabbix-server nodes
  • Creating multiple proxies
  • Creating multiple agents
  • Adding more Java gateways
  • Creating multiple frontends
  • Easily configure Browser monitoring
  • Configure SNMP traps
  • Easily make scheduled reports

Deploying multiple redundant Zabbix servers

To enable HA Zabbix server mode, modify both the Zabbix-server container and Zabbix-frontend container configuration environment variables.

For the HA Zabbix server mode, add 2 environment variables:

  • ZBX_HANODENAME
  • ZBX_NODEADDRESS

All of the containers are set with the user-defined network, therefore I will use the container name in the ZBX_HANODENAME option instead of the static address, as it will be resolved by docker. If you need to use a different listen port for the trapper, you need to define it using the environment variable ZBX_LISTENPORT. You can omit the port in variable ZBX_HANODENAME, as the ZBX_LISTENPORT (default is 10051) will be applied automatically.

Here is the docker run example for the Zabbix-server HA mode.

docker run --name zabbix-server-mysql-ha1 -t \
-e DB_SERVER_HOST="mysql-server" \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="zabbix_pwd" \
-e MYSQL_ROOT_PASSWORD="root_pwd" \
-e ZBX_HANODENAME="zabbix-server-HA1" \
-e ZBX_NODEADDRESS="zabbix-server-mysql-ha1" \
--network=zabbix-net \
-p 10151:10051 \
--restart unless-stopped \
-d zabbix/zabbix-server-mysql:alpine-7.2.4
docker run --name zabbix-server-mysql-ha2 -t \
-e DB_SERVER_HOST="mysql-server" \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="zabbix_pwd" \
-e MYSQL_ROOT_PASSWORD="root_pwd" \
-e ZBX_HANODENAME="zabbix-server-HA2" \
-e ZBX_NODEADDRESS="zabbix-server-mysql-ha2" \
--network=zabbix-net \
-p 10251:10051 \
--restart unless-stopped \
-d zabbix/zabbix-server-mysql:alpine-7.2.4

From the frontend container, remove these two environment variables:

  • ZBX_SERVER_HOST
  • ZBX_SERVER_PORT
docker run --name zabbix-web-nginx-mysql -t \
-e ZBX_SERVER_HOST="zabbix-server-mysql" \
-e ZBX_SERVER_PORT=10051
-e DB_SERVER_HOST="mysql-server" \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="zabbix_pwd" \
-e MYSQL_ROOT_PASSWORD="root_pwd" \
--network=zabbix-net \
-p 80:8080 \
--restart unless-stopped \
-d zabbix/zabbix-web-nginx-mysql:alpine-7.2.4

Once both container configurations are modified, you should be able to see the currently added HA server nodes and their states without issues.

Fig. 1. Containers of HA Zabbix server containers

Fig. 2. Dashboard – system information

You can also execute commands on the container:

# docker exec -it container_name_or_id sh -c "zabbix_server -R ha_status"

Fig. 3. Executing command on container

Containers of HA Zabbix server containers

I’t’s possible to allocate an interactive pseudo-TTY shell, by adding option -ti and specifying shell after the container name or id.

# docker exec -ti container_name_or_id /bin/bash

Fig. 4. Executing command from within container

You can also start multiple proxies at once in docker. This can help to offload preprocessing to the proxy, gather data from the targets behind the firewall, and send collected data back to the Zabbix server, only requiring one port.

Fig. 5.Overall block diagram of Zabbix monitoring opportunities

Deploying multiple Zabbix proxies

First, you must choose the proxy mode and set the environment variable ZBX_PROXYMODE.

For active mode proxy, please define the server host address for a single server or addresses separated by a semicolon in the case of HA Zabbix server configuration (example shown below).

docker run --name zabbix-proxy-active-01 \
-e ZBX_HOSTNAME="Zabbix-proxy-active-01" \
-e ZBX_SERVER_HOST="zabbix-server-mysql-ha1;zabbix-server-mysql-ha2;zabbix-server-mysql-ha3" \
-e ZBX_PROXYMODE="0" \
--network=zabbix-net \
-e ZBX_LISTENPORT=10101  \
-p 10101:10101 \
-v /var/lib/zabbix/db_data:/var/lib/zabbix/db_data \
--restart unless-stopped \
--init -d zabbix/zabbix-proxy-sqlite3:alpine-7.2.4

For passive mode proxy, define the server host address for a single server or addresses separated by a comma in the case of HA Zabbix server configuration (example shown below).

docker run --name zabbix-proxy-passive-01 \
-e ZBX_HOSTNAME="Zabbix-proxy-passive-01" \
-e ZBX_SERVER_HOST="zabbix-server-mysql-ha1,zabbix-server-mysql-ha2,zabbix-server-mysql-ha3" \
-e ZBX_PROXYMODE="1" \
--network=zabbix-net \
-e ZBX_LISTENPORT=10102 \
-p 10102:10102 \
-v /var/lib/zabbix/db_data:/var/lib/zabbix/db_data \
--restart unless-stopped \
--init -d zabbix/zabbix-proxy-sqlite3:alpine-7.2.4

docker_compose_v3_proxies.yaml

services:
  zabbix-proxy-active-01:
    image: "${PROXY_SQLITE3_IMAGE}:${ALPINE_IMAGE_TAG}"
    environment:
      ZBX_HOSTNAME: zabbix-proxy-active-01
      ZBX_SERVER_HOST: zabbix-server-mysql-ha1;zabbix-server-mysql-ha2;zabbix-server-mysql-ha3
      ZBX_PROXYMODE: 0
      ZBX_LISTENPORT: 10101
    volumes:
      - /var/lib/zabbix/db_data:/var/lib/zabbix/db_data:rw
    networks:
      - backend
    ports:
      - 10101:10101
    restart: unless-stopped

  zabbix-proxy-passive-01:
    image: "${PROXY_SQLITE3_IMAGE}:${ALPINE_IMAGE_TAG}"
    environment:
      ZBX_HOSTNAME: zabbix-proxy-passive-01
      ZBX_SERVER_HOST: zabbix-server-mysql-ha1,zabbix-server-mysql-ha2,zabbix-server-mysql-ha3
      ZBX_PROXYMODE: 1
      ZBX_LISTENPORT: 10102
    volumes:
      - /var/lib/zabbix/db_data:/var/lib/zabbix/db_data:rw
    networks:
      - backend
    ports:
      - 10102:10102
    restart: unless-stopped
networks:
  backend:
    name: zabbix-net
    external: true

.env

PROXY_SQLITE3_IMAGE=zabbix/zabbix-proxy-sqlite3
JAVA_GW_IMAGE = zabbix/zabbix-java-gateway
ALPINE_IMAGE_TAG=alpine-7.2.4
ZBX_SERVER_HOST=46.101.140.98

The proxy name in the frontend must be the same as the value set in proxy environment variable ZBX_HOSTNAME! Also, in frontend for active proxies, you don’t need to add the proxy address.

Next, you can set hosts to be monitored by Zabbix-proxies, but make sure to update the agent configuration, so agents accept connections from proxy.

Fig. 6. Hosts monitored by proxy

Fig. 7.List of proxies and hosts monitored by them

Configuring Proxy groups

You can create as many proxy containers as necessary in Docker, and you can also create proxy groups for load balancing (it is based on the number of hosts per proxy).

First, create a proxy group in the frontend:

  • Set proxy group name
  • Select failover period
  • Minimum number of proxies

Fig. 8.Creating a new proxy group

Next, add proxies to the proxy group, and specify the address for active agents and port for the active agents.

Fig. 9. Adding proxy to proxy group

Do not forget to change Zabbix agent configuration for hosts now monitored through the proxy group (add proxy groups IPs/DNS to Server and ServerActive options).

Fig. 10. Creating a new host and monitoring it through proxy group

You can see additional information regarding the proxies in the Frontend section: Administration/ Proxies.

Fig. 11. List of all configured proxies and those belonging to proxy group

Adding more Java gateways

Zabbix server or proxy can communicate with only one Zabbix java gateway, however, you are not limited tin how many Zabbix proxies you create together with Zabbix Java Gateway. You can make an unlimited number of pairs, consisting of Zabbix proxy with Zabbix Java Gateway.

For the containerized Zabbix server, you will need to add these 4 environment variables:

ZBX_JAVAGATEWAY_ENABLE=true
ZBX_JAVAGATEWAY=zabbix-java-gateway-server
ZBX_JAVAGATEWAYPORT=10052
ZBX_STARTJAVAPOLLERS=5

And start the Java gateway for the zabbix-server in docker:

docker run --name zabbix-java-gateway-server -t \
--network=zabbix-net \
--restart unless-stopped \
-d zabbix/zabbix-java-gateway:alpine-7.2.4

Or if you want to add java gateway to the Zabbix proxy, then add these 4 environment variables to Zabbix proxy in docker:

ZBX_JAVAGATEWAY_ENABLE=true
ZBX_JAVAGATEWAY=zabbix-java-gateway-proxy
ZBX_JAVAGATEWAYPORT=10052
ZBX_STARTJAVAPOLLERS=5

And start the java gateway as a container:

docker run --name zabbix-java-gateway-proxy -t \
--network=zabbix-net \
--restart unless-stopped \
-d zabbix/zabbix-java-gateway:alpine-7.2.4

And here we have a host, monitored by zabbix-agent2 through zabbix-proxy-active-02

Fig. 12. Host monitored by proxy with configured Java gateway

Upgrading docker proxies with SQLite3 database

If you have older Zabbix components already running in docker and you have upgraded the server, you will also need to upgrade the proxies.

If you have a container created from the proxy zabbix-proxy-sqlite3 image and want to upgrade it, you will lose the existing data stored in the SQLite3 database. For most users, the database functions as a buffer to temporarily keep the data until it’s sent to Zabbix server and the loss of the proxy database file data is of no consequence.

Once you have updated the image for the container, the proxy will detect the existing old database version on startup. If the directory is mounted to database file, it will delete the database file and create a new one. This will impact those who keep data after sending it to Zabbix server and use the data from the proxy database for other purposes.

Fig. 13. Database upgrade for proxy container with SQLite3 database

Upgrading docker proxies with MySQL database

To upgrade the MySQL database for proxy, log in in the MySQL database, set the log_bin_trust_function_creators flag to 1. Change the proxy image version to a newer one and start the container.

mysql> set global log_bin_trust_function_creators = 1;

If you have not set the flag, you will receive an error of database upgrade.

Fig. 14. Failed database upgrade for proxy with MySQL database

Replace the previous version of the proxy image with the new one, check the log file, and check the docker logs to see when the database schema upgrade has finished. After the upgrade, set the flag back to 0.

mysql> set global log_bin_trust_function_creators = 0;

The upgrade has been successful, and the proxy service has started after that.

Fig. 15. Successful database upgrade for proxy with MySQL database

An official docker image for the proxy with Postgresql database support is not available due to the extensive number of existing images and different versions.

Deploying multiple frontends

You can launch as many frontends as you need if you are experiencing a sudden surge in Zabbix users. Just specify which port to assign for it and you are good to go (don’t forget to also open the port in the firewall).

docker run --name zabbix-web-nginx-mysql1 -t \
-e DB_SERVER_HOST="mysql-server" \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="zabbix_pwd" \
-e MYSQL_ROOT_PASSWORD="root_pwd" \
--network=zabbix-net \
-p 80:8080 \
--restart unless-stopped \
-d zabbix/zabbix-web-nginx-mysql:alpine-7.2.4

Fig. 16. One started Zabbix frontend container in docker

docker run --name zabbix-web-nginx-mysql2 -t \
-e DB_SERVER_HOST="mysql-server" \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="zabbix_pwd" \
-e MYSQL_ROOT_PASSWORD="root_pwd" \
--network=zabbix-net \
-p 81:8080 \
--restart unless-stopped \
-d zabbix/zabbix-web-nginx-mysql:alpine-7.2.4

Fig. 17. Two started Zabbix frontend containers in docker

docker run --name zabbix-web-nginx-mysql3 -t \
-e DB_SERVER_HOST="mysql-server" \
-e MYSQL_DATABASE="zabbix" \
-e MYSQL_USER="zabbix" \
-e MYSQL_PASSWORD="zabbix_pwd" \
-e MYSQL_ROOT_PASSWORD="root_pwd" \
--network=zabbix-net \
-p 82:8080 \
--restart unless-stopped \
-d zabbix/zabbix-web-nginx-mysql:alpine-7.2.4

Fig. 18. Three started Zabbix frontend containers in docker

Fig. 19. Multiple frontends accessed through different ports

Browser monitoring

Browser monitoring setup has never been easier! Just add two parameters to zabbix-server container config:

ZBX_WEBDRIVERURL=selenium:4444
ZBX_STARTBROWSERPOLLERS=2

And start the web driver in the docker (with a standalone chrome browser):

docker run --name selenium -t\
--network=zabbix-net \
--restart unless-stopped \
-p 4444:4444 \
--shm-size="1g" \
-d selenium/standalone-chrome:latest

Next step: create a new host, add the template, specify which page to monitor with Macro values, and it’s DONE!!!!

Fig. 20. Creating host for monitoring website

Fig. 21. Screenshot of the monitored website

SNMP traps

For the snmptraps to work, the same directory must be shared among the zabbix-server and zabbix-snmptrap container. On the Zabbix-server side, you need to explicitly set snmp environment variable ZBX_ENABLE_SNMP_TRAPS to true and mount directory /var/lib/zabbix/snmptraps.

You also need to add the same volume to the snmptrap container.

And run the snmptraps container (make sure there is no permission issue for the directory)

docker run --name zabbix-snmptraps -t \
-v /var/lib/zabbix/snmptraps:/var/lib/zabbix/snmptraps:rw \
--network=zabbix-net \
-p 162:1162/udp \
--restart unless-stopped \
-d zabbix/zabbix-snmptraps:alpine-7.2-latest

Fig. 22. Received SNMP trap message

Scheduled reports

You can also easily configure scheduled reports by adding 2 additional environment variables to the Zabbix-server. In my case, both of these containers are in the same custom user network, therefore I will use the container name zabbix-web-service in the ZBX_WEBSERVICEURL option.

ZBX_STARTREPORTWRITERS=5
ZBX_WEBSERVICEURL=http://zabbix-web-service:10053/report

Start the Zabbix-web service, specify also these 2 parameters (you can skip those if defaults are used). You can also allow any incoming connections by setting ZBX_ALLOWEDIP=0.0.0.0/0. We discourage this, however.

ZBX_ALLOWEDIP=zabbix-server-mysql
ZBX_LISTENPORT=10053

Before testing scheduled reports, make sure you have enabled and configured the email media type.

Fig. 23. Configured and enabled media type

It is also encouraged to test it and check that you have received the test email.

Fig. 24. Successful media type test response

Fig. 25. Received test response on the selected media type.

Next, configure the user media where the scheduled report will be sent.

Fig. 26.Media type defined for the user

Last, but not least, set the frontend URL in the section Administration/General/Other section. In my case, I set the container name of the frontend and specify the port.

for Apache: http://<server_ip_or_name>/zabbix
for Nginx: http://<server_ip_or_name>

Fig. 27. Configured frontend address for the Frontend URL option

Next, create a scheduled report based on the dashboard of your choice.

Fig. 28.Configuring scheduled report

Check that you have received the test report in your mail.

Fig. 29.Successful scheduled report test.

Fig. 30. Received scheduled report test in the email

Now you know how to set up scheduled reports!

Docker container monitoring

You can also monitor Docker containers with a containerized Zabbix instance*

* Disclaimer: If docker service is not running, Zabbix monitoring will also not function and you will not receive notifications and alerts.

You can also monitor your docker instance with the Zabbix agent 2, however, you will be required to install Zabbix-agent 2 on the host either as a package or build it from the source.

You will also need to give user zabbix access to the docker.sock file. Just add user zabbix to group docker:

# usermod -aG docker zabbix

Otherwise, you will get an error message in items:

Cannot fetch data: Get "http://1.28/info": dial unix /var/run/docker.sock: connect: permission denied.

Go back to the frontend and create a Host for monitoring the docker containers:

  • Link template: Docker by Zabbix agent 2
  • Add host to host group
  • Specify host address or dns name, set the correct connect to option, and specify the agent port (if a default port is used, then set 10050).

Fig. 31. Configuring the host for monitoring the docker container

Now, if some issue happens to other containers, Zabbix will monitor them. But to be notified of an issue, don’t forget to enable and configure the media, user media, media templates, and trigger actions, so that you receive alerts.

Fig. 32.Latest data for the docker host

Thank you for reading – I hope you’ve found this article helpful and informative!

 

The post Deploying Zabbix Components with Docker and Docker Compose appeared first on Zabbix Blog.

Arguing Against CALEA

Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2025/04/arguing-against-calea.html

At a Congressional hearing earlier this week, Matt Blaze made the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in today’s threat environment and should be rethought:

In other words, while the legally-mandated CALEA capability requirements have changed little over the last three decades, the infrastructure that must implement and protect it has changed radically. This has greatly expanded the “attack surface” that must be defended to prevent unauthorized wiretaps, especially at scale. The job of the illegal eavesdropper has gotten significantly easier, with many more options and opportunities for them to exploit. Compromising our telecommunications infrastructure is now little different from performing any other kind of computer intrusion or data breach, a well-known and endemic cybersecurity problem. To put it bluntly, something like Salt Typhoon was inevitable, and will likely happen again unless significant changes are made.

This is the access that the Chinese threat actor Salt Typhoon used to spy on Americans:

The Wall Street Journal first reported Friday that a Chinese government hacking group dubbed Salt Typhoon broke into three of the largest U.S. internet providers, including AT&T, Lumen (formerly CenturyLink), and Verizon, to access systems they use for facilitating customer data to law enforcement and governments. The hacks reportedly may have resulted in the “vast collection of internet traffic”; from the telecom and internet giants. CNN and The Washington Post also confirmed the intrusions and that the U.S. government’s investigation is in its early stages.

Диана Димова от „Мисия Криле“: Пролетта започва с една птичка

Post Syndicated from Ина Иванова original https://www.toest.bg/diana-dimova-ot-misia-krile-proletta-zapochva-s-edna-ptichka/

Диана Димова от „Мисия Криле“: Пролетта започва с една птичка

Екипът на Фондация „Мисия Криле“ е на първа линия, когато става въпрос за майки с деца, опитващи се да се спасят от домашно насилие, за хора, изпаднали в крайна бедност, или за големи бежански вълни, като тези от Сирия, Афганистан и Украйна. Екипът е почти неизменен от основаването на фондацията през 2018 г. 

Председателка на организацията, чието седалище е в Стара Загора, е Диана Димова – отдадена социална работничка, майка и жена с кауза, която говори ясно, тихо и задълбочено по трудните теми.

За нея всичко започва преди 27 години, когато в родната ѝ Стара Загора се появяват бездомни деца, живеещи в района на гарата. Диана и други млади хора започват да ги хранят. Оттогава започва и дейността ѝ в помощ на хора от уязвими групи. 

Днес част от „Мисия Криле“ е основаният преди 20 години център Комплекс за социални услуги, на който Диана Димова е директорка. Той е оказал подкрепа на над 6000 жени и деца в риск.

В началото на годината представители на екипа на Фондация „Мисия Криле“ се опитаха да спасят бедстващи тийнейджъри, търсещи убежище, но поради бездействието на институциите децата починаха. 

Диана Димова и колегите ѝ създават и Консултативен център в град Харманли – в подкрепа на хора, търсещи и получили убежище в страната. Защото на практика дори онези, които получат хуманитарен или бежански статут, остават в повечето случаи отхвърлени или невидими за обществото. 

В предварителния ни разговор Диана Димова сподели с мен, че често намира утеха в книгата „Джонатан Ливингстън Чайката“. Героят на Ричард Бах е изхвърлен от ятото си за това, че се рее, вместо да изпълнява обичайните за чайка задължения. Наказан е да остане в изгнание на един остров. Там освен небесните ширини, сред които продължава да лети, Чайката намира съмишленици. И разбира, че грешката не е у него.

Най-впечатляващ обаче е завършекът на романа – Джонатан Ливингстън осъзнава, че трябва да се върне, че мисията му всъщност е да бъде там, сред враждебното ято, където е бил най-неразбран. Диана продължава да размишлява върху това: 

Да се опитваш да кажеш своите послания и да променяш твоята общност. Това е най-голямото предизвикателство на живота ми. Мисля, че ако живеем само за себе си, нищо не сме постигнали. Всеки трябва през своята къщурка да прави опити да стане светът по-добър, а може, всеки един от нас може.

Каква мечтаехте да станете, когато бяхте дете?

Като голяма част от момичетата на моята възраст си мечтаех да работя с деца, да помагам на деца. И понеже нямаше кой знае колко разнообразни професии тогава, единственият основен модел, който виждахме, беше детската учителка. Това присъстваше не само в мечтите, а и в игрите от моето детство. Ако сравним игрите, които играят децата днес, и игрите, които предпочитахме ние като деца, ще открием големи разлики. Защото малките играят моделите, които са възприели, личи кои са моделите за подражание и какви са ценностите на възрастните около тях.

За съжаление, много от образите, които ние имахме като деца, тези ореоли, които поставяхме на някои професии или на определени личности, се развенчаха с времето и от перспективата на съвремието. Ако се върна назад, виждам колко много неща, в които аз съм вярвала или които съм боготворяла, се оказаха фалшиви идоли и маски.

Това е голямата тема: какво играят децата ни и в какво вярват, какви са ценностите за тях. И тя се отнася и до нас – обяснява какви игри играят възрастните хора днес, кои са техните модели на подражание и как това се превръща в стил на живот.

От години работите с деца в бежански центрове. На какво играят те?

Като социален работник, като човек, който работи на първа линия с деца и възрастни, които преживяват или са преживели различни страдания, ми прави впечатление, че са забравили да мечтаят. 

Може да играе дете, което има мечти – без да имаш перспектива и фантазии за едно илюзорно или по-красиво, по-щастливо бъдеще, няма как. 

Децата в бежанските центрове трудно могат да символизират в игра своите представи за по-добър живот. Те често използват демонстрацията на сила, на власт над другия, над връстника, който може да се окаже заплаха, и се чувстват длъжни да му демонстрират своите граници, норми и правила. Ние организираме спортни събития, отваряме чрез спорта пространство за деца бежанци, за да могат да изразяват емоциите си. Те мислят, че ние играем с тях, но всъщност се опитваме да им помогнем да се лекуват. 

В нашия екип на „Мисия Криле“ имаме двама колеги треньори от Сирия, които работят много активно с деца бежанци чрез спорт, фитнес и футбол.

Прави ми впечатление на състезания колко силно удрят топката тийнейджърите, колко много имат да изразят от себе си и същевременно колко малко пространство имат за това. 

В арт ателиетата децата използват по-ярки цветове, понякога натискат силно, до степен да скъсат листа, което говори за това, което преживяват. 

В света, в който живеем, като че ли няма място да изразяваме емоции. И още нещо – има голяма пропаст между нас, възрастните, и съвременните деца. Грешка е да правим автоматични препратки към нашето детство, защото то е коренно различно от тяхното. Независимо дали сме психолози, социални работници, независимо дали работим с български, ромски деца, деца бежанци, е огромно предизвикателство да сме любопитни към тях и да се опитаме да разберем техния свят, а не да ги назидаваме какви трябва да бъдат през перспективата на живота, който ние сме имали. Най-полезни са ми били моментите, когато съм ги изслушвала, за да намеря пътя заедно с тях, когато те ми позволят да ги придружа за известен период, докато намерим посоката, тъй като те се лутат.

Какво научихте за себе си от битките, които водите за другите?

Много – и за себе си, и за близкия ми кръг, и за враговете си. Колко издръжливост има в мен. Понякога в ситуация, в която мисля, че ще се разпадна на парчета, разбирам, че всъщност съм на средата на пътя. Трудните моменти ни показват, че не сме толкова безпомощни, беззащитни и слаби, а че имаме повече сила, отколкото дори предполагаме. 

Може би една птичка не може да направи пролет, но пролетта може да започва с една птичка и капката може да разбие скалата с постоянство. Вярвам, че човек може да преобърне света. Вярвам, че войната може да спре с решението на един човек. Колкото и клиширано да звучи, смятам, че злото не може да трае вечно, колкото и всемогъщо да изглежда.

Кое Ви окрилява и кое Ви обезсърчава?

Аз все по активно търся неща, които да ме вдъхновят, които да ме очароват, които да ми върнат усещането за смисъл, мотивация. В последните години силно вдъхновение получавам, когато правим различни общностни събития, където има хора от различни култури – да готвят, танцуват или спортуват заедно. Изпитвам силно вълнение, защото много вярвам в идеята за многообразието. Смятам, че то е богатство и ако сме по-отворени едни към други, можем да почерпим от чуждия опит, от човека с различна вяра, ако щете, или на различна възраст. Всичко, което се иска от нас, е просто да сме любопитни и отворени към различния. 

Бих добавила още едно нещо, което много ми помага. Аз силно вярвам в християнските добродетели. И търся да се съюзявам със съмишленици, вместо да губя енергия да воювам с великани.

Огорчава ме едно огромно неразбиране, което все повече се засилва като усещане в мен – че онова, което правя, не просто е неразбираемо, не просто е неприемливо. А е недопустимо. Посланията, които чувам от различни кръгове по различен начин, мненията, които достигат до мен, когато говоря за моите каузи, са, че това, което правя, може да е заплаха за обществото или за националната сигурност, че съм национален предател. Това са неща, които мен лично ме изненадаха, защото не подозирах, че има хора, които могат да възприемат по-слабите като заплаха, независимо дали става въпрос за жена – жертва на насилие, дали за изоставено от родителите си дете, за бежанци, или за роми. 

От какво се страхуваме като общество и счупва ли се митът за българското гостоприемство, когато говорим за бежанци?

Тук е еднакво отношението към чужд човек, който е влязъл на територията на страната да търси убежище, или към човек от изолиран ромски квартал, който не го е напускал от 12 години и се страхува да слезе до центъра на големия град.

Има голяма съпротива от различни групи, мога само да подозирам какъв е техният мотив и откъде се захранват с такива идеи. Някои имат икономически интереси. Втори живеят в конспиративни теории, включително в ригиден, закостенял свят, в който другият е заплаха и приемането му може да означава загуба на собствената идентичност. Така че от тази гледна точка разбирам тяхното поведение, но не го оправдавам – защото в света, в който живеем, когато се даде пространство на този тип мислене и говорене, то може да взриви буквално цялата планета. 

Отдавна ме вълнува тази тема. Не съм намерила пътя как да се справя с това разочарование. И като мине малко време и си почина, си казвам: всъщност това е, за което живея. Нямам друг път и друг живот. Това е моята мисия. Да помагам на слабите и невидимите да бъдат тук и сега и мнозинството да се съобрази с тях, да ги приеме като равни. Да защитавам правата на слабите и да се боря за тяхното благополучие. Най-общо казано, това е човечността. Нищо повече. 

Да се върнем на темата за страха?

Истински смелите хора са се научили да яздят страха си, да го контролират, за да го насочат в една или друга посока. Страхът е като диво животно и научиш ли се да го яздиш, той може да ти свърши добра работа, да те предпазва от неблагополучия. За мен хората, които успяват да не се парализират от страх, съумяват да кажат какво мислят, а това става все по-трудно във времето, в което живеем. Особено в интернет. Виждаме как са тормозени хора заради липсата на истинска свобода на словото. В последните месеци разбрах, че държавни агенции към Министерския съвет се използват активно като бухалки срещу активисти и хора, които огласяват престъпления. Не бива да има област от обществения живот, в която гражданите да се страхуват да зададат въпрос. 

Аз задавам въпроси в една много трудна област и разказвам истории, които са достигнали до мен през хората, на които помагам, именно мигранти и бежанци, търсещи убежище и закрила – за това какво се случва по границите и в болниците.

И аз, и моите колеги се опитваме да усилваме на гласа на онези, които нямат такъв или чийто глас е много тих, макар за нас лично да става все по-трудно и рисковано да го правим. 

Вярвам в равнопоставеността, в справедливостта и ще се боря за това, докато имам сили. 

По-силният внушава много убедително, че е всемогъщ и държи всички лостове да се саморазправи с теб, но много често не е така. И когато си мислим, че сме сами, не е така. Вярвайте ми, злото просто не може да трае вечно. Не е възможно.

Какво винаги носи в чантата си Диана Димова?

Първо, аз непрекъснато сменям различни торби, раници и обикновено все съм забравила нещо в някоя друга чанта. Но все пак с мен винаги е лаптопът, защото много често пътувам и имам важни неща, които е ключово да се случат. Което означава, че непрекъснато съм в работен режим. Често нося хапчета за главоболие. В портмонето ми винаги е снимката на моя син и тя ми е много скъпа. Той е далеч от мен, замина да работи в Брюксел след една менторска програма преди година и половина. Не разбирах хората, които пътуват и се разделят, но и на мен ми се случи. Така че най-близкият до сърцето ми човек е символично с мен с тази снимка.

Дигитално евро, следене и ценности

Post Syndicated from Bozho original https://blog.bozho.net/blog/4473

Тъй като конспиративните теории за еврото от няколко дни са „на стероиди“, ето една контра-конспиративна теория. За тези, които не приемат аргументите, че дигиталното евро няма да се ползва за проследяване, тъй като в самия регламент има изрични текстове за анонимност на офлайн плащанията и липса на централна проследимост на трансакциите.

Ами ако „лошият ЕС“ реши да следи кеша? Всяка банкнота има индивидуален номер. Т.е. всяка банкнота е проследима. Банкоматът ще знае на кого са отпуснати дадени банкноти. В магазина могат много лесно тези номера да се сканират и така да се следи потокът им. На касите може да се въведе задължително показване на лична карта, така че дори рестото да е ясно при кого отива.

Или дори лицево разпознаване, вързано с базата данни със снимки на МВР. И може НАП да затваря магазини, които не изпълняват тези исиквания. (А, чакай, лошият ЕС на практика забрани лицевото разпознаване на обществени места, но сигурно това е заблуждаваща маневра)

Затова – никакъв кеш. Ще ни следят с него какво купуваме. Не веднага, но един ден… Така че само в злато. Хм, те пък и кюлчетата си имат серийни номера. Значи бартери.

Между другото, следят ви и в момента какво купувате. Дори като плащате с наложен платеж. И дори когато не сте го купили онлайн, а само сте си хо харесали. (Благодарение на проследяващите бисквитки, за които бъдещият председател на КЗЛД нищо не знаеше)

Само че не ви следи лошият ЕС, а Гугъл и Фейсбук, които лошият ЕС глобява заради неправомерно обработване на лични данни.

Следят ви и къде ходите. През GPS-a и през клетките на телефоните. Благодарение на ЕС можете да забраните да се записват данните от GPS-a централно. А благодарение на съда на ЕС, държавите трябва да ограничат телекомите в събиране на данни за местоположение доста под 6 месеца, именно за да не може да се анализира поведение.

Не е въпрос на технологии. Не е въпрос да измислим конспиративна теория как някой централно ще ни следи – има стотици начини за това и без дигитално евро. Въпрос на ценности е. А ценностите на европейските народи не допускат тоталитаризъм. Защото са го допускали в миналото и са видели какво следва. И това стои в колективната ни памет (защото и ние сме европейци).

Материалът Дигитално евро, следене и ценности е публикуван за пръв път на БЛОГодаря.

Enhance Agentforce data security with Private Connect for Salesforce Data Cloud and Amazon Redshift – Part 3

Post Syndicated from Yogesh Dhimate original https://aws.amazon.com/blogs/big-data/enhance-agentforce-data-security-with-private-connect-for-salesforce-data-cloud-and-amazon-redshift-part-3/

Data protection is a high priority, particularly as organizations face increasing cybersecurity threats. Maintaining the security of customer data is top priority for AWS and Salesforce. With AWS PrivateLink, Salesforce Private Connect eliminates common security risks associated with public endpoints. Salesforce Private Connect now works with Salesforce Data Cloud to keep your customer data secure when using with key services like Agentforce.

In Part 2 of this series, we discussed the architecture and implementation details of cross-Region data sharing between Salesforce Data Cloud and AWS accounts. In this post, we discuss how to create AWS endpoint services to improve data security with Private Connect for Salesforce Data Cloud.

Solution overview

In this example, we configure PrivateLink for an Amazon Redshift instance to enable direct, private connectivity from Salesforce Data Cloud. AWS recommends that organizations use an Amazon Redshift managed VPC endpoint (powered by PrivateLink) to privately access a Redshift cluster or serverless workgroup. For details about best practices, refer to Enable private access to Amazon Redshift from your client applications in another VPC.

However, some organizations might prefer to use PrivateLink managed by themselves—for example, a Redshift managed VPC endpoint is not yet available in Salesforce Data Cloud, and you need to manage your PrivateLink connection. This post focuses on the solution to configure self-managed PrivateLink between Salesforce Data Cloud and Amazon Redshift in your AWS account to establish private connectivity.

The following architecture diagram shows the steps for setting up private connectivity between Salesforce Data Cloud and Amazon Redshift in your AWS account.

To set up private connectivity between Salesforce Data Cloud and Amazon Redshift, we use the following resources:

Prerequisites

To complete the steps in this post, you must already have Amazon Redshift running in a private subnet and have the permissions to manage it.

Create a security group for the Network Load Balancer

The security group acts as a virtual firewall. The only traffic that reaches the instance is the traffic allowed by the security group rules. To enhance the security posture, you only want to allow traffic to Redshift instances. Complete the following steps to create a security group for your Network Load Balancer (NLB):

  1. On the Amazon VPC console, choose Security groups in the navigation pane.
  2. Choose Create security group.
  3. Enter a name and description for the security group.
  4. For VPC, use the same virtual private cloud (VPC) as your Redshift cluster.
  5. For Inbound rules, add a rule to allow traffic to ingress the listening port 5439 on the load balancer.

  1. For Outbound rules, add a rule to allow traffic to your Redshift instance.

  1. Choose Create security group.

Create a target group

Complete the following steps to create a target group:

  1. On the Amazon EC2 console, under Load balancing in the navigation pane, choose Target groups.
  2. Choose Create target group.
  3. For Choose a target type, select IP addresses.

  1. For Protocol: Port, choose TCP and port 5436 (if your Redshift cluster runs on a different port, change the port accordingly).
  2. For IP address type, select IPv4.
  3. For VPC, choose the same VPC as your Redshift cluster.
  4. Choose Next.

  1. For Enter an IPv4 address from a VPC subnet, enter your Amazon Redshift IP address.

To locate this address, navigate to your cluster details on the Amazon Redshift console, choose the Properties tab, and under Network and security settings, expand VPC endpoint connection details and copy the private address of the network interface. If you’re using Amazon Redshift Serverless, navigate to the workgroup home page. The Amazon Redshift IPv4 addresses can be located in the Network and security section under Data access when you choose VPC endpoint ID.

  1. After you add the IP address, choose Include as pending below, then choose Create target group.

Create a load balancer

Complete the following steps to create a load balancer:

  1. On the Amazon EC2 console, choose Load balancers in the navigation pane.
  2. Choose Create load balancer.
  3. Choose Network.
  4. For Load balancer name, enter a name.
  5. For Scheme, select Internal.
  6. For Load balancer address type, select IPv4.
  7. For VPC, use the VPC that your target group is in.

  1. For Availably Zones, select the Availability Zone where the Redshift cluster is running.
  2. For Security groups, choose the security group you created in the previous step.
  3. For Listener details, add a listener that points to the target group created in the last step:
    1. For Protocol, choose TCP.
    2. For Port, use 5439.
    3. For Default action, choose Redshift-TargetGroup.
  4. Choose Create load balancer.

Make sure that the registered targets in the target group are healthy before proceeding. Also make sure that the target group has a target for all Availability Zones in your AWS Region or the NLB has the Cross-zone load balancing attribute enabled.

In the load balancer’s security setting, make sure that Enforce inbound rules on PrivateLink traffic is off.

Create an endpoint service

Complete the following steps to create an endpoint service:

  1. On the Amazon VPC console, choose Endpoint services in the navigation pane.
  2. Choose Create endpoint service.
  3. For Load balancer type, choose Network.
  4. For Available load balancers, select the load balancer you created in the last step
  5. From Supported Regions, select an additional region if Data Cloud isn’t hosted in the same AWS region as the Redshift instance.  For additional settings leave Acceptance required.

If this is selected, later, when the Salesforce Data Cloud endpoint is created to connect to the endpoint service, you will need to come back to this page to accept the connection. If not selected, the connection will be built directly.

  1. For Supported IP address type, select IPv4.
  2. Choose Create.

Next, you need to allow Salesforce principals.

  1. After you create the endpoint service, choose Allow principals.
  2. In another browser, navigate to Salesforce Data Cloud Setup.
  3. Under External Integrations, access the new Private Connect menu item.
  4. Create a new private network route to Amazon Redshift.

  1. Copy the principal ID.

  1. Return to the endpoint service creation page.
  2. For Principals to add, enter the principal ID.
  3. Copy the endpoint service name.
  4. Choose Allow principals.

  1. Return to the Salesforce Data Cloud private network configuration page.
  2. For Route Name, enter the endpoint service name.
  3. Choose Save.

The route status should show as Allocating.

If you opted to accept connections in the previous step, you will now need to accept the connection from Salesforce Data Cloud.

  1. On the Amazon VPC console, navigate to the endpoint service.
  2. On the Endpoint connections tab, locate your pending connection request.

  1. Accept the endpoint connection request from Salesforce Data Cloud.

Navigate to the Salesforce Data Cloud setup and wait 30 seconds, then refresh the private connect route so the status shows as Ready.

You can now use this route when creating a connection with Amazon Redshift. For additional details, refer to Part 1 of this series.

Amazon Redshift federation PrivateLink failover

Now that we have discussed how to configure PrivateLink to use with Private Connect for Salesforce Data Cloud, let’s discuss Amazon Redshift federation PrivateLink failover scenarios.

You can choose to deploy your Redshift clusters in three different deployment modes:

  • Amazon Redshift provisioned in a Single-AZ RA3 cluster
  • Amazon Redshift provisioned in a Multi-AZ RA3 cluster
  • Amazon Redshift Serverless

PrivateLink relies on a customer managed NLB connected to service endpoints using IP address target groups. The target group has the IP addresses of your Redshift instance. If there is a change in IP address targets, the NLB target group must be updated to the new IP addresses associated with the service. Failover behavior for Amazon Redshift will differ based on the deployment mode you employ.

This section describes PrivateLink failover scenarios for these three deployment modes.

Amazon Redshift provisioned in a Single-AZ RA3 cluster

RA3 nodes support provisioned cluster VPC endpoints, which decouple the backend infrastructure from the cluster endpoint used for access. When you create or restore an RA3 cluster, Amazon Redshift uses a port within the ranges of 5431–5455 or 8191–8215. When the cluster is set to a port in one of these ranges, Amazon Redshift automatically creates a VPC endpoint in your AWS account for the cluster and attaches network interfaces with a private IP for each Availability Zone in the cluster. For the PrivateLink configuration, you use the IP associated with the VPC endpoint as the target for the frontend NLB. You can identify the IP address of the VPC endpoint on the Amazon Redshift console or by doing a describe-clusters query on the Redshift cluster.

Amazon Redshift will not remove a network interface associated with a VPC endpoint unless you add an additional subnet to an existing Availability Zone or remove a subnet using Amazon Redshift APIs. We recommend that you don’t add multiple subnets to an Availability Zone to avoid disruption. There might be failover scenarios where additional network interfaces are added to a VPC endpoint.

In RA3 clusters, the nodes are automatically recovered and replaced as needed by Amazon Redshift. The cluster’s VPC endpoint will not change even if the leader node is replaced.

Cluster relocation is an optional feature that allows Amazon Redshift to move a cluster to another Availability Zone without any loss of data or changes to your applications. When cluster relocation is turned on, Amazon Redshift might choose to relocate clusters in some situations. In particular, this happens where issues in the current Availability Zone prevent optimal cluster operation or to improve service availability. You can also invoke the relocation function in cases where resource constraints in a given Availability Zone are disrupting cluster operations. When a Redshift cluster is relocated to a new Availability Zone, the new cluster has the same VPC endpoint but a new network interface is added in the new Availability Zone. The new private address should be added to the NLB’s target group to optimize availability and performance.

In the case that a cluster has failed and can’t be recovered automatically, you have to initiate a restore of the cluster from a previous snapshot. This action generates a new cluster with a new DNS name, connection string, and VPC endpoint and IP address for the cluster. You have to update the NLB with the new IP for the VPC endpoint of the new cluster.

Amazon Redshift provisioned in a Multi-AZ RA3 cluster

Amazon Redshift supports Multi-AZ deployments for provisioned RA3 clusters. By using Multi-AZ deployments, your Redshift data warehouse can continue operating in failure scenarios when an unexpected event happens in an Availability Zone. A Multi-AZ deployment deploys compute resources in two Availability Zones, and these compute resources can be accessed through a single endpoint. In the case of a failure of the primary nodes, Multi-AZ clusters will make secondary nodes primary and deploy a new secondary stack in another Availability Zone. The following diagram illustrates this architecture.

Multi-AZ clusters deploy VPC endpoints that point to network interfaces in two Availability Zones, which should be configured as a part of the NLB target group. To configure the VPC endpoints in the NLB target group, you can identify the IP addresses of the VPC endpoint using the Amazon Redshift console or by doing a describe-clusters query on the Redshift cluster. In a failover scenario, VPC endpoint IPs will not change and the NLB doesn’t require an update.

Amazon Redshift will not remove a network interface associated with a VPC endpoint unless you add an additional subnet in to an existing Availability Zone or remove a subnet using Amazon Redshift APIs. We recommend that you don’t add multiple subnets to an Availability Zone to avoid disruption.

Amazon Redshift Serverless

Redshift Serverless provides managed infrastructure. You can perform the get-workgroup query to get the workgroup’s VpcEndpoint IPs. IPs should be configured in the target group of the PrivateLink NLB. Because this is a managed service, the failover is managed by AWS. During the event of an underlying Availability Zone failure, the workgroup might get a new set of IPs. You can frequently query the workgroup configuration or DNS record for the Redshift cluster to check if IP addresses have changed and update the NLB accordingly.

Automating IP address management

In scenarios where Amazon Redshift operations might change the IP address of the endpoint needed for Amazon Redshift connectivity, you can automate the update of NLB network targets by monitoring the results for cluster DNS resolution, using describe-cluster or get-workgroup queries, and using an AWS Lambda function to update the NLB target group configuration.

You can periodically (on a schedule) query the DNS of the Redshift cluster for IP address resolution. Use a Lambda function to compare and update the IP target groups for the NLB. For an example of this solution, see Hostname-as-Target for Network Load Balancers.

For legacy DS2 clusters where the IP address of the leader node must be explicitly monitored, you can configure Amazon CloudWatch metrics to monitor the HealthStatus of the leader node. You can configure the metric to trigger an alarm, which alerts an Amazon Simple Notification Service (Amazon SNS) topic and invokes a Lambda function to reconcile the NLB target group.

For backup and restore patterns, you can create a rule in Amazon EventBridge triggered on the RestoreFromClusterSnapshot API action, which invokes a Lambda function to update the NLB with the new IP addresses of the cluster.

For a cluster relocation pattern, you can trigger an event based on the Amazon Redshift ModifyCluster availability-zone-relocation API action.

Conclusion

In this post, we discussed how to use AWS endpoint services to improve data security with Private Connect for Salesforce Data Cloud. If you are currently using the Salesforce Data Cloud zero-copy integration with Amazon Redshift, we recommend you follow the steps provided in this post to make the network connection between Salesforce and AWS secure. Reach out to your Salesforce and AWS support teams if you need additional support to implement this solution.

About the authors

Yogesh Dhimate is a Sr. Partner Solutions Architect at AWS, leading technology partnership with Salesforce. Prior to joining AWS, Yogesh worked with leading companies including Salesforce driving their industry solution initiatives. With over 20 years of experience in product management and solutions architecture Yogesh brings unique perspective in cloud computing and artificial intelligence.

Avijit Goswami is a Principal Solutions Architect at AWS specialized in data and analytics. He supports AWS strategic customers in building high-performing, secure, and scalable data lake solutions on AWS using AWS managed services and open source solutions. Outside of his work, Avijit likes to travel, hike, watch sports, and listen to music.

Ife Stewart is a Principal Solutions Architect in the Strategic ISV segment at AWS. She has been engaged with Salesforce Data Cloud over the last 2 years to help build integrated customer experiences across Salesforce and AWS. Ife has over 10 years of experience in technology. She is an advocate for diversity and inclusion in the technology field.

Mike Patterson is a Senior Customer Solutions Manager in the Strategic ISV segment at AWS. He has partnered with Salesforce Data Cloud to align business objectives with innovative AWS solutions to achieve impactful customer experiences. In his spare time, he enjoys spending time with his family, sports, and outdoor activities.

Drew Loika is a Director of Product Management at Salesforce and has spent over 15 years delivering customer value via data platforms and services. When not diving deep with customers on what would help them be more successful, he enjoys the acts of making, growing, and exploring the great outdoors.

AWS completes the 2025 Cyber Essentials Plus certification

Post Syndicated from Tariro Dongo original https://aws.amazon.com/blogs/security/aws-completes-the-2025-cyber-essentials-plus-certification/

Amazon Web Services (AWS) is pleased to announce the successful renewal of the United Kingdom Cyber Essentials Plus certification. The Cyber Essentials Plus certificate is valid for one year until March 21, 2026.

Cyber Essentials Plus is a UK Government-backed, industry-supported certification scheme intended to help organizations demonstrate organizational cybersecurity against common cybersecurity threats. An independent third-party auditor certified by Information Assurance for Small and Medium Enterprises (IASME) completed the audit. The scope of our Cyber Essentials Plus certificate covers the AWS corporate network for the United Kingdom and Ireland.

AWS compliance status is available on (1) the IASME Website by searching for “Amazon Web Services,” (2) the AWS Cyber Essentials Plus compliance page, and (3) AWS Artifact. AWS Artifact is a self-service portal for on-demand access to AWS compliance reports. Sign in to AWS Artifact in the AWS Management Console, or learn more at Getting Started with AWS Artifact.

AWS strives to continuously improve its compliance programs to help you meet your architectural and regulatory needs. Contact your AWS account team for questions.

To learn more about our compliance and security programs, see AWS Compliance Programs. As always, we value your feedback and questions; reach out to the AWS Compliance team through the Contact Us page.

If you have feedback about this post, submit comments in the Comments section below.

Tariro Dongo

Tari is a Security Assurance Program Manager at AWS, based in London. Tari is responsible for third-party and customer audits, attestations, certifications, and assessments across EMEA. Previously, Tari worked in Security Assurance and Technology Risk in the big four and financial services industry.

Announcing the General Availability of the Amazon EventBridge Scheduler L2 Construct

Post Syndicated from Svenja Raether original https://aws.amazon.com/blogs/devops/announcing-the-general-availability-of-the-amazon-eventbridge-scheduler-l2-construct/

Today we’re announcing the general availability (GA) of the Amazon EventBridge Scheduler and Targets Level 2 (L2) constructs in the AWS Cloud Development Kit (AWS CDK) construct library. EventBridge Scheduler is a serverless scheduler that enables users to schedule tasks and events at scale. Prior to the launch of these L2 constructs, developers had to define all relevant properties (via L1 constructs) across schedules and provide the glue logic between resources when defining their AWS CDK applications. The graduated constructs make it easier for users to configure EventBridge schedules, groups, and targets for AWS service integrations. They follow the AWS CDK L2 higher-level API design simplifications and provide a backwards-compatible guarantee across minor versions. Developers can use those alongside other existing stable AWS CDK constructs ready for production use.

Background

The AWS Cloud Development Kit (CDK) is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. It contains pre-written modular and reusable cloud components known as constructs. Constructs are the basic building blocks representing one or more AWS CloudFormation resources and their configuration. They are available in different abstraction levels. L1 constructs are the lowest-level constructs which map directly to AWS CloudFormation resources without abstractions. L2 constructs are thoughtfully developed and provide a higher-level abstraction through an intuitive intent-based API. They leverage default property configurations, best practice security policies, and convenience methods that make it simpler and quicker to define and deploy resources.

Amazon EventBridge Scheduler is a serverless scheduler that allows users to create, run, and manage tasks from one central, managed service. With EventBridge Scheduler, users can create schedules using cron and rate expressions for recurring patterns, or configure one-time invocations. EventBridge supports templated and universal targets. Templated targets include common API operations across a group of core AWS services, such as publishing a message to an Amazon Simple Notification Service (Amazon SNS) topic or invoking an AWS Lambda function. Universal targets are customized triggers supporting more than 270 AWS services and over 6,000 API operations on a schedule. Users can use schedule groups to organize their schedules.

With the L2 constructs for Amazon EventBridge Scheduler and Targets, it becomes even simpler for users to configure and integrate those resources into their CDK applications. Let’s explore the benefits by looking at some examples.

Using the L2 EventBridge Scheduler construct

We introduce two use cases for the EventBridge Scheduler and Targets L2 constructs to demonstrate their usage within common scenarios. Each example is equipped with sample code, emphasizing the simplifications achieved by the L2 constructs.

Example 1 – One time reminder through Amazon SNS

In the first use case, users want to configure one-time notifications to receive reminders of their favorite conferences at a specific time, for example a user may want to set a reminder one month before the start of AWS re:Invent to be reminded of their participation.

The example below uses the EventBridge Scheduler construct with a templated Amazon SNS target. The target applies an on-time schedule configuration and is configured with an Amazon Simple Queue Service (Amazon SQS) dead-letter queue to capture and retry failed events. The schedule payload is encrypted using a customer-managed AWS Key Management Service (AWS KMS) key.

const snsTarget = new targets.SnsPublish(topic, {
   input: ScheduleTargetInput.fromObject({
     message: "Reminder: AWS re:Invent starts in one month.",
   }),
   deadLetterQueue: deadLetterQueue,
});
 
const schedule = new Schedule(this, "ReminderSchedule", {
  description:
     "This schedule publishes a one-time notification to an Amazon SNS topic.",
   schedule: ScheduleExpression.at(
     new Date(2025, 10, 1), // Nov 01, 2025
     cdk.TimeZone.AMERICA_LOS_ANGELES
   ),
   target: snsTarget,
   key: key,
});

From the code example, we can see that well-defined interfaces for ScheduleTargetInput, and ScheduleExpression make it easy to select matching configuration values.

The SnsPublish target and Schedule constructs seamlessly integrate with the existing L2 constructs for Amazon SNS, Amazon SQS, and Amazon KMS. They abstract away the gluing logic used to configure the target API operation, dead-letter queue, and encryption settings with correct references. Instead of manually crafting permissions, the construct generates an AWS Identity and Access Management (IAM) execution role with the minimum necessary permissions to interact with the templated target, as shown in the policy below.

{
 "Version": "2012-10-17",
 "Statement": [
 {
 "Action": "sns:Publish",
 "Resource": "arn:aws:sns:us-east-1:123456789012:<TOPIC_NAME>",
 "Effect": "Allow"
 },
 {
 "Action": "kms:Decrypt",
 "Resource": "arn:aws:kms:us-east-1:123456789012:key/<UUID>",
 "Effect": "Allow"
 },
 {
 "Action": "sqs:SendMessage",
 "Resource": "arn:aws:sqs:us-east-1:123456789012:<QUEUE_NAME>",
 "Effect": "Allow"
 }
 ]
 }

The construct sets default properties. For example, it applies default configurations for the retry policy if not explicitly stated. As shown in Figure 1, the above defined schedule has been defined with a 1-day maximum event retention time and 185 maximum retries.

Default configurations for the Retry Policy

Example 2 – Start / Stop EC2 instance during business hours

In the second scenario, a recurring cron schedule is used to automatically stop Amazon EC2 instances during the business hours of a specific time zone.

The example below uses the EventBridge Scheduler construct with a universal target to perform the Amazon EC2 stopInstance API operation. It creates a custom schedule group to organize the schedules by time zone and allows an Amazon Lambda function to read all schedules in it for administrative purposes.

const group = new ScheduleGroup(this, "ScheduleGroup", {
  scheduleGroupName: "Europe-London",
});
 
new Schedule(this, "Schedule", {
  schedule: ScheduleExpression.cron({
minute: "0",
hour: "23",
timeZone: cdk.TimeZone.EUROPE_LONDON,
  }),
  target: new targets.Universal({
service: "ec2",
action: "stopInstances",
input: ScheduleTargetInput.fromObject({
  InstanceIds: [ec2Instance.instanceId],
}),
  }),
  scheduleGroup: group,
});
 
group.grantReadSchedules(lambdaFunction);

Similar to the first example, the ScheduleExpression and ScheduleTargetInput help users to define the correct input types. The universal target is one of the options allowed by the scheduler-target constructs that allow users to perform SDK API operations on AWS services such as Amazon EC2.

The ScheduleGroup construct is used to create the group, which is used as a property on the Schedule construct. The group implements convenience methods that allow simplified permissions management. The example above grants read permissions for the schedule group to an Amazon Lambda function, which is applied to the resources without additional configuration.

Community Shout-Outs

The CDK team would like to give a huge shout-out to the awesome members of the community that contributed to this construct to help get it where it is today! Thank you to:

sakurai-ryo

Kenta Goto

Hiroki Yamazaki

Joshua Weber

Manuel

Jacco Kulman

Conclusion

In this post, we introduced the general availability of the AWS CDK L2 construct for Amazon EventBridge Scheduler and Targets. We showcased practical implementations of the new construct, leveraging two example use cases. For more details on the EventBridge Scheduler L2 construct and examples of its use, see the Scheduler CDK Documentation.

If you’re new to AWS CDK and want to get started, we highly recommend checking out the CDK documentation and the CDK workshop.

[$] An update on pahole

Post Syndicated from daroc original https://lwn.net/Articles/1016243/

Pahole (originally “Poke-a-hole”) is a Swiss Army knife for exploring and
editing debug information. Pahole is also currently involved
in the kernel’s build process to rearrange the information
produced by various compilers into a form useful to the BPF verifier, although
there are plans to render it unnecessary.
Pahole maintainer Arnaldo Carvalho de Melo shared some status
updates about the project at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF summit. Interested readers can find his slides
here.

Fifty Years of Open Source Software Supply Chain Security (Queue)

Post Syndicated from corbet original https://lwn.net/Articles/1016715/

ACM Queue looks at
the security problem in the light of a report on Multics security that
was published in 1974.

We are all struggling with a massive shift that has happened in the
past 10 or 20 years in the software industry. For decades, software
reuse was only a lofty goal. Now it’s very real. Modern
programming environments such as Go, Node, and Rust have made it
trivial to reuse work by others, but our instincts about
responsible behaviors have not yet adapted to this new reality.

The fact that the 1974 Multics review anticipated many of the
problems we face today is evidence that these problems are
fundamental and have no easy answers. We must work to make
continuous improvements to open source software supply chain
security, making attacks more and more difficult and expensive.

Amazon Nova Reel 1.1: Featuring up to 2-minutes multi-shot videos

Post Syndicated from Elizabeth Fuentes original https://aws.amazon.com/blogs/aws/amazon-nova-reel-1-1-featuring-up-to-2-minutes-multi-shot-videos/

At re:Invent 2024, we announced Amazon Nova models, a new generation of foundation models (FMs), including Amazon Nova Reel, a video generation model that creates short videos from text descriptions and optional reference images (together, the “prompt”).

Today, we introduce Amazon Nova Reel 1.1, which provides quality and latency improvements in 6-second single-shot video generation, compared to Amazon Nova Reel 1.0. This update lets you generate multi-shot videos up to 2-minutes in length with consistent style across shots. You can either provide a single prompt for up to a 2-minute video composed of 6-second shots, or design each shot individually with custom prompts. This gives you new ways to create video content through Amazon Bedrock.

Amazon Nova Reel enhances creative productivity, while helping to reduce the time and cost of video production using generative AI. You can use Amazon Nova Reel to create compelling videos for your marketing campaigns, product designs, and social media content with increased efficiency and creative control. For example, in advertising campaigns, you can produce high-quality video commercials with consistent visuals and timing using natural language.

To get started with Amazon Nova Reel 1.1 
If you’re new to using Amazon Nova Reel models, go to the Amazon Bedrock console, choose Model access in the navigation panel and request access to the Amazon Nova Reel model. When you get access to Amazon Nova Reel, it applies both to 1.0 and 1.1.

After gaining access, you can try Amazon Nova Reel 1.1 directly from the Amazon Bedrock console, AWS SDK, or AWS Command Line Interface (AWS CLI).

To test the Amazon Nova Reel 1.1 model in the console, choose Image/Video under Playgrounds in the left menu pane. Then choose Nova Reel 1.1 as the model and input your prompt to generate video.

Amazon Nova Reel 1.1 offers two modes:

  • Multishot Automated – In this mode, Amazon Nova Reel 1.1 accepts a single prompt of up to 4,000 characters and produces a multi-shot video that reflects that prompt. This mode doesn’t accept an input image.
  • Multishot Manual – For those who desire more direct control over a video’s shot composition, with manual mode (also referred to as storyboard mode), you can specify a unique prompt for each individual shot. This mode does accept an optional starting image for each shot. Images must have a resolution of 1280×720. You can provide images in base64 format or from an Amazon Simple Storage Service (Amazon S3) location.

For this demo, I use the AWS SDK for Python (Boto3) to invoke the model using the Amazon Bedrock API and StartAsyncInvoke operation to start an asynchronous invocation and generate the video. I used GetAsyncInvoke to check on the progress of a video generation job.

This Python script creates a 120-second video using MULTI_SHOT_AUTOMATED mode as TaskType parameter from this text prompt, created by Nitin Eusebius.

import random
import time

import boto3

AWS_REGION = "us-east-1"
MODEL_ID = "amazon.nova-reel-v1:1"
SLEEP_SECONDS = 15  # Interval at which to check video gen progress
S3_DESTINATION_BUCKET = "s3://<your bucket here>"

video_prompt_automated = "Norwegian fjord with still water reflecting mountains in perfect symmetry. Uninhabited wilderness of Giant sequoia forest with sunlight filtering between massive trunks. Sahara desert sand dunes with perfect ripple patterns. Alpine lake with crystal clear water and mountain reflection. Ancient redwood tree with detailed bark texture. Arctic ice cave with blue ice walls and ceiling. Bioluminescent plankton on beach shore at night. Bolivian salt flats with perfect sky reflection. Bamboo forest with tall stalks in filtered light. Cherry blossom grove against blue sky. Lavender field with purple rows to horizon. Autumn forest with red and gold leaves. Tropical coral reef with fish and colorful coral. Antelope Canyon with light beams through narrow passages. Banff lake with turquoise water and mountain backdrop. Joshua Tree desert at sunset with silhouetted trees. Iceland moss- covered lava field. Amazon lily pads with perfect symmetry. Hawaiian volcanic landscape with lava rock. New Zealand glowworm cave with blue ceiling lights. 8K nature photography, professional landscape lighting, no movement transitions, perfect exposure for each environment, natural color grading"

bedrock_runtime = boto3.client("bedrock-runtime", region_name=AWS_REGION)
model_input = {
    "taskType": "MULTI_SHOT_AUTOMATED",
    "multiShotAutomatedParams": {"text": video_prompt_automated},
    "videoGenerationConfig": {
        "durationSeconds": 120,  # Must be a multiple of 6 in range [12, 120]
        "fps": 24,
        "dimension": "1280x720",
        "seed": random.randint(0, 2147483648),
    },
}

invocation = bedrock_runtime.start_async_invoke(
    modelId=MODEL_ID,
    modelInput=model_input,
    outputDataConfig={"s3OutputDataConfig": {"s3Uri": S3_DESTINATION_BUCKET}},
)

invocation_arn = invocation["invocationArn"]
job_id = invocation_arn.split("/")[-1]
s3_location = f"{S3_DESTINATION_BUCKET}/{job_id}"
print(f"\nMonitoring job folder: {s3_location}")

while True:
    response = bedrock_runtime.get_async_invoke(invocationArn=invocation_arn)
    status = response["status"]
    print(f"Status: {status}")
    if status != "InProgress":
        break
    time.sleep(SLEEP_SECONDS)

if status == "Completed":
    print(f"\nVideo is ready at {s3_location}/output.mp4")
else:
    print(f"\nVideo generation status: {status}")

After the first invocation, the script periodically checks the status until the creation of the video has been completed. I pass a random seed to get a different result each time the code runs.

I run the script:

Status: InProgress
. . .
Status: Completed
Video is ready at s3://<your bucket here>/<job_id>/output.mp4

After a few minutes, the script is completed and prints the output Amazon S3 location. I download the output video using the AWS CLI:

aws s3 cp s3://<your bucket here>/<job_id>/output.mp4 output_automated.mp4

This is the video that this prompt generated:

In the case of MULTI_SHOT_MANUAL mode as TaskType parameter, with a prompt for multiples shots and a description for each shot, it is not necessary to add the variable durationSeconds.

Using the prompt for multiples shots, created by Sanju Sunny.

I run Python script:

import random
import time

import boto3


def image_to_base64(image_path: str):
    """
    Helper function which converts an image file to a base64 encoded string.
    """
    import base64

    with open(image_path, "rb") as image_file:
        encoded_string = base64.b64encode(image_file.read())
        return encoded_string.decode("utf-8")


AWS_REGION = "us-east-1"
MODEL_ID = "amazon.nova-reel-v1:1"
SLEEP_SECONDS = 15  # Interval at which to check video gen progress
S3_DESTINATION_BUCKET = "s3://<your bucket here>"

video_shot_prompts = [
    # Example of using an S3 image in a shot.
    {
        "text": "Epic aerial rise revealing the landscape, dramatic documentary style with dark atmospheric mood",
        "image": {
            "format": "png",
            "source": {
                "s3Location": {"uri": "s3://<your bucket here>/images/arctic_1.png"}
            },
        },
    },
    # Example of using a locally saved image in a shot
    {
        "text": "Sweeping drone shot across surface, cracks forming in ice, morning sunlight casting long shadows, documentary style",
        "image": {
            "format": "png",
            "source": {"bytes": image_to_base64("arctic_2.png")},
        },
    },
    {
        "text": "Epic aerial shot slowly soaring forward over the glacier's surface, revealing vast ice formations, cinematic drone perspective",
        "image": {
            "format": "png",
            "source": {"bytes": image_to_base64("arctic_3.png")},
        },
    },
    {
        "text": "Aerial shot slowly descending from high above, revealing the lone penguin's journey through the stark ice landscape, artic smoke washes over the land, nature documentary styled",
        "image": {
            "format": "png",
            "source": {"bytes": image_to_base64("arctic_4.png")},
        },
    },
    {
        "text": "Colossal wide shot of half the glacier face catastrophically collapsing, enormous wall of ice breaking away and crashing into the ocean. Slow motion, camera dramatically pulling back to reveal the massive scale. Monumental waves erupting from impact.",
        "image": {
            "format": "png",
            "source": {"bytes": image_to_base64("arctic_5.png")},
        },
    },
    {
        "text": "Slow motion tracking shot moving parallel to the penguin, with snow and mist swirling dramatically in the foreground and background",
        "image": {
            "format": "png",
            "source": {"bytes": image_to_base64("arctic_6.png")},
        },
    },
    {
        "text": "High-altitude drone descent over pristine glacier, capturing violent fracture chasing the camera, crystalline patterns shattering in slow motion across mirror-like ice, camera smoothly aligning with surface.",
        "image": {
            "format": "png",
            "source": {"bytes": image_to_base64("arctic_7.png")},
        },
    },
    {
        "text": "Epic aerial drone shot slowly pulling back and rising higher, revealing the vast endless ocean surrounding the solitary penguin on the ice float, cinematic reveal",
        "image": {
            "format": "png",
            "source": {"bytes": image_to_base64("arctic_8.png")},
        },
    },
]

bedrock_runtime = boto3.client("bedrock-runtime", region_name=AWS_REGION)
model_input = {
    "taskType": "MULTI_SHOT_MANUAL",
    "multiShotManualParams": {"shots": video_shot_prompts},
    "videoGenerationConfig": {
        "fps": 24,
        "dimension": "1280x720",
        "seed": random.randint(0, 2147483648),
    },
}

invocation = bedrock_runtime.start_async_invoke(
    modelId=MODEL_ID,
    modelInput=model_input,
    outputDataConfig={"s3OutputDataConfig": {"s3Uri": S3_DESTINATION_BUCKET}},
)

invocation_arn = invocation["invocationArn"]
job_id = invocation_arn.split("/")[-1]
s3_location = f"{S3_DESTINATION_BUCKET}/{job_id}"
print(f"\nMonitoring job folder: {s3_location}")

while True:
    response = bedrock_runtime.get_async_invoke(invocationArn=invocation_arn)
    status = response["status"]
    print(f"Status: {status}")
    if status != "InProgress":
        break
    time.sleep(SLEEP_SECONDS)

if status == "Completed":
    print(f"\nVideo is ready at {s3_location}/output.mp4")
else:
    print(f"\nVideo generation status: {status}")

As in the previous demo, after a few minutes, I download the output using the AWS CLI:
aws s3 cp s3://<your bucket here>/<job_id>/output.mp4 output_manual.mp4

This is the video that this prompt generated:

More creative examples
When you use Amazon Nova Reel 1.1, you’ll discover a world of creative possibilities. Here are some sample prompts to help you begin:

Color Burst, created by Nitin Eusebius

prompt = "Explosion of colored powder against black background. Start with slow-motion closeup of single purple powder burst. Dolly out revealing multiple powder clouds in vibrant hues colliding mid-air. Track across spectrum of colors mixing: magenta, yellow, cyan, orange. Zoom in on particles illuminated by sunbeams. Arc shot capturing complete color field. 4K, festival celebration, high-contrast lighting"

Shape Shifting, created by Sanju Sunny

prompt = "A simple red triangle transforms through geometric shapes in a journey of self-discovery. Clean vector graphics against white background. The triangle slides across negative space, morphing smoothly into a circle. Pan left as it encounters a blue square, they perform a geometric dance of shapes. Tracking shot as shapes combine and separate in mathematical precision. Zoom out to reveal a pattern formed by their movements. Limited color palette of primary colors. Precise, mechanical movements with perfect geometric alignments. Transitions use simple wipes and geometric shape reveals. Flat design aesthetic with sharp edges and solid colors. Final scene shows all shapes combining into a complex mandala pattern."

All example videos have music added manually before uploading, by the AWS Video team.

Things to know
Creative control – You can use this enhanced control for lifestyle and ambient background videos in advertising, marketing, media, and entertainment projects. Customize specific elements such as camera motion and shot content, or animate existing images.

Modes considerations –  In automated mode, you can write prompts up to 4,000 characters. For manual mode, each shot accepts prompts up to 512 characters, and you can include up to 20 shots in a single video. Consider planning your shots in advance, similar to creating a traditional storyboard. Input images must match the 1280×720 resolution requirement. The service automatically delivers your completed videos to your specified S3 bucket.

Pricing and availability – Amazon Nova Reel 1.1 is available in Amazon Bedrock in the US East (N. Virginia) AWS Region. You can access the model through the Amazon Bedrock console, AWS SDK, or AWS CLI. As with all Amazon Bedrock services, pricing follows a pay-as-you-go model based on your usage. For more information, refer to Amazon Bedrock pricing.

Ready to start creating with Amazon Nova Reel? Visit the Amazon Nova Reel AWS AI Service Cards to learn more and dive into the Generating videos with Amazon Nova. Explore Python code examples in the Amazon Nova model cookbook repository, enhance your results using the Amazon Nova Reel prompting best practices, and discover video examples in the Amazon Nova Reel gallery—complete with the prompts and reference images that brought them to life.

The possibilities are endless, and we look forward to seeing what you create! Join our growing community of builders at community.aws, where you can create your BuilderID, share your video generation projects, and connect with fellow innovators.

Eli

How is the News Blog doing? Take this 1 minute survey!

(This survey is hosted by an external company. AWS handles your information as described in the AWS Privacy Notice. AWS will own the data gathered via this survey and will not share the information collected with survey respondents.)

The collective thoughts of the interwebz