Post Syndicated from corbet original https://lwn.net/Articles/957188/
The 6.8 merge window has gotten off to a relatively slow start; reasons for
that include a significant scheduler performance regression that Linus
Torvalds stumbled
into and has spent time tracking down. Even so, 4,282 non-merge
changesets have found their way into the mainline repository for the 6.8
release as of this writing. These commits have brought a number of
significant changes and new features.
Post Syndicated from Michael Hamilton original https://aws.amazon.com/blogs/big-data/detect-mask-and-redact-pii-data-using-aws-glue-before-loading-into-amazon-opensearch-service/
Many organizations, small and large, are working to migrate and modernize their analytics workloads on Amazon Web Services (AWS). There are many reasons for customers to migrate to AWS, but one of the main reasons is the ability to use fully managed services rather than spending time maintaining infrastructure, patching, monitoring, backups, and more. Leadership and development teams can spend more time optimizing current solutions and even experimenting with new use cases, rather than maintaining the current infrastructure.
With the ability to move fast on AWS, you also need to be responsible with the data you’re receiving and processing as you continue to scale. These responsibilities include being compliant with data privacy laws and regulations and not storing or exposing sensitive data like personally identifiable information (PII) or protected health information (PHI) from upstream sources.
In this post, we walk through a high-level architecture and a specific use case that demonstrates how you can continue to scale your organization’s data platform without needing to spend large amounts of development time to address data privacy concerns. We use AWS Glue to detect, mask, and redact PII data before loading it into Amazon OpenSearch Service.
The following diagram illustrates the high-level solution architecture. We have defined all layers and components of our design in line with the AWS Well-Architected Framework Data Analytics Lens.
The architecture is comprised of a number of components:
Data may be coming from many tens to hundreds of sources, including databases, file transfers, logs, software as a service (SaaS) applications, and more. Organizations may not always have control over what data comes through these channels and into their downstream storage and applications.
Many organizations land their source data into their data lake in various ways, including batch, micro-batch, and streaming jobs. For example, Amazon EMR, AWS Glue, and AWS Database Migration Service (AWS DMS) can all be used to perform batch and or streaming operations that sink to a data lake on Amazon Simple Storage Service (Amazon S3). Amazon AppFlow can be used to transfer data from different SaaS applications to a data lake. AWS DataSync and AWS Transfer Family can help with moving files to and from a data lake over a number of different protocols. Amazon Kinesis and Amazon MSK also have capabilities to stream data directly to a data lake on Amazon S3.
Using Amazon S3 for your data lake is in line with the modern data strategy. It provides low-cost storage without sacrificing performance, reliability, or availability. With this approach, you can bring compute to your data as needed and only pay for capacity it needs to run.
In this architecture, raw data can come from a variety of sources (internal and external), which may contain sensitive data.
Using AWS Glue crawlers, we can discover and catalog the data, which will build the table schemas for us, and ultimately make it straightforward to use AWS Glue ETL with the PII transform to detect and mask or and redact any sensitive data that may have landed in the data lake.
To demonstrate the value of our approach, let’s imagine you’re part of a data engineering team for a financial services organization. Your requirements are to detect and mask sensitive data as it is ingested into your organization’s cloud environment. The data will be consumed by downstream analytical processes. In the future, your users will be able to safely search historical payment transactions based on data streams collected from internal banking systems. Search results from operation teams, customers, and interfacing applications must be masked in sensitive fields.
The following table shows the data structure used for the solution. For clarity, we have mapped raw to curated column names. You’ll notice that multiple fields within this schema are considered sensitive data, such as first name, last name, Social Security number (SSN), address, credit card number, phone number, email, and IPv4 address.
| Raw Column Name | Curated Column Name | Type |
| c0 | first_name | string |
| c1 | last_name | string |
| c2 | ssn | string |
| c3 | address | string |
| c4 | postcode | string |
| c5 | country | string |
| c6 | purchase_site | string |
| c7 | credit_card_number | string |
| c8 | credit_card_provider | string |
| c9 | currency | string |
| c10 | purchase_value | integer |
| c11 | transaction_date | date |
| c12 | phone_number | string |
| c13 | string | |
| c14 | ipv4 | string |
Customers who implement the following architecture have built their data lake on Amazon S3 to run different types of analytics at scale. This solution is suitable for customers who don’t require real-time ingestion to OpenSearch Service and plan to use data integration tools that run on a schedule or are triggered through events.
Before data records land on Amazon S3, we implement an ingestion layer to bring all data streams reliably and securely to the data lake. Kinesis Data Streams is deployed as an ingestion layer for accelerated intake of structured and semi-structured data streams. Examples of these are relational database changes, applications, system logs, or clickstreams. For change data capture (CDC) use cases, you can use Kinesis Data Streams as a target for AWS DMS. Applications or systems generating streams containing sensitive data are sent to the Kinesis data stream via one of the three supported methods: the Amazon Kinesis Agent, the AWS SDK for Java, or the Kinesis Producer Library. As a last step, Amazon Kinesis Data Firehose helps us reliably load near-real-time batches of data into our S3 data lake destination.
The following screenshot shows how data flows through Kinesis Data Streams via the Data Viewer and retrieves sample data that lands on the raw S3 prefix. For this architecture, we followed the data lifecycle for S3 prefixes as recommended in Data lake foundation.
As you can see from the details of the first record in the following screenshot, the JSON payload follows the same schema as in the previous section. You can see the unredacted data flowing into the Kinesis data stream, which will be obfuscated later in subsequent stages.
After the data is collected and ingested into Kinesis Data Streams and delivered to the S3 bucket using Kinesis Data Firehose, the processing layer of the architecture takes over. We use the AWS Glue PII transform to automate detection and masking of sensitive data in our pipeline. As shown in the following workflow diagram, we took a no-code, visual ETL approach to implement our transformation job in AWS Glue Studio.
First, we access the source Data Catalog table raw from the pii_data_db database. The table has the schema structure presented in the previous section. To keep track of the raw processed data, we used job bookmarks.
We use the AWS Glue DataBrew recipes in the AWS Glue Studio visual ETL job to transform two date attributes to be compatible with OpenSearch expected formats. This allows us to have a full no-code experience.
We use the Detect PII action to identify sensitive columns. We let AWS Glue determine this based on selected patterns, detection threshold, and sample portion of rows from the dataset. In our example, we used patterns that apply specifically to the United States (such as SSNs) and may not detect sensitive data from other countries. You may look for available categories and locations applicable to your use case or use regular expressions (regex) in AWS Glue to create detection entities for sensitive data from other countries.
It’s important to select the correct sampling method that AWS Glue offers. In this example, it’s known that the data coming in from the stream has sensitive data in every row, so it’s not necessary to sample 100% of the rows in the dataset. If you have a requirement where no sensitive data is allowed to downstream sources, consider sampling 100% of the data for the patterns you chose, or scan the entire dataset and act on each individual cell to ensure all sensitive data is detected. The benefit you get from sampling is reduced costs because you don’t have to scan as much data.
The Detect PII action allows you to select a default string when masking sensitive data. In our example, we use the string **********.
We use the apply mapping operation to rename and remove unnecessary columns such as ingestion_year, ingestion_month, and ingestion_day. This step also allows us to change the data type of one of the columns (purchase_value) from string to integer.
From this point on, the job splits into two output destinations: OpenSearch Service and Amazon S3.
Our provisioned OpenSearch Service cluster is connected via the OpenSearch built-in connector for Glue. We specify the OpenSearch Index we’d like to write to and the connector handles the credentials, domain and port. In the screen shot below, we write to the specified index index_os_pii.
We store the masked dataset in the curated S3 prefix. There, we have data normalized to a specific use case and safe consumption by data scientists or for ad hoc reporting needs.
For unified governance, access control, and audit trails of all datasets and Data Catalog tables, you can use AWS Lake Formation. This helps you restrict access to the AWS Glue Data Catalog tables and underlying data to only those users and roles who have been granted necessary permissions to do so.
After the batch job runs successfully, you can use OpenSearch Service to run search queries or reports. As shown in the following screenshot, the pipeline masked sensitive fields automatically with no code development efforts.
You can identify trends from the operational data, such as the amount of transactions per day filtered by credit card provider, as shown in the preceding screenshot. You can also determine the locations and domains where users make purchases. The transaction_date attribute helps us see these trends over time. The following screenshot shows a record with all of the transaction’s information redacted appropriately.
For alternate methods on how to load data into Amazon OpenSearch, refer to Loading streaming data into Amazon OpenSearch Service.
Furthermore, sensitive data can also be discovered and masked using other AWS solutions. For example, you could use Amazon Macie to detect sensitive data inside an S3 bucket, and then use Amazon Comprehend to redact the sensitive data that was detected. For more information, refer to Common techniques to detect PHI and PII data using AWS Services.
This post discussed the importance of handling sensitive data within your environment and various methods and architectures to remain compliant while also allowing your organization to scale quickly. You should now have a good understanding of how to detect, mask, or redact and load your data into Amazon OpenSearch Service.
Michael Hamilton is a Sr Analytics Solutions Architect focusing on helping enterprise customers modernize and simplify their analytics workloads on AWS. He enjoys mountain biking and spending time with his wife and three children when not working.
Daniel Rozo is a Senior Solutions Architect with AWS supporting customers in the Netherlands. His passion is engineering simple data and analytics solutions and helping customers move to modern data architectures. Outside of work, he enjoys playing tennis and biking.
Post Syndicated from LGR original https://www.youtube.com/watch?v=tK6sqxT0ttQ
Post Syndicated from corbet original https://lwn.net/Articles/958125/
Users of SourceHut will have noticed that the site has been unreachable;
Drew DeVault has now posted a report on
what is happening (it’s a distributed denial-of-service attack) and
what is being done to recover.
We deal with ordinary DDoS attacks in the normal course of
operations, and we are generally able to mitigate them on our
end. However, this is not an ordinary DDoS attack; the attacker
posesses considerable resources and is operating at a scale beyond
that which we have the means to mitigate ourselves. In response,
before we could do much ourselves to understand or mitigate the
problem, our upstream network provider null routed SourceHut
entirely, rendering both the internet at large, and SourceHut
staff, unable to reach our servers.
Post Syndicated from jake original https://lwn.net/Articles/958124/
Security updates have been issued by Debian (kernel, linux-5.10, php-phpseclib, php-phpseclib3, and phpseclib), Fedora (openssh and tinyxml), Gentoo (FreeRDP and Prometheus SNMP Exporter), Mageia (packages), Red Hat (openssl), SUSE (gstreamer-plugins-rs and python-django-grappelli), and Ubuntu (dotnet6, dotnet7, dotnet8, openssh, and xerces-c).
Post Syndicated from Christiaan Beek original https://blog.rapid7.com/2024/01/12/2023-ransomware-stats-a-look-back-to-plan-ahead/
Last year was not a year for the faint of heart. Organizations of every size found themselves faced with ransomware attacks at varying levels of sophistication, yet every one of them was damaging. And as we step into 2024, the first victims of ransomware attacks are already being reported. What can the 2023 ransomware stats tell us about the year that was, and how can we use them to plan for the year ahead?
In this blog we will dissect the multifaceted dimensions of ransomware attacks observed in 2023, providing insights and looking a bit forward to what 2024 might bring. For our data analytics, we make use of publicly available data (like posts from the ransomware groups themselves) and 2023 ransomware incident data from our MDR team, both of which we’ve enriched with context from the data gathered in Rapid7 Labs.
The 2023 Ransomware Landscape
Most ransomware groups have leak sites where they announce victims of their campaigns. These leak sites are a tactic to put more pressure on their victims to pay the ransom; if the ransom is not paid, they will leak the compromised data via that site. The frequency of posts is a good indicator of how often and which groups are active, but the ransomware landscape is larger than that.
The number of unique ransomware families these groups utilized in 2023 decreased by more than half, from 95 new families in 2022 to 43 in 2023. This tells us that the “current” ransomware families and models are working/profitable and there’s no need to develop something brand new.
Our combined sources uncovered nearly 5200 reported ransomware cases throughout the course of 2023. In reality, we believe that number was actually higher because it doesn’t account for the many attacks that likely went unreported.
Coveware, a security consulting firm, found that the average ransom payment for Q3 2023 was $850,700 USD. That is only the amount paid for the ransom; the real costs for recovering of a ransomware incident are based on a range of factors that include:
The same report mentioned a staggering 41% of victims opted to pay the ransom.
The below scatter plot shows the number of ransomware incidents attributed to the top 20 ransomware groups for 2023, based on leak site communications, public disclosures, and Rapid7 incident response data.
Zooming in on the most active groups (supported by a large ecosystem of initial access brokers), the top 5 groups we identified are:
The below polar-bar chart visualizes these groups’ frequency of postings per month on their leak sites:
Rapid7 Labs conducted an analysis of the 2023 ransomware attacks using data sourced from both external and internal reports. We compared the modus operandi of these attacks and mapped them out against the MITRE ATT&CK model. The results are visualized in the following diagram:
This diagram effectively encapsulates the common patterns and methodologies observed in the majority of ransomware attacks. It serves as a visual representation, outlining the sequence of steps typically followed by attackers from initial breach to final ransom demand. In our statistics, exploiting a public facing application and having a valid account are the top initial attack vectors we observed in ransomware-focused attacks in 2023.
In 2023, several ransomware groups ceased their operations or underwent significant transformations. Hive ransomware marked the year’s start with its disruption in January. BlackByte, after briefly reappearing with a new white logo, went offline for the last two months of 2023.
Royal ransomware rebranded itself as Black Suit, as evidenced by the matching binaries.They took down their victim portal and started posting more on their Black Suit leak site.
Vice Society, another group, became inactive for over three months, taking down their main and backup leak sites.
NoEscape, previously known as Avaddon, executed an exit scam, further indicating the volatile and shifting landscape of ransomware groups in 2023. An “exit scam” is a fraudulent scheme where a business or individual collects funds or assets from customers or investors and then suddenly ceases operations, disappearing with the collected funds.
We anticipate that the top 5 groups mentioned will still be active in 2024; however, during the course of 2023, new groups surfaced that are interesting to watch. In random order: Cactus, Rhysida, 8base, Hunters International, Akira, and the recently surfaced Werewolves group are those to keep an eye out for.
Post Syndicated from The History Guy: History Deserves to Be Remembered original https://www.youtube.com/watch?v=YfqtNznCCFs
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2024/01/on-iot-devices-and-software-liability.html
New law journal article:
Smart Device Manufacturer Liability and Redress for Third-Party Cyberattack Victims
Abstract: Smart devices are used to facilitate cyberattacks against both their users and third parties. While users are generally able to seek redress following a cyberattack via data protection legislation, there is no equivalent pathway available to third-party victims who suffer harm at the hands of a cyberattacker. Given how these cyberattacks are usually conducted by exploiting a publicly known and yet un-remediated bug in the smart device’s code, this lacuna is unreasonable. This paper scrutinises recent judgments from both the Supreme Court of the United Kingdom and the Supreme Court of the Republic of Ireland to ascertain whether these rulings pave the way for third-party victims to pursue negligence claims against the manufacturers of smart devices. From this analysis, a narrow pathway, which outlines how given a limited set of circumstances, a duty of care can be established between the third-party victim and the manufacturer of the smart device is proposed.
Post Syndicated from Matt Granger original https://www.youtube.com/watch?v=wtDn1xXh96k
Post Syndicated from Анета Василева original https://www.toest.bg/kauzata-na-kucheto-arhitekturnata-kritika-dnes/
Твърди се, че в България архитектурна критика няма. Или пък – че състоянието на съвременната българска архитектура е такова точно защото няма силна архитектурна критика. И винаги нещата се представят по фатално-трагичен начин.
Жизнената среда не е такава, каквато трябва да бъде,
пише вероятно най-активният български критик през последните десетилетия арх. Павел Попов в статията си „Каузата на кучето“, публикувана във втория януарски брой на вестник „Култура“ през 1999 г., точно преди 25 години.
Как и защо българските архитекти точно както футболистите преуспяват на гурбет или в емиграция, а на местна почва хич ги няма – до такава степен, че никоя местна сграда не попада в полезрението на света,
продължава той. Поводът за статията е среща, която секция „Теория и критика“ на Съюза на архитектите в България (САБ) организирала по Коледа с представители на радиото, телевизията и вестниците, публикуващи материали за архитектура. Съответно от критиците и теоретиците от САБ дошли всички, но от медиите – почти никой.
Мрачният рефрен „Няма критика, няма медии, средата е зле“ кънти и през следващите години.
Общоизвестно е, че в България архитектурна критика няма и не може да има,
пише през 2007 г. несъществуващият вече онлайн строителен портал Stroitelstvo.info.
Че няма архитектурна критика у нас – това е ясно. Журналистите, които пишат за архитектура, са гола вода и гъзолижат, без да им мигне окото. Обаче ме тревожи изключително много, МНОГО, казвам ви МНОГО, че липсва критичност у колегите архитекти,
коментира през 2009 г. читател с псевдонима „Плужека се възмущава“ под статията „SAW по време на свински грип“ на Николай Ангелов в блога на WhATA. Самият автор на статията прави бърз и всъщност пълен архитектурнокритически коментар на второто издание на фестивала Sofia Architecture Week, който формира алтернативната българска архитектурна сцена между първия си форум през 2008 г. в София и последното си издание през 2016 г. в Пловдив.
През 2010 г. финландският архитект и архитектурен редактор Еса Лаксонен пише необичайно емоционална статия за „липсата на архитектурна критика във Финландия“ в независимия холандски академичен журнал OASE. Той нарича това „синдром на малката страна“. „Във Финландия компетентните архитектурни критици се броят на пръстите на ръката“, оплаква се Лаксонен.
А архитектите никак не искат да пишат статии за работата на своите колеги – смята се за неетично. Професионалните кръгове във Финландия са много малки и всяко мнение предизвиква извънмерни реакции. Никой не иска да се въвлича в това.
Оказва се, че във Финландия този дебат тече от над 30 години. Всички страдат, че критиката е малко, лошо написана – и търсят виновни. Дали ще са големите национални вестници, които изобщо не искат да се занимават с архитектура, камо ли с критика за нея, дали ще са професионалните списания, които нямат никакво влияние върху архитектурната и строителната култура, дали ще е липсата на пари.
Явно обаче синдромът не е само на малката страна. Франция например никак не е малка, но ситуацията според дългогодишната френска критичка и преподавателка Франсоаз Фромоно изглежда също толкова отчайваща.
В тази страна няма алтернатива на луксозните илюстровани списания, когато стане дума за архитектура и урбанизъм. Много трудно ще се намери някой професионален журнал, в който да има внимателно написана статия за малка неизвестна сграда, откровен обзор на политическите игри зад скорошен архитектурен конкурс, рецензия на наскоро излязла книга или приличен независим анализ на поредното постижение на някой стархитект.
Фромоно е съвсем откровена. Във Франция архитектурната секция в ежедневниците е сведена до минимум, а по-интелектуалните и културно насочени издания смятат архитектурата за прекалено специализирана, техничарска и безинтересна за техните читатели.
Причините за проблемите са много – променената медийна среда, комерсиалните пресгрупи, които доминират, финансовите проблеми на професионалните списания, свели разходите си до минимум, поддържани обикновено от само един щатен редактор, който наема автори на хонорар. Повечето от тях пък не искат или не могат да си позволят да губят време в проучване заради ниските хонорари. Те използват основно подадените пресматериали от пиар пакета на съответната сграда и разчитат на безплатните рекламни пътувания до обекта, организирани от архитектите и техните клиенти. След това на никого не му се рискува да обиди домакините с критичен коментар, защото така поканите ще секнат, а достъпът до информация и чертежи ще стане съвсем труден. Още повече когато критиците са млади и искат да правят и професионална кариера като проектанти или да се развиват академично в някой архитектурен университет – негативната критика им гарантира проблеми.
Звучи съвсем обезкуражаващо. А годината отново е 2010-та.
На 5 февруари 2015 г. Харвардският магистърски факултет по дизайн (Harvard Graduate School of Design) организира кръгла маса на тема как да се пише за архитектура в епохата на интернет, бърза информация и репортажна архитектурна критика. Професорът по архитектурна теория Майкъл Хейз кани извадка от най-популярните тогава, при това много различни по възраст и подход архитектурни критици от англосаксонския свят – Кристофър Хоторн, архитектурен критик на „Лос Анджелис Таймс“, Майкъл Соркин, легендарния нюйоркски критик, активист и биткаджия, Оливър Уейнрайт, архитектурен критик на британския „Гардиън“.
Уейнрайт е най-младият от поканените, но пък пише в най-четената и глобално достъпна англоезична медия (в немалка степен и защото британският ежедневник „Гардиън“ продължава да поддържа напълно безплатно онлайн съдържание и достъп до своя архив).
Много съм поласкан, че съм поканен отново (случва ми се вече за шести път през последните две години) да говоря за т.нар. криза на архитектурната критика. И всеки път, когато получа подобна покана, леко паникьосано започвам да се чудя да не би да си върша работата зле,
започва изказването си той.
Всъщност Уейнрайт показва по забавен начин как идеята, че архитектурна критика няма или пък че тя не работи добре, е глобален феномен, който се повтаря постоянно, когато и да погледнеш назад в архитектурната история. Изглежда, че архитектите не са спокойни, освен ако няма „криза на архитектурната критика“, полушеговито продължава експозето си Уейнрайт в Харвард.
Оливър Уейнрайт има теза по въпроса:
Чудя се обаче дали т.нар. криза на критиката не е криза на самата архитектура. Архитектурата и целият архитектурен процес в момента са толкова фрагментирани, че ние, архитектите, усещаме как губим авторитет и ставаме параноични, бранейки собственото си поле. Във Великобритания често се обсъждат т.нар. design and build договори [аналог на регламентирания в българския Закон за обществените поръчки „инженеринг“ – б.а.], които оставят архитектите на дъното на хранителната верига вместо на върха ѝ. Ясно е, че архитектите вече не са „архимайсторите“. И е много лесно да обвиним за това критиците.
Уейнрайт е прав. Както са прави Лаксонен и Фромоно, че и Павел Попов в далечната 1999 година. Още по-притеснителното е, че изводите им са напълно валидни и днес, включително за ситуацията в България. Фактът, че изданията, в които се пише професионално, редовно и независимо за архитектура, са пренебрежимо малко, е силно притеснителен. А състоянието на архитектурната критика е много тясно, почти незабележимо, но напълно показателно отражение на състоянието на медиите в страната ни днес.
Post Syndicated from Patrick Kennedy original https://www.servethehome.com/hpe-announced-its-intent-to-acquire-juniper/
HPE announced that plans to acquire Juniper bolstering a business it has been pushing for almost a quarter century
The post HPE Announced its Intent to Acquire Juniper appeared first on ServeTheHome.
Post Syndicated from digiblurDIY original https://www.youtube.com/watch?v=wNwTL8pbAIE
Post Syndicated from xkcd.com original https://xkcd.com/2880/
Post Syndicated from The Atlantic original https://www.youtube.com/watch?v=jCdDU1LMzOw
Post Syndicated from Channy Yun original https://aws.amazon.com/blogs/aws/amazon-ecs-supports-a-native-integration-with-amazon-ebs-volumes-for-data-intensive-workloads/
Today we are announcing that Amazon Elastic Container Service (Amazon ECS) supports an integration with Amazon Elastic Block Store (Amazon EBS), making it easier to run a wider range of data processing workloads. You can provision Amazon EBS storage for your ECS tasks running on AWS Fargate and Amazon Elastic Compute Cloud (Amazon EC2) without needing to manage storage or compute.
Many organizations choose to deploy their applications as containerized packages, and with the introduction of Amazon ECS integration with Amazon EBS, organizations can now run more types of workloads than before.
You can run data workloads requiring storage that supports high transaction volumes and throughput, such as extract, transform, and load (ETL) jobs for big data, which need to fetch existing data, perform processing, and store this processed data for downstream use. Because the storage lifecycle is fully managed by Amazon ECS, you don’t need to build any additional scaffolding to manage infrastructure updates, and as a result, your data processing workloads are now more resilient while simultaneously requiring less effort to manage.
Now you can choose from a variety of storage options for your containerized applications running on Amazon ECS:
To learn more, see Using data volumes in Amazon ECS tasks and persistent storage best practices in the AWS documentation.
Getting started with EBS volume integration to your ECS tasks
You can configure the volume mount point for your container in the task definition and pass Amazon EBS storage requirements for your Amazon ECS task at runtime. For most use cases, you can get started by simply providing the size of the volume needed for the task. Optionally, you can configure all EBS volume attributes and the file system you want the volume formatted with.
1. Create a task definition
Go to the Amazon ECS console, navigate to Task definitions, and choose Create new task definition.
In the Storage section, choose Configure at deployment to set EBS volume as a new configuration type. You can provision and attach one volume per task for Linux file systems.
When you choose Configure at task definition creation, you can configure existing storage options such as bind mounts, Docker volumes, EFS volumes, Amazon FSx for Windows File Server volumes, or Fargate ephemeral storage.
Now you can select a container in the task definition, the source EBS volume, and provide a mount path where the volume will be mounted in the task.
You can also use $aws ecs register-task-definition --cli-input-json file://example.json command line to register a task definition to add an EBS volume. The following snippet is a sample, and task definitions are saved in JSON format.
{
"family": "nginx"
...
"containerDefinitions": [
{
...
"mountPoints": [
"containerPath": "/foo",
"sourceVoumne": "new-ebs-volume"
],
"name": "nginx",
"image": "nginx"
}
],
"volumes": [
{
"name": "/foo",
"configuredAtRuntime": true
}
]
}2. Deploy and run your task with EBS volume
Now you can run a task by selecting your task in your ECS cluster. Go to your ECS cluster and choose Run new task. Note that you can select the compute options, the launch type, and your task definition.
Note: While this example goes through deploying a standalone task with an attached EBS volume, you can also configure a new or existing ECS service to use EBS volumes with the desired configuration.
You have a new Volume section where you can configure the additional storage. The volume name, type, and mount points are those that you defined in your task definition. Choose your EBS volume types, sizes (GiB), IOPs, and the desired throughput.
You cannot attach an existing EBS volume to an ECS task. But if you want to create a volume from an existing snapshot, you have the option to choose your snapshot ID. If you want to create a new volume, then you can leave this field empty. You can choose the file system type, either ext3 or ext4 file systems on Linux.
By default, when a task is terminated, Amazon ECS deletes the attached volume. If you need the data in the EBS volume to be retained after the task exits, check Delete on termination. Also, you need to create an AWS Identity and Access Management (IAM) role for volume management that contains the relevant permissions to allow Amazon ECS to make API calls on your behalf. For more information on this policy, see infrastructure role in the AWS documentation.
You can also configure encryption on your EBS volumes using either Amazon managed keys and customer managed keys. To learn more about the options, see our Amazon EBS encryption in the AWS documentation.
After configuring all task settings, choose Create to start your task.
3. Deploy and run your task with EBS volume
Once your task has started, you can see the volume information on the task definition details page. Choose a task and select the Volumes tab to find your created EBS volume details.
Your team can organize the development and operations of EBS volumes more efficiently. For example, application developers can configure the path where your application expects storage to be available in the task definition, and DevOps engineers can configure the actual EBS volume attributes at runtime when the application is deployed.
This allows DevOps engineers to deploy the same task definition to different environments with differing EBS volume configurations, for example, gp3 volumes in the development environments and io2 volumes in production.
Now available
Amazon ECS integration with Amazon EBS is available in nine AWS Regions: US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Europe (Frankfurt), Europe (Ireland), and Europe (Stockholm). You only pay for what you use, including EBS volumes and snapshots. To learn more, see the Amazon EBS pricing page and Amazon EBS volumes in ECS in the AWS documentation.
Give it a try now and send feedback to our public roadmap, AWS re:Post for Amazon ECS, or through your usual AWS Support contacts.
— Channy
P.S. Special thanks to Maish Saidel-Keesing, a senior enterprise developer advocate at AWS for his contribution in writing this blog post.
Post Syndicated from Raffaele Garofalo original https://aws.amazon.com/blogs/architecture/how-zurich-insurance-group-built-their-scalable-account-vending-process-using-aws-account-factory-for-terraform/
Zurich Insurance Group is a leading multi-line global insurer operating in more than 200 territories. Headquartered in Zurich, Switzerland, their main business is life and property and casualty (P&C) insurance. In 2022, Zurich began a multi-year program to accelerate their digital transformation and innovation through migration of 1,000 workloads to AWS, including core insurance and SAP workloads.
During 2022, Zurich built out their Global Cloud Foundation – a set of foundational global AWS capabilities required to begin migrating workloads to the AWS Cloud, including the Scalable Account Vending (SAV) solution that is the subject of this article.
The goal of the Global Cloud Foundation was to address common questions workload teams had when moving to the AWS Cloud:
This investment in a solid foundation is already enabling their migration program in 2023 and beyond.
As a federated global organization, Zurich Insurance Group had pockets of AWS usage in different business units in multiple geographies managed by separate regional Cloud Center of Excellence (CCOE) teams. However, there was no consistency. One of the migration program’s goals was to establish a standard set of re-usable patterns and curated services, pre-built using Terraform to minimize migration and modernization effort and maximize re-use. This required the AWS environment to be built in a consistent way.
Additionally, Zurich was moving from a managed service to self-service DevSecOps provisioning for infrastructure, and many of the workloads did not have an existing DevSecOps environment for their infrastructure, and so they needed one provisioned for them in Azure DevOps and Terraform Cloud (their DevOps toolchain), further accelerating adoption.
Therefore, the cloud workload environment needed to consist of:
Historically, these environments were created by each CCOE team through a combination of manual and semi-automated processes. The need for a scalable and automated solution came from the increase in demand for AWS Cloud workload environments. It took the CCOE up to three days to provision a single AWS account, involved manual processes by multiple employees, and meant that each workload owner needed to raise up to eight support tickets to establish their environment. In addition, pipelines often failed, and the solution did not provide the speed or flexibility required in order to scale Zurich’s cloud adoption strategy.
To address this, SAV was conceived with three main goals:
The end-to-end solution shown here was fully-implemented as infrastructure-as-code orchestrated using Zurich’s corporate-standard Azure DevOps CI/CD tooling.
Figure 1. End-to-end solution using Zurich’s tooling
A single Jira Service Management request submitted by the workload owner provisions the entire cloud workload environment, which provides all the basic resources required to start migrating a workload into AWS.
In this section we will explore two key components of the SAV architecture: Environment vending using AWS Control Tower Account Factory for Terraform, and the AFT Code promotion process.
Figure 2. Environment vending pipeline overview
The environment vending workflow is structured as follows: a request for an AWS account is entered into JIRA Service Management ITSM tool. This triggers the environment vend pipeline in Azure DevOps.
AWS Control Tower Account Factory for Terraform (AFT) works by provisioning a new AWS account in response to a request in the form of an account request Terraform configuration committed to its account request GIT repository. Each account request configuration contains all information and metadata required to classify the AWS account into the proper organization structure and cost center.
The environment vend pipeline begins provisioning multiple accounts by taking the data entered on the submission form and generating a series of AFT account request Terraform configurations using Jinja templates, and committing each request to the AFT repository. The commit triggers AFT to provision the AWS accounts and to execute the Terraform modules that will deploy the account baseline and the required customizations in each vended account.
Subsequent stages of the pipeline provision the other resources using Terraform Cloud by following the same pattern as shown here:
Figure 3. Resource provisioning using Terraform Cloud
A pipeline task executes a Python script which applies a Jinja template to generate an HCL file, which is then committed to Azure DevOps git repository. This was essential in order to support ‘day-two’ management of the resources by the CCOE or workload teams that may want to use GitOps in the future. The commit triggers a run in the corresponding Terraform Cloud workspace, which provisions the resources into the linked account.
AWS Control Tower Account Factory for Terraform (AFT) uses a GitOps approach to vending and baselining of new AWS accounts using Terraform. It has workflows for creating new accounts and for deploying resources into vended accounts through its global and account customizations, which are implemented as Terraform modules. However, when applying changes to these Terraform modules there is a risk that an erroneous change can impact many, if not all, vended accounts.
Zurich Insurance Group mitigated the risk by implementing GitFlow. To modify a production configuration a process of pull request, review, and merge is triggered to ensure no breaking changes are introduced. The changes are tested in lower environments before deployment into production.
This process is illustrated here:
Figure 4. Terraform Cloud code promotion using GitFlow
By adopting AWS Control Tower Account Factory for Terraform, Zurich were able to achieve the scalability, resilience and performance to support provisioning of a projected 3000+ accounts. By compressing the process to a single ITSM request Zurich Insurance Group CCOE have been able to improve their SLA and customer satisfaction, reduce CCOE support time and effort, and secure their AWS environment with automated DevSecOps activities.
According to Eamonn Carey, Head of Cloud Engineering at Zurich Insurance Group:
“For Zurich and its journey to public cloud, scalability and compliance are crucial aspects of building and managing our cloud environments. Day-2 management plays a pivotal role in achieving both. Our scalable account vending processes and pre-created repos for day-2 management brings numerous benefits. It enables rapid delivery of our AWS accounts, enhances scalability, and promotes standardization. It ensures efficient resource provisioning, while standardized configurations ensure compliance with regulations and best practices. By combining these elements, Zurich can streamline our operations, reduce risks, and achieve optimal scalability and compliance in our cloud environments.”
Post Syndicated from Edward Sun original https://aws.amazon.com/blogs/security/how-to-customize-access-tokens-in-amazon-cognito-user-pools/
With Amazon Cognito, you can implement customer identity and access management (CIAM) into your web and mobile applications. You can add user authentication and access control to your applications in minutes.
In this post, I introduce you to the new access token customization feature for Amazon Cognito user pools and show you how to use it. Access token customization is included in the advanced security features (ASF) of Amazon Cognito. Note that ASF is subject to additional pricing as described on the Amazon Cognito pricing page.
When a user signs in to your app, Amazon Cognito verifies their sign-in information, and if the user is authenticated successfully, returns the ID, access, and refresh tokens. The access token, which uses the JSON Web Token (JWT) format following the RFC7519 standard, contains claims in the token payload that identify the principal being authenticated, and session attributes such as authentication time and token expiration time. More importantly, the access token also contains authorization attributes in the form of user group memberships and OAuth scopes. Your applications or API resource servers can evaluate the token claims to authorize specific actions on behalf of users.
With access token customization, you can add application-specific claims to the standard access token and then make fine-grained authorization decisions to provide a differentiated end-user experience. You can refine the original scope claims to further restrict access to your resources and enforce the least privileged access. You can also enrich access tokens with claims from other sources, such as user subscription information stored in an Amazon DynamoDB table. Your application can use this enriched claim to determine the level of access and content available to the user. This reduces the need to build a custom solution to look up attributes in your application’s code, thereby reducing application complexity, improving performance, and smoothing the integration experience with downstream applications.
Amazon Cognito works with AWS Lambda functions to modify your user pool’s authentication behavior and end-user experience. In this section, you’ll learn how to configure a pre token generation Lambda trigger function and invoke it during the Amazon Cognito authentication process. I’ll also show you an example function to help you write your own Lambda function.
During a user authentication, you can choose to have Amazon Cognito invoke a pre token generation trigger to enrich and customize your tokens.
Figure 1: Pre token generation trigger flow
Figure 1 illustrates the pre token generation trigger flow. This flow has the following steps:
The pre token generation trigger flow supports OAuth 2.0 grant types, such as the authorization code grant flow and implicit grant flow, and also supports user authentication through the AWS SDK.
Your Amazon Cognito user pool delivers two different versions of the pre token generation trigger event to your Lambda function. Trigger event version 1 includes userAttributes, groupConfiguration, and clientMetadata in the event request, which you can use to customize ID token claims. Trigger event version 2 adds scope in the event request, which you can use to customize scopes in the access token in addition to customizing other claims.
In this section, I’ll show you how to update your user pool to trigger event version 2 and enable access token customization.
To enable access token customization
Figure 2: Add Lambda trigger
Figure 3: Select Lambda trigger
Figure 4: Add Lambda trigger
Now that you have enabled access token customization, I’ll walk you through a code example of the pre token generation Lambda trigger, and the version 2 trigger event. This code example examines the trigger event request, and adds a new custom claim and a custom OAuth scope in the response for Amazon Cognito to customize the access token to suit various authorization scheme.
Here is an example version 2 trigger event. The event request contains the user attributes from the Amazon Cognito user pool, the original scope claims, and the original group configurations. It has two custom attributes—membership and location—which are collected during the user registration process and stored in the Cognito user pool.
{
"version": "2",
"triggerSource": "TokenGeneration_HostedAuth",
"region": "us-east-1",
"userPoolId": "us-east-1_01EXAMPLE",
"userName": "mytestuser",
"callerContext": {
"awsSdkVersion": "aws-sdk-unknown-unknown",
"clientId": "1example23456789"
},
"request": {
"userAttributes": {
"sub": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"cognito:user_status": "CONFIRMED",
"email": "[email protected]",
"email_verified": "true",
"custom:membership": "Premium",
"custom:location": "USA"
},
"groupConfiguration": {
"groupsToOverride": [],
"iamRolesToOverride": [],
"preferredRole": null
},
"scopes": [
"openid",
"profile",
"email"
]
},
"response": {
"claimsAndScopeOverrideDetails": null
}
}In the following code example, I transformed the user’s location attribute and membership attribute to add a custom claim and a custom scope. I used the claimsToAddOrOverride field to create a new custom claim called demo:membershipLevel with a membership value of Premium from the event request. I also constructed a new scope with the value of membership:USA.Premium through the scopesToAdd claim, and added the new claim and scope in the event response.
export const handler = function(event, context) {
// Retrieve user attribute from event request
const userAttributes = event.request.userAttributes;
// Add scope to event response
event.response = {
"claimsAndScopeOverrideDetails": {
"idTokenGeneration": {},
"accessTokenGeneration": {
"claimsToAddOrOverride": {
"demo:membershipLevel": userAttributes['custom:membership']
},
"scopesToAdd": ["membership:" + userAttributes['custom:location'] + "." + userAttributes['custom:membership']]
}
}
};
// Return to Amazon Cognito
context.done(null, event);
};With the preceding code, the Lambda trigger sends the following response back to Amazon Cognito to indicate the customization that was needed for the access tokens.
"response": {
"claimsAndScopeOverrideDetails": {
"idTokenGeneration": {},
"accessTokenGeneration": {
"claimsToAddOrOverride": {
"demo:membershipLevel": "Premium"
},
"scopesToAdd": [
"membership:USA.Premium"
]
}
}
}Then Amazon Cognito issues tokens with these customizations at runtime:
{
"sub": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_01EXAMPLE",
"version": 2,
"client_id": "1example23456789",
"event_id": "01faa385-562d-4730-8c3b-458e5c8f537b",
"token_use": "access",
"demo:membershipLevel": "Premium",
"scope": "openid profile email membership:USA.Premium",
"auth_time": 1702270800,
"exp": 1702271100,
"iat": 1702270800,
"jti": "d903dcdf-8c73-45e3-bf44-51bf7c395e06",
"username": "mytestuser"
}Your application can then use the newly-minted, custom scope and claim to authorize users and provide them with a personalized experience.
There are four general considerations and best practices that you can follow:
In this post, you learned how to integrate a pre token generation Lambda trigger with your Amazon Cognito user pool to customize access tokens. You can use the access token customization feature to provide differentiated services to your end users based on claims and OAuth scopes. For more information, see pre token generation Lambda trigger in the Amazon Cognito Developer Guide.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.
Want more AWS Security news? Follow us on Twitter.
Post Syndicated from Home Assistant original https://www.youtube.com/watch?v=99lGuB4J-4o
Post Syndicated from Александър Нуцов original https://www.toest.bg/nevidimata-detsentralizatsiya-v-bulgaria/
Кой движи света напред? Кой води войните? Къде е концентрирана властта? В индивида, държавата, наднационалните институции? В политическите науки и международните отношения това са философски въпроси, от чиито корени черпят своето начало различни научни течения и школи. Но едва ли има единствен, цялостен и правилен отговор на тях. Докато хората на власт изпълват управленските структури със своята идентичност, позиции и идеи, същите структури влияят на хората в тях и ги ограничават с установените си рамки, инструменти и норми на съществуване.
Безспорно обаче най-голям властови ресурс – административен, финансов и военен – е съсредоточен в националната държава. Държавата съществува със своите структури, модели на поведение и „инстинкти“. Подобно на човека, първичното стремление на всяка власт е самосъхранението и възпроизвеждането. Държавите и техните структури също като нас се адаптират към променящата се среда и трансформират елементи от себе си, за да оцелеят. Така историческите събития ги подтикват да делегират част от правомощията си нагоре, към наднационални институции като ООН и Европейския съюз, и надолу – към местната власт, гражданите и частния сектор.
Процеси по децентрализация текат навсякъде по света още от времето на Студената война. Първоначално те се състоят преди всичко в предаване на правомощия и функции от централната към местната власт и различни локални структури с идеята да предоставят по-качествени и ефективни услуги на своите граждани. Тук можем да включим и случаите на федерализация и засилване на федералните власти в страни с такова управление.
С падането на желязната завеса – особено в страните от бившия Източен блок – децентрализацията поема към по-значително включване на частния сектор в публичните дела и икономиката заради масовата приватизация. Отварянето на пазарите и стимулирането на частната инициатива се осъществява в по-широкия контекст на демократизация на обществата.
Впоследствие „разпръскването“ на власт придобива все по-широк смисъл. Вече говорим за включване на все повече обществени кръгове във вземането на политически решения – граждани, неправителствени организации, бизнес. Тоест от тясното разбиране за делегиране на правомощия от централната към местната власт постепенно стигаме до по-широката тема за създаване на по-справедливо и ефективно държавно управление. Именно в този по-общ смисъл ще си поговорим за децентрализацията в България.
За разлика от много други страни по света, в България липсва държавна стратегия или целенасочена държавна политика за децентрализация на властта. У нас тя се развива по-скоро по естествен път, в съзвучие със сложните социално-икономически, политически и исторически обстоятелства на средата.
Парадоксално, политическата нестабилност през последните години, незначителната избирателна активност и ниската легитимност на властта от белег за немощ на българската демокрация могат да се превърнат в първопричината за нейното надграждане.
Фрагментираният парламент без единствена доминираща партия доведе до няколко ключови последици. Първата е липсата на единен център, който да създава и променя законодателството. Това, от една страна, създава поле за битка на повече и различни гледни точки. От друга обаче, означава невъзможност за водене на единна и стабилна политика, тъй като твърде многото интереси и компромиси водят до забавяне на законодателния процес или до осакатяване на реформите.
Вторият важен момент е, че немалка част от политическите фигури, като Бойко Борисов и Румен Радев, които дълго време концентрираха огромна власт в ръцете си, постепенно загубиха този свой прерогатив. И докато самият парламент се разпокъса отвътре, конфронтацията между парламента и Президентството доведе до конституционните промени, които орязват някои правомощия на президента.
При тази липса на единни самодостатъчни властови ядра законодателният процес и политиците се нуждаят от обединяващ фактор, който да надмогне кавгите и управленската разпокъсаност. И тук все по-съществена роля играят частният и гражданският сектор. Защото бизнесите и гражданските организации предлагат надпартийни решения отвъд институционалните борби, които нямат цвят, а решават проблеми на обществената среда.
На този фон администрацията остава изключително ретроградна, а политиците често нямат време, експертност и воля да реформират закостенялото законодателство. Тези дефицити все повече се запълват от активната роля на бизнес асоциациите, неправителствените организации и гражданите с експертни познания в различни области.
Освен това държавният апарат изостава драстично от технологичното развитие на глобално ниво, което забавя модернизацията на всички сектори от обществено значение – от образование и здравеопазване до електронно правителство и дигитализация на обществените услуги. Оттам идва и нарастващата зависимост на държавата от предприемачите, които създават, развиват и предоставят технологиите.
В условията на глобализация и ускорено технологично развитие частният и гражданският сектор придобиват все по-голяма тежест и лостове за влияние върху политиците.
Нарастващата роля на бизнеса и гражданите трябва да се превърне в тенденция, така че те да участват все по-активно в политическите процеси и вземането на стратегически решения. Тук говорим за „разпръскване“ на власт от парламента и партиите, както и от правителството и министерствата надолу – към обществото.
По-силният глас на модерните бизнеси и гражданския сектор гарантира повече контрол върху дейността на политиците, повече и по-добри идеи за реформи от хора и организации с експертно знание и по-ефективни решения на конкретни проблеми на средата. А колкото по-силни и разпознаваеми сред обществото са добрите примери на хора и организации от неправителствения сектор, толкова по-голямо внимание получават те от медиите. И ако политиците откажат да се съобразяват с тях, именно медиите са тези, които могат да разобличат нередностите и да осъществяват натиск, което неизбежно води до загуба на доверие и електорат.
По отношение на дигитализацията бизнесът предоставя технологии и ноу-хау в най-различни сектори, част от които вече споменахме. През миналата година например България най-накрая създаде своя национален електронен идентификатор благодарение на разработената от Evrotrust Technologies дигитална схема Evrotrust eID.
Най-големите пробойни на държавата бизнесът се опитва да попълни в образованието. За първи път 25 бизнес организации излязоха с обща позиция за нуждата от дълбока реформа в образованието. Все повече предприемачи споделят за развитието на собствени академии, стажове и семинари, с които да обучават собствени кадри поради липса на добра подготовка на кандидатите. Инвестициите в учебната инфраструктура, като например научни лаборатории, също говорят за големия принос на бизнеса. Социални предприемачи пък развиват собствени платформи за обучение и осигуряват финансов стимул за успелите ученици и студенти.
В здравеопазването имаме все повече дигитални платформи, които улесняват достъпа до специалисти в най-различни области, осигуряват ценна информация, дигитализират работата на институциите, помагат при подбора на персонал и т.н.
В земеделието български компании предоставят технологични решения за нуждите на земеделците. Например произвеждат високотехнологична роботика за най-различни дейности, като умно косене и плевене, разработват автоматизиране на капковото напояване, осъществяват контрол на климата в закрити и открити площи при отглеждането на култури, осигуряват софтуер и специалисти, които правят измервания и анализи и прилагат добри практики за устойчиво развитие на земеделието и оптимизиране на разходите.
Сигурността и отбраната също все по-силно зависят от модерните предприемачи, най-вече при надпреварата в иновациите. НАТО има собствен иновационен акселератор – DIANA, който предоставя ресурси и тестова база за иновативните стартъпи и ги свързва с учените и крайните потребители при създаването на „дълбоки технологии“ (deep tech) с т.нар. двойна употреба за страните от Съюза. Един от ключовите партньори на DIANA в България като тестов център е институтът „Големи данни в полза на интелигентно общество“ (GATE) към СУ „Св. Климент Охридски“, който осъществява и връзката между българските компании и натовската акселераторска програма.
Това са само няколко примера за нарастващата роля на бизнеса в традиционни за държавата сфери, което постепенно ще се превърне в тенденция в контекста на технологичното развитие.
На фона на политическата нестабилност и слабата държавност българските граждани и предприемачи ще придобиват все по-ключова позиция, която ще им позволи да държат политиците отговорни и да изсветляват управленските нередности и корупционни схеми.
Децентрализацията обаче не е лек сама по себе си. Тя трябва да улесни процеса на реформиране на законодателството и модернизиране на средата, като подпомогне комуникацията между политиците и експертите/практиците от частния и гражданския сектор, така че всички да участват дейно в политическите и публичните дела.
Необходимо е създаването на повече профилирани неправителствени и граждански организации, които обединяват широки обществени кръгове, застъпват се за каузи и черпят креативни идеи и решения от практиката. Те трябва да инициират и улесняват разговора между по-широк кръг лица от гражданския, частния и държавния сектор, за да се отговори на нуждите на обществото по най-смислен и ефективен начин. И най-важното – трябва да предоставят конкретни решения на конкретни проблеми, издигайки на пиедестал идеята всяка отделна сфера от живота ни да е по-добра за всички.
Децентрализацията в България ще продължи да се реализира по-скоро по естествен път, движен от нестабилната политическа обстановка и ускореното технологично развитие. Това е шанс за създаване на по-устойчива, макар и несъвършена демокрация, с повече съвестни управленци в по-благоприятна среда за правене на политика.
Post Syndicated from digiblurDIY original https://www.youtube.com/watch?v=aFs9x0rhO1Y