Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2023/11/using-generative-ai-for-surveillance.html
Generative AI is going to be a powerful tool for data analysis and summarization. Here’s an example of it being used for sentiment analysis. My guess is that it isn’t very good yet, but that it will get better.
Post Syndicated from Bonnie Sheppard original https://www.raspberrypi.org/blog/support-new-computing-teachers-debugging-scratch-litterbox/
We all know that learning to program, and specifically learning how to debug or fix code, can be frustrating and leave beginners overwhelmed and disheartened. In a recent blog article, our PhD student Lauria at the Raspberry Pi Computing Education Research Centre highlighted the pivotal role that teachers play in shaping students’ attitudes towards debugging. But what about teachers who are coding novices themselves?
In many countries, primary school teachers are holistic educators and often find themselves teaching computing despite having little or no experience in the field. In a recent seminar of our series on computing education for primary-aged children, Luisa Greifenstein told attendees that struggling with debugging and negative attitudes towards programming were among the top ten challenges mentioned by teachers.
Luisa is a researcher at the University of Passau, Germany, and has been working closely with both teacher trainees and experienced primary school teachers in Germany. She’s found that giving feedback to students can be difficult for primary school teachers, and especially for teacher trainees, as programming is still new to them. Luisa’s seminar introduced a tool to help.
To address this issue, the University of Passau has initiated the primary::programming project. One of its flagship tools, LitterBox, offers a unique solution to debugging and is specifically designed for Scratch, a beginners’ programming language widely used in primary schools.
LitterBox serves as a static code debugging tool that transforms code examination into an engaging experience. With a nod to the Scratch cat, the tool visualises the debugging of Scratch code as checking the ‘litterbox’, categorising issues into ‘bugs’ and ‘smells’:
What sets LitterBox apart is that it also rewards correct code by displaying ‘perfumes’. For instance, it will praise correct broadcasting or the use of custom blocks. For every identified problem or achievement, the tool provides short and direct feedback.
Luisa and her team conducted a study to gauge the effectiveness of LitterBox. In the study, teachers were given fictitious student code with bugs and were asked to first debug the code themselves and then explain in a manner appropriate to a student how to do the debugging.
The results were promising: teachers using LitterBox outperformed a control group with no access to the tool. However, the team also found that not all hints proved equally helpful. When hints lacked direct relevance to the code at hand, teachers found them confusing, which highlighted the importance of refining the tool’s feedback mechanisms.
Despite its limitations, LitterBox proved helpful in another important aspect of the teachers’ work: coding task creation. Novice students require structured tasks and help sheets when learning to code, and teachers often invest substantial time in developing these resources. While LitterBox does not guide educators in generating new tasks or adapting them to their students’ needs, in a second study conducted by Luisa’s team, teachers who had access to LitterBox not only received support in debugging their own code but also provided more scaffolding in task instructions they created for their students compared to teachers without LitterBox.
One important realisation that we had in the Q&A phase of Luisa’s seminar was that many different research teams are working on solutions for similar challenges, and that the impact of this research can be maximised by integrating new findings and resources. For instance, what the LitterBox tool cannot offer could be filled by:
As we navigate the evolving landscape of programming education, it’s clear that innovative tools like LitterBox can make a significant difference in the journey of both educators and students. By equipping educators with effective debugging and task creation solutions, we can create a more positive and engaging learning experience for students.
If you’re an educator, consider exploring how such tools can enhance your teaching and empower your students in their coding endeavours.
You can watch the recording of Luisa’s seminar here:
If you’re interested in the latest developments in computing education, join us at one of our free, monthly seminars. In these sessions, researchers from all over the world share their innovative ideas and are eager to discuss them with educators and students. In our December seminar, Anaclara Gerosa (University of Edinburgh) will share her findings about how to design and structure early-years computing activities.
This will be the final seminar in our series about primary computing education. Look out for news about the theme of our 2024 seminar series, which are coming soon.
The post Support for new computing teachers: A tool to find Scratch programming errors appeared first on Raspberry Pi Foundation.
Post Syndicated from LastWeekTonight original https://www.youtube.com/watch?v=p4QGOHahiVM
Post Syndicated from Rohit Kumar original https://www.servethehome.com/cornelis-networks-shows-off-576-port-400gbps-omni-path-cn5000-at-sc23/
At SC23, we saw the Cornelis Networks 576-port 400Gbps Omni-Path CN5000 director switch with a whopping 48kW of power supplies
The post Cornelis Networks Shows off 576-Port 400Gbps Omni-Path CN5000 at SC23 appeared first on ServeTheHome.
Post Syndicated from corbet original https://lwn.net/Articles/951907/
The second 6.7 kernel prepatch is out for
testing. “The most noticeable thing is probably the turbostat tool
”
update, which actually came in during the merge window, but was delayed by
just waiting for getting the pull request properly signed.
Post Syndicated from Explosm.net original https://explosm.net/comics/millennial-criminal
New Cyanide and Happiness Comic
Post Syndicated from xkcd.com original https://xkcd.com/2857/
Post Syndicated from digiblurDIY original https://www.youtube.com/watch?v=VxxNBGVJrQs
Post Syndicated from Talks at Google original https://www.youtube.com/watch?v=JQHnT4Q9ZzE
Post Syndicated from BeardedTinker original https://www.youtube.com/watch?v=wLyXUIhfA-8
Post Syndicated from Григор original http://www.gatchev.info/blog/?p=2611
Една статия в BBC (https://www.bbc.com/news/world-europe-67427422) ме върна към спомен, който може би беше по-добре да бях забравил… Но пък може би ще е от полза за някого.
(Ако статията в BBC един ден не е достъпна: разказва за една съвременна руска доносничка, под името Анна Коробкова, и за жертвите ѝ. Топени, вероятно често и клеветени, че не подкрепят „специалната военна операция“ – руската агресия в Украйна. Тъй де, ако агресията не успее, може да се наложи Русия да изплаща репарации. Стандартът и доходите на Коробкова ще спаднат, може дори да ѝ се наложи да мине на пълно работно време. Така че тя не само има тези възгледи, има и интерес…)
Познавах такава „Анна Коробкова“ тук, в България. И за нея донасянето беше и доход, и смисълът на живота ѝ. Очите ѝ блестяха и пръскаше слюнки от кеф, докато разказваше. Как е пращала „където им е мястото“ всякакви „изроди“. „Капиталистически агенти“, разказвали политически вицове. „Безсрамни хлапета“, целували се на обществено място. „Смотаняк“ съсед, който не ѝ позволил да си свърже кухнята към неговия електромер. „Пижони“ с бради или къси полички. „Градска кокона“, която слагала саксии с цветя по стълбището на входа. „Пияница“, който се „скатавал“ от манифестация на 9 септември. „Забравил се“ съсед по вилно място, не разбрал, че мястото му се полага на нея и мъжа ѝ, а не на такива като него…
Тя нямаше компютър и база данни кого е натопила и какво му се е случило, като Коробкова. Имаше картотека с листче в нея за всяка жертва. „Ейййй такава!“, показваше гордо с ръце близо метър дължина. „Когото съм почнала, доде не го свърша, не съм го оставяла! Един няма да съм помилвала! Всичко си пишех там – кога за кого съм писала, какво съм написала, какво кога съм му докарала…“
Ненавистта ѝ към промените нямаше как да бъде предадена с думи. Те ѝ бяха отнели абсолютно всичко. Не, не хубавия апартамент, нито пък вилата. Нито дори бижутата на „градската кокона“, оказали се незнайно как у нея. Заради тези неща тя беше съсипвала и смазвала хора, но всъщност те бяха само израз на истински ценното ѝ – възможността да тъпче и съсипва който поиска. Промените ѝ бяха отнели именно него – отмъщаването на по-свестните от нея за това, че са по-свестни…
Гледах я, стопена от болестта до скелет в кожа, пръскащ ненавист, и изведнъж си я представих като Ам-гъл. Сдобил се с Пръстена на всевластието, но поискал и получил от него по своята нищожна мяра. Да може безнаказано да хапе по краката и да стиска за гушите по-читавите от него…
Беше стигнала дотам в последните си часове да може единствено да сподели, и така преживее отново, това си щастие. С човек, за който не знаеше на практика нищо, освен че се е опитал преди години да спаси мъжа ѝ. Сигурно в изнемощението си приравняваше това до споделяне на „ценностите“ ѝ… Едва се сдържах да не избухна, да си тръгна и да не я видя никога повече. Спираше ме единствено някакво едва доловимо усещане в дъното на ума ми, че дори такъв човек заслужава една последна милост. Някой да го изслуша, преди да си е тръгнал. Да му даде възможността да си припомни и преживее пак каквото е имал за щастие. И заради него, и още повече заради собствената си съвест…
… Дълго време си мислех – какво ли е подходящото определение за такъв човек. Чак когато статията в BBC ми върна спомена, името „Коробкова“ изведнъж намери мястото си в пъзела. Тази жена беше нашенска тоталитарна Коробочка. Изкривена дотам да събира в картотека – материален израз на истинската ѝ същност, точно както заключените шкафове с натрупани неща са истинската същност на Гоголевата Коробочка – единственото щастие, което е могла да има. Ужасяващо с безчовечността си..
Чудех се – какво ли я е направило такава? Може би произход или преживяно – и до днес не зная нищичко и за двете, нито има вече как да науча. Но знам за устройството и работата на мозъка повече от немалко неврофизиолози. Вероятно дефицит в латералния стриатум, по-точно в еферентите на кортико-таламо-стриато-кортикалния кръг. Водещ до неоснователно, но безмилостно усещане за собствена незначимост. Което причинява страдание, силно като това от жестока болка, ако и с различен източник. (За който не знае – усещането за болка и изпитването на страдание от нея са два различни механизма. Подобно страдание може да носи всяко усещане, което говори за някаква опасност, ако е достатъчно силно.)
И тя е търсела как да облекчи това усещане, според каквото е знаела и виждала. А комунистическото общество е имало нужда и е предлагало нужното ѝ облекчение срещу писане на доноси… Но тъй като усещането е болестно, няма как да се задоволи трайно. И в търсене на облекчение тя е слизала все по-надолу по спиралата. Научила се е да вярва в глупости, да мрази каквото всъщност не ѝ вреди. Да се самооправдава за причинявана на другите болка – тоест, отначало вероятно дори е изпитвала угризения… Всъщност тя беше пациент, страдалец, не злодей по същност. Злодей я бяха направили болестта ѝ и болното общество.
Да, сигурно всеки злодей си има причина да е такъв. Да, злодеите трябва да бъдат спирани непоколебимо, преди да причинят зло на други хора и може би да ги превърнат също в злодеи. Но в същността си те имат нужда от лечение, от помощ. Наказанието може би понякога е нужната им помощ, но сигурно не винаги.
Глупости? Може би. Но един лекар е длъжен да мисли така. Юридическото право да бъдеш лекар го дава дипломата, но моралното право го дава този начин на мислене.
Post Syndicated from Explosm.net original https://explosm.net/comics/no-nut
New Cyanide and Happiness Comic
Post Syndicated from Oglaf! -- Comics. Often dirty. original https://www.oglaf.com/eyeroll/
Post Syndicated from The Hook Up original https://www.youtube.com/watch?v=F7IhSKJ41rU
Post Syndicated from Will Taillac original https://www.servethehome.com/silicon-power-ud90-4tb-nvme-ssd-review/
In our Silicon Power UD90 review, we see how this 4TB NVMe SSD performs since it is the cheapest 4TB NVMe SSD we could find
The post Silicon Power UD90 Review The Cheapest 4TB M.2 NVMe SSD appeared first on ServeTheHome.
Post Syndicated from Techmoan original https://www.youtube.com/watch?v=xRWFH3tnWaY
Post Syndicated from Йовко Ламбрев original https://www.toest.bg/sedmitsata-13-18-noemvri/
Не лесно да бъдат изброени темите на седмицата, които ангажираха обществената енергия във вътрешнополитически план. Отзвукът от местните избори още не е отшумял и ще продължи да определя контекста и посоката на много от събитията и през идните няколко седмици.
Може би само драмата с властта в БФС няма връзка с изборите, защото продължава отдавна и беше очаквано да ескалира. Иначе, сблъсъците в София между полицията и футболните фенове показаха за пореден път, че МВР отдавна има нужда от сериозна реформа и някак естествено му идва да залита към полицейски произвол. Разбира се, от окървавените кадри не пропуснаха да се възползват политиците.
В крайна сметка сякаш най-важното от седмицата за България в политическата плоскост е напрежението в т.нар. сглобка, породено от разместванията на пластовете след изборите и наближаващата ротация на премиерите и силите. Емилия Милчева подробно обследва по-важните детайли по темата в анализа си „Игрите с дерогацията и „Лукойл“.
„Счупеното правосъдие и прекършената хуманност“ пък е заглавието на материала на Светла Енчева, която чрез няколко нашумели случая доказва общото впечатление, че правосъдната система е майка за едни, но мащеха за други. И ни връща към темата за възстановителното правосъдие, което, уви, е почти невъзможен инструмент в среда с все по-голям дефицит на хуманност.
В новия си разговор за здравеопазването Надежда Цекулова ни запознава както с д-р Антоанета Тончева, така и с проблемите с достъпа до медицински храни в България. В интервюто се разказва за дългогодишните усилия на лекари, пациенти, семействата им и няколко граждански организации, които успяват да обърнат ситуацията у нас от „тук няма нищо“ до това НЗОК да включи по-тежките форми на малнутриция в списъка със заболявания, за които се заплащат терапии.
Преходът от здравеопазване към научни новини би трябвало да е някак естествен. Още повече че Михаил Ангелов тази седмица е подготвил много интересен материал, пълен с прелюбопитни теми. Дали наистина знаете какво гледат слънчогледите, следвайки слънцето? Понеже се оказва, че това не е толкова очевидно, както и някои детайли около изчезването на динозаврите. А знаете ли за кризата на възпроизводимостта в науката или как ще се борим със застрашаващи ни астероиди? Всичко това ще научите в най-новия текст в рубриката ни „Научни новини“.
Тазседмичната ни препоръка в „На второ четене“ е някак едновременно в политиката и литературата, по същия начин, по който самата книга е едновременно литература и журналистика. Стефан Иванов ни връща към пътешествието на полския репортер Яцек Хуго-Бадер от Варшава до Владивосток, описано в солидното му изследване „Алкохолен делир“ с подзаглавие „Литературни репортажи за Русия от XXI век“. Текстът на Стефан е много интересен и затова не бих искал да издавам нищо повече за него. Но споделям напълно оценката, че адски много липсват такива книги и такива репортажи за България.
И разбира се, накрая една голяма изненада. Нева Мичева се завръща на (уеб)страниците на „Тоест“ със страхотен материал за нов музей в Барселона, който показва над 200 цензурирани и заклеймени творби. А Нева ни разхожда задочно сред експозицията, споделяйки толкова много детайли, че проследяването им ще ви разкаже със сигурност неща, които не сте знаели. Не пропускайте препратките в нейните текстове. Никога!
Приятно четене!
Post Syndicated from Raghu Kuppala original https://aws.amazon.com/blogs/big-data/use-custom-domain-names-with-amazon-redshift/
Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. With Amazon Redshift, you can analyze all your data to derive holistic insights about your business and your customers.
Amazon Redshift now supports custom URLs or custom domain names for your data warehouse. You might want to use a custom domain name or CNAME (Canonical Name) for the following reasons:
In this post, we discuss how you can modify your data warehouse to use custom domain names and how to connect to a data warehouse that has been configured with a custom URL.
To get started, you need a registered domain name. You can use Amazon Route 53 or a third-party domain registrar to register a domain.
You also need a validated Secure Sockets Layer (SSL) certificate for your custom endpoints. This is to verify ownership of the domain name and secure communication. You can use AWS Certificate Manager (ACM) to provision, manage, and deploy public SSL/TLS certificates. You need to use verify-full mode, which ensures that the connections are encrypted and verifies that the hostname of the server matches the hostname in the certificate.
Lastly, you need to attach the necessary permissions to the AWS Identity and Access Management (IAM) role that’s assigned to the relevant users and groups that will manage your Redshift data warehouse. These vary depending on if you’re using Amazon Redshift provisioned or Amazon Redshift Serverless. The permissions needed for the required actions are listed in the following table.
| Action | IAM Permission | |
| Redshift Provisioned | Redshift Serverless | |
| Create custom domain for datawarehouse |
redshift:CreateCustomDomainAssociation acm:DescribeCertificate |
redshiftServerless:CreateCustomDomainAssociation acm:DescribeCertificate |
| Renaming cluster that has custom domain name | acm:DescribeCertificate | Not needed |
| Changing certificate for association |
redshift:ModifyCustomDomainAssociation acm:DescribeCertificate |
redshiftServerless:UpdateCustomDomainAssociation acm:DescribeCertificate |
| Deleting custom domain | redshift:DeleteCustomDomainAssociation | redshiftServerless:DeleteCustomDomainAssociation |
| Connecting to the data warehouse using custom domain name | redshift:DescribeCustomDomainAssociations | Not needed |
The following screenshot shows an example of creating an IAM policy on the IAM console.
The custom domain name typically includes the root domain and a subdomain, like mycluster.mycompany.com. You can either register a new root domain or use an existing one. For more information about registering a new domain with Route 53, refer to Registering a new domain.
After you set that up, you can add a DNS record that points your custom CNAME to the Redshift endpoint. You can find the data warehouse endpoint on the Amazon Redshift console on the cluster detail page.
The following screenshot illustrates locating a provisioned endpoint.
The following screenshot illustrates locating a serverless endpoint.
Now that you have created the CNAME entry, you can request a certificate from ACM. Complete the following steps:
The status should be Issued.
Now that you have created the CNAME record and certificate, you can create the custom domain URL for your Redshift cluster using the Amazon Redshift console.
To create a custom domain for a provisioned instance, complete the following steps:
You should now have a custom domain name associated to your provisioned data warehouse. The custom domain name and custom domain certificate ARN values should now be populated with your entries.
Note that sslmode=verify-full will only work for the new custom endpoint. You can’t use this mode with the default endpoint; you can connect to the default endpoint by using other SSL modes like sslmode=verify-ca.
To create a custom domain for a serverless instance, complete the following steps:
You should now have a custom domain name associated to your serverless workgroup. The custom domain name and custom domain certificate ARN values should now be populated with your entries.
Note that, as with a provisioned instance, sslmode=verify-full will only work for the new custom endpoint. You can’t use this mode with the default endpoint; you can connect to the default endpoint by using other SSL modes like sslmode=verify-ca.
You can now connect to your cluster using the custom domain name. The JDBC URL would be similar to jdbc:redshift://prefix.rootdomain.com:5439/dev?sslmode=verify-full, where prefix.rootdomain.com is your custom domain name and dev is the default database. Use your preferred editor to connect to this URL using your user name and password.
To update the certificate association using the Amazon Redshift console, navigate to your provisioned cluster details page and on the Actions menu, choose Edit custom domain name. Update the domain name and ACM certificate, then choose Save changes.
To change the cluster’s ACM certificate associated to the custom domain using the AWS Command Line Interface (AWS CLI), use the following command:
To update the certificate using the Amazon Redshift console, navigate to your serverless workgroup details page and on the Actions menu, choose Edit custom domain name. Update the domain name and ACM certificate, then choose Save changes.
To change the serverless workgroup’s ACM certificate associated to the custom domain using the AWS CLI, use the following command:
To delete your custom domain, navigate to the provisioned cluster details page. On the Actions menu, choose Delete custom domain name. Enter delete to confirm, then choose Delete.
To use the AWS CLI, use the following code:
To delete your custom domain, navigate to the serverless workgroup details page. On the Actions menu, choose Delete custom domain name. Enter delete to confirm, then choose Delete.
To use the AWS CLI, use the following code:
In this post, we discussed the benefits of using custom domain names for your Redshift data warehouse and the steps needed to associate a custom domain name with the Redshift endpoint. For more information, refer to Using a custom domain name for client connections.
Raghu Kuppala is an Analytics Specialist Solutions Architect experienced working in the databases, data warehousing, and analytics space. Outside of work, he enjoys trying different cuisines and spending time with his family and friends.
Sam Selvan is a Principal Analytics Solution Architect with Amazon Web Services.
Yanzhu Ji is a Product Manager in the Amazon Redshift team. She has experience in product vision and strategy in industry-leading data products and platforms. She has outstanding skill in building substantial software products using web development, system design, database, and distributed programming techniques. In her personal life, Yanzhu likes painting, photography, and playing tennis.
Nikhitha Loyapally is a Senior Software Development Engineer for Amazon Redshift.
Post Syndicated from Explosm.net original https://explosm.net/comics/spiders
New Cyanide and Happiness Comic
Post Syndicated from Eric Johnson original https://aws.amazon.com/blogs/compute/introducing-support-for-read-only-management-events-in-amazon-eventbridge/
This post is written by Pawan Puthran, Principal Specialist TAM, Serverless and Heeki Park, Principal Solutions Architect, Serverless
Today, AWS is announcing support for read-only management events in Amazon EventBridge. This feature enables customers to build rich event-driven responses from any action taken on AWS infrastructure to detect security vulnerabilities or identify suspicious activity in near real-time. You can now gain insight into all activity across all your AWS accounts and respond to those events as is appropriate.
EventBridge is a serverless event bus used to decouple event producers and consumers. Event producers publish events onto an event bus, which then uses rules to determine where to send those events. The rules determine the downstream targets that receive and process the events, and EventBridge routes the events accordingly.
EventBridge allows customers to monitor, audit, and react, in near real-time, to changes in their AWS environments through events generated by AWS CloudTrail for AWS API calls. CloudTrail records actions taken by a user, role, or an AWS service as events in a trail. Events include actions taken in the AWS Management Console, AWS Command Line Interface (CLI), and AWS SDKs and APIs.
Previously, only mutating API calls are published from CloudTrail to EventBridge for control plane changes. Events for mutating API calls include those that create, update, or delete resources. Control plane changes are also referred to as management events. EventBridge now supports non-mutating or read-only API calls for management events at no additional cost. These include those that list, get, or describe resources.
CloudTrail events in EventBridge enable you to build rich event-driven responses from any action taken on AWS infrastructure in real time. Previously, customers and partners often used a polling model to iterate over a batch of CloudTrail logs from Amazon S3 buckets to detect issues, making it slower to respond. The launch of read-only management events enables you to detect and remediate issues in near real-time and thus improve the overall security posture.
You can start receiving read-only management events if a CloudTrail is configured in your account and if the event selector for that CloudTrail is configured with ReadWriteType of either All or ReadOnly. This ensures that the read-only management events are logged in the CloudTrail and are then passed to EventBridge.
For example, you can receive an alert if a production account lists resources from an IP address outside of your VPC. Another example could be if an entity, such as a principal (AWS account root user, IAM role, or IAM user), calls the ListInstanceProfilesForRole or DescribeInstances APIs without any prior record of doing so. A malicious actor could use stolen credentials for conducting this reconnaissance to find more valuable credentials or determine the capabilities of the credentials they have.
To enable read-only management events with an EventBridge rule, in addition to the existing mutating events, use the new ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS state when creating the rule.
Resources:
SampleMgmtRule:
Type: 'AWS::Events::Rule'
Properties:
Description: 'Example for enabling read-only management events'
State: ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS
EventPattern:
source:
- aws.s3
detail:
- AWS API Call via CloudTrail
Targets:
- Arn: 'arn:aws:sns:us-east-1:123456789012:notificationTopic'
Id: 'NotificationTarget'
You can also create a rule on an event bus to specify a particular API action by using the eventName attribute under the detail key:
aws events put-rule --name "SampleTestRule" \
--event-pattern '{"detail": {"eventName": ["ListBuckets"]}}' \
--state ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS --region us-east-1
The following section describes a couple of the scenarios where you can set up EventBridge rules and take actions on non-mutating or read-only management events.
Consider the security team of your organization that wants a notification whenever GetSecretValue API calls for AWS Secrets Manager are made through the CLI. They can then investigate if these calls are made by entities outside their organization or by an unauthorized user and take corrective actions to deny such requests.
When the application calls the GetSecretValue API to retrieve the secrets via a CLI, it generates an event like this:
{
"version": "0",
"id": "d3368cc1-e6d6-e4bf-e58e-030f03b6eae3",
"detail-type": "AWS API Call via CloudTrail",
"source": "aws.secretsmanager",
"account": "111111111111",
"time": "2023-11-08T19:58:38Z",
"region": "us-east-1",
"resources": [],
"detail": {
"eventVersion": "1.08",
"userIdentity": {
"type": "IAMUser",
"principalId": "AAAAAAAAAAAAA",
"arn": "arn:aws:iam:: 111111111111:user/USERNAME"
// ... additional detail fields
},
"eventTime": "2023-11-08T19:58:38Z",
"eventSource": "secretsmanager.amazonaws.com",
"eventName": "GetSecretValue",
"awsRegion": "us-east-1",
"userAgent": "aws-cli/2.13.15 Python/3.11.4 Darwin/22.6.0 exe/x86_64 prompt/off command/secretsmanager.get-secret-value"
// ... additional detail fields
}
}You set the following event pattern on the rule to filter incoming events to specific consumers. This example also uses the recently launched wildcard filter for event matching.
{
"source": [
"aws.secretsmanager"
],
"detail-type": [
"AWS API Call via CloudTrail"
],
"detail": {
"eventName": [
"GetSecretValue"
],
"userAgent": [
{
"wildcard": "aws-cli/*"
}
]
}
}You can create a rule matching a combination of these event properties. In this case, you are matching for aws.secretsmanager as source, AWS API Call via CloudTrail as detail-type, GetSecretValue as detail.eventName and wildcard pattern on detail.userAgent for aws-cli/*. You can filter detail.userAgent with a wildcard to catch events that come from a particular application or user.
You can then route these events to a target like an Amazon CloudWatch Logs stream to record the change. You can also route them to Amazon SNS to get notified via email subscription. You can alternatively route them to an AWS Lambda function in which you perform custom business logic.
aws events put-rule --name "monitor-secretsmanager" \
--event-pattern '{"source": ["aws.secretsmanager"], "detail-type": ["AWS API Call via CloudTrail"], "detail": {"eventName": ["GetSecretValue"], "userAgent": [{ "wildcard": "aws-cli/*"} ]}}' \
--state ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS --region us-east-1
Rule details
aws events put-targets --rule monitor-secretsmanager --targets Id=1,Arn=arn:aws:logs:us-east-1:ACCOUNT_ID:log-group:/aws/events/getsecretvaluelogs --region us-east-1
Target details
You can then use CloudWatch Log Insights to search and analyze log data using the CloudWatch Log Insights query syntax where you can retrieve the user who performed these calls.
Consider the security or data perimeter team who wants to secure data residing in Amazon S3 buckets. The team requires notifications whenever API calls to list S3 buckets or to list S3 objects are made.
When a user or application calls the ListBuckets API to discover the available buckets, it generates the following CloudTrail event:
{
"version": "0",
"id": "345ca690-6510-85b2-ff02-090493a33cf1",
"detail-type": "AWS API Call via CloudTrail",
"source": "aws.s3",
"account": "111111111111",
"time": "2023-11-14T17:25:30Z",
"region": "us-east-1",
"resources": [],
"detail": {
"eventVersion": "1.09",
"userIdentity": {
"type": "IAMUser",
"principalId": "principal-identity-uuid",
"arn": "arn:aws:iam::111111111111:user/exploited-user",
"accountId": "111111111111",
"accessKeyId": "AAAABBBBCCCCDDDDEEEE",
"userName": "exploited-user"
},
"eventTime": "2023-11-14T17:25:30Z",
"eventSource": "s3.amazonaws.com",
"eventName": "ListBuckets",
"awsRegion": "us-east-1",
"sourceIPAddress": "11.22.33.44",
"userAgent": "[aws-cli/2.13.29 Python/3.11.6 Darwin/22.6.0 exe/x86_64 prompt/off command/s3api.list-buckets]",
"requestParameters": {
"Host": "s3.us-east-1.amazonaws.com"
},
"readOnly": true,
"eventType": "AwsApiCall",
"managementEvent": true
// additional detail fields
}
}In this scenario, you can create an EventBridge rule matching for aws.s3 for the source field, and ListBuckets for the eventName.
{
"source": [
"aws.s3"
],
"detail-type": [
"AWS API Call via CloudTrail"
],
"detail": {
"eventName": [
"ListBuckets "
]
}
}However, listing objects alone might only be the beginning of a potential data exfiltration attempt. You may also want to check for ListObjects or ListObjectsV2 as the next action, followed by a large number of GetObject API calls. You can create the following rule to match those actions.
{
"source": [
"aws.s3"
],
"detail-type": [
"AWS API Call via CloudTrail"
],
"detail": {
"eventName": [
"ListObjects",
"ListObjectsV2",
"GetObject"
]
}
}You could potentially forward this log information to your central security logging solution or use anomaly detection machine learning models to evaluate these events to determine the appropriate response to these events.
You can also create rules to receive the read-only events to cross account or cross-Region to centralize your AWS events into one Region or one AWS account for auditing and monitoring purposes. For example, capture all workload events from multiple Regions in eu-west-1 for compliance reporting.
Cross Account example for default event bus and custom event bus
To do this, create a rule using the new ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS state on the default bus of the source account or the Region, targeting either default event bus or a custom event bus of the target account or Region. You must also ensure you have a rule configured with ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS to be able to invoke the targets in the destination account or Region.
Cross-Region setup for CloudTrail read-only events
This blog shows how customers can build rich event-driven responses with the newly launched support for read-only events. You can now observe events as potential signals of reconnaissance and data exfiltration activities from any action taken on AWS infrastructure in near real time. You can also use the cross-Region and cross-account functionality to deliver the read-only events to a centralized AWS account or Region, enhancing the capability for auditing and monitoring across all your AWS environments.
For more serverless learning resources, visit Serverless Land.