Multi-account, multicloud, and hackers want your keys!
Jun 08, 2023 • 5 Minute Read
This week, we’ve got another slice of piping hot AWS news straight from the oven. Transit Gateway Network Manager goes multi-account, AWS DataSync goes multicloud — sort of, and a timely reminder that hackers desperately want your AWS access keys. Let's get into the AWS news this week.
AWS DataSync goes multicloud
Well, it's not often that AWS even acknowledges the likes of Azure or GCP, but that’s just what happened this week. AWS DataSync can now count Google Cloud Storage and Azure Files storage as potential endpoints — allowing you to use the managed service to shuffle data between even more locations.
Now before you get all excited that AWS has finally come around to the multicloud lifestyle, you should know this support isn’t exactly native. AWS DataSync uses GCP’s S3-compatible API to access Google Cloud Storage and uses the existing SMB protocol to access Azure Files.
As of press time, details on how this all might work aren’t very clear, so I can’t vouch for how well or how wonky it might be. But to paraphrase Lloyd Christmas, it does seem like AWS is telling us there’s a (multi)cloudy chance.
Transit Gateway Network Manager goes multi-account
Good news this week for those who manage large multi-account networks on AWS. AWS Transit Gateway Network Manager now supports multiple accounts within organizations created using AWS Organizations. This now gives us the ability to have one consolidated Network Manager dashboard across all our accounts versus having to hop from account to account.
This unification also includes CloudWatch metrics and events to watch over your global networking empire for any funny business. And yes, you can now see all your networks across all accounts on a single global geographic map, which no doubt will be projected onto a 7-foot screen in your network operations center for no other practical reason than to impress people during data center tours.
“Repo jacking” steals AWS keys
In the “Don't we have enough to worry about” category this week, a popular Python package ctx and a PHP package called Phpass were hacked in an apparent effort to steal environment variables, including AWS keys, and exfiltrate them to a Heroku URL under the perpetrator’s control.
The attacker used a method called repo jacking, whereby someone gains unauthorized access to a legitimate repo and can insert malicious code into a new version. It only took a few hours for security researchers to notice the anomaly, but an estimated twenty thousand versions of the hacked code had already been downloaded. This attack vector is particularly sneaky in that many will blindly upgrade a library or package whenever a new version gets released.
How can we defend against something like this?
Well, one measure is to lock your libraries into specific versions, so you control when and how they update. Where possible, use IAM roles instead of access keys and lock down outbound traffic to only trusted destinations — which probably would have mitigated this particular attack. But, at a bare minimum, if you haven’t yet enabled CloudTrail logging, do it now! No, I’m serious. Stop reading this and go enable it now — then come back, of course.
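The first measure above, locking libraries to specific versions, is easy to state and easy to get wrong in a requirements file. The following Python script is an added example, not code from the post or from ACG: it audits a pip requirements.txt and reports which entries would silently float to a newly published release (no specifier, a range such as `>=` or `~=`, or a wildcard pin) versus which are pinned to one exact version, and whether a pinned entry also carries a `--hash=` so a replaced upload of the same version would be rejected. The sample requirements text, package names and versions are constructed for the demo and are not taken from the post.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample requirements.txt for the demo (not from the post; the
# package names, versions and hash are arbitrary and illustrate each case).
SAMPLE_REQUIREMENTS = """\
# constructed example requirements.txt
requests==2.31.0 \\
    --hash=sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
boto3==1.26.0        # pinned, but no hash: a replaced upload of 1.26.0 would not be caught
ctx>=0.1             # floats to whatever the index serves next
flask                # no specifier at all
numpy~=1.24
-e git+https://example.invalid/org/repo.git#egg=somepkg
pyyaml==6.0; python_version < "3.12"
"""


@dataclass
class Finding:
    line_no: int          # first physical line of the logical requirement
    requirement: str      # logical line after joining continuations, minus comments
    name: str | None      # package name, or None for options/URLs/paths
    status: str           # "pinned+hash", "pinned", "unpinned", "non-index", "unparsed"
    reason: str


# pip treats '#' as a comment only at line start or after whitespace, so a
# URL fragment such as '#egg=' survives this regex.
_COMMENT_RE = re.compile(r"(^|\s)#.*$")
# name, optional [extras], then whatever version specifier follows
_SPEC_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?(.*)$")
# exactly one '==' clause with a concrete version; '==1.*' wildcards do not match
_EXACT_PIN_RE = re.compile(r"^==\s*[0-9A-Za-z.!+-]+$")


def _logical_lines(text: str):
    """Yield (first_line_no, logical_line): join backslash continuations the way
    pip does, strip comments, and skip blank lines."""
    buf, start = "", 0
    for idx, raw in enumerate(text.splitlines(), start=1):
        if not buf:
            start = idx
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf += stripped[:-1] + " "
            continue
        logical = _COMMENT_RE.sub("", buf + stripped).strip()
        buf = ""
        if logical:
            yield start, logical
    if buf.strip():  # file ended on a continuation line
        yield start, _COMMENT_RE.sub("", buf).strip()


def classify(requirement: str) -> tuple[str, str | None, str]:
    """Return (status, name, reason) for one logical requirements line."""
    if requirement.startswith(("-", "http://", "https://", "git+", "file:", "/", ".")):
        return "non-index", None, "option, URL or local path; check how it is resolved"
    spec_part = requirement.split(";", 1)[0].strip()   # drop environment markers
    spec, *options = spec_part.split()
    has_hash = any(opt.startswith("--hash=") for opt in options)
    m = _SPEC_RE.match(spec)
    if not m:
        return "unparsed", None, f"could not parse {spec!r}"
    name, _extras, version_spec = m.groups()
    version_spec = version_spec.strip()
    if not version_spec:
        return "unpinned", name, f"{name} has no version specifier; any release installs"
    if not _EXACT_PIN_RE.match(version_spec):
        return "unpinned", name, f"{name} uses {version_spec}; a new release installs automatically"
    if has_hash:
        return "pinned+hash", name, f"{name} pinned and hash-checked"
    return "pinned", name, f"{name} pinned to one version but without --hash"


def audit(text: str) -> list[Finding]:
    return [Finding(n, req, *classify(req)[1:2], classify(req)[0], classify(req)[2])
            for n, req in _logical_lines(text)]


def unpinned_packages(text: str) -> list[str]:
    """Names of entries that would pick up a newly published version on the next install."""
    return [f.name for f in audit(text) if f.status == "unpinned" and f.name]


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS):
        print(f"line {f.line_no:>2}  {f.status:<12} {f.reason}")
    print("floating:", unpinned_packages(SAMPLE_REQUIREMENTS))
```

Run it against a real requirements file by replacing `SAMPLE_REQUIREMENTS` with the file's contents. Pinning alone only freezes the version string; pairing every pin with a `--hash=` and installing with `pip install --require-hashes -r requirements.txt` makes pip refuse an artifact whose contents changed under the same version, which is the case a hijacked release creates. Entries reported as `non-index` (editable installs, URLs, local paths, `-r` includes) need a separate look, since the script does not follow them.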
As we wrap up, just a little tidbit for those riding the EC2 train: you can now add Stop Protection to your instances to protect them from unintentional stop actions from the console, CLI, or API. Might be a handy little feature to keep an EC2 instance from being stopped or terminated on you in the case of a CloudFormation delete or automated cost control measures. That, my friends, is all the AWS news fit to print this week.