Securing and Rotating WordPress Database Credentials with AWS Secrets Manager

AWS Secrets Manager is a simple and powerful way to handle secrets (such as database username/password credentials). It provides support for storing, retrieving, managing, and rotating credentials at an affordable cost (currently $0.40 per secret per month). However, it’s not terribly easy to use with WordPress. I have not been able to find any documentation … Continue reading Securing and Rotating WordPress Database Credentials with AWS Secrets Manager

AWS Secrets Manager Rotation in CloudFormation

I found AWS’s documentation for how to setup Secrets Manager secret rotation in CloudFormation to be severely lacking as no AWS documentation explains how to use the secret rotation templates provided by AWS within CloudFormation. Automating Secret Creation in AWS CloudFormation gives an example of how to setup the CloudFormation resources for the secret and … Continue reading AWS Secrets Manager Rotation in CloudFormation

Using Dynamic References to AWS Systems Manager Parameter Store Secure Strings with Elastic Beanstalk

Dynamic references in CloudFormation to secure strings are very handy, providing a simple way to keep secrets (such as passwords) secure. However, SSM Secure String Parameters are only supported in a limited set of places and Elastic Beanstalk environment variables are not one of them (feature request for adding support). Therefore, if you want to … Continue reading Using Dynamic References to AWS Systems Manager Parameter Store Secure Strings with Elastic Beanstalk

Improve Security and Reduce Costs with AWS SSM Session Manager

AWS recently enhanced its Systems Manager offering with shell access to EC2 instances and then they enhanced it further with SSH tunnel support. With these improvements, it’s now possible to improve your application’s security posture while reducing it’s operational costs and simplifying setup/maintenance. Systems Manager vs Bastion Hosts Minimizing the attack surface, simplifying as much … Continue reading Improve Security and Reduce Costs with AWS SSM Session Manager

Improve Security with Mount Options

“Defense in Depth” is a key concept of information security; if an attacker can get through one security control, there should be others waiting to thwart him. Mount options are an oftentimes overlooked way to implement defense in depth which are easy to implement, simple to understand, and widely applicable to many situations. The directory … Continue reading Improve Security with Mount Options

Trusting AWS RDS Certificates in Docker and Beanstalk

To connect to AWS RDS databases using TLS/SSL, the client must trust the certificate provided by RDS; RDS doesn’t use certificates trusted by the CAs (Certificate Authorities) included by operating systems. Without TLS/SSL, the connection to the database isn’t secure, meaning an attacker on the network between the client (running in EC2) and the database … Continue reading Trusting AWS RDS Certificates in Docker and Beanstalk

End to End Encryption with Beanstalk

Beanstalk is often configured to terminate SSL at the load balancer then make the connection to the web server/application instances using unencrypted HTTP. That’s usually okay as the AWS network is designed to keep such traffic private, but under certain conditions, such as those requiring PCI compliance, DoD/government rules, or simply out of an abundance … Continue reading End to End Encryption with Beanstalk

DNSSEC on OpenWrt 18.06, 19.07, and 21.01

DNSSEC ensures that the results of DNS queries (for DNSSEC enabled domains) are authentic. For example, integralblue.com uses DNSSEC, so if an attacker (using a man in the middle or spoofing attack) changes the IP address that www.integralblue.com resolves to, then a DNS resolver supporting DNSSEC will be able to tell and return an error. … Continue reading DNSSEC on OpenWrt 18.06, 19.07, and 21.01

DNS Over TLS on OpenWrt 18.06, 19.07, and 21.01

DNS over TLS encrypts DNS queries so no one between you and the DNS server you’re using (which, by default using these steps, will be Cloudflare’s 1.1.1.1), can tell what DNS queries/responses are being exchanged. DNS over TLS provides confidentiality but not integrity or authenticity. For those, you need to setup DNSSEC which I’ve described … Continue reading DNS Over TLS on OpenWrt 18.06, 19.07, and 21.01

Spring Boot, HTTPS required, and Elastic Beanstalk health checks

Spring Boot can be very easily configured to require HTTPS for all requests. In application.properties, simply set security.require-ssl=true And that works great – until you’re running the Spring Boot application on AWS Elastic Beanstalk with both HTTP and HTTPS listeners: In that case, Elastic Beanstalk’s health check is always done over HTTP. The configuration page … Continue reading Spring Boot, HTTPS required, and Elastic Beanstalk health checks