https://www.latacora.com/categories/infrastructure-security/Recent content in Infrastructure Security on LatacoraHugo -- gohugo.ioen-usTue, 27 Jan 2026 15:00:00 -0600https://www.latacora.com/blog/2026/01/27/aws-advanced-tier-status/Tue, 27 Jan 2026 15:00:00 -0600https://www.latacora.com/blog/2026/01/27/aws-advanced-tier-status/<p>We are thrilled to announce a major milestone for Latacora: we have achieved the <strong>Amazon Web Services (AWS) Advanced Tier Services Partner status</strong> within the AWS Partner Network (APN).</p> <p>This designation reflects Latacora’s technical expertise and diligence in delivering exceptional cloud security and compliance solutions to our clients, and confirms that we have successfully completed a rigorous validation process demonstrating a proven track record of customer success delivered by a team of AWS-certified professionals with specialized technical capabilities.</p>https://www.latacora.com/blog/2025/10/02/ecs-on-ec2-covering-gaps-in-imds-hardening/Thu, 02 Oct 2025 11:18:59 -0700https://www.latacora.com/blog/2025/10/02/ecs-on-ec2-covering-gaps-in-imds-hardening/<h2 id="introduction" class="heading-with-anchor"> <a href="#introduction" class="heading-anchor-link" aria-label="Link to Introduction"> Introduction <span class="heading-anchor-icon" aria-hidden="true">#</span> </a> </h2> <p>AWS ECS is a widely-adopted service across industries. To illustrate the scale and ubiquity of this service, over 2.4 billion Amazon Elastic Container Service tasks are launched every week (<a href="https://containersonaws.com" target="_blank" rel="noopener noreferrer">source</a>) and over 65% of all new AWS containers customers use Amazon ECS (<a href="https://www.youtube.com/watch?v=C7HUkG_tu90" target="_blank" rel="noopener noreferrer">source</a>).</p> <p>There are two primary <a href="https://docs.aws.amazon.com/AmazonECS/latest/developerguide/launch_types.html" target="_blank" rel="noopener noreferrer">launch types</a> for ECS: Fargate and EC2. The choice between them depends on <a href="https://containersonaws.com/blog/2023/ec2-or-aws-fargate/" target="_blank" rel="noopener noreferrer">factors</a> like <a href="https://aws.amazon.com/blogs/containers/theoretical-cost-optimization-by-amazon-ecs-launch-type-fargate-vs-ec2/" target="_blank" rel="noopener noreferrer">cost</a>, performance, operational overhead, and the variability of your workload.</p>https://www.latacora.com/blog/2025/09/22/introducing-replik8s/Mon, 22 Sep 2025 12:00:00 -0400https://www.latacora.com/blog/2025/09/22/introducing-replik8s/<h2 id="introduction" class="heading-with-anchor"> <a href="#introduction" class="heading-anchor-link" aria-label="Link to Introduction"> Introduction <span class="heading-anchor-icon" aria-hidden="true">#</span> </a> </h2> <p>Security tools are often designed to highlight specific issues by consuming APIs and applying predefined logic. Each tool implements its own data structures, storage formats, and evaluation logic. While effective in narrow contexts, this approach creates challenges for teams managing a diverse toolset. Moreover, most tools are optimized to fetch only the data needed for specific findings, limiting their utility in broader contexts such as incident response or historical analysis.</p>https://www.latacora.com/blog/2024/09/13/datomic-and-content-addressable-techniques/Fri, 13 Sep 2024 12:00:00 -0500https://www.latacora.com/blog/2024/09/13/datomic-and-content-addressable-techniques/<p>Latacora collects and analyzes data about services our clients use. You may have read about <a href="https://www.latacora.com/blog/2023/11/01/our-approach-to-building-security-tooling/" target="_self" rel="">our approach to building security tooling</a>, but the tl;dr is we make requests to all the (configuration metadata) read-only APIs available to us and store the results in S3. We leverage the data to understand our clients' infrastructure and identify security issues and misconfigurations. We retain the files (&ldquo;snapshots&rdquo;) to support future IR/forensics efforts.</p> <p>This approach has served us well, but the limited scope of a snapshot meant there was always a problem of first needing to figure out which files to look at. We love <code>aws s3 sync</code> and <code>grep</code> as much as anyone but security analysis requires looking for complex relationships between resources; text search is, at best, only a Bloom filter. What we really wanted was a performant way to ask any question across all the data we have for a client that would support complex queries using logic programming.</p>https://www.latacora.com/blog/2021/08/11/remediating-aws-imdsv1/Wed, 11 Aug 2021 12:16:23 -0400https://www.latacora.com/blog/2021/08/11/remediating-aws-imdsv1/<p><em>2024-12-17 Updated to include <a href="#declarative-policies" target="_self" rel="">Declarative Policies</a></em></p> <p>Compute resources in AWS (for example, EC2 instances, ECS tasks/services, etc.) get access to AWS credentials, such as temporary instance role credentials, via the <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html" target="_blank" rel="noopener noreferrer">Instance Metadata Service (IMDS)</a>. The compute resources use these credentials to access other AWS services such as SQS, DynamoDB and Secrets Manager.</p> <h2 id="introduction-problems-with-imdsv1" class="heading-with-anchor"> <a href="#introduction-problems-with-imdsv1" class="heading-anchor-link" aria-label="Link to Introduction: Problems with IMDSv1"> Introduction: Problems with IMDSv1 <span class="heading-anchor-icon" aria-hidden="true">#</span> </a> </h2> <p>There was originally only one version of IMDS, now called &ldquo;v1,&rdquo; which unfortunately many people still use. The technical risks and high profile incidents (the Capital One breach comes to mind) associated with v1, as well as the existence of <a href="https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/" target="_blank" rel="noopener noreferrer">v2</a> are well-documented. When an application hosted on an EC2 instance is vulnerable to <a href="https://owasp.org/www-community/attacks/Server_Side_Request_Forgery" target="_blank" rel="noopener noreferrer">SSRF</a>, <a href="https://owasp.org/www-community/vulnerabilities/XML_External_Entity_%28XXE%29_Processing" target="_blank" rel="noopener noreferrer">XXE</a> or <a href="https://owasp.org/www-community/attacks/Code_Injection" target="_blank" rel="noopener noreferrer">RCE</a>, attackers can likely steal the temporary AWS credentials of the <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html" target="_blank" rel="noopener noreferrer">IAM role</a> configured for the instance. This service is a particularly interesting target for attackers:</p>https://www.latacora.com/blog/2018/05/29/gripes-with-google-groups/Tue, 29 May 2018 17:14:00 -0400https://www.latacora.com/blog/2018/05/29/gripes-with-google-groups/<p>If you&rsquo;re like me, you think of Google Groups as the Usenet client turned mailing list manager. If you&rsquo;re a GCP (Google Cloud Platform) user or maybe one of a handful of SAML (Security Assertion Markup Language) users you probably know Google Groups as an access control mechanism. The bad news is we&rsquo;re both right.</p> <p>This can blow up if permissions on those groups aren&rsquo;t set right. Your groups were probably originally created by a sleep-deprived founder way before anyone was worried about access control. It’s been lovingly handcrafted and never audited ever since. Let’s say their configuration is, uh, “inconsistent”. If an administrator adds people to the right groups as part of their on-boarding, it’s not obvious when group membership is secretly self-service. Even if someone can’t <em>join</em> a group, they might still be able to read it.</p>