Active Notes from AWS re:Invent 2015 | (SEC308) Wrangling Security Events in The Cloud – Try this at home

These are active notes from AWS re:Invent 2015 | (SEC308) Wrangling Security Events in The Cloud. I’m re-watching the video and following along with the steps discussed in the talk and implementing them as a learning exercise.

Updates <2015-10-24 Sat>
Add bits about using CloudFormation, Templates, and CloudWatch alarms

1 Do These Things

1.1 DONE Sign up a free-tier AWS account

I set up an AWS Free Tier account to follow along and re-implement the exercises described as a learning process.

1.2 DONE Do initial setup of non-root users using IAM

Consider this:

I did the following (basic steps, not step-by-step):

  • Created two users
  • Assigned admin access policy to one of them
  • set passwords for both
  • enable access to billing for account
  • enable MFA on root account
  • Create a “users” group, assign one user to the group (for now the group “users” has admin acccess)

1.3 DONE Turn On CloudTrail

… to be continued …

1.4 DONE Stand up a wordpress blog stack with cloudformation

  • select default wordpress template
  • generate keypairs if needed
  • Fill out parameters
  • launch

1.5 DONE Turn on CloudWatchLogs

Video at 8:12 Cloud Watch Logs

1.6 DONE Using an AWS CloudFormation Template to Create CloudWatch Alarms

Do this:

to set up alerting for:

The example template defines metric filters that monitor creation and deletion of, or updates to, security groups, network ACLs, internet gateways, Amazon EC2 instances, and IAM policies. For each filter, the template describes a corresponding alarm that enables to you to receive email notifications when a call to one of the APIs being monitored by the filter is made.

See for details.

This will send notifications (email, SNS, whatever) when specific events related to an account occur.

1.7 DONE Create versioned files in S3

  • Go to S3 in the console
  • Create a folder
  • Versioning
  • upload a file
  • upload a modified version of the file

1.8 DONE Install, configure and test the aws command line tools

sudo pip install awscli
complete -C aws_completer
aws configure
#    AWS Access Key ID: foo
# AWS Secret Access Key: bar
# Default region name [us-west-2]: us-east-1
# Default output format [None]:
   george@octo $ aws iam list-users 
    "Users": [
            "UserName": "george", 
            "PasswordLastUsed": "2015-10-25T08:27:03Z", 
            "CreateDate": "2015-10-14T22:21:17Z", 
            "UserId": "xxxAIPTQ2UR42GYKHUyyy", 
            "Path": "/", 
            "Arn": "arn:aws:iam::zzz852060zzz:user/george"
            "UserName": "gmj", 
            "Path": "/", 
            "CreateDate": "2015-10-14T22:21:17Z", 
            "UserId": "xxxAIOW2BLABYLSLBOyyy", 
            "Arn": "arn:aws:iam::zzz852060zzz:user/gmj"

1.9 DONE list objects in a bucket, versions, and copy an older version to the current name

I’ve created an S3 bucket called and placed a signle file,, in it. Versioning is turned on for the bucket. The commands below list the objects in the bucket, list the versions (output omitted) and copy a specific version of to

george@octo $ aws s3api list-objects --bucket
    "CommonPrefixes": [], 
    "Contents": [
            "LastModified": "2015-10-24T12:32:57.000Z", 
            "ETag": "\"8b911a67d3bc10d617e7b0295e95b70d\"", 
            "StorageClass": "STANDARD", 
            "Key": "", 
            "Owner": {
                "DisplayName": "gmj", 
                "ID": "b640606004e307d81b7227699470f08f3ca828698f7e3875173115b886ec9224"
            "Size": 57061
george@octo $ aws s3api list-object-versions --bucket

$ aws s3api copy-object --bucket --copy-source --key
    "CopySourceVersionId": "UoFiJ.2kprX7K8myCVgCZf3CJr2k0O2P", 
    "CopyObjectResult": {
        "LastModified": "2015-10-25T09:45:16.000Z", 
        "ETag": "\"83f36e9186453794c3c20f3f6125b797\""
    "VersionId": "uXbcrYX20otfsat7705EwxtXv6DTxfhE"

1.10 DONE Look at cli s3api options

Looks like the s3api is exposed via the cli

   $ aws s3api [TAB-TO-COMPLETE]
abort-multipart-upload                  delete-object                           get-bucket-request-payment              list-object-versions                    put-bucket-tagging 
complete-multipart-upload               delete-objects                          get-bucket-tagging                      list-parts                              put-bucket-versioning 
copy-object                             get-bucket-acl                          get-bucket-versioning                   put-bucket-acl                          put-bucket-website 
create-bucket                           get-bucket-cors                         get-bucket-website                      put-bucket-cors                         put-object 
create-multipart-upload                 get-bucket-lifecycle                    get-object                              put-bucket-lifecycle                    put-object-acl 
delete-bucket                           get-bucket-lifecycle-configuration      get-object-acl                          put-bucket-lifecycle-configuration      restore-object 
delete-bucket-cors                      get-bucket-location                     get-object-torrent                      put-bucket-logging                      upload-part 
delete-bucket-lifecycle                 get-bucket-logging                      head-bucket                             put-bucket-notification                 upload-part-copy 
delete-bucket-policy                    get-bucket-notification                 head-object                             put-bucket-notification-configuration   wait
delete-bucket-replication               get-bucket-notification-configuration   list-buckets                            put-bucket-policy                       
delete-bucket-tagging                   get-bucket-policy                       list-multipart-uploads                  put-bucket-replication                  
delete-bucket-website                   get-bucket-replication                  list-objects                            put-bucket-request-payment

1.11 DONE Test static web hosting hosting of this writeup

1.12 TODO Pick up here next

[[ at 21:30] Anomaly Detection

[5/6] Write up some possible stuff to talk about during Emacs Chat 2015-10-14

SCHEDULED: <2015-10-10 Sat>

[2015-10-10 Sat 08:13]

The raw source for this file is here:

Possible stuff to talk about during Emacs Chat 2015-10-14, mostly things I’ve done in/to my configs recently
I think some of it might be interesting to others, I’m pretty sure I’ll get useful feedback, I’m not very good at talking extemporaneously, sometimes sharing things live creates problems (things you did not mean to share), org mode (and git) work pretty well to organize and share config snippits.
Mostly links to git commit/diffs of my emacs configs
Posted online now <2015-10-10 Sat>, possible fodder for discussion at 2015-10-14 emacs chat
Anybody that shows up to the chat or cares to read this info.
After ~36 years of using various emacsen I’m still a piker…


Move all the things into .git. The actions listed below will currently do the following:

  • find all repos under BASEDIR
  • list the remotes (or lack of them) for each repo
  • Add .dir-locals.el to each repo for use with
  • Find recently modified files (last RECENT days) that are not in a git repo or not in a directory listed to be ignored (IGNOREDIRS)
  • List the need to push or pull repos (after git fetch --all)
I’m moving my existence into git. I have hap-hazard repos of some of my stuff spread across github, aws code commit, bare repos on shared hosting, local backup drives and a lot of stuff that’s not in git that needs to be there). This will give me visibility and let me make decisions about where to commit stuff, what’s in now, what needs to be added, etc.
Org babel stuff calling git:
Code on github now. Gitificatation of all the things in progress.

2 DONE gmjShell function

function to start a shell on remote system when remote file open (tramp)
I work on a lot of remote systems and need shells there quickly.

3 DONE Move custom-set-variables out of ~/.emacs.d/init.el

Move custom-set-variables out of ~/.emacs.d/init.el
I want to share most of my emacs config, but custom-set-variables keeps saving things I don’t want in public git repos.

Put this in ~/.emacs.d/init.el (or wherever):

; because junk I don't want to share in git keeps showing up here
(setq custom-file "~/secrets/emacs-custom.el")
(load custom-file)

4 DONE building Emacs from src with org babel

Build emacs from source using org babel
Things are fixed in the latest source release.
Org babel version of of Xah Lee’s
As needed.

5 IN-PROGRESS Pulling/installing latest org mode with babel

Install latest org mode from source.
Because stuff is getting fixed and added all the time.
For now, this: In the future, an org babel version.
See “How”

6 DONE git-autocommit

Make every save a git commit because, really, what changes should NOT be saved?
Lightning talk from SF Emacs conference mentioned it. Thought it sounded like a good idea.
Do this:

  • Install git-auto-commit-mode
  • Add .dir-locals.el with this ((nil . ((eval git-auto-commit-mode 1)))) in it to directories you want to autocommit
  • Consider adding the following or similar to your .init.el (or org startup):

    (setq gac-automatically-push-p t)
    (setq gac-ask-for-summary-p t)
    (add-hook 'certain-hook 'git-auto-commit-mode)
    (setq enable-remote-dir-locals t)

    See How to Write a Git Commit Message for great advice on writing commit messages.

    In truth, after several days of using it, I’m not sure. I save far to often for trivial reasons (like 30 years of muscle memory and paranoia telling me I must hit ^X^S every few seconds).

    The git commit/log model seems to be geared around each commit being a minimally useful improvement that can be described briefly and thoughtfully. Autosave does not play into that model.

    The source is here and, tellingly, the commit history looks like it was done thoughtfully.

Every save.