View Blog Post

DataOps: Self-Service Databases with Amazon Aurora and Stelligent’s database-artifact-factory

Development against Legacy Databases A “legacy” relational production database can be a challenge to develop new software against, whether it be “reports” or a feature for a web application.  The schema sets a minimum for what to expect, but the actual data content may be “dirty” or inconsistent.  There can be any number of curiosities Read more…

View Blog Post

Generating Least Privileged IAM Roles for CloudFormation and Service Catalog with cfn-leaprog

CloudFormation Development Process and Privilege As a developer works through the development of a CloudFormation template, they are likely working in a “sandbox” account where they have significant “power user” privileges.  This is convenient in order to allow the developer to focus on the business needs, but what happens when the same template is converged Read more…

View Blog Post

AWS Integration Testing for boto with potemkin-decorator

Test Automation for Integrating with External Services Developing test automation code for an interface to an “external” service is always a difficult proposition.  There is a spectrum of techniques for developing reproducible tests against an external service. On one end of the spectrum are “mocking” techniques and on the other far end of the spectrum Read more…

View Blog Post

Thought Experiment: Proposed Complexity Metric for IAM Policy Documents

Code Complexity Metrics When a professional software developer writes code, they measure the complexity of the code they write.  The contrapositive holds true as well that those who don’t measure the complexity of their code are not professional.  There are a variety of code complexity metrics available to the professional developer. The “better” metrics are Read more…

View Blog Post

Custom Rule Distribution Enhancements for cfn_nag

Introduction The cfn_nag tool is a static analysis tool for finding obvious security weaknesses in CloudFormation templates.   The core product includes rules that apply universally across environments and enterprises.  That said, the product supports the development of custom rules to allow enterprise-specific rules for compliance and security controls. For more information on developing custom rules Read more…

View Blog Post

Deployment Pipeline Compliance and Control – a Service-based Approach

Deployment Pipelines – Introduction The software “deployment pipeline” has become a common mechanism in the modern enterprise.  A deployment pipeline is a sequence of automation that produces or deploys a software artifact.  This artifact can take many forms, for example, a programming library, a web application, or even automation to converge infrastructure and security controls.  Read more…

View Blog Post

Finding Security Problems Early in the Development Process of a CloudFormation Template with "cfn-nag"

Continuous Security: Security in the Continuous Delivery Pipeline is a series of articles addressing security concerns and testing in the Continuous Delivery pipeline. This is the second article in the series. CloudFormation Background CloudFormation templates are a great way to provision AWS resources.  They allow an infrastructure developer to declare what resources are to be Read more…