DEV Community: noweder The latest articles on DEV Community by noweder (@noweder). https://dev.to/noweder https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F444682%2F74bf9461-d803-41f8-a974-e2a26de79ed9.png DEV Community: noweder https://dev.to/noweder en Using AWS Lambda to Revert Unauthorized Security Group Changes noweder Sun, 15 Jan 2023 21:04:03 +0000 https://dev.to/aws-builders/using-aws-lambda-to-revert-unauthorized-security-group-changes-5hke https://dev.to/aws-builders/using-aws-lambda-to-revert-unauthorized-security-group-changes-5hke <h1> Introduction </h1> <p>In this blog, we will demonstrate how to proactively monitor a web server EC2 security group for any traffic rule changes using Lambda along with a few other services. If we detect <em>any</em> unauthorized changes, we will then undo them using Lambda. There will also be an SNS notification sent out to the admins, which is us.</p> <p>In this activity we will be working with the following AWS services:</p> <ul> <li><p>Lambda</p></li> <li><p>SNS</p></li> <li><p>CloudTrail</p></li> <li><p>CloudWatch</p></li> <li><p>CloudFormation</p></li> <li><p>EC2</p></li> <li><p>VPC</p></li> <li><p>S3</p></li> </ul> <p>This scenario is a working example of how we can use Lambda to perform various operational tasks within our account, especially ones that maintain our security posture.</p> <h1> Architecture </h1> <p>The below diagram illustrates the high-level architecture and the steps to be followed in sequence.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq65jyuwmtk77s3r9jihl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fq65jyuwmtk77s3r9jihl.png" alt="Image description" width="800" height="1020"></a></p> <h1> Prerequisites </h1> <ul> <li><p>An AWS account</p></li> <li><p>An existing VPC such as the default VPC</p></li> </ul> <h1> Steps </h1> <h2> Create Your CloudTrail Trail </h2> <p>Navigate to the <code>CloudTrail</code> service. From the left-hand menu, access <code>Trails</code> and click on <code>Create trail</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7x9psko5fr8bo8nwmcm1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7x9psko5fr8bo8nwmcm1.png" alt="Image description" width="800" height="254"></a></p> <ol> <li><p>Specify your desired name for the trail</p></li> <li><p>For <code>Storage location</code> section, choose <code>New S3 bucket</code> and keep the default generated name. This will create an S3 bucket to load API event trail logs.</p></li> <li><p>Enable <code>CloudWatch Logs</code> to create a log group to which the trail will send events.</p></li> <li><p>Choose <code>Event type</code> as <code>Management events</code></p></li> <li><p>Choose <code>API activity</code> to log both <code>Read</code> and <code>Write</code> activities.</p></li> <li><p>Leave other settings as is and finally click <code>Create trail</code>.</p></li> </ol> <h2> Deploy the CloudFormation Template </h2> <p>The CloudFormation template will create several resources:</p> <ul> <li><p>A web security group that is monitored for any changes</p></li> <li><p>An IAM role attached to the Lambda function as an execution role with permissions to remove any changes to the security group inbound rules.</p></li> <li><p>A Lambda Permission which allows CloudWatch Events to invoke the Lambda function</p></li> <li><p>A Lambda function that revokes any changes to the web security group and publishes a message to an SNS topic</p></li> <li><p>A CloudWatch Event Rule that captures security group change events and triggers the Lambda function (<strong>Note</strong>: CloudWatch Events is now Amazon EventBridge)</p></li> <li><p>SNS topic with an email subscription to send an email notification when the Lambda function is invoked</p></li> </ul> <p>Follow the below steps to deploy these resources:</p> <ol> <li>Using your preferred code editor, create a <code>.yaml</code> file with the below CloudFormation template. </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="nn">---</span> <span class="na">AWSTemplateFormatVersion</span><span class="pi">:</span> <span class="s">2010-09-09</span> <span class="na">Description</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">Creates the resources necessary to create a rule to monitor and</span> <span class="s">auto-mitigate security group change events</span> <span class="na">Metadata</span><span class="pi">:</span> <span class="na">License</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">Copyright 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.</span> <span class="s">Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at</span> <span class="s">http://aws.amazon.com/apache2.0/</span> <span class="s">or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.</span> <span class="na">AWS::CloudFormation::Interface</span><span class="pi">:</span> <span class="na">ParameterGroups</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Label</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s">Settings</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">NotificationEmailAddress</span> <span class="na">ParameterLabels</span><span class="pi">:</span> <span class="na">NotificationEmailAddress</span><span class="pi">:</span> <span class="na">default</span><span class="pi">:</span> <span class="s">Send notifications to</span> <span class="na">Parameters</span><span class="pi">:</span> <span class="na">NotificationEmailAddress</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">This is the email address that will receive change notifications. You will</span> <span class="s">receive a confirmation email that you must accept before you will receive</span> <span class="s">notifications.</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">String</span> <span class="na">Conditions</span><span class="pi">:</span> <span class="na">AddEmailNotificationSubscription</span><span class="pi">:</span> <span class="kt">!Not</span> <span class="pi">[</span><span class="kt">!Equals</span> <span class="pi">[</span><span class="kt">!Ref</span> <span class="nv">NotificationEmailAddress</span><span class="pi">,</span> <span class="s2">"</span><span class="s">"</span><span class="pi">]]</span> <span class="na">Resources</span><span class="pi">:</span> <span class="na">WebServerSecurityGroup</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::EC2::SecurityGroup</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">GroupDescription</span><span class="pi">:</span> <span class="s">Allow HTTPS access to web servers</span> <span class="na">SecurityGroupIngress</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">IpProtocol</span><span class="pi">:</span> <span class="s">tcp</span> <span class="na">FromPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">ToPort</span><span class="pi">:</span> <span class="m">443</span> <span class="na">CidrIp</span><span class="pi">:</span> <span class="s">0.0.0.0/0</span> <span class="na">Tags</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Key</span><span class="pi">:</span> <span class="s">Name</span> <span class="na">Value</span><span class="pi">:</span> <span class="s">Web Server Security Group</span> <span class="na">SecurityGroupChangeAutoResponseRole</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::IAM::Role</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">AssumeRolePolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s">2012-10-17</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Principal</span><span class="pi">:</span> <span class="na">Service</span><span class="pi">:</span> <span class="s">lambda.amazonaws.com</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sts:AssumeRole</span> <span class="na">ManagedPolicyArns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole</span> <span class="na">Policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">PolicyName</span><span class="pi">:</span> <span class="s">SecurityGroupModification</span> <span class="na">PolicyDocument</span><span class="pi">:</span> <span class="na">Version</span><span class="pi">:</span> <span class="s">2012-10-17</span> <span class="na">Statement</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">AllowSecurityGroupActions</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ec2:RevokeSecurityGroupIngress</span> <span class="na">Resource</span><span class="pi">:</span> <span class="kt">!Sub</span> <span class="s">arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:security-group/${WebServerSecurityGroup.GroupId}</span> <span class="pi">-</span> <span class="na">Sid</span><span class="pi">:</span> <span class="s">AllowSnsActions</span> <span class="na">Effect</span><span class="pi">:</span> <span class="s">Allow</span> <span class="na">Action</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">sns:Publish</span> <span class="na">Resource</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">SnsTopicForCloudWatchEvent</span> <span class="na">SecurityGroupChangeAutoResponse</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Lambda::Function</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Responds to security group changes</span> <span class="na">Handler</span><span class="pi">:</span> <span class="s">index.lambda_handler</span> <span class="na">MemorySize</span><span class="pi">:</span> <span class="m">1024</span> <span class="na">Role</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">SecurityGroupChangeAutoResponseRole.Arn</span> <span class="na">Runtime</span><span class="pi">:</span> <span class="s">python3.9</span> <span class="na">Timeout</span><span class="pi">:</span> <span class="m">60</span> <span class="na">Environment</span><span class="pi">:</span> <span class="na">Variables</span><span class="pi">:</span> <span class="na">security_group_id</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">WebServerSecurityGroup.GroupId</span> <span class="na">sns_topic_arn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">SnsTopicForCloudWatchEvent</span> <span class="na">Code</span><span class="pi">:</span> <span class="na">ZipFile</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">import os, json, boto3</span> <span class="s">#===============================================================================</span> <span class="s">def lambda_handler(event, context):</span> <span class="s">print(event)</span> <span class="s"># Ensure that we have an event name to evaluate.</span> <span class="s">if 'detail' not in event or ('detail' in event and 'eventName' not in event['detail']):</span> <span class="s">return {"Result": "Failure", "Message": "Lambda not triggered by an event"}</span> <span class="s"># Remove the rule only if the event was to authorize the ingress rule for the given</span> <span class="s"># security group that was injected during CloudFormation execution.</span> <span class="s">if (event['detail']['eventName'] == 'AuthorizeSecurityGroupIngress' and</span> <span class="s">event['detail']['requestParameters']['groupId'] == os.environ['security_group_id']):</span> <span class="s">result = revoke_security_group_ingress(event['detail'])</span> <span class="s">message = "AUTO-MITIGATED: Ingress rule removed from security group: {} that was added by {}: {}".format(</span> <span class="s">result['group_id'],</span> <span class="s">result['user_name'],</span> <span class="s">json.dumps(result['ip_permissions'])</span> <span class="s">)</span> <span class="s">boto3.client('sns').publish(</span> <span class="s">TargetArn = os.environ['sns_topic_arn'],</span> <span class="s">Message = message,</span> <span class="s">Subject = "Auto-mitigation successful"</span> <span class="s">)</span> <span class="s">#===============================================================================</span> <span class="s">def revoke_security_group_ingress(event_detail):</span> <span class="s">request_parameters = event_detail['requestParameters']</span> <span class="s"># Build the normalized IP permission JSON struture.</span> <span class="s">ip_permissions = normalize_paramter_names(request_parameters['ipPermissions']['items'])</span> <span class="s">response = boto3.client('ec2').revoke_security_group_ingress(</span> <span class="s">GroupId = request_parameters['groupId'],</span> <span class="s">IpPermissions = ip_permissions</span> <span class="s">)</span> <span class="s"># Build the result</span> <span class="s">result = {}</span> <span class="s">result['group_id'] = request_parameters['groupId']</span> <span class="s">result['user_name'] = event_detail['userIdentity']['arn']</span> <span class="s">result['ip_permissions'] = ip_permissions</span> <span class="s">return result</span> <span class="s">#===============================================================================</span> <span class="s">def normalize_paramter_names(ip_items):</span> <span class="s"># Start building the permissions items list.</span> <span class="s">new_ip_items = []</span> <span class="s"># First, build the basic parameter list.</span> <span class="s">for ip_item in ip_items:</span> <span class="s">new_ip_item = {</span> <span class="s">"IpProtocol": ip_item['ipProtocol'],</span> <span class="s">"FromPort": ip_item['fromPort'],</span> <span class="s">"ToPort": ip_item['toPort']</span> <span class="s">}</span> <span class="s">#CidrIp or CidrIpv6 (IPv4 or IPv6)?</span> <span class="s">if 'ipv6Ranges' in ip_item and ip_item['ipv6Ranges']:</span> <span class="s"># This is an IPv6 permission range, so change the key names.</span> <span class="s">ipv_range_list_name = 'ipv6Ranges'</span> <span class="s">ipv_address_value = 'cidrIpv6'</span> <span class="s">ipv_range_list_name_capitalized = 'Ipv6Ranges'</span> <span class="s">ipv_address_value_capitalized = 'CidrIpv6'</span> <span class="s">else:</span> <span class="s">ipv_range_list_name = 'ipRanges'</span> <span class="s">ipv_address_value = 'cidrIp'</span> <span class="s">ipv_range_list_name_capitalized = 'IpRanges'</span> <span class="s">ipv_address_value_capitalized = 'CidrIp'</span> <span class="s">ip_ranges = []</span> <span class="s"># Next, build the IP permission list.</span> <span class="s">for item in ip_item[ipv_range_list_name]['items']:</span> <span class="s">ip_ranges.append(</span> <span class="s">{ipv_address_value_capitalized : item[ipv_address_value]}</span> <span class="s">)</span> <span class="s">new_ip_item[ipv_range_list_name_capitalized] = ip_ranges</span> <span class="s">new_ip_items.append(new_ip_item)</span> <span class="s">return new_ip_items</span> <span class="na">SecurityGroupChangeAutoResponseLambdaPermission</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Lambda::Permission</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">Action</span><span class="pi">:</span> <span class="s">lambda:InvokeFunction</span> <span class="na">Principal</span><span class="pi">:</span> <span class="s">events.amazonaws.com</span> <span class="na">FunctionName</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">SecurityGroupChangeAutoResponse</span> <span class="na">TriggeredRuleForSecurityGroupChangeAutoResponse</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::Events::Rule</span> <span class="na">Properties</span><span class="pi">:</span> <span class="c1">#Name: SecurityGroupChangeAutoResponse</span> <span class="na">Description</span><span class="pi">:</span> <span class="s">Responds to security group change events</span> <span class="na">EventPattern</span><span class="pi">:</span> <span class="na">detail</span><span class="pi">:</span> <span class="na">eventSource</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">ec2.amazonaws.com</span> <span class="na">eventName</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">AuthorizeSecurityGroupIngress</span> <span class="pi">-</span> <span class="s">AuthorizeSecurityGroupEgress</span> <span class="pi">-</span> <span class="s">RevokeSecurityGroupEgress</span> <span class="pi">-</span> <span class="s">RevokeSecurityGroupIngress</span> <span class="pi">-</span> <span class="s">CreateSecurityGroup</span> <span class="pi">-</span> <span class="s">DeleteSecurityGroup</span> <span class="na">State</span><span class="pi">:</span> <span class="s">ENABLED</span> <span class="na">Targets</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">Arn</span><span class="pi">:</span> <span class="kt">!GetAtt</span> <span class="s">SecurityGroupChangeAutoResponse.Arn</span> <span class="na">Id</span><span class="pi">:</span> <span class="s">TargetFunctionV1</span> <span class="na">SnsTopicForCloudWatchEvent</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::SNS::Topic</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">DisplayName</span><span class="pi">:</span> <span class="s">Broadcasts message to subscribers</span> <span class="na">SnsTopicSubscriptionForCloudWatchEvent</span><span class="pi">:</span> <span class="na">Type</span><span class="pi">:</span> <span class="s">AWS::SNS::Subscription</span> <span class="na">Condition</span><span class="pi">:</span> <span class="s">AddEmailNotificationSubscription</span> <span class="na">Properties</span><span class="pi">:</span> <span class="na">TopicArn</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">SnsTopicForCloudWatchEvent</span> <span class="na">Endpoint</span><span class="pi">:</span> <span class="kt">!Ref</span> <span class="s">NotificationEmailAddress</span> <span class="na">Protocol</span><span class="pi">:</span> <span class="s">email</span> </code></pre> </div> <ol> <li><p>Navigate to <code>CloudFormation</code> service and click on <code>Create stack</code>.</p></li> <li><p>Click on <code>Upload a template file</code> from the <code>Specify template</code> section and choose the locally created <code>.yaml</code> file, then click <code>Next</code>.</p></li> <li><p>Specify your desired name of the stack.</p></li> <li><p>Enter your email address in the <code>Parameters</code> section under <code>Send notifications to</code> parameter.</p></li> </ol> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F51in40s66gybxueavyqv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F51in40s66gybxueavyqv.png" alt="Image description" width="800" height="256"></a></p> <ol> <li><p>Leave everything else as is and click on <code>Submit</code> at the end.</p></li> <li><p>Once the stack status changes to <code>CREATE_COMPLETE</code>, you should receive an email from AWS to confirm the subscription to the SNS topic. Click on <code>Confirm subscription</code> link within the email bod</p></li> </ol> <h2> Test and Verify The Solution </h2> <p>Head to <code>EC2</code> in the console and access <code>Security Groups</code> under <code>Network &amp; Security</code>. Select the created <code>Web Server Security Group</code> and click on <code>Edit inbound rules</code>.</p> <p>Click on <code>Add rule</code>. Select <code>SSH</code> as Type and <code>Anywhere-IPv4</code> as the Source. Then click on <code>Save rules</code>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnhn7qn8boemkwjmp1lok.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fnhn7qn8boemkwjmp1lok.png" alt="Image description" width="800" height="306"></a></p> <p>Once this change is done, CloudTrail will catch this event and send it to CloudWatch, which will trigger the deployed event rule and pass the data to the Lambda function. The function will parse that data and do two things; it will remove the rule we added, and also publish to the SNS topic which will send an email to the defined email address.</p> <p>Refresh the inbound rules and you will notice the newly added rule has been immediately removed!</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0f5y1yd3asl1835yw1el.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0f5y1yd3asl1835yw1el.png" alt="Image description" width="800" height="148"></a></p> <p>You will also receive a notification email mentioning that the added ingress rule has been removed as shown below.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi2fpv3k8q6e9ly0v68qo.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi2fpv3k8q6e9ly0v68qo.png" alt="Image description" width="800" height="285"></a></p> <p>We can also view the metrics of the successful lambda function invocation from the <code>Monitor</code> menu of the function as shown below.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzn5bh75maghxk7zv5bj8.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fzn5bh75maghxk7zv5bj8.png" alt="Image description" width="800" height="425"></a></p> <p>Until next time...</p> <p>Thanks for reading!</p> watercooler