DEV Community: Oleg Chursin

Mastering CSS Balance: "text-wrap: balance"

Oleg Chursin — Mon, 23 Oct 2023 14:44:51 +0000

When it comes to web design, one aspect that often requires careful consideration is how text flows within a layout. While CSS offers various properties to control text wrapping and line breaking, the text-wrap property stands out for its unique approach to handling long strings of text. In this blog post, we'll delve into the text-wrap property, with a specific focus on text-wrap: balance.

Understanding Text-Wrap

The text-wrap property, introduced in CSS3, is a valuable tool for controlling how text wraps within its containing element. It allows you to specify how text should break and wrap when it encounters the edge of its container. The property can take several values, including wrap, nowrap, balance, stable, pretty.

text-wrap = 
  wrap     |
  nowrap   |
  balance  |
  stable   |
  pretty

Source: MDN: text-wrap

The `text-wrap: balance` Value

The text-wrap: balance value is a relatively lesser-known aspect of the text-wrap property, but it can significantly impact how text is presented on your web page. This value is especially useful when dealing with narrow columns of text, as it optimizes the text distribution to maintain a balanced appearance.

By setting text-wrap to balance, you are instructing the browser to distribute the text within the container, avoiding uneven gaps between lines and achieving a more uniform appearance.

Advantages of `text-wrap: balance`

Now, let's explore some of the key advantages of using text-wrap: balance:

1. Improved Readability

Balanced text wrapping helps enhance the readability of your content. By minimizing uneven gaps and preventing overly long lines, users can smoothly read through your text without feeling overwhelmed or distracted.

2. Enhanced Aesthetics

Aesthetics are crucial in web design, and balanced text wrapping plays a significant role in achieving a polished and professional look. It prevents the visual clutter that can occur with irregular text distribution.

3. Consistency Across Devices

text-wrap: balance can be particularly helpful in creating a consistent reading experience across different devices and screen sizes. It ensures that text remains visually appealing and legible, whether your audience is viewing your content on a large desktop monitor or a small mobile screen.

Pretty vs. Balance

text-wrap:pretty avoids typographic orphans,
text-wrap:balance tries to make the lengths of all lines balanced as much as possible. Source: Design docs

Browser Compatibility

Before fully implementing text-wrap: balance, it's essential to check the browser compatibility. text-wrap: balance property is not widely supported. Let's hope this changes as browsers catch up with with CSS Text Level 4

Conclusion

The text-wrap: balance CSS property is a valuable addition to your web design toolkit, especially when aiming for a clean and professional text layout. By using text-wrap: balance, you can ensure that text is distributed in an eye-pleasing way, improving readability and enhancing the overall aesthetics of your web pages. Keep in mind that while this property offers aesthetics benefits, it's crucial to verify its compatibility with your target audience's browsers to ensure a seamless user experience.

More information

MDN
CSS text-wrap: balance
CSS Text Level 4
Score-based Paragraph-level Line Breaking

Communicate Risk with Git Commits

Oleg Chursin — Wed, 19 Oct 2022 18:44:00 +0000

Our web dev team at Aon Cyber Solutions uses Tagging as a Process (TaaP) flow as introduced in DigDeepRoots training. This post is a go-to gist.

Following the principles below will help you become more risk aware by:

Reviewing code in minutes instead of hours/days.
Knowing which code reviews/commits require attention.
Introducing fewer bugs on the most common refactorings.
Becoming more aware of the risks that lead to bugs.

TL;DR

Work in movements. Make smaller commits inside a movement (8-10 LOC).
Merge commit should state the purpose of the overall movement/PR.
Communicate risk with a one-letter prefix (e.g. F - Added new feature).
Increase risk sensitivity with bangs (e.g. F!! - Added a potentially risky feature. Reviewer beware.)
Use provable refactorings (e.g. r - Extracted method)

Cheatsheets

MD Table

May Change Behavior	Won't Change Behavior	High Risk
F - Feature (< 9 LOC)	t - Test	F!! Feature (> 8 LOC)
B - Bug (< 9 LOC>)	d - Documentation	B!! Bug (> 8 LOC)
R - Test Supported Refactoring	a - Auto-tool	R!! Non-provable Refactoring
	r - Provable Refactoring

Image

:::info Conventional commits

Yes, our team loves conventional commits, but found that they do not communicate risk

:::

Reduce Risk with Micro-Commits

Accomplish each purpose with a sequence of micro-commits. Put a series of micro-commits on a branch, then merge them in with a commit that states the purpose you achieved.

Practice

Make safer commits by checking in smaller chunks of code per commit. 8-10 lines of code.

Step 1: 3+ commit chain within 5m at least 1x day
Step 2: 5+ commit chain within 3m at least 3x day
Step 3: 10+ commit chain within 2m at least 8x day

Insights

Most of this value comes from increasing your focus. You can deeply focus on one tiny thing at a time, then come back up to re-gain your context and pick the next thing to do. Each commit allows you to finish one step, the branch provides your context, and the final merge commit allows you to verify that you completed your objective. You can enhance this effect by naming the branch after your intention and renaming it each time you learn something that shifts your intention.

These branches also allow you to make commits smaller while conveying intention more clearly. Smaller commits reduce your error rate, and both small commits and clear intention speed up code review. Now you can start each review by understanding the intention and then assess whether the steps make sense. You can also focus more on the ones that need individual review (risky or surprising steps).

Make Risks Obvious

Communicate the intention behind each change with your team. You will use a simple letter code in each commit message to indicate which one type of change you made in that commit.

Tagging each commit provides 3 distinct pieces of value:

You write fewer bugs.
You become more aware of risk.
Code review is faster and more useful.

Practice

Every time you commit, start the commit message with one of these six letters followed by space dash space.

F - Feature
B - Bug
R - Refactor
t - Test
d - Documentation
a - Auto-tool

Insights

Just writing the risk codes provides significant value. It makes you stop to think about the intention of your commit (either before making the change or before committing). This will usually cause you to separate refactorings and test-only changes from bug fixes and features. Small commits that each complete one clear intention are less likely to have bugs than larger commits with multiple intentions.

Risk codes also provide value when you see your own commit log. Before it was not always obvious when you were taking on a small (or large) risk. Now each commit shows the risk, and your log shows how risky your coding approach is. Later shifts in this habit will build on this new awareness, helping you do something about the now-visible risks.

Finally, the codes help you quickly understand others’ code. Knowing the author’s intention allows you to assess each commit differently. You can have one mindset when checking a refactoring, another for a behavior change, and a third for a test-only change.

Increase Risk Sensitivity

Use new tags to denote high risk commits. Start using F!!, B!!, and R!! to denote commits, unless you have evidence to prove you did it in a lower-risk way.

Tagging high-risk commits provides two important but higher-level sources of value:

Make better choices about risk.
See opportunities to increase safety.

Practice

Perform the following tasks when committing:

Replace all R‘s with R!! unless you have strong test support and follow the written steps for that refactoring.
Replace any F‘s or B‘s that have more than 8 lines of change with F!! or B!!.
Any times you have to notate with a X!! (high risk), consider alternatives that avoid the !! commit flag

:::tip
There is only one space after a X!! code, so your log lines up like this:

R - Extract Method
F!! I should have refactored more
R!! Edited a bunch trying to refactor

:::

Insights

It might take you and your teammates time to really start using X!! whenever it applies. However, even as you get started, each X!! gives the team a chance to find and fix an obstacle. Something in your code, process, or skills makes it hard to do the lower-risk route, so the higher-risk option made sense in this case. Fix that obstacle so everyone will take lower-risk options in the future.

There will always be some !! commits in the log, and there will always be some commits that are marked with a capital letter that should be !!. Both of these provide ongoing opportunities for your team to make its practice and environment safer.

Increase Safety

Perform safe and provable refactoring. Use provable r refactorings instead of test-supported R or unprovable R!! refactorings.

Using provable refactorings makes refactoring safe:

Refactor without writing bugs.
Get untestable code under test without writing bugs.

Practice

Consider R!! and R commits, and try a safe refactoring r

Recipe Option: Extract Method, Rename, others, or extend the catalog.
Tool Option: JetBrains IDEs and plugins, Visual Studio, or some others.

Read by Refactoring

In addition to solving this critical problem, provable refactorings are the foundation of Read by Refactoring. Read by Refactoring is a technique for reading code by first safely refactoring it to make it easy to understand, and then reading the result. This works because you can prove that your refactorings are safe even though you don’t understand the code you are refactoring.

Insights

The provable refactorings fundamentally prevent bugs, allowing an entirely different approach to coding. Right now we will use that to get code under test without introducing bugs in the process.

Future habits will apply provable refactoring to address a wide variety to architectural and design problems. This shift familiarizes you with a widely-applicable technique.

External Links

Notes on Better User Stories Course

Oleg Chursin — Thu, 17 Feb 2022 01:25:59 +0000

Better User Stories is a video course from Mike Cohn of Mountain Goat Software designed to help you with user stories in your organization.

https://www.mountaingoatsoftware.com/training/courses/better-user-stories

Below are my notes on this course.

Course Modules

What Stories Are
Users, User Roles and Personas
Story Mapping and Story-Writing Workshops
Adding Detail with Conditions of Satisfaction or Acceptance Criteria
INVEST in Good Stories
Splitting Stories
Overcoming Common Problems
Things That Are Not User Stories

What Stories Are

User story - short simple statement told from the perspective of a user.

A story can be improved with a so that clause.

Story template:

As a <type of user>,
I <want/can/need/am required to> <some goal>
so that <some reason>

Qs answered by using the template:
1. Who wants it?
2. What is it they want?
3. Why?

3Cs of a user Story

Card
Conversation
Confirmation

Card

A starting point of a story.
Represents the following:
* A promise from the development team to ask questions
* A promise from the product owner to be available for clarification
* An opportunity for the product owner to avoid writing long specification documents

Conversation

Starts with a two-way promise represented by a story Card:
- from the dev team - a promise to ask Qs
- from the product owner - a promise to be available to answer Qs (As a product owner, I write just enough that the team and I have good conversation so that we can be agile.)

Confirmation

Product owner’s way of telling the team what needs to be done in order for the story to be considered complete.
- what are conditions of satisfactions

Adding detail to a user story

Multiple ways of doing it:
1. split the story into smaller stories
2. addict to a story a list of the things that a product owner expects to be true about the completed story (acceptance criteria)

A story is a pointer to a requirement

- attach additional supporting information/diagrams to the story

Users, User Roles and Personas

User role is:
- a collection of characteristic needs, interests, expectations, and behaviors in relation to a particular system
- users who share common needs, interests or behaviors
- combination of users who have enough in common that we may think of their needs as largely similar

Context, Characteristics, and Criteria

To identify user roles, consider user similarities in:
- context
- physical environment
- social environment
- domain knowledge
- proficiency (developer vs grandma)
- system access (slow vs high internet connection speed)
- characteristics
- frequency of interaction with the system
- regularity of interaction
- complexity of work performed
- the volume of work performed
- user’s mental state (using the system under stress vs not)
- criteria
- user’s main goal
- secondary goals
- ease of use
- reliability
- accuracy of results

How to Do User Role Modeling

The process will provide meaningful; insights into who the product users are, how they differ, and what functionality they need

4 Role Modeling Steps:

Brainstorm an initial set of users roles
- done once in the beginning of the project
- the whole team is present
- fast and furious - no judgement
Organize the initial set
- group similar roles together
- identify aggregate roles
Consolidate
- look at each role and see if they can be combined
- rename the combined role
Refine
- eliminate roles that are unimportant for the product
- remove roles that are too broad

Documenting a User Role Model

Outcome documents include:
- model itself - a diagram representing hierarchal relationship among user roles
- one page description for each role
Structure:

    User role title
        - Context (category 1)
            - attribute 1.1
                - description
            - attribute 1.2
                - description
            - attribute 1.3
                - description
        - Characteristics (category 2)
            - attribute 2.1
                - description
            - attribute 2.2
                - description
            - attribute 2.3
                - description
        - Criteria (category 3)
            - attribute 3.1
                - description
            - attribute 3.2
                - description
            - attribute 3.3
                - description

User role template link [].

Personas (Intro)

- Highly descriptive and detail archetypes representing each user role.
- user role on steroids
- it’s given a name, specific goals, attitudes, and an environment

IMPORTANT:
- If you get a persona wrong, you end up building the absolutely right product for the absolutely wrong type of person.
- Without the data to backup the details, a persona is just a guess

Create a persona when:
1. You are creating a high-consideration product.
- a product the requires a lot of thought either before a user buys it or while using it
2. You aren’t guessing at the extra detail.
- use data on users of current products
- do research on likely users of a product
- talk to actual users
- observe real users

Attributes to Consider When Creating a Persona

Consider ONLY the attributes that are important for your product.

Set of attributes to look at when defining a persona:
- Demographic (quantitative)
- age
- gender
- geography
- income level
- education
- Psychographic (qualitative)
- fears
- preferences
- attitudes
- opinions
- lifestyle
- values

Documenting a Persona

Give persona a name, you may also attach a photo, and a dd a quote from real user interviews.

Describe their:
- Demographics
- Personal
- Goals
- Skills or experience
- Fears
- Attitudes and feelings
- Environment

Persona template link [].

Decorated User Roles

User role types:
- first-class citizens
- decorated user roles (as in decorated symbols in maths)
- create by adding a descriptive introduction to a first-class citizen name, as in:
- first-time user, first-time visitor, first-time registered member
- forgetful registered member
- as a user who has completed CyQu, I can download a report

Writing User Stories for the Right User

Principles:
- do not write all stories using the role at the top of the hierarchy (aggregate role)
- use a role most likely to perform a story. This:
- prevents every story from being “As a user, …”
- puts us in the mindset of that user
- if you feel constantly compelled to write the same story for different user roles, this could be an indicator that you should rethink the user roles you have identified
- put multiple roles into the story when:
- roles are equally likely to perform the story
- roles are so different that one may be forgotten
- roles will use the functionality in slightly different ways

Story Mapping and Story-Writing

The Four Times to Write Stories

1. Whenever a new idea occurs to you
2. During iteration review meetings
3. During product backlog refinement/grooming meetings
4. During story-writing workshop - the most strategic
    - attended by the whole team
    - attended by important stakeholders
    - being help quarterly

A Significant Objective Focuses the Scope of a Story-Writing Workshop

Define a significant objective for the quarter: an MVP or an MMF

MVP vs MMF (Minimum Marketable Feature)

MMF - a chunk of functionality that delivers a subset of the customer’s requirements, and that s capable of returning value to the customer when released as an independent entity.

Significant objective includes:
- business objective
- user objective

Significant objective:
- provides focus
- leads to greater creativity

Story-Writing Workshop Attendees, Duration and Preparation

Important Qs:
1. Who runs the workshop?
- scrum master/coach
2. Who attends?
- product owner
- entire dev team
- stakeholders
- users/customers
3. How long does it last?
- 4-5 hours with breaks
- influenced by:
- number of participants
- whether there’s a shared vision
- whether the work is new
4. What preparation is done in advance?
- basic meeting stuff
- product should already have user roles/personas identified
- print out user roles/personas and attach them to the wall
- product owner should be ready to present the significant objective for the quarter
- sticky notes, pens, markers

The Story-Writing Workshop Agenda

5 Steps:
1. Product owner presents the significant objective
2. Discuss user roles and personas relevant to the goals of the workshop
3. Story generation - all stories that achieve the significant objective
4. Story selection - which stories will best fulfill the significant objective
5. Schedule follow-up sessions if needed

Story Mapping

Adding a second dimension (sequence/narrative) to the backlog list (usually unidirectional and prioritized from most to least important)

Story map concepts/terms:
- Narrative - a sequence of items read across the story map
- Backbone - the topmost one or two narratives
- Step - any item on the map
- Activity - a collection of steps that are performed to achieve a goal

Making Decisions with a Story Map

Story maps can help:
- identify missing functionality
- plan a release to determine an MVP
- create a product road map

Qs to ask in regards to each step:
1. What else might a user want to do?
2. What additional info might a user find helpful?
3. What could go wrong?

Adding Detail with Conditions of Satisfaction or Acceptance Criteria

Progressive Refinement - Adding Detail over Time

Stories are initially vague on purpose. They open up a conversation.

When starting a project, include large, placeholder stories for functionality you are aware will need to be built but which will not be started until well into the future. Then refine those stories into progressively smaller and smaller stories over the course of the entire project. Going through a list of stories only once at the start of a project will not be sufficient.

Progressive refinement of a story includes:
- splitting story into smaller stories
- adding details to a story

Epics and Themes

Epic - single large user story. A story that is bigger than one team can do in one iteration.

Theme - a collection of related stories.
- a story can be in two themes at the same time

Two Ways of Adding Detail to a Story

1. Ask product owner questions and split into smaller stories accordingly
2. Add tests to the stories

Both approaches are functionally equivalent. Anything that can be written as test to a story, could be written as a substory and vice versa.

When chose one over the other?
- When you have a bigger story, split it.
- When you have a small enough story already, add tests.

Condition of Satisfaction

To be considered done, a user story must fulfill the product owner’s expectations. The best way to determine those is through one or more conversations with the product owner. If team members have specific needs from a story, it is fine to meet and discuss the story with them, too, but a first step should be a conversation with the product owner.

How Much Detail Is Appropriate

Just enough detail that the team can finish the story in the iteration.

Working with a Team That Wants too Much Detail

- Product owners should not specify every small detail.
- Product owner may not be the best person to make a decision.

A Definition of Ready and Why Having One Could Be Dangerous

- A **Definition of Ready** enables a team to specify certain pre-conditions that must be fulfilled before a story is admitted into an iteration.
- Goal - prevent problems before they start.
- Each team decided on their own Definition of Ready for each story to be included into an iteration.
- Some of the rules can cause trouble and prevent the team from being agile locking it into a stage-gate flow (one thing cannot start until another thing is done).

If a Definition of Ready is needed, it will be best if it focuses on guidelines rather than hard-and-fast rules. And with a Definition of Ready, the team will need to take care to emphasize working concurrently. For example, a little coding is going on even while some design is still occurring. This avoids creating a stage-gate process in which all of one activity must be completed before ANY of the next activity can begin.

Agile teams should practice concurrent engineering in which activities overlap -> most teams should not even use the definition of ready.

INVEST in Good Stories

Attributes of a good story:
- Independent
- Negotiable
- a story opens up a conversation between product owner and dev team
- Valuable
- to customer
- to user
- to stakeholder
- Estimatable
- a story should not be too big to estimate
- if a story is not estimable today, leave it and come back to it later
- Sized appropriately or Small
- top of the backlog always contained smaller stories that are ready to go into the next iteration
- Testable
- being able to identify confirmation criteria

Splitting Stories

Why split a story?
- different priorities
- lack of time
- size - too big to be completed in one iteration

2 types of large story:
- complex - fundamentally large and cannot be split: these are rare
- compound - combines multiple user actions into one: can be split

The SPIDR Approach to Splitting Stories

- Spikes
    - research activity intended to build knowledge
    - timeboxed
    - should only be used to remove excess uncertainty from a story -> do not overuse spikes
- Paths
    - drill down to find underlying steps/paths
- Interfaces
    - story that has multiple user interfaces
- Data
    - split by the data handled by the story
- Rules
    - look at the conditions of satisfaction and pull out any rules that make the story too big

Tracer Bullet Story

A story is a tracer bullet through a system technology stack

Advantages:
- reduce architectural risk
- easier to prioritize
- make early releases possible

Closed Stories

When splitting stories try to create a closed story

Closed story - the one that finishes with the user having achieved a meaningful goal

Three Things to Do when You Can’t Split a Story

1. Try harder
    - most stories are compound rather than complex
    - walk through the SPIDR approach
2. Let it take more than one iteration
3. Feel guilty
    - if you allow a story to span more than one iteration, feel guilty

Overcoming Common Problems

Managing Dependencies Between Stories

Techniques for dealing with dependencies between stories:
1. Combine stories
2. Split stories as late as possible
3. Reconsider the way in which stories were split
4. Annotate stories with important dependencies

Do not document obvious dependencies

Stories with Too Much Detail

- when you first write the story, focus on WHAT the user wants to achieve and HOW they want to achieve it
- initially leave UI assumptions out

Just in time and Just enough
- developers need just enough information provided to them just in time

Spending Too Much Time Splitting Stories

If you spend too much time splitting stories, consider the following:
- assess whether stories are too detailed
- consider whether stories are small enough already
- consider changing to a longer iteration length (avoid iterations longer than 4 weeks)

Stories Involving More than One Team

- Indicate all the team need/can work on a story
- mark appropriate dependencies

Stories that Are Really Tasks

Bad habit - creating tasks that masquerade as stories

Stories vs Tasks
- story
- generally something that is worked on by more than one person
- contains multiple types of work
- task
- generally worked on by just one person
- contains single type of work

Stories that are really tasks create problems:
1. The duo not deliver value
2. They are risky
3. They lead to phased development

Not Everything Needs to Be a User Story

Nonfunctional Requirements

Requirements that have to do with operation of the system rather than its specific behaviors

Often called —ilities
- portability
- maintainability
- testability
- scalability
- usability

They are constraints on how the system is developed

Stories and Bugs

Reporting a bug and asking for a new feature is fundamentally/conceptually the same thing - a desire to introduce changes to the system

Bugs should not be written in a story syntax.

Features from Feature-Driven Development

FDD - feature driven development
- feature list = Scrum’s product backlog
- syntax: <action> the <result> <by|for|of|to> a(n) <object>

FDD feature syntax can be helpful:
- when the is no immediate user present.
- for more technical parts of the system
- for API development tasks

Job Stories

Variation on User stories

Job stories are addressing two problems identified with user stories:

Many users have the same goal
Users do not know the solution to their problem

Template for Job stories:

When ______ I want to ______ so I can ______ .

When to use job stories:

When knowing a user’s motivation is more important than knowing details about the user
When dev team members and user already talk often

Native datetime formatter

Oleg Chursin — Thu, 16 Dec 2021 07:47:12 +0000

The simpler the better. Here's a dead simple date formatter snippet that works in all modern browsers as well as node apps.

// define formatter
const locale = 'en-US';
const options = {
  year: 'numeric',
  month: 'short',
  day: 'numeric',
  hour: 'numeric',
  minute: '2-digit'
};
const formatter = new Intl.DateTimeFormat(locale, options);

// use
const date = new Date();
const formattedDate = formatter.format(date);

Typed version is also here:

What's going on above? We grab the current date with new Date(), instantiate the formatter with Intl.DateTimeFormat providing the locale string and date format options object.

Tiny playground file:

datetime-format.js

const date = new Date();
const locales = ['en-US', 'en-GB', 'en-CA'];
const options = {
  year: 'numeric',
  month: 'short',
  day: 'numeric',
  hour: 'numeric',
  minute: '2-digit'
};

for (let locale of locales) {
  const formatter = new Intl.DateTimeFormat(locale, options);
  const formattedDate = formatter.format(date);
  console.log(`formattedDate: ${locale} -->`, formattedDate);
}

Running it in node will produce the following result:

~/dev/node-playground » node datetime-format.js
formattedDate: en-US --> Dec 16, 2021, 2:28 AM
formattedDate: en-GB --> 16 Dec 2021, 2:28
formattedDate: en-CA --> Dec. 16, 2021, 2:28 a.m.

Sweet. No deps. Just using the platform.

More info on MDN: DateTimeFormat

AWS Certified Security Specialty Exam - Practice Questions

Oleg Chursin — Tue, 14 Dec 2021 16:52:22 +0000

A list of practice questions with answers to help prepping yourself for AWS Certified Security Specialty Exam.

A security engineer must ensure that all infrastructure that is launched in the company AWS account is monitored for changes from the compliance rules. All Amazon EC2 instances must be launched from one of a specified list of Amazon Machine Images (AMIs), and all attached Amazon Elastic Block Storage (Amazon EBS) volumes must be encrypted. Instances that are not in compliance must be terminated. Which combination of steps should the security engineer implement to meet these requirements?

Monitor compliance with AWS Config rules. AWS Config is used to monitor the configuration of AWS resources in your AWS account. It ensures compliance with internal policies and best practices by auditing and troubleshooting configuration changes.
Create a custom remediation action by using AWS Systems Manager Automation runbooks. You can set up remediation actions through the AWS Config console or API. Choose the remediation action you want to associate from a pre-populated list, or create your own custom remediation actions by using Systems Manager Automation runbooks.

For more information about using AWS Config rules for automatic remediation, see Use AWS Config Rules to Automatically Remediate Non-compliant Resources .

For more information about AWS Systems Manager Automation runbooks, see AWS System Manger Automation .

For more information about how to create runbooks, see Creating a runbook that runs a script (console) .

A company policy requires that no insecure server protocols are used on its Amazon EC2 instances. These protocols include FTP, Telnet, and HTTP. The company’s security team wants to evaluate compliance with this requirement by using a scheduled Amazon EventBridge (Amazon CloudWatch Events) event to review the current infrastructure and create a regular report about the EC2 instances. Which process will check the compliance of the company’s EC2 instances?

Run an Amazon Inspector assessment by using the Network Reachability rules package against the instances.

Amazon Inspector tests the network accessibility of your EC2 instances and the security state of your applications that run on those instances. Amazon Inspector assesses applications for exposure, vulnerabilities, and deviations from best practices. The rules in the Network Reachability package analyze your network configurations to find security vulnerabilities of your EC2 instances.

For more information about Amazon Inspector, see What is Amazon Inspector?

For more information about the Network Reachability rules for Amazon Inspector, see Network Reachability .

A company has a legacy application that outputs all logs to a local text file. Logs from all applications that run on AWS must be continually monitored for security related messages. What should the company do to deploy the legacy application on Amazon EC2 and still meet the monitoring requirement?

Send the local text log files to Amazon CloudWatch Logs, and configure a CloudWatch metric filter. Set CloudWatch alarms based on the metrics.

You can see all of your logs, regardless of their source, as a single and consistent flow of events ordered in time by using CloudWatch Logs. You can query and sort your logs based on other dimensions, group them by specific fields, create custom computations by using a query language, and visualize log data on the dashboards.

For more information about CloudWatch Logs, see What is Amazon CloudWatch Logs?

For more information about CloudWatch metric filters, see Creating metrics from log events using filters .

A company is using AWS CloudTrail to log all AWS API activity for all AWS Regions in all of its accounts. The company wants to protect the integrity of the log files in a central location. Which combination of steps will protect the log files from alteration? (TWO)

Create a central Amazon S3 bucket in a dedicated log account. In the member accounts, grant CloudTrail access to write logs to this bucket.

This solution meets the requirement to log all AWS API activity to a central location by providing all the AWS accounts the ability to push their logs to a central S3 bucket.

Enable AWS Organizations for all AWS accounts. Enable CloudTrail with log file integrity validation while creating an organization trail. Direct logs from this trail to a central Amazon S3 bucket.

Create a central S3 bucket in a dedicated log account. To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation. CloudTrail log file integrity validation ensures the integrity of the log files by reporting if a log file has been deleted or changed. When you set up an organization trail within Organizations, you can enable log file integrity validation. The trail logs activity for all organization accounts in the same S3 bucket. Member accounts will not be able to delete or modify the organization trail. Only the management account will be able to delete or modify the trail for the organization.

A company has an external vendor that must deliver files to the company. The vendor has cross-account access that gives them permission to upload objects to an Amazon S3 bucket owned by the company. The company wants to have complete control of the objects after they have been uploaded by the vendor. Which combination of steps must the vendor follow to successfully deliver a file to the company? (TWO)

Configure S3 Object Ownership for the S3 upload bucket.

S3 Object Ownership is an S3 feature that enables bucket owners to automatically assume ownership of objects that are uploaded to their buckets by other AWS accounts.
For more information about S3 Object Ownership, see Controlling ownership of uploaded objects using S3 Object Ownership .

Upload the file to the company's S3 bucket as an object by using the Write-S3Object command.

You can use the Write-S3Object Tools for Windows PowerShell command to upload an object.

For more information about granting object permissions, see Bucket owner granting permissions to objects it does not own .

A company will deploy a new application on Amazon EC2 instances in private subnets. The application will transfer sensitive data to and from an Amazon S3 bucket. According to compliance requirements, the data must not traverse the public internet. Which solution meets the compliance requirement?

Access the S3 bucket through a VPC endpoint for S3.

A VPC endpoint is correct because it enables you to privately connect your VPC to supported AWS services. A VPC endpoint, powered by AWS PrivateLink, does not require the use of an internet gateway, NAT device, VPN connection, or AWS Direct Connect.

An application that runs on Amazon EC2 instances in a VPC must access sensitive data in an on-premises data center. No network connections are present other than the internet. The connection must be encrypted with IPsec encryption in transit and have consistent low latency. Which hybrid architecture meets these requirements?

Set up a VPN between the VPC and the data center over an AWS Direct Connect connection.

This solution combines the benefits of the secure IPsec connection with the low latency and increased bandwidth of Direct Connect. This solution provides a more consistent network experience than internet-based VPN connections. A BGP connection is established between Direct Connect and your router on the public VIF. Another BGP session or a static router will be established between the virtual private gateway and your router on the IPsec VPN tunnel.

An AWS customer performs DDoS testing with a large simulated attack on its web application, which is running on Amazon EC2 instances. Later, AWS contacts the customer and informs the customer that the testing violated the AWS Customer Agreement. How can the customer perform future testing without violating the agreement?

Work with an AWS Partner Network (APN) Partner to perform the simulation.

A DDoS simulation can only be performed with the assistance of an APN Partner. If a customer conducts a simulation without the APN Partner, the customer is in violation of the AWS Customer Agreement.

For more information about DDoS simulations, see DDoS Simulation Testing Policy .

An application that runs on Amazon EC2 instances in a VPC must call an external web service by using TLS (port 443). The EC2 instances run in public subnets. Which configurations allow the application to function and minimize the exposure of the instances? (TWO)

A network ACL with rules that allow outgoing traffic on port 443 and incoming traffic on the ephemeral ports

A network ACL is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. Network ACLs are stateless. Responses to allowed inbound traffic are subject to the rules for outbound traffic, and responses to allowed outbound traffic are subject to the rules for inbound traffic. Based on its stateless property, outgoing traffic on port 443 and incoming traffic on ephemeral ports must be allowed. Ephemeral ports are for the return traffic to the client.

A security group with a rule that allows outgoing traffic on port 443

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. A security group is stateful, which means that if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. So, you need to only allow outgoing traffic on port 443.

A company wants to make available an Amazon S3 bucket to a vendor so that the vendor can analyze the log files in the S3 bucket. The company has created an IAM role that grants access to the S3 bucket. The company also has to set up a trust policy that specifies the vendor account. Which pieces of information are required as arguments in the API calls to access the S3 bucket? (TWO)

The Amazon Resource Name (ARN) of the IAM role in the company's account

The ARN of the IAM role you want to assume needs to be specified as an argument in the API call. The IAM role is created in the company’s account. A trust policy is established and attached to the IAM role so that the vendor can assume the role.

For more information about assuming an IAM role, see AssumeRole .

For more information about delegating access across AWS accounts by using IAM roles, see IAM tutorial: Delegate access across AWS accounts using IAM roles .

An external ID originally provided by the vendor to the company

You must always specify the external ID in your AssumeRole API calls. The external ID allows the user that is assuming the role to assert the circumstances in which they are operating. It also provides a way for the account owner to permit the role to be assumed only under specific circumstances.

For more information about using an external ID when granting access to your AWS resources, see How to use an external ID when granting access to your AWS resources to a third party .

Every application in a company’s portfolio has a separate AWS account for development and production. These accounts are centrally managed and governed within AWS Organizations. The security team wants to make sure all IAM users in the production accounts are not allowed to manually modify or update the AWS Key Management Service (AWS KMS) encryption keys. How can the security team control this functionality?

Create an SCP that denies access to the services. Assemble all production accounts in an OU. Apply the policy to that OU.

SCPs are a type of organization policy that you can use to manage permissions in your organization. By using an SCP, your accounts stay within your organization’s access control guidelines. Because the requirement is for all IAM users in the production accounts, the policy should be applied to the hierarchy OU of those production accounts.

For more information about SCPs, see Managing the AWS accounts in your organization .

For more information about Organizations, see What is AWS Organizations?

An AWS Lambda function reads metadata from an Amazon S3 object and stores the metadata in an Amazon DynamoDB table. The function runs whenever an object is stored within the S3 bucket. How should a security engineer give the Lambda function access to the DynamoDB table?

Create an IAM service role with permissions to write to the DynamoDB table. Associate that role with the Lambda function.

This method is a valid way to create an IAM role that has the required permissions and to associate the IAM role with the Lambda function. You specify the IAM role when you create your Lambda function. You can choose an existing managed policy or create your own policy with permissions. The permissions you grant to this role determine what the Lambda function can do when it assumes the role.

For more information about the Lambda execution role, see AWS Lambda execution role .

For more information about resource-based policies for Lambda, see Using resource-based policies for AWS Lambda .

A company wants to enable SSO so that its employees can sign in to the AWS Management Console by using the company’s SAML provider. Which combination of steps are required as part of the process? (TWO)

Create IAM policies that can be mapped to group memberships in the corporate directory.

The IAM policies are assigned to the IAM role that is authenticated by the SAML assertion.

For more information about assuming a role with SAML, see AssumeRoleWithSAML .

Create an IAM role that establishes a trust relationship between IAM and the corporate SAML identity provider (IdP).

This step is to create an IAM role that establishes a trust relationship between IAM and your IdP. This role must identify your IdP as a principal (trusted entity) for purposes of federation.

For more information about the trust relationship, see Enabling SAML 2.0 federated users to access the AWS Management Console .

For more information about the federation IAM role, see Prerequisites for creating a role for SAML .

A company generates sensitive records that it stores in an Amazon S3 bucket. The company encrypts all objects in the S3 bucket by using one of the company’s CMKs for server-side encryption with AWS KMS managed encryption keys (SSE-KMS). Compliance policies require the company to use a different encryption key for each month of data. Which solution will meet these requirements?

Use Amazon EventBridge (Amazon CloudWatch Events) to schedule a monthly AWS Lambda function that creates a new CMK and updates the S3 bucket to use the new CMK as an S3 Bucket Key.

EventBridge (CloudWatch Events) is a serverless event bus service that makes it easy to connect your applications with data from a variety of sources. A Lambda function can be invoked by EventBridge (CloudWatch Events) to create a new CMK.

For more information about S3 Bucket Keys, see Reducing the cost of SSE-KMS with Amazon S3 Bucket Keys .

For more information about EventBridge (CloudWatch Events), see What is Amazon EventBridge?

A company has several CMKs. Some of the CMKs have imported key material. The company’s security team must rotate each CMK annually. Which methods can the security team use to rotate each CMK? (TWO)

Enable automatic key rotation for a CMK.

Automatic key rotation is disabled by default on customer managed CMKs. When you enable (or re-enable) key rotation, AWS KMS automatically rotates the CMK 365 days after the enable date and every 365 days thereafter.

Import new key material to a new CMK. Point the key alias to reference the new CMK.

You can either rotate the key automatically or manually. To rotate the key manually, import new key material to a new CMK and update the alias to the new CMK.

For more information about rotating CMKs, see Rotating AWS KMS keys .

An application that runs on Amazon EC2 instances must use a user name and password to access a legacy application. A developer has stored those secrets in AWS Systems Manager Parameter Store with type SecureString by using the default AWS Key Management Service (AWS KMS) CMK. Which combination of configuration steps will allow the application to access the secrets through the API? (TWO)

Add a permission to the EC2 instance role that allows it to read the Systems Manager parameter.

For the application to use the credentials, the following IAM policies are assigned to the instance role:

{
    “Version”:”2012-10-17”,
    “Statement”:[
        {
            “Effect”:”Allow”,
            “Action”:[
                “ssm:GetParameters”
            ],
            “Resource”:[
                “arn:aws:ssm:region:account-id:parameter/prod-*”
            ]
        },
        {
            “Effect”:”Allow”,
            “Action”:[
                “kms:Decrypt”
            ],
            “Resource”:[
                “arn:aws:kms:region:account-id:key/KMSkey”
            ]
        }
    ]
}

The policies grant permission to the EC2 instance role so that it can read the Systems Manager parameter and decrypt the parameter with the KMS encryption key.

For more information about how to restrict access to Systems Manager parameters by using IAM policies, see Restricting access to Systems Manager parameters using IAM policies .

Add a permission to the EC2 instance role that allows it to decrypt the KMS encryption key.

Original source: https://amazonwebservices.benchprep.com/

AWS Certified Security - Specialty | Infrastructure Security (notes)

Oleg Chursin — Sat, 11 Dec 2021 16:15:11 +0000

While getting ready to sit AWS Certified Security - Specialty exam, I jotted down a few notes. Breaking them into sections corresponding to the exam domains. Here's Infrastructure Security domain.

Each note starts with a problem/situation statement in bold followed up with either a service description or a list of practical actions to be taken in response to the stated problem.

Migrating an application from on-prem to AWS (two regions). What to do with custom SSL certs?

Import the existing certificate and private key into Certificate Manager in both regions. Assign that imported certificate to the Application Load Balancers using their respective regionally imported certificate.

You can import private certificates into Certificate Manager and assign them to all the same resources you can with generated certificates, including an ALB. Also note that Certificate Manager is a regional service so certificates must be imported in each region where they will be used.

Solution to protect your website against DDoS attacks, SQL injection and cross-site scripting attacks.

Use AWS WAF to protect against SQL injection
Use AWS Shield to protect against DDoS attacks
Use AWS WAF to protect against cross-site scripting
Use AWS WAF to protect against DDoS attacks

You would like to protect your application from attacks such as SQL injection and cross-site scripting.

CloudFront
AWS WAF
Application Load Balancer AWS WAF protects websites against SQL injection and cross-site scripting attacks. WAF is closely integrated with CloudFront and Application Load Balancer.

Configuring the bastion host.

Limit inbound connections to the bastion host to the CIDR range that will be used by your administrators
Deploy the bastion host in the public subnet of your VPC
Configure your Security Group to allow inbound connections on port 22 Access to bastion hosts should be locked down to known CIDR ranges for ingress. Ports should be limited to allow only the necessary access to the bastion hosts. For Linux bastion hosts, TCP port 22 for SSH connections is typically the only port allowed. Bastion hosts are deployed in the public subnets of the VPC.

Replacing A Lost Key Pair

Stop the instance, detach its root volume and attach it to another instance as a data volume, modify the authorized_keys file, move the volume back to the original instance. Restart the instance.

If you lose the private key for an EBS-backed instance, you can regain access to your instance. You must stop the instance, detach its root volume and attach it to another instance as a data volume, modify the authorized_keys file, move the volume back to the original instance, and restart the instance.

Test failover capability of Multi-AZ RDS instance. Initiated a reboot with failover expecting only a short outage while the standby instance was promoted and the DNS path was updated. After the failover, DB was unreachable rom on-prem network despite being in an “Available” state.

The subnets in the subnet group did not have the same routing rules. The standby subnet did not have a valid route back to the on-prem network so the database could not be reached despite being available.

A compromised Linux based EC2 instance has initiated a DOS attack. Steps to isolate the instance and perform additional analysis.

Update the security group to prevent all outbound traffic.
Update the instances’ security group to only allow inbound traffic on port 22 and limit incoming traffic from only your internal IP addresses for analysis.

Setting up a new VPC from scratch. Not able to reach the Amazon Linux web server instance launched in VPC from on-prem network using a web browser. You have verified the internet gateway is attached and the main route table is configured to route 0.0.0.0/0 to the internet gateway properly. What’s going on?

The instance is deployed in a subnet associated with a network ACL that only allows outbound traffic on port 80 ad 22.

For an HTTP connection to be successful, you need to allow port 80 inbound and allow the ephemeral ports outbound. Additionally, it is possible that the subnet is not associated with the route table containing the default route to the internet.

Design a solution to perform deep packet inspection.

Use AWS Network Firewall

You can filter network traffic at the perimeter of your VPC using AWS Network Firewall. Network Firewall is a stateful, managed, network firewall and intrusion detection and prevention service. Rule groups in AWS Network Firewall provide detailed criteria for packet inspection and specify what to do when a packet matches the criteria. When Network Firewall finds a match between the criteria and a packet, the packet matches the rule group.

Implement end-to-end encryption in transit for all network communication between your users and your application servers.

Use a Network Load Balancer and terminate TLS on the EC2 instance

Application Load Balancers load balance at the HTTP and HTTPS level. Network Load Balancers work at the TCP and TLS level. For end-to-end encryption, you need to terminate SSL /TLS on the EC2 instance and this is only possible using the Network Load Balancer or Classic Load Balancer.

Deliver content over HTTPS and users will only be able to access the website using CloudFront. In which region do you request an SSL cert?

If you want to require HTTPS between viewers and CloudFront, you must change the AWS region to US East 1 (N. Virginia) in the AWS Certificate Manager console before you request or import a certificate.

Protecting against SQL injection and cross-site scripting attacks.

AWS WAF is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block, or monitor web requests based on conditions that you define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection and cross-site scripting.

Implement a solution to help protect the website from DDoS attacks. Services to use:

AWS Shield
AWS WAF
Amazon CloudFront

When attempting to protect your application against DDoS attacks, services such as Route 53, Amazon CloudFront, Elastic Load Balancing, and AWS WAF can all be used to control and absorb traffic, and deflect unwanted requests. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

Help an IT organization meet security audit requirements imposed on them by a prospective customer.

Employ Amazon Inspector to periodically assess applications for vulnerabilities or deviations from best practices.

Most efficiently protect against SQL injection attacks.

Use AWS WAF to deny requests that contain SQL code

Website uses an S3 bucket configured as a website endpoint behind a CloudFront distribution, using a custom domain name. Make sure users are only allowed to access the website using HTTPS.

Provide a custom SSL Certificate in CloudFront and configure CloudFront to use HTTPS to get files from your S3 bucket (origin)

Stateful/stateless sec groups and ACLs.

Security Groups are stateful, so only an outbound rule is required. Network ACLs are stateless, so both an inbound and outbound rule is required. The third party will not reply using the same port, instead it will use ephemeral ports. So the Network ACL will need to allow the reply to come through using ephemeral ports.

Auto patches of Windows Server EC2 instance.

Make use of Patch Manager and the AWS-DefaultPatchBaseline pre-defined baseline

The default predefined patch baseline for Windows servers in Patch Manager is AWS-DefaultPatchBaseline.

Bucket policy keys used in a conditional to test for encrypted connections.

aws:SecureTransport

The key aws:SecureTransport can be used in a conditional statement to determine if the connection is encrypted (Condition: {Bool: {aws:SecureTransport: true}} for example).

Protect your website against DDoS attacks, SQL injection and cross-site scripting attacks. Services to be used:

Use AWS WAF to protect against SQL injection
Use AWS WAF to protect against DDoS attacks
Use AWS WAF to protect against cross-site scripting
Use AWS Shield to protect against DDoS attacks

AWS Shield protects against DDoS, AWS WAF protects against SQL injection and cross-site scripting. AWS WAF rules can block common web-based attacks.

AWS Certified Security - Specialty | Logging and Monitoring (notes)

Oleg Chursin — Mon, 06 Dec 2021 21:58:19 +0000

While getting ready to sit AWS Certified Security - Specialty exams, I jotted down a few notes. Breaking them into sections corresponding to the exam domains. Here's Logging and Monitoring domain.

Each note starts with a problem/situation statement in bold followed up with either a service description or a list of practical actions to be taken in response to the stated problem.

Application crashed but no logs exist for this application. What’s going on?

The CloudWatch Logs agent is not installed
The CloudWatch Logs agent is not running
The Instance role does not have permission to write to CloudWatch Logs Access to AWS resources requires permissions. You need to create an IAM role that includes the permissions you need for the CloudWatch agent to write logs to CloudWatch. The CloudWatch agent must be installed and running in order for the EC2 instance to send application logs to CloudWatch Logs.

The existing trail configuration needs to be modified to stop management events from being logged in the S3 bucket

Update the Management Events option to None. Since a trail configuration can only reference a single S3 bucket, a new trail must be created. The new trail needs to be configured to log only management events to a different S3 bucket. Additionally, a bucket policy is required to give CloudTrail the necessary permissions to write logs to the specified S3 bucket. CloudTrail trail configurations do not inherit from other trails and editing a trail configuration is not against best practices.

You are not able to access the application from the internet, from your other VPC or from your own data centre. Security groups and network ACLs are configured correctly.

Use VPC Flow Logs to analyze the traffic. VPC Flow Logs enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow logs can help you with a number of tasks; for example, to troubleshoot why specific traffic is not reaching an instance, which in turn helps you diagnose overly restrictive security group rules.

You need to create a new AWS account to stream all important CloudWatch events from various AWS accounts to a single account to centralize security efforts.

You can deliver the events to other accounts through a new CloudWatch Events resource called Event Bus. All AWS accounts have one default event bus. To send events to another account, you simply write rules to match the events of interest and attach an event bus in the receiving account as the target to the rule. CloudWatch Event Rules are used to trigger predefined actions based on a given type of event and are not used to send events to other accounts.

Data events for Lambda and S3 are not available in Amazon CloudWatch Events. What could be the reason for this?

Your Lambda function and S3 resources haven’t been added to a CloudTrail trail.
Data events are not logged by default. Data events provide visibility into the resource operations performed on or within a resource. Data events are not logged by default when you create a trail. To record CloudTrail data events, you must explicitly add the supported resources or resource types for which you want to collect activity to a trail.

Analyze the API activity in your AWS account and have the ability to isolate activity by attributes, such as source IP address and user. Which services can you use?

Athena
CloudTrail CloudTrail is used to record all API activity in your account. Using Athena with CloudTrail logs is a powerful way to enhance your analysis of AWS service activity. For example, you can use standard SQL queries to identify trends and further query activity by attributes, such as source IP address or user.

You are unable to access CloudTrail logs. You have checked your IAM permissions, and your user account is allowed to describe CloudTrail logs and look up events. What could be the problem?

You do not have read permission for the S3 bucket.
You do not have permission to use the CMK to decrypt the logs. You must have S3 read permission on the bucket. If you are using KMS to encrypt the logs, any user who accesses the logs must be granted decrypt permission by the CMK policy.

Multiple separate AWS accounts are configured to send CloudTrail logs to the same S3 bucket. However some of the accounts have not been sending any logs. What is the problem?

The accounts do not have permission to write to the S3 bucket You can have CloudTrail deliver log files from multiple AWS accounts into a single Amazon S3 bucket. To accomplish this, turn on CloudTrail in the account where the destination bucket will belong, configure the bucket policy to allow cross-account permission. Turn on CloudTrail in the other accounts, configure all accounts to log to the destination bucket.

Which AWS CLI fragment command can be used to determine the integrity of the CloudTrail log files.

aws cloudtrail validate-logs The CLI command fragment, aws cloudtrail validate-logs will identify if any of the CloudTrail logs have been modified or deleted. The other choices are incorrect.

You have noticed some unusual activity in your AWS account. You need to quickly assess the situation, understand the extent of the problem and would like to continually monitor your infrastructure.

GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify malicious activity. For example, GuardDuty can detect unusual behavior like sending spam emails, querying a domain name associated with a known command and control server, generating a large volume of outbound TCP traffic - all signs that the instance is being controlled by a malicious actor.

You need to separate data and management events in CloudTrail logs. What is the best way to configure this so that everyone gets the access they need on a least privilege basis?

Configure two CloudTrails, one to log data events and one to log management events with each trail logging to a different S3 bucket. Create 2 different IAM policies and attach them to the appropriate groups, one allowing read only access to the data events CloudTrail and associated S3 bucket and one allowing read only access to the management events CloudTrail and associated S3 bucket.

Management and Data events are handled by separate CloudTrails. You should log the events to separate buckets, then configure access to the CloudTrail and read only access to the S3 bucket using an IAM policy attached to the user or group. Give each class of user only the access they need. Log Groups are related to CloudWatch not CloudTrail.

You suspect that one of your instances has been compromised and is attempting to communicate with a command and control server. Which services can you use to investigate this?

Amazon Inspector
VPC Flow Logs
GuardDuty

You can use Amazon Inspector to assess your assessment targets (collections of AWS resources) for potential security issues and vulnerabilities. Amazon Inspector compares the behavior and the security configuration of the assessment targets to selected security rules packages. In the context of Amazon Inspector, a rule is a security check that Amazon Inspector performs during the assessment run. The rules in the Network Reachability package analyze your network configurations to find security vulnerabilities of your EC2 instances. These rules help automate the monitoring of your AWS networks and identify where network access to your EC2 instances might be misconfigured.

VPC Flow Logs can be used as a security tool to monitor the traffic that is reaching your instance, to profile your network traffic, and to look for abnormal traffic behaviors. You can use VPC Flow Logs to watch for abnormal and unexpected denied outbound connection requests, which could be an indication of a misconfigured or compromised EC2 instance.

GuardDuty continuously analyzes VPC Flow Logs and DNS requests and responses to identify malicious, unauthorized, or unexpected behavior in your AWS accounts and workloads.

Have CloudTrail deliver log files from multiple AWS accounts into a single Amazon S3 bucket. Two approaches.

To accomplish this, turn on CloudTrail in the account where the destination bucket will belong, configure the bucket policy to allow cross-account permission. Turn on CloudTrail in the other accounts, configure all accounts to log to the destination bucket. You cannot configure cross account access using the bucket ACL.
Use AWS CloudTrail and a user in a management account to create an organization trail that logs all events for all AWS accounts in that organization in the same Amazon S3 bucket.

Determine if any EC2 instances are used for bitcoin mining.

Use AWS GuardDuty to see if any of your instances are querying a domain name that is associated with cryptocurrency-related activity

GuardDuty is a continuous security monitoring service that analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. It uses threat intelligence feeds, such as lists of malicious IPs and domains, and machine learning to identify malicious activity. This can include issues like escalations of privileges, uses of exposed credentials, or communication with malicious IPs, URLs, or domains. For example, GuardDuty can detect compromised EC2 instances serving malware or mining bitcoin.

AWS Certified Security - Specialty | Incident response (notes)

Oleg Chursin — Mon, 06 Dec 2021 17:39:34 +0000

While getting ready to sit AWS Certified Security - Specialty exams, I jotted down a few notes. Breaking them into sections corresponding to the exam domains. Let's start with Incident Response in this post.

Each note starts with a problem/situation statement in bold followed up with either a service description or a list of practical actions to be taken in response to the stated problem.

Your AWS account has been compromised. Your immediate actions.

Change your AWS account root user password.
Delete or rotate all root and AWS Identity and Access Management (IAM) access keys.
Delete any potentially compromised IAM users, and change the password for all other IAM users.
Delete any resources on your account you didn’t create, such as EC2 instances and AMIs, EBS volumes and snapshots, and IAM users.

Isolate any compromised instances so that they cannot communicate with any other instances in your VPC or with any third party command and control server.

Create a restrictive Security Group which only allows SSH from a single forensic workstation. Use Lambda to replace the existing Security Group with the newly created restrictive Security Group as soon as the instance is detected as being compromised. You cannot apply a Network ACL to an instance because ACLs apply to the whole subnet.

Enable CloudTrail logging in all regions where you currently have AWS infrastructure

Enable multi-region CloudTrail. You can configure CloudTrail to deliver log files from multiple regions to a single S3 bucket for a single account. When a new region launches in the AWS partition, CloudTrail automatically creates a trail for you in the new region with the same settings as your original trail.

Service that uses machine learning to help monitor malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in S3.

Amazon GuardDuty is the only solution that that uses machine learning to help monitor malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in S3. It has a build-in list of suspect IP addresses and you can also upload your own lists of IPs. GuardDuty can trigger CloudWatch events which can then be used for a variety of activities like notifications or automatically responding to a threat. AWS Macie is a service to discovery and classify potentially sensitive information. CloudWatch alone lacks the business rules that are provided with GuardDuty.

Quickly block this malicious activity from a specific range of IP addresses.

Create a Network ACL to deny access to any traffic coming from this IP range. A Network Access Control List is an optional layer of security for your VPC which acts as a firewall, controlling traffic in and out of one or more subnets. Security Groups cannot be used to explicitly deny traffic from a known IP range. Flow Logs are used to monitor network traffic, but cannot be used to block traffic. GuardDuty only detects malicious activity, it cannot block traffic.

Restrict user ability to launch EC2 instances and change Security Group settings at any time.

Implement event based security using CloudTrail and CloudWatch Events which alerts when a user performs an action which is against company policy and sends an SNS notification. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting. In addition, you can use CloudTrail to detect unusual activity in your AWS accounts. CloudWatch Events can respond to unauthorized actions detected by CloudTrail and send SNS notifications to report security breaches.

IDS/IPS - intrusion detection systems, intrusion prevention systems.

If you are running a third-party IDS/IPS on EC2 and want to configure your IDS system to trigger an automated response to contain an attack by immediately shutting down affected systems if an intrusion is detected, you should send the IDS application logs to CloudWatch Logs, use CloudWatch to send an SNS notification alerting you of any incidents. Use Lambda to shut down affected systems.

How To Export Data to Excel in Angular

Oleg Chursin — Wed, 17 Jun 2020 19:30:09 +0000

Data export to Excel is a common task in modern business-facing apps and of course we have npm packages to help us do just that. An amazing one to consider is Angular Material Table Exporter. But there are a big prerequisite to use it. Your data has to be rendered using Material Table. If you are OK with it, then follow the docs for the mat-table-exporter package for a painless integration - it works like a charm. One gotcha that you may face is the bundle size. If you follow the default integration steps and add MatTableExporterModule to shared.module.ts, your bundle size may gain 1.5Mb. Of course you can lazy-load it, move to the server completely, or use the method below.

Meet excel-export Service

We will be using only one fairly low-level dependency - xlsx and go from there. Let’s make sure we have the latter installed:

npm i xlsx

Now we have access to a plethora of methods and options provided by this awesome package which will be integrated into excel-export.service.ts.

TLDR: Here’s what the service looks like:

// excel-export.service.ts

import { utils as XLSXUtils, writeFile } from 'xlsx';
import { WorkBook, WorkSheet } from 'xlsx/types';

import { Injectable } from '@angular/core';

export interface IExportAsExcelProps {
  readonly data: any[];
  readonly fileName: string;
  readonly sheetName?: string;
  readonly header?: string[];
  readonly table?: HTMLElement;
}

@Injectable({
  providedIn: 'root'
})
export class ExcelExportService {
  fileExtension = '.xlsx';

  public exportAsExcel({
    data,
    fileName,
    sheetName = 'Data',
    header = [],
    table
  }: IExportAsExcelProps): void {
    let wb: WorkBook;

    if (table) {
      wb = XLSXUtils.table_to_book(table);
    } else {
      const ws: WorkSheet = XLSXUtils.json_to_sheet(data, { header });
      wb = XLSXUtils.book_new();
      XLSXUtils.book_append_sheet(wb, ws, sheetName);
    }

    writeFile(wb, `${fileName}${this.fileExtension}`);
  }
}

What’s going on above?

First, official xlsx docs tell you to import everything from xlsx:

import * as XLSX from 'xlsx';

It works, but my personal preference is to import individual methods, interfaces, types, and not pull the whole library along. Hence the adjusted import declarations:

import { utils as XLSXUtils, writeFile } from 'xlsx';
import { WorkBook, WorkSheet } from 'xlsx/types';

We will have only one public method exportAsExcel that takes the following props: data, fileName, sheetName, header, table with the following interface:

export interface IExportAsExcelProps {
  readonly data: any[];
  readonly fileName: string;
  readonly sheetName?: string;
  readonly header?: string[];
  readonly table?: HTMLElement;
}

The data has to be in JSON format to make json_to_sheet util method happy. Read more about it in the docs: json_to_sheet

If you prefer to grab the DOM’s <table> Element and convert its contents into Excel doc, just pass the desired HTMLElement through and our service will use table_to_book method. More info on that in the docs: table_to_book

Well, fileName and sheetName are self-explanatory, se we are left with the last optional prop: header.

This is an array of keys from your data Object that controls the column order. If you don’t explicitly pass it, xlsx defaults to Object.keys. Read more on header: https://github.com/SheetJS/sheetjs#array-of-objects-input

I believe this is all. Just massage the data you want to send down or play with the <table> contents and you have a working Export as Excel service you can call whenever you need it.

Browser Security Headers with Gatsby and Netlify

Oleg Chursin — Thu, 21 May 2020 14:48:13 +0000

Our goals:

create a simple website (blog)
add a new blog post
push it to GitHub
publish our website to Netlify
secure it with browser security headers

Your takeaways:

step-by-step guide on how to publish a website with Netlify
Netlify config file with working config for basic browser security headers

Let’s go

Step 1. Create a simple website (blog).

Question 0 - which tech stack to use. We will be working with GatsbyJS (GatsbyJS) which is an amazing static site generator allowing to create blazing fast websites at almost no time. I will not waste time enumerating all of the Gatsby features, but do make sure that you play with it. And if you happen to like the result, feel free to join GatsbyNYC Meetup (Gatsby NYC (New York, NY) | Meetup) that I have an honor to co-host.

Make sure you have gatsby-cli installed by running gatsby —v. If not install Gatsby globally with:

npm install -g gatsby-cli

GatsbyJS has a concept they call starters. And for our needs we will chose gatsby-starter-blog (gatsby-starter-blog: Gatsby Starter | GatsbyJS) that will leave us with a simple setup to jump-start a blog. By the way, this starter was inspired by Dan Abramov’s blog - Overreacted, which in it’s own turn is a Gatsby website (Overreacted — A blog by Dan Abramov).

Let’s create a new project with the following command:

gatsby new our-blog-name https://github.com/gatsbyjs/gatsby-starter-blog

And open it in your favorite text-editor. You will get the following structure:

> content
> node_modules
> src
> static
  .gitignore
  .prettierignore
  .prettierrc
  gatsby-browser.js
  gatsby-config.js
  gatsby-node.js
  LICENSE
  package-lock.json
  package.json
  README.md

The folder that is of interest to us is content - that’s where our blog posts live in the for of markdown files. And that’s where we will be adding our new blog post.

It’s high time to see something in the browser. Fire up your newly created blog with npm start or yarn start. This will run gatsby develop command under the hood which will do it’s magic and make your blog available at http://localhost:8000/ by default.

Step 2. Add a new blog post

You may have noticed that Gatsby gives you some magic to play with. Folders (folder-names) in content > blog automagically become routes. The same thing happens with folders in pages.

Therefore, we will create a new folder in blog. Let’s name it deploy-and-secure. Inside the newly created folder we will touch index.mdfile with the following content:

---
title: Deploy Your Site Securely and Easily with Netlify and Browser Headers
date: "2020-05-20T22:12:03.284Z"
description: "Deploy Your Site Securely and Easily with Netlify and Browser Headers"
---

*Our goals:*
* create a simple website (blog)
* add a new blog post
* push it to GitHub
* publish our website to Netlify
* secure it with browser security headers

The part in between --- is called the front matter. You may have come across it if you have a blog on DEV.to. The rest is a good old markdown file. Just add your content and publish.

Step 3. Publish our blog with Netlify.

There are numerous ways to publish your static site these days, but Netlify is probably one of the coolest.

Things we need to be successful:

a website
GitHub repo
Netlify account

We already have our new and shiny website. You don’t need my help to push it to a GitHub repo. Let’s do the Netlify part.

Next steps are taken under assumption that you created a Netlify account and connected it to your GitHub account. Easy.

So, within Netlify we click on New site from Git to setup our CD flow. Netlify will prompt us with the following:

Continuous Deployment

Choose the Git provider where your site’s source code is hosted. When you push to Git, we run your build tool of choice on our servers and deploy the result.

We chose GitHub, search for the needed repo and select it.

Then we specify branch to deploy. In our case let’s stick to default master , although for most of my personal projects I prefer to have a separate prod branch. Netlify is crazy smart so it already knows that we have a Gatsby site, so in Basic build settings section it gives us all the needed defaults for build command and publish directory.

Hit Deploy site now. Wait… and wait again. Once it’s done you site is available under netlify-generated url. Let’s change that.

Click on Domain settings and under Custom domains click on Options and Edit this name. Save your changes and voila you have your site on https://your-site-name.netlify.com

Step 4. Secure your website with browser security headers

Always start with definition:
Browser security headers - HTTP response headers that your application can use to increase the security of your application. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities.

More information on headers:

OWASP Secure Headers Project
bit.ly/owasp-security-headers

MDN docs

Strict-Transport-Security // Strict-Transport-Security - HTTP | MDN
Content Security Policy (CSP) // Content Security Policy (CSP) - HTTP | MDN
X-Frame-Options // X-Frame-Options - HTTP | MDN
X-Content-Type-Options // X-Content-Type-Options - HTTP | MDN
Referrer-Policy // Referrer-Policy - HTTP | MDN
Feature-Policy // Feature-Policy - HTTP | MDN

Course on Pluralsight
Introduction to Browser Security Headers by Troy Hunt

Source: Introduction to Browser Security Headers | Pluralsight

How to add headers in Netlify

RTFM. Netlify docs on custom headers: Custom headers | Netlify Docs

Straightforward, right? Let’s do it.

TL;DR

Add netlify.toml to the root.

[[headers]]
  for = "/*"
  [headers.values]
    Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
    Content-Security-Policy = "default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob:; style-src data: 'unsafe-inline' https:; img-src data: https: blob:; font-src data: https:; connect-src https: wss: blob:; media-src https: blob:; object-src https:; child-src https: data: blob:; form-action https:; block-all-mixed-content"
    X-Frame-Options = "DENY"
    X-Content-Type-Options = "nosniff"
    Referrer-Policy = "no-referrer"
    Feature-Policy = "microphone 'none'; geolocation 'none'"

Be extra careful with Content-Security-Policy header. You may end up breaking your site by blocking your end-users from being able to load your content. You may find this tool helpful in generating CSP for you: Report URI: Generate your Content Security Policy

Take you HSTS setup step further with Chromium project

The HSTS value needs to be:
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload

You can make sure that your site is preloaded into Chromium browsers as the one that is always served over https. Use this tool to do it: HSTS Preload List Submission

This is it. We’ve gone through all the steps and have successfully created, deployed, and secured our website with browser security headers on Netlify.

How to squash Git commits

Oleg Chursin — Mon, 02 Mar 2020 16:05:15 +0000

A really quick step-by-step guide on how to squash Git commits to make your PRs concise, easy to read, and hence easy to review.

Steps:

Make sure your branch is up to date with the main branch.
Run git rebase -i main.
You should see a list of commits, each commit starting with the word "pick".
Make sure the first commit says "pick" and change the rest from "pick" to "squash". -- This will squash each commit into the previous commit, which will continue until every commit is squashed into the first commit.
Save and close the editor (press Esc key, type :w and hit Enter key) -- save a file and quit vim / Vi by pressing Esc key, type :x and hit Enter key.
It will give you the opportunity to change the commit message.
Save and close the editor again.
Force push the squashed commit: git push --force-with-lease origin.

GitHub gist of the steps above

Gatsby Auth with AWS Amplify

Oleg Chursin — Fri, 14 Feb 2020 00:22:22 +0000

TLDR: GitHub repo: https://github.com/olegchursin/gatsby-auth-amplify

Steps to follow along:

Create new Gatsby project

gatsby new gatsby-auth-amplify

Add TS (optional)

This step is optional but highly recommended

Add TS plugin

yarn add gatsby-plugin-typescript

Add TypeScript definitions

yarn add -D @types/react @types/react-dom @types/node

Change files extensions

.js —> .tsx

Hook up AWS Amplify Framework

Auth is handled by AWS Cognito

Steps:

Install AWS Amplify CLI
Configure Amplify
Initialize inside Gatsby project
Add Auth API
Deploy the config to AWS
Protect the ‘protected-page’

Step 1. Install AWS Amplify CLI

npm install -g @aws-amplify/cli
amplify --version

Configure Amplify

amplify configure

Actionable bash response:

Sign in to your AWS administrator account:
https://console.aws.amazon.com/
Press Enter to continue

Actionable bash response:

Specify the AWS Region
? region:  (Use arrow keys)
❯ us-east-1
  us-east-2
  us-west-2
  eu-west-1
  eu-west-2
  eu-central-1
  ap-northeast-1

You will also need to provide user name and configure IAM user within the console.
NB: Save you credentials (download .csv or copy access keys)

Actionable bash response:

Enter the access key of the newly created user:
? accessKeyId:  AKIA355I4O**********
? secretAccessKey:  ehf7gWSzPULXtNN0d0v******************
This would update/create the AWS Profile in your local machine
? Profile Name:  olegchursin

Successfully set up the new user.

Step 2. Initialize inside Gatsby project

from the root of your project run:

amplify init

Actionable bash response:

? Enter a name for the project gatsby-auth-amplify
? Enter a name for the environment dev
? Choose your default editor: Visual Studio Code
? Choose the type of app that you're building javascript
Please tell us about your project
? What javascript framework are you using react
? Source Directory Path:  src
? Distribution Directory Path: build
? Build Command:  npm run-script build
? Start Command: npm run-script start

Actionable bash response:

Do you want to use an AWS profile? Yes
? Please choose the profile you want to use default
Adding backend environment dev to AWS Amplify Console app: d1mhcdbiatabfc
⠧ Initializing project in the cloud...

Explore the newly generated amplify folder: Screenshot: amplify folder structure

Step 3. Add Auth API

amplify add auth

Actionable bash response:

Do you want to use the default authentication and security configuration? Default configuration
 Warning: you will not be able to edit these selections. 
 How do you want users to be able to sign in? Username
 Do you want to configure advanced settings? No, I am done.
Successfully added resource gatsbyauthamplifycba7570a locally

Step 4. Deploy the config to AWS

amplify push

Actionable bash response:

✔ Successfully pulled backend environment dev from the cloud.

Current Environment: dev

| Category | Resource name             | Operation | Provider plugin   |
| -------- | ------------------------- | --------- | ----------------- |
| Auth     | gatsbyauthamplifycba7570a | Create    | awscloudformation |
? Are you sure you want to continue? (Y/n)

You should have a new auth folder inside amplify/backend.

Go to AWS console Cognito —> User Pools and make sure your generated pool is there as well.

Step 5. Protect the ‘protected-page’

Install new libraries:

yarn add aws-amplify aws-amplify-react

Add the following to gatsby-browser.js

import Amplify, { Auth } from "aws-amplify"
import awsConfig from "./src/aws-exports"
Amplify.configure(awsConfig)

Add withAuthenticator to your protected-page:

import it:
import { withAuthenticator } from “aws-amplify-react”
wrap the export:
export default withAuthenticator(ProtectedPage)

Now you should be greeted with the login view: Screenshot: Login view

Click Create account, provide an email address that you have access to (for a confirmation code), have fun!

Resources

Gatsby Auth Amplify Starter by nadir Dabit: gatsby-auth-starter-aws-amplify: Gatsby Starter | GatsbyJS

Video tutorial by Arbaoui Mehdi: Gatsby and AWS Amplify Authentication - YouTube
Deploying to AWS Amplify: Deploying to AWS Amplify | GatsbyJS

#GatsbyNYC

DEV Community: Oleg Chursin

Mastering CSS Balance: "text-wrap: balance"

Understanding Text-Wrap

The text-wrap: balance Value

Advantages of text-wrap: balance

1. Improved Readability

2. Enhanced Aesthetics

3. Consistency Across Devices

Pretty vs. Balance

Browser Compatibility

Conclusion

More information

Communicate Risk with Git Commits

TL;DR

Cheatsheets

MD Table

Image

Reduce Risk with Micro-Commits

Practice

Insights

Make Risks Obvious

Practice

Insights

Increase Risk Sensitivity

Practice

Insights

Increase Safety

Practice

Read by Refactoring

Insights

External Links

Notes on Better User Stories Course

Course Modules

What Stories Are

Story template:

3Cs of a user Story

Card

Conversation

Confirmation

Adding detail to a user story

A story is a pointer to a requirement

Users, User Roles and Personas

Context, Characteristics, and Criteria

How to Do User Role Modeling

Documenting a User Role Model

Personas (Intro)

Attributes to Consider When Creating a Persona

Documenting a Persona

Decorated User Roles

Writing User Stories for the Right User

Story Mapping and Story-Writing

The Four Times to Write Stories

A Significant Objective Focuses the Scope of a Story-Writing Workshop

Story-Writing Workshop Attendees, Duration and Preparation

The Story-Writing Workshop Agenda

Story Mapping

Making Decisions with a Story Map

Adding Detail with Conditions of Satisfaction or Acceptance Criteria

Progressive Refinement - Adding Detail over Time

Epics and Themes

Two Ways of Adding Detail to a Story

Condition of Satisfaction

How Much Detail Is Appropriate

Working with a Team That Wants too Much Detail

A Definition of Ready and Why Having One Could Be Dangerous

INVEST in Good Stories

Splitting Stories

The SPIDR Approach to Splitting Stories

Tracer Bullet Story

Closed Stories

Three Things to Do when You Can’t Split a Story

Overcoming Common Problems

Managing Dependencies Between Stories

Stories with Too Much Detail

Spending Too Much Time Splitting Stories

Stories Involving More than One Team

Stories that Are Really Tasks

Not Everything Needs to Be a User Story

Nonfunctional Requirements

Stories and Bugs

The `text-wrap: balance` Value

Advantages of `text-wrap: balance`