New – Deployment Pipelines Reference Architecture and Reference Implementations

This post was originally published on this site

Today, we are launching a new reference architecture and a set of reference implementations for enterprise-grade deployment pipelines. A deployment pipeline automates the building, testing, and deploying of applications or infrastructures into your AWS environments. When you deploy your workloads to the cloud, having deployment pipelines is key to gaining agility and lowering time to market.

When I talk with you at conferences or on social media, I frequently hear that our documentation and tutorials are good resources to get started with a new service or a new concept. However, when you want to scale your usage or when you have complex or enterprise-grade use cases, you often lack resources to dive deeper.

This is why we have created over the years hundreds of reference architectures based on real-life use cases and also the security reference architecture. Today, we are adding a new reference architecture to this collection.

We used the best practices and lessons learned at Amazon and with hundreds of customer projects to create this deployment pipeline reference architecture and implementations. They go well beyond the typical “Hello World” example: They document how to architect and how to implement complex deployment pipelines with multiple environments, multiple AWS accounts, multiple Regions, manual approval, automated testing, automated code analysis, etc. When you want to increase the speed at which you deliver software to your customers through DevOps and continuous delivery, this new reference architecture shows you how to combine AWS services to work together. They document the mandatory and optional components of the architecture.

Having an architecture document and diagram is great, but having an implementation is even better. Each pipeline type in the reference architecture has at least one reference implementation. One of the reference implementations uses an AWS Cloud Development Kit (AWS CDK) application to deploy the reference architecture on your accounts. It is a good starting point to study or customize the reference architecture to fit your specific requirements.

You will find this reference architecture and its implementations at

Deployment pipeline reference architecture

Let’s Deploy a Reference Implementation
The new deployment pipeline reference architecture demonstrates how to build a pipeline to deploy a Java containerized application and a database. It comes with two reference implementations. We are working on additional pipeline types to deploy Amazon EC2 AMIs, manage a fleet of accounts, and manage dynamic configuration for your applications.

The sample application is developed with SpringBoot. It runs on top of Corretto, the Amazon-provided distribution of the OpenJDK. The application is packaged with the CDK and is deployed on AWS Fargate. But the application is not important here; you can substitute your own application. The important parts are the infrastructure components and the pipeline to deploy an application. For this pipeline type, we provide two reference implementations. One deploys the application using Amazon CodeCatalyst, the new service that we announced at re:Invent 2022, and one uses AWS CodePipeline. This is the one I choose to deploy for this blog post.

The pipeline starts building the applications with AWS CodeBuild. It runs the unit tests and also runs Amazon CodeGuru to review code quality and security. Finally, it runs Trivy to detect additional security concerns, such as known vulnerabilities in the application dependencies. When the build is successful, the pipeline deploys the application in three environments: beta, gamma, and production. It deploys the application in the beta environment in a single Region. The pipeline runs end-to-end tests in the beta environment. All the tests must succeed before the deployment continues to the gamma environment. The gamma environment uses two Regions to host the application. After deployment in the gamma environment, the deployment into production is subject to manual approval. Finally, the pipeline deploys the application in the production environment in six Regions, with three waves of deployments made of two Regions each.

Deployment Pipelines Reference Architecture

I need four AWS accounts to deploy this reference implementation: one to deploy the pipeline and tooling and one for each environment (beta, gamma, and production). At a high level, there are two deployment steps: first, I bootstrap the CDK for all four accounts, and then I create the pipeline itself in the toolchain account. You must plan for 2-3 hours of your time to prepare your accounts, create the pipeline, and go through a first deployment.

Once the pipeline is created, it builds, tests, and deploys the sample application from its source in AWS CodeCommit. You can commit and push changes to the application source code and see it going through the pipeline steps again.

My colleague Irshad Buch helped me try the pipeline on my account. He wrote a detailed README with step-by-step instructions to let you do the same on your side. The reference architecture that describes this implementation in detail is available on this new web page. The application source code, the AWS CDK scripts to deploy the application, and the AWS CDK scripts to create the pipeline itself are all available on AWS’s GitHub. Feel free to contribute, report issues or suggest improvements.

Available Now
The deployment pipeline reference architecture and its reference implementations are available today, free of charge. If you decide to deploy a reference implementation, we will charge you for the resources it creates on your accounts. You can use the provided AWS CDK code and the detailed instructions to deploy this pipeline on your AWS accounts. Try them today!

— seb

AWS Week in Review – January 30, 2023

This post was originally published on this site

This week’s review post comes to you from the road, having just wrapped up sponsorship of NDC London. While there we got to speak to many .NET developers, both new and experienced with AWS, and all eager to learn more. Thanks to everyone who stopped by our expo booth to chat or ask questions to the team!

.NET on AWS booth, NDC London 2023.NET on AWS booth, NDC London 2023

Last Week’s Launches
My team will be back on the road to our next events soon, but first, here are just some launches that caught my attention while I was at the expo booth last week:

General availability of Porting Advisor for Graviton: AWS Graviton2 processors are custom designed, Arm64, processors, that deliver increased price performance over comparable x86-64 processors. They’re suitable for a wide range of compute workloads on Amazon Elastic Compute Cloud (Amazon EC2) including application servers, microservices, high-performance computing (HPC), CPU-based ML inference, gaming, any many more. They’re also available in other AWS services such as AWS Lambda, AWS Fargate, to name just a few. The new Porting Advisor for Graviton is a freely available, open-source command line tool for analyzing compatibility of applications you want to run on Graviton-based compute environments. It provides a report that highlights missing or outdated libraries, and code, that you may need to update in order to port your application to run on Graviton processors.

Runtime management controls for AWS Lambda: Automated feature updates, performance improvements, and security patches to runtime environments for Lambda functions is popular with many customers. However, some customers have asked for increased visibility into when these updates occur, and control over when they’re applied. The new runtime management controls for Lambda provide optional capabilities for those customers that require more control over runtime changes. The new controls are optional; by default, all your Lambda functions will continue to receive automatic updates. But, if you wish, you can now apply a runtime management configuration with your functions that specifies how you want updates to be applied. You can find full details on the new runtime management controls in this blog post on the AWS Compute Blog.

General availability of Amazon OpenSearch Serverless: OpenSearch Serverless was one of the livestream segments in the recent AWS on Air re:Invent Recap of previews that were announced at the conference last December. OpenSearch Serverless is now generally available. As a serverless option for Amazon OpenSearch Service, it removes the need to configure, manage, or scale OpenSearch clusters, offering automatic provisioning and scaling of resources to enable fast ingestion and query responses.

Additional connectors for Amazon AppFlow: At AWS re:Invent 2023, I blogged about a release of new data connectors enabling data transfer from a variety of Software-as-a-Service (SaaS) applications to Amazon AppFlow. An additional set of 10 connectors, enabling connectivity from Asana, Google Calendar, JDBC, PayPal, and more, are also now available. Check out the full list of additional connectors launched this past week in this What’s New post.

AWS open-source news and updates: As usual, there’s a new edition of the weekly open-source newsletter highlighting new open-source projects, tools, and demos from the AWS Community. Read edition #143 here – LINK TBD.

For a full list of AWS announcements, be sure to keep an eye on the What’s New at AWS page.

Upcoming AWS Events
Check your calendars and sign up for these AWS events:

AWS Innovate Data and AI/ML edition: AWS Innovate is a free online event to learn the latest from AWS experts and get step-by-step guidance on using AI/ML to drive fast, efficient, and measurable results.

  • AWS Innovate Data and AI/ML edition for Asia Pacific and Japan is taking place on February 22, 2023. Register here.
  • Registrations for AWS Innovate EMEA (March 9, 2023) and the Americas (March 14, 2023) will open soon. Check the AWS Innovate page for updates.

You can find details on all upcoming events, in-person or virtual, here.

And finally, if you’re a .NET developer, my team will be at Swetugg, in Sweden, February 8-9, and DeveloperWeek, Oakland, California, February 15-17. If you’re in the vicinity at these events, be sure to stop by and say hello!

That’s all for this week. Check back next Monday for another Week in Review!

This post is part of our Week in Review series. Check back each week for a quick roundup of interesting news and announcements from AWS!

Decoding DNS over HTTP(s) Requests, (Mon, Jan 30th)

This post was originally published on this site

I have written before about scans for DNS over HTTP(s) (DoH) servers. DoH is now widely supported in different browsers and recursive resolvers. It has been an important piece in the puzzle to evade various censorship regimes, in particular, the "Big Chinese Firewall". Malware has at times used DoH, but often uses its own HTTP(s) based resolvers that do not necessarily comply with the official DoH standard.

Just today, one of our honeypots received the following requests from various IPs:


The different URLs correspond to various common implementations of DoH. The most common default appears to be "/dns-query" (BIND and Unbound). This is also the endpoint used by the RFC. Some DNS servers (for example, Power DNS) use "/" as the default. 

The payload is a Base64 encoded DNS message:

00000000: 0d42 0100 0001 0000 0000 0000 0562 6169  .B...........bai
00000010: 6475 0363 6f6d 0000 0100 01    

0d42 – Query ID
0100 – Recursion desired flag set
0001 – One Query
0000 – No Answers
0000 – No Authority Records
0000 – No Additional Records
0562 6169 6475 0363 6f6d 00
0001 – Internet Zone
0001 – A Records

So in short: An "A" records query for If you see any requests like this in your logs: Don't worry about it too much. I wouldn't consider it some simple recognizance. They are unlikely to "attack" your server even if you have a DNS over HTTPS resolver running. However, they may use it to anonymize their requests which may also trigger some alerts if they are attempting to look up suspect hostnames. This traffic may also lead to resource issues if you have a smaller server.

I did earlier today add DoH responses to some of my honeypots, so we will see if anything changes.


Johannes B. Ullrich, Ph.D. , Dean of Research,

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

AA23-025A: Protecting Against Malicious Use of Remote Monitoring and Management Software

This post was originally published on this site

Original release date: January 25, 2023


The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the “authoring organizations”) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders about malicious use of legitimate remote monitoring and management (RMM) software. In October 2022, CISA identified a widespread cyber campaign involving the malicious use of legitimate RMM software. Specifically, cyber criminal actors sent phishing emails that led to the download of legitimate RMM software—ScreenConnect (now ConnectWise Control) and AnyDesk—which the actors used in a refund scam to steal money from victim bank accounts.

Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional types of malicious activity. For example, the actors could sell victim account access to other cyber criminal or advanced persistent threat (APT) actors. This campaign highlights the threat of malicious cyber activity associated with legitimate RMM software: after gaining access to the target network via phishing or other techniques, malicious cyber actors—from cybercriminals to nation-state sponsored APTs—are known to use legitimate RMM software as a backdoor for persistence and/or command and control (C2).

Using portable executables of RMM software provides a way for actors to establish local user access without the need for administrative privilege and full software installation—effectively bypassing common software controls and risk management assumptions.

The authoring organizations strongly encourage network defenders to review the Indicators of Compromise (IOCs) and Mitigations sections in this CSA and apply the recommendations to protect against malicious use of legitimate RMM software.

Download the PDF version of this report: pdf, 608 kb.

For a downloadable copy of IOCs, see AA23-025.stix (STIX, 19 kb).

Technical Details


In October 2022, CISA used trusted third-party reporting, to conduct retrospective analysis of EINSTEIN—a federal civilian executive branch (FCEB)-wide intrusion detection system (IDS) operated and monitored by CISA—and identified suspected malicious activity on two FCEB networks:

  • In mid-June 2022, malicious actors sent a phishing email containing a phone number to an FCEB employee’s government email address. The employee called the number, which led them to visit the malicious domain, myhelpcare[.]online.
  • In mid-September 2022, there was bi-directional traffic between an FCEB network and myhelpcare[.]cc.

Based on further EINSTEIN analysis and incident response support, CISA identified related activity on many other FCEB networks. The authoring organizations assess this activity is part of a widespread, financially motivated phishing campaign and is related to malicious typosquatting activity reported by Silent Push in the blog post Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains.

Malicious Cyber Activity

The authoring organizations assess that since at least June 2022, cyber criminal actors have sent help desk-themed phishing emails to FCEB federal staff’s personal, and government email addresses. The emails either contain a link to a “first-stage” malicious domain or prompt the recipients to call the cybercriminals, who then try to convince the recipients to visit the first-stage malicious domain. See figure 1 for an example phishing email obtained from an FCEB network.


Help desk-themed phishing email example


The recipient visiting the first-stage malicious domain triggers the download of an executable. The executable then connects to a “second-stage” malicious domain, from which it downloads additional RMM software.

CISA noted that the actors did not install downloaded RMM clients on the compromised host. Instead, the actors downloaded AnyDesk and ScreenConnect as self-contained, portable executables configured to connect to the actor’s RMM server.

Note: Portable executables launch within the user’s context without installation. Because portable executables do not require administrator privileges, they can allow execution of unapproved software even if a risk management control may be in place to audit or block the same software’s installation on the network. Threat actors can leverage a portable executable with local user rights to attack other vulnerable machines within the local intranet or establish long term persistent access as a local user service.

CISA has observed that multiple first-stage domain names follow naming patterns used for IT help/support themed social-engineering, e.g., hservice[.]live, gscare[.]live, nhelpcare[.]info, deskcareme[.]live, nhelpcare[.]cc). According to Silent Push, some of these malicious domains impersonate known brands such as, Norton, GeekSupport, Geek Squad, Amazon, Microsoft, McAfee, and PayPal.[1] CISA has also observed that the first-stage malicious domain linked in the initial phishing email periodically redirects to other sites for additional redirects and downloads of RMM software.

Use of Remote Monitoring and Management Tools

In this campaign, after downloading the RMM software, the actors used the software to initiate a refund scam. They first connected to the recipient’s system and enticed the recipient to log into their bank account while remaining connected to the system. The actors then used their access through the RMM software to modify the recipient’s bank account summary. The falsely modified bank account summary showed the recipient was mistakenly refunded an excess amount of money. The actors then instructed the recipient to “refund” this excess amount to the scam operator.
Although this specific activity appears to be financially motivated and targets individuals, the access could lead to additional malicious activity against the recipient’s organization—from both other cybercriminals and APT actors. Network defenders should be aware that:

  • Although the cybercriminal actors in this campaign used ScreenConnect and AnyDesk, threat actors can maliciously leverage any legitimate RMM software.
  • Because threat actors can download legitimate RMM software as self-contained, portable executables, they can bypass both administrative privilege requirements and software management control policies.
  • The use of RMM software generally does not trigger antivirus or antimalware defenses.
  • Malicious cyber actors are known to leverage legitimate RMM and remote desktop software as backdoors for persistence and for C2.[2],[3],[4],[5],[6],[7],[8]
  • RMM software allows cyber threat actors to avoid using custom malware.

Threat actors often target legitimate users of RMM software. Targets can include managed service providers (MSPs) and IT help desks, who regularly use legitimate RMM software for technical and security end-user support, network management, endpoint monitoring, and to interact remotely with hosts for IT-support functions. These threat actors can exploit trust relationships in MSP networks and gain access to a large number of the victim MSP’s customers. MSP compromises can introduce significant risk—such as ransomware and cyber espionage—to the MSP’s customers.

The authoring organizations strongly encourage network defenders to apply the recommendations in the Mitigations section of this CSA to protect against malicious use of legitimate RMM software.


See table 1 for IOCs associated with the campaign detailed in this CSA.

Table 1: Malicious Domains and IP addresses observed by CISA



Date(s) Observed


Suspected first-stage malware domain

June 1, 2022

July 19, 2022


Suspected first-stage malware domain

June 14, 2022



Suspected first-stage malware domain

August 3, 2022

August 18, 2022


Suspected first-stage malware domain

September 14, 2022


Second-stage malicious domain

October 19, 2022

November 10, 2022


Additional resources to detect possible exploitation or compromise:


The authoring organizations encourage network defenders to:

  • Implement best practices to block phishing emails. See CISA’s Phishing Infographic for more information.
  • Audit remote access tools on your network to identify currently used and/or authorized RMM software.
  • Review logs for execution of RMM software to detect abnormal use of programs running as a portable executable.
  • Use security software to detect instances of RMM software only being loaded in memory.
  • Implement application controls to manage and control execution of software, including allowlisting RMM programs.
  • Require authorized RMM solutions only be used from within your network over approved remote access solutions, such as virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
  • Block both inbound and outbound connections on common RMM ports and protocols at the network perimeter. 
  • Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments. Reinforce the appropriate user response to phishing and spearphishing emails.


  • See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.
  • U.S. Defense Industrial Base (DIB) Sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email
  • CISA offers several Vulnerability Scanning to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See
  • Consider participating in CISA’s Automated Indicator Sharing (AIS) to receive real-time exchange of machine-readable cyber threat indicators and defensive measures. AIS is offered at no cost to participants as part of CISA’s mission to work with our public and private sector partners to identify and help mitigate cyber threats through information sharing and provide technical assistance, upon request, that helps prevent, detect, and respond to incidents.


This advisory was developed by CISA, NSA, and MS-ISAC in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.


The information in this report is being provided “as is” for informational purposes only. CISA, NSA, and MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.



  • January 25, 2023: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

A First Malicious OneNote Document, (Wed, Jan 25th)

This post was originally published on this site

Attackers are always trying to find new ways to deliver malware to victims. They recently started sending Microsoft OneNote files in massive phishing campaigns[1]. OneNote files (ending the extension ".one") are handled automatically by computers that have the Microsoft Office suite installed. Yesterday, my honeypot caught a first sample. This is a good opportunity to have a look at these files. The file, called "", was delivered as an attachment to a classic phishing email:

Apple Updates (almost) Everything: Patch Overview, (Tue, Jan 24th)

This post was originally published on this site

Apple yesterday released its usually set of updates across its entire portfolio of operating systems. Some issues of note:

  • The update includes a patch for CVE-2022-42856 for iOS 12.5. This will help users of older Apple devices going back to the iPhone 5s. More recent operating systems received this patch in December.
  • tvOS is missing. I expect a tvOS update soon to address some of the vulnerabilities.
  • I do not see updates for git. Git last week patched some vulnerabilities; likely too late to be included in this update.
Safari 16.3 iOS 12.5.7 macOS Monterey 12.6.3 macOS Big Sur 11.7.3 watchOS 9.3 iOS 15.7.3 and iPadOS 15.7.3 iOS 16.3 and iPadOS 16.3 macOS Ventura 13.2
CVE-2023-23496 [critical] WebKit
The issue was addressed with improved checks.
Processing maliciously crafted web content may lead to arbitrary code execution
x       x   x x
CVE-2023-23518 [critical] WebKit
The issue was addressed with improved memory handling.
Processing maliciously crafted web content may lead to arbitrary code execution
x   x x x   x x
CVE-2023-23517 [critical] WebKit
The issue was addressed with improved memory handling.
Processing maliciously crafted web content may lead to arbitrary code execution
x   x x x   x x
CVE-2022-42856 [critical] *** EXPLOITED *** WebKit
A type confusion issue was addressed with improved state handling.
 Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1.
CVE-2023-23499 [important] AppleMobileFileIntegrity
This issue was addressed by enabling hardened runtime.
An app may be able to access user-sensitive data
    x x x   x x
CVE-2022-42915 [other] curl
Multiple issues were addressed by updating to curl version 7.86.0.
Multiple issues in curl
    x         x
CVE-2022-42916 [other] curl
Multiple issues were addressed by updating to curl version 7.86.0.
Multiple issues in curl
    x         x
CVE-2022-32221 [other] curl
Multiple issues were addressed by updating to curl version 7.86.0.
Multiple issues in curl
    x         x
CVE-2022-35260 [other] curl
Multiple issues were addressed by updating to curl version 7.86.0.
Multiple issues in curl
    x         x
CVE-2022-35252 [other] curl
Multiple issues were addressed by updating to curl version 7.85.0.
Multiple issues in curl
    x x        
CVE-2023-23513 [critical] dcerpc
A buffer overflow issue was addressed with improved memory handling.
Mounting a maliciously crafted Samba network share may lead to arbitrary code execution
    x x       x
CVE-2023-23493 [other] DiskArbitration
A logic issue was addressed with improved state management.
An encrypted volume may be unmounted and remounted by a different user without prompting for the password
    x         x
CVE-2022-32915 [important] DriverKit
A type confusion issue was addressed with improved checks.
An app may be able to execute arbitrary code with kernel privileges
CVE-2023-23507 [important] Intel Graphics Driver
The issue was addressed with improved bounds checks.
An app may be able to execute arbitrary code with kernel privileges
    x         x
CVE-2023-23504 [important] Kernel
The issue was addressed with improved memory handling.
An app may be able to execute arbitrary code with kernel privileges
    x   x x x x
CVE-2023-23502 [other] Kernel
An information disclosure issue was addressed by removing the vulnerable code.
An app may be able to determine kernel memory layout
    x   x   x x
CVE-2023-23497 [important] PackageKit
A logic issue was addressed with improved state management.
An app may be able to gain root privileges
    x x       x
CVE-2023-23505 [other] Screen Time
A privacy issue was addressed with improved private data redaction for log entries.
An app may be able to access information about a user’s contacts
    x x x x x x
CVE-2023-23511 [important] Weather
The issue was addressed with improved memory handling.
An app may be able to bypass Privacy preferences
    x   x   x x
CVE-2023-23508 [important] Windows Installer
The issue was addressed with improved memory handling.
An app may be able to bypass Privacy preferences
    x x       x
CVE-2023-23519 [other] ImageIO
A memory corruption issue was addressed with improved state management.
Processing an image may lead to a denial-of-service
        x   x x
CVE-2023-23500 [important] Kernel
The issue was addressed with improved memory handling.
An app may be able to leak sensitive kernel state
        x x x x
CVE-2023-23503 [important] Maps
A logic issue was addressed with improved state management.
An app may be able to bypass Privacy preferences
        x x x x
CVE-2023-23512 [other] Safari
The issue was addressed with improved handling of caches.
Visiting a website may lead to an app denial-of-service
        x   x x
CVE-2023-23498 [other] Mail Drafts
A logic issue was addressed with improved state management.
The quoted original message may be selected from the wrong email when forwarding an email from an Exchange account
          x x x
CVE-2023-23506 [important] libxpc
A permissions issue was addressed with improved validation.
An app may be able to access user-sensitive data
CVE-2023-23510 [other] Safari
A permissions issue was addressed with improved validation.
An app may be able to access a user’s Safari history
CVE-2022-3705 [other] Vim
A use after free issue was addressed with improved memory management.
Multiple issues in Vim
CVE-2023-23501 [important] Wi-Fi
The issue was addressed with improved memory handling.
An app may be able to disclose kernel memory

Johannes B. Ullrich, Ph.D. , Dean of Research,

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Now Open — AWS Asia Pacific (Melbourne) Region in Australia

This post was originally published on this site

Following up on Jeff’s post on the announcement of the Melbourne Region, today I’m pleased to share the general availability of the AWS Asia Pacific (Melbourne) Region with three Availability Zones and API name ap-southeast-4.

The AWS Asia Pacific (Melbourne) Region is the second infrastructure Region in Australia, in addition to the Asia Pacific (Sydney) Region, and 12th the twelfth Region in Asia Pacific, joining existing Rregions in Singapore, Tokyo, Seoul, Mumbai, Hong Kong, Osaka, Jakarta, Hyderabad, Sydney, and Mainland China Beijing and Ningxia Regions.

Melbourne city historic building: Flinders Street Station built of yellow sandstone

AWS in Australia: Long-Standing History
In November 2012, AWS established a presence in Australia with the AWS Asia Pacific (Sydney) Region. Since then, AWS has provided continuous investments in infrastructure and technology to help drive digital transformations in Australia, to support hundreds of thousands of active customers each month.

Amazon CloudFront — Amazon CloudFront is a content delivery network (CDN) service built for high performance, security, and developer convenience that was first launched in Australia alongside Asia Pacific (Sydney) Region in 2012. To further accelerate the delivery of static and dynamic web content to end users in Australia, AWS announced additional CloudFront locations for Sydney and Melbourne in 2014. In addition, AWS also announced a Regional Edge Cache in 2016 and an additional CloudFront point of presence (PoP) in Perth in 2018. CloudFront points of presence ensure popular content can be served quickly to your viewers. Regional Edge Caches are positioned (network-wise) between the CloudFront locations and the origin and further help to improve content performance. AWS currently has seven edge locations and one Regional Edge Cache location in Australia.

AWS Direct Connect — As with CloudFront, the first AWS Direct Connect location was made available with Asia Pacific (Sydney) Region launch in 2012. To continue helping our customers in Australia improve application performance, secure data, and reduce networking costs, AWS announced the opening of additional Direct Connect locations in Sydney (2014), Melbourne (2016), Canberra (2017), Perth (2017), and an additional location in Sydney (2022), totaling six locations.

AWS Local Zones — To help customers run applications that require single-digit millisecond latency or local data processing, customers can use AWS Local Zones. They bring AWS infrastructure (compute, storage, database, and other select AWS services) closer to end users and business centers. AWS customers can run workloads with low latency requirements on the AWS Local Zones location in Perth while seamlessly connecting to the rest of their workloads running in AWS Regions.

Upskilling Local Developers, Students, and Future IT Leaders
Digital transformation will not happen on its own. AWS runs various programs and has trained more than 200,000 people across Australia with cloud skills since 2017. There is an additional goal to train more than 29 million people globally with free cloud skills by 2025. Here’s a brief description of related programs from AWS:

  • AWS re/Start is a digital skills training program that prepares unemployed, underemployed, and transitioning individuals for careers in cloud computing and connects students to potential employers.
  • AWS Academy provides higher education institutions with a free, ready-to-teach cloud computing curriculum that prepares students to pursue industry-recognized certifications and in-demand cloud jobs.
  • AWS Educate provides students with access to AWS services. AWS is also collaborating with governments, educators, and the industry to help individuals, both tech and nontech workers, build and deepen their digital skills to nurture a workforce that can harness the power of cloud computing and advanced technologies.
  • AWS Industry Quest is a game-based training initiative designed to help professionals and teams learn and build vital cloud skills and solutions. At re:Invent 2022, AWS announced the first iteration of the program for the financial services sector. National Australia Bank (NAB) is AWS Industry Quest: Financial Services’ first beta customer globally. Through AWS Industry Quest, NAB has trained thousands of colleagues in cloud skills since 2018, resulting in more than 4,500 industry-recognized certifications.

In addition to the above programs, AWS is also committed to supporting Victoria’s local tech community through digital upskilling, community initiatives, and partnerships. The Victorian Digital Skills is a new program from the Victorian Government that helps create a new pipeline of talent to meet the digital skills needs of Victorian employers. AWS has taken steps to help solve the retraining challenge by supporting the Victorian Digital Skills Program, which enables mid-career Victorians to reskill on technology and gain access to higher-paying jobs.

The Climate Pledge
Amazon is committed to investing and innovating across its businesses to help create a more sustainable future. With The Climate Pledge, Amazon is committed to reaching net-zero carbon across its business by 2040 and is on a path to powering its operations with 100 percent renewable energy by 2025.

As of May 2022, two projects in Australia are operational. Amazon Solar Farm Australia – Gunnedah and Amazon Solar Farm Australia – Suntop will aim to generate 392,000 MWh of renewable energy each year, equal to the annual electricity consumption of 63,000 Australian homes. Once Amazon Wind Farm Australia – Hawkesdale also becomes operational, it will boost the projects’ combined yearly renewable energy generation to 717,000 MWh, or enough for nearly 115,000 Australian homes.

AWS Customers in Australia
We have customers in Australia that are doing incredible things with AWS, for example:

National Australia Bank Limited (NAB)
NAB is one of Australia’s largest banks and Australia’s largest business bank. “We have been exploring the potential use cases with AWS since the announcement of the AWS Asia Pacific (Melbourne) Region,” said Steve Day, Chief Technology Officer at NAB.

Locating key banking applications and critical workloads geographically close to their compute platform and the bulk of their corporate workforce will provide lower latency benefits. Moreover, it will simplify their disaster recovery plans. With AWS Asia Pacific (Melbourne) Region, it will also accelerate their strategy to move 80 percent of applications to the cloud by 2025.

This Melbourne-based financial technology company works with more than 250 transport and mobility providers to enable contactless payments on local buses, city networks, and national public transport systems.

“Our mission is to create a universal payment experience around the world, which requires world-class global infrastructure that can grow with us,” said Amin Shayan, CEO at Littlepay. “To drive a seamless experience for our customers, we ingest and process over 1 million monthly transactions in real time using AWS, which enables us to generate insights that help us improve our services. We are excited about the launch of a second AWS Region in Australia, as it gives us access to advanced technologies, like machine learning and artificial intelligence, at a lower latency to help make commuting a simpler and more enjoyable experience.”

Royal Melbourne Institute of Technology (RMIT)
RMIT is a global university of technology, design, and enterprise with more than 91,000 students and 11,000 staff around the world.

“Today’s launch of the AWS Region in Melbourne will open up new ways for our researchers to drive computational engineering and maximize the scientific return,” said Professor Calum Drummond, Deputy Vice-Chancellor and Vice-President, Research and Innovation, and Interim DVC, STEM College, at RMIT.

“We recently launched RMIT University’s AWS Cloud Supercomputing facility (RACE) for RMIT researchers, who are now using it to power advances into battery technologies, photonics, and geospatial science. The low latency and high throughput delivered by the new AWS Region in Melbourne, combined with our 400 Gbps-capable private fiber network, will drive new ways of innovation and collaboration yet to be discovered. We fundamentally believe RACE will help truly democratize high-performance computing capabilities for researchers to run their datasets and make faster discoveries.”

Australian Bureau of Statistics (ABS)
ABS holds the Census of Population and Housing every five years. It is the most comprehensive snapshot of Australia, collecting data from around 10 million households and more than 25 million people.

“In this day and age, people expect a fast and simple online experience when using government services,” said Bindi Kindermann, program manager for 2021 Census Field Operations at ABS. “Using AWS, the ABS was able to scale and securely deliver services to people across the country, making it possible for them to quickly and easily participate in this nationwide event.”

With the success of the 2021 Census, the ABS is continuing to expand its use of AWS into broader areas of its business, making use of the security, reliability, and scalability of the cloud.

You can find more inspiring stories from our customers in Australia by visiting Customer Success Stories page.

Things to Know
AWS User Groups in Australia — Australia is also home to 9 AWS Heroes, 43 AWS Community Builders and community members of 17 AWS User Groups in various cities in Australia. Find an AWS User Group near you to meet and collaborate with fellow developers, participate in community activities and share your AWS knowledge.

AWS Global Footprint — With this launch, AWS now spans 99 Availability Zones within 31 geographic Regions around the world. We have also announced plans for 12 more Availability Zones and 4 more AWS Regions in Canada, Israel, New Zealand, and Thailand.

Available Now — The new Asia Pacific (Melbourne) Region is ready to support your business, and you can find a detailed list of the services available in this Region on the AWS Regional Services List.

To learn more, please visit the Global Infrastructure page, and start building on ap-southeast-4!

Happy building!


AWS Week in Review – January 23, 2023

This post was originally published on this site

Welcome to my first AWS Week in Review of 2023. As usual, it has been a busy week, so let’s dive right in:

Last Week’s Launches
Here are some launches that caught my eye last week:

Amazon Connect – You can now deliver long lasting, persistent chat experiences for your customers, with the ability to resume previous conversations including context, metadata, and transcripts. Learn more.

Amazon RDS for MariaDB – You can now enforce the use of encrypted (SSL/TLS) connections to your databases instances that are running Amazon RDS for MariaDB. Learn more.

Amazon CloudWatch – You can now use Metric Streams to send metrics across AWS accounts on a continuous, near real-time basis, within a single AWS Region. Learn more.

AWS Serverless Application Model – You can now run CloudFormation Linter from the SAM CLI to validate your SAM templates. The default rules check template size, Fn:GetAtt parameters, Fn:If syntax, and more. Learn more.

EC2 Auto Scaling – You can now see (and take advantage of) recommendations for activating a predictive scaling policy to optimize the capacity of your Auto Scaling groups. Recommendations can make use of up to 8 weeks of past date; learn more.

Service Limit Increases – Service limits for several AWS services were raised, and other services now have additional quotas that can be raised upon request:

X In Y – Existing AWS services became available in additional regions:

Other AWS News
Here are some other news items and blog posts that may be of interest to you:

AWS Open Source News and Updates – My colleague Ricardo Sueiras highlights the latest open source projects, tools, and demos from the open source community around AWS. Read edition #142 here.

AWS Fundamentals – This new book is designed to teach you about AWS in a real-world context. It covers the fundamental AWS services (compute, database, networking, and so forth), and helps you to make use of Infrastructure as Code using AWS CloudFormation, CDK, and Serverless Framework. As an add-on purchase you can also get access to a set of gorgeous, high-resolution infographics.

Upcoming AWS Events
Check your calendars and sign up for these AWS events:

AWS on Air – Every Friday at Noon PT we discuss the latest news and go in-depth on several of the most recent launches. Learn more.

#BuildOnLiveBuild On AWS Live events are a series of technical streams on that focus on technology topics related to challenges hands-on practitioners face today:

  • Join the Build On Live Weekly show about the cloud, the community, the code, and everything in between, hosted by AWS Developer Advocates. The show streams every Thursday at 9:00 PT on
  • Join the new The Big Dev Theory show, co-hosted with AWS partners, discussing various topics such as data and AI, AIOps, integration, and security. The show streams every Tuesday at 8:00 PT on

Check the AWS Twitch schedule for all shows.

AWS Community DaysAWS Community Day events are community-led conferences that deliver a peer-to-peer learning experience, providing developers with a venue to acquire AWS knowledge in their preferred way: from one another.

AWS Innovate Data and AI/ML edition – AWS Innovate is a free online event to learn the latest from AWS experts and get step-by-step guidance on using AI/ML to drive fast, efficient, and measurable results.

  • AWS Innovate Data and AI/ML edition for Asia Pacific and Japan is taking place on February 22, 2023. Register here.
  • Registrations for AWS Innovate EMEA (March 9, 2023) and the Americas (March 14, 2023) will open soon. Check the AWS Innovate page for updates.

You can browse all upcoming in-person and virtual events.

And that’s all for this week!


Who's Resolving This Domain?, (Mon, Jan 23rd)

This post was originally published on this site

Challenge of the day: To find the process that resolved a specific domain. And this is not always easy!

On Windows, when you search for processes that resolve domain names, you’ll find most of the time the well-known ‘svchost.exe’. The easiest way to get more details is to use Sysmon, which can log processes that perform DNS lookups (via the event ID 22[1]).

But in this diary, I’ll focus on Linux because I faced a situation where a suspicious domain was resolved by a Linux server, and I had no idea about who performed this DNS traffic.

First attempt, if you take a full packet capture, you’ll see the DNS traffic (with all details if you capture the complete packet's payload) but no way to find the suspicious process.

Second attempt, you could try to use the command ‘netstat’ but, again, you’ll see only “established” (note the quotes because UDP traffic is stateless) connections. The process will be listed only when executed with root privileges:

$ sudo netstat -aunp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0         ESTABLISHED 808/ossec-agentd
udp        0      0 *                           50593/systemd-resol
udp        0      0   *                           1454022/snmpd
udp        0      0 *                           814/chronyd
udp        0      0 *                           269598/rsyslogd
udp        0      0*                           1454022/snmpd
udp6       0      0 ::1:323                 :::*                                814/chronyd
udp6       0      0 fe80::20c:29ff:fee5:546 :::*                                50562/systemd-netwo

We can see on this host that an OSSEC client is talking to its server (UDP/1514), but no trace of DNS resolutions. It's so fast that you will probably never see them.

Another good candidate is the tool ‘lsof’. It will list all file handles used by processes and can also be helpful with network connections. However, we have the same issue: you usually won’t have time to capture the process.

$ sudo lsof|grep -i udp
ossec-age     808                             ossec    7u     IPv4          287945015       0t0        UDP XXX:60262->XXX:1514
chronyd       814                           _chrony    5u     IPv4              24612       0t0        UDP localhost.localdomain:323
chronyd       814                           _chrony    6u     IPv6              24613       0t0        UDP localhost6.localdomain6:323
systemd-n   50562                   systemd-network   19u     IPv6          269165675       0t0        UDP lab0:dhcpv6-client
systemd-r   50593                   systemd-resolve   12u     IPv4           19871966       0t0        UDP localhost:domain
rsyslogd   269598                            syslog    8u     IPv4           76691370       0t0        UDP *:45739
rsyslogd   269598  269599 in:imuxso          syslog    8u     IPv4           76691370       0t0        UDP *:45739
rsyslogd   269598  269600 in:imklog          syslog    8u     IPv4           76691370       0t0        UDP *:45739
rsyslogd   269598  269601 rs:main            syslog    8u     IPv4           76691370       0t0        UDP *:45739
snmpd     1454022                       Debian-snmp    8u     IPv4          226275818       0t0        UDP *:snmp
snmpd     1454022                       Debian-snmp    9u     IPv4          226275808       0t0        UDP localhost.localdomain:60485

But wait, Sysmon is available on Linux[2]. Sysmon for Linux is less popular than the Windows version. I have a running Sysmon running in a lab here. I was not able to log any DNS resolution, even if it seems to be correctly configured:

# sysmon -c

Sysmon v1.0.0 - Monitors system events
Sysinternals -
By Mark Russinovich, Thomas Garnier and Kevin Sheldrake
Copyright (C) 2014-2021 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.

Rule configuration (version 4.70):
 - ProcessCreate                      onmatch: exclude   combine rules using 'Or'
 - NetworkConnect                     onmatch: exclude   combine rules using 'Or'
 - ProcessTerminate                   onmatch: exclude   combine rules using 'Or'
 - RawAccessRead                      onmatch: exclude   combine rules using 'Or'
 - ProcessAccess                      onmatch: exclude   combine rules using 'Or'
 - FileCreate                         onmatch: exclude   combine rules using 'Or'
 - DnsQuery                           onmatch: exclude   combine rules using 'Or'
        QueryName                      filter: end with     value: '.arpa.'
 - FileDelete                         onmatch: exclude   combine rules using 'Or'

Let's try to find another solution. A tool that is usually helpful is auditd[3]. Installed on many servers, it collects a lot of information about the system activity.

Let's define a filter:

# auditctl -a exit,always -F arch=b64 -F a0=2 -F a1&=2 -S socket -k SOCKET

This will log calls to socket(). Filters (-F) refer to SOCK_DGRAM and SOCK_NOBLOCK|SOCK_CLOEXEC. "-k SOCKET" is used to tag matching events.

Now, let's hope that our process will perform more DNS resolutions, and let's try to find them:

# ausearch -i -ts today -k SOCKET

I executed the command ‘curl' from a shell and got this result:

type=PROCTITLE msg=audit(01/21/23 15:31:51.114:863) : proctitle=curl -v
type=SYSCALL msg=audit(01/21/23 15:31:51.114:863) : arch=x86_64 syscall=socket success=yes exit=7 a0=inet a1=SOCK_DGRAM a2=ip a3=0xffffffffffffff0d items=0 ppid=470790 pid=3528111 auid=xavier uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=2363 comm=curl exe=/usr/bin/curl key=SOCKET

In this example, we are lucky because "" was part of the command line arguments, but it's not always that easy! If you can't see the process, you will have to correlate the time of the UDP traffic with the resolution of the domain in your resolver logs (because you keep a log of your DNS resolver, right? 😉

Another tool that deserves to be tested is systemtap[4]. This tool is not installed by default, but it does a decent job of recording system activities.

You need to create a rule to instruct systemtap to log some activity:

# cat dns_traffic.stp
probe netfilter.ip.local_out {
  if (dport == 53)
      printf(“DNS traffic: %s[%d] %s:%dn", execname(), pid(), daddr, dport)

This will list all DNS resolutions:

# stap -v dns_traffic.stp
Pass 1: parsed user script and 476 library scripts using 104376virt/90984res/7448shr/83408data kb, in 120usr/60sys/176real ms.
Pass 2: analyzed script: 5 probes, 17 functions, 5 embeds, 3 globals using 110328virt/97900res/8560shr/89360data kb, in 100usr/740sys/884real ms.
Pass 3: using cached /root/.systemtap/cache/84/stap_84d09c3897d956313e0edbb8467b7de6_25825.c
Pass 4: using cached /root/.systemtap/cache/84/stap_84d09c3897d956313e0edbb8467b7de6_25825.ko
Pass 5: starting run.
DNS traffic: curl[3547165]
DNS traffic: systemd-resolve[50593]

Again, we see suspicious activity but is it the right candidate? Once you have identified the process that seems to resolve the domain, you can use the command 'strace' to verify that it’s the right one:

strace -f -p 3551601 -e sendmsg,sendmmsg
[pid 3551601] sendmmsg(7, [{msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="245301 11tmalicious3com11"..., iov_len=42}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, msg_len=42}, {msg_hdr={msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="3473461 11tmalicious3com341"..., iov_len=42}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, msg_len=42}], 2, MSG_NOSIGNAL) = 2

I'm sure that there are other ways to detect who's resolving specific domains. Please share your tools and processes if you've interesting ones!


Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Iron Castle Systems