<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: NickTheSecurityDude</title>
    <description>The latest articles on Forem by NickTheSecurityDude (@ncksecuritydude).</description>
    <link>https://forem.com/ncksecuritydude</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F604692%2F6e6e8dd9-d9c6-40de-a88a-50e7d8c66ab7.png</url>
      <title>Forem: NickTheSecurityDude</title>
      <link>https://forem.com/ncksecuritydude</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/ncksecuritydude"/>
    <language>en</language>
    <item>
      <title>Kiro Just Went Live: Here’s Why I’m All In on GenAI for Security</title>
      <dc:creator>NickTheSecurityDude</dc:creator>
      <pubDate>Mon, 14 Jul 2025 15:00:00 +0000</pubDate>
      <link>https://forem.com/ncksecuritydude/kiro-just-went-live-heres-why-im-all-in-on-genai-for-security-1n60</link>
      <guid>https://forem.com/ncksecuritydude/kiro-just-went-live-heres-why-im-all-in-on-genai-for-security-1n60</guid>
      <description>&lt;h1&gt;
  
  
  Building Smarter, Faster, and Custom with Kiro: My First Month with the Next-Gen AI Pair Programmer
&lt;/h1&gt;

&lt;p&gt;For the past few weeks, I’ve had the chance to explore &lt;strong&gt;Kiro&lt;/strong&gt;, a next-generation GenAI pair programmer designed for engineers, builders, and security professionals. After using Amazon Q extensively since launch, I didn’t think things could move &lt;em&gt;that&lt;/em&gt; much faster.&lt;/p&gt;

&lt;p&gt;But they did. Kiro feels like the next level.&lt;/p&gt;

&lt;p&gt;Whether I was building custom Red Team tooling or rapidly prototyping pen testing scripts, Kiro handled every task with exceptional speed, near-zero revisions, and a deep contextual memory that made building entire ecosystems feel natural. It didn’t just save time; it &lt;strong&gt;made the impossible, possible&lt;/strong&gt;.&lt;/p&gt;




&lt;h2&gt;
  
  
  &lt;strong&gt;💡 From Idea to Working Code in a Day&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;What traditionally would’ve taken &lt;strong&gt;5 weeks and cost over $30,000&lt;/strong&gt; to build, I finished in under 8 hours with Kiro.&lt;/p&gt;

&lt;p&gt;That’s not an exaggeration. I had an idea, drafted a session prompt, and by the end of the day, I had working, threaded, multi-region Python code scanning my AWS environment using &lt;code&gt;boto3&lt;/code&gt;.&lt;/p&gt;

&lt;p&gt;Kiro didn’t just understand the assignment; it remembered how I structure my tools, reused patterns I liked, and adapted itself on the fly. That’s the power of persistent GenAI memory.&lt;/p&gt;




&lt;h2&gt;
  
  
  📌 &lt;strong&gt;Use Case Spotlight: Project – EC2 Exposure Scanner&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;To show what Kiro can do, I’ll walk you through a small but powerful script I created called the &lt;strong&gt;EC2 Exposure Scanner&lt;/strong&gt;. It does the following:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Enumerates all AWS regions
&lt;/li&gt;
&lt;li&gt;Detects public subnets by analyzing route tables for &lt;code&gt;0.0.0.0/0 → IGW&lt;/code&gt;
&lt;/li&gt;
&lt;li&gt;Scans every EC2 instance (even stopped ones)
&lt;/li&gt;
&lt;li&gt;Identifies any instance in a public subnet that has a Security Group allowing inbound access from &lt;code&gt;0.0.0.0/0&lt;/code&gt; on &lt;strong&gt;TCP 80 or 443&lt;/strong&gt;, including port ranges or overly permissive rules
&lt;/li&gt;
&lt;li&gt;Outputs a &lt;strong&gt;JSON and Markdown report&lt;/strong&gt;
&lt;/li&gt;
&lt;li&gt;Generates &lt;strong&gt;remediation snippets&lt;/strong&gt; in both CloudFormation and Terraform
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This script took just a few iterations using Kiro and now I use it routinely during internal assessments.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1kktdqnhsy0iaraievll.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1kktdqnhsy0iaraievll.png" alt=" " width="800" height="563"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  🧠 &lt;strong&gt;What Is Vibe Coding?&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;One of my favorite styles with GenAI is what I call &lt;strong&gt;vibe coding&lt;/strong&gt;, perfect for standalone scripts and one-off utilities.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb5swchwaj3g189y8jpvs.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb5swchwaj3g189y8jpvs.png" alt=" " width="324" height="389"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Here’s how I use it:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Start each Kiro session with a &lt;strong&gt;"session prompt"&lt;/strong&gt;, which tells the model how I want code structured, what standards to follow, and what threading or logging styles I prefer.&lt;/li&gt;
&lt;li&gt;Then I provide a descriptive, conversational prompt about the script I want.&lt;/li&gt;
&lt;li&gt;Kiro returns clean, threaded, region-aware AWS code with consistent outputs, summaries, and error handling.
&lt;/li&gt;
&lt;/ul&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Project: EC2 Exposure Scanner

Objective:
Create a CLI-based Python script that identifies all EC2 instances in public subnets (those with a route to 0.0.0.0/0 via an Internet Gateway) where any attached security group allows inbound access from 0.0.0.0/0 on TCP port 80 and/or 443 — either directly or via port ranges. The tool should output findings in both human-readable and JSON format, and provide a suggested remediation snippet in CloudFormation or Terraform.

Input:
- AWS credentials via default boto3 environment
- Target: Single AWS account
- Scan all available AWS regions
- Use threading (max 3 threads) for region concurrency

Implementation Steps:

1. Region Discovery:
   - Use ec2.describe_regions() to list all enabled regions.

2. Public Subnet Detection:
   - In each region, call:
     - ec2.describe_route_tables() to find route tables with a route to 0.0.0.0/0 and a target of type igw-xxxx
     - ec2.describe_subnets() to match those subnets
     - Build a set of public subnet IDs

3. EC2 Instance Enumeration:
   - Use ec2.describe_instances() (with pagination)
   - For each instance in a public subnet, collect:
     - Instance ID
     - Subnet ID
     - Attached security group IDs

4. Security Group Evaluation:
   - For each SG attached to a public instance, call ec2.describe_security_groups()
   - Check for inbound rules matching:
     - Protocol: tcp or -1 (all protocols)
     - Port: 80 or 443 (or port ranges that include them)
     - CIDR: 0.0.0.0/0
     - Match also if FromPort=0 and ToPort=65535 or FromPort=400 and ToPort=500

5. Finding Reporting:
   - For each violating instance, record:
     {
       "region": "us-east-1",
       "instance_id": "i-abc123",
       "subnet_id": "subnet-xyz",
       "security_group_id": "sg-123456",
       "ports_exposed": [80, 443],
       "matching_rule": {
         "FromPort": 0,
         "ToPort": 65535,
         "CidrIp": "0.0.0.0/0"
       }
     }

6. Remediation Suggestion:
   - Include a generated Terraform and CloudFormation snippet to restrict access (e.g., remove inbound 0.0.0.0/0 or limit to a CIDR block like 10.0.0.0/16)

7. Summary Output:
   - Track and output the following:
     - Total EC2 instances
     - Instances in public subnets
     - Instances with port 80 and/or 443 open to 0.0.0.0/0
   - Provide this information per region and account-wide
   - Example summary:
     {
       "account_summary": {
         "total_instances": 12,
         "instances_in_public_subnets": 6,
         "instances_exposed_to_web": 4
       },
       "region_summaries": {
         "us-east-1": {
           "total_instances": 5,
           "instances_in_public_subnets": 3,
           "instances_exposed_to_web": 2
         },
         "us-west-2": {
           "total_instances": 7,
           "instances_in_public_subnets": 3,
           "instances_exposed_to_web": 2
         }
       }
     }

8. Output:
   - Save results to:
     - data/ec2_public_exposure/summary.json
     - data/ec2_public_exposure/summary.md
     - data/ec2_public_exposure/last_checked.txt
   - Markdown should include:
     - Account-wide totals
     - Regional breakdowns
     - Tabular list of exposed instances

9. Concurrency and Logging:
   - Use concurrent.futures.ThreadPoolExecutor(max_workers=3)
   - Log region-level errors to error.log

Deliverables:
- CLI script: scan_ec2_exposure.py
- Structured outputs: JSON summary, Markdown report
- Per-finding CloudFormation and Terraform remediation snippets

Notes:
- No port scanning or live network tests — AWS API only
- All EC2 instances should be evaluated, regardless of instance state
- Match all TCP-based exposure via 0.0.0.0/0 (direct or via range)
- Only use standard libraries: boto3, json, threading, logging
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Vibe coding is fast, expressive, and best suited for Red Teamers and cloud security engineers who need tailored tooling &lt;strong&gt;without building from scratch every time&lt;/strong&gt;.&lt;/p&gt;




&lt;h2&gt;
  
  
  🛠️ &lt;strong&gt;Spec-Based Coding: Scaling Beyond Single Scripts&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;While vibe coding is perfect for focused tasks, Kiro supports something even more powerful: &lt;strong&gt;spec-based coding&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;In my workflow, spec-based coding starts with:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;code&gt;requirements.md&lt;/code&gt; — what the project is, why it exists&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;design.md&lt;/code&gt; — the technical plan&lt;/li&gt;
&lt;li&gt;
&lt;code&gt;tasks.md&lt;/code&gt; — a breakdown of all steps, often 10+ subtasks for large-scale tools&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This lets Kiro generate structured code in stages, perfect for dashboards, data pipelines, cloud-native automation, and larger security utilities. The result: &lt;strong&gt;clean, consistent code you can version, maintain, and extend&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftvscpba2893o8uwfzssq.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftvscpba2893o8uwfzssq.jpg" alt=" " width="419" height="362"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  🔥 &lt;strong&gt;"Tools Should Work Like Teammates, Not Just Autocomplete"&lt;/strong&gt;
&lt;/h2&gt;

&lt;p&gt;Kiro doesn’t just respond; it &lt;em&gt;co-develops&lt;/em&gt;. The way it remembers patterns, offers fixes, and even &lt;strong&gt;generates remediation code (CloudFormation and Terraform)&lt;/strong&gt; makes it ideal for teams who want to move faster without cutting corners.&lt;/p&gt;

&lt;p&gt;It’s especially useful in security, where:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Speed&lt;/strong&gt; means patching before compromise
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Consistency&lt;/strong&gt; means audit readiness
&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Customization&lt;/strong&gt; means avoiding detection during Red Team work
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F25nkfjab7nz3gbgv1gq8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F25nkfjab7nz3gbgv1gq8.png" alt=" " width="800" height="472"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  🚀 Getting Started with Kiro
&lt;/h2&gt;

&lt;p&gt;If you’re a cloud engineer, DevSecOps practitioner, or Red Team lead, you’re going to want this in your toolkit.&lt;/p&gt;

&lt;p&gt;Start with something small: vibe coding a one-off scanner or enumeration tool. Then grow into spec-based development. You’ll be amazed at what you can build.&lt;/p&gt;

&lt;p&gt;🔗 &lt;strong&gt;Try Kiro for yourself&lt;/strong&gt;: &lt;a href="https://www.kiro.dev/" rel="noopener noreferrer"&gt;Kiro.dev&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  🧭 Final Thoughts
&lt;/h2&gt;

&lt;p&gt;Kiro redefined how I build.&lt;/p&gt;

&lt;p&gt;It’s no longer about just coding faster; it’s about thinking differently. Automating tasks I used to skip. Building tools I never had time for. Finding exposures others missed.&lt;/p&gt;

&lt;p&gt;This is what happens when GenAI becomes a true teammate, not a tool.&lt;/p&gt;

</description>
      <category>genai</category>
      <category>aws</category>
      <category>security</category>
      <category>community</category>
    </item>
    <item>
      <title>Tesla’s Massive 2023 Data Breach - Could Chaos Security Engineering Have Prevented This?</title>
      <dc:creator>NickTheSecurityDude</dc:creator>
      <pubDate>Tue, 22 Aug 2023 16:30:34 +0000</pubDate>
      <link>https://forem.com/aws-builders/teslas-massive-2023-data-breach-could-chaos-security-engineering-have-prevented-this-3g4j</link>
      <guid>https://forem.com/aws-builders/teslas-massive-2023-data-breach-could-chaos-security-engineering-have-prevented-this-3g4j</guid>
      <description>&lt;p&gt;Tesla is facing a possible multi-billion dollar fine¹ for its latest data breach which exposed customer bank account details¹ as well as employee PII, reportedly including Elon Musk’s SSN².&lt;/p&gt;

&lt;p&gt;Tesla is blaming a “service technician”¹ for the breach, and suing them and one other employee, but does the company itself bear any responsibility?&lt;/p&gt;

&lt;p&gt;Details of the breach are scarce, so it's hard to say exactly how it occurred and whether the company could have done anything to prevent it, but let's take a look at the following hypothetical scenario with some similar details and see if Chaos Security Engineering could identify possible security weaknesses before an adversary could exploit them.&lt;/p&gt;

&lt;p&gt;Chaos Security Engineering (CSE) is the creation and execution of “experiments” to test that your security controls are working as desired.  Many times security controls are non-existent, insufficient, or stop working over time, therefore it's important to use CSE to regularly, automatically, and sporadically test them.&lt;/p&gt;

&lt;p&gt;Let’s say XYZ Corp has 2 S3 buckets, one with company payroll info and one with customer banking information used to auto-debit their account monthly.  Let’s also assume there is a service technician who has access to AWS but does not have a business need to access either bucket.&lt;/p&gt;

&lt;p&gt;Right off the bat, I see a couple of issues here.  One, there is no blast radius containment between HR data and customer data; these items should really be in completely separate AWS accounts.  Two, that data should not be in a file in an S3 bucket, even if the bucket is encrypted; this is something which should be in a database, with table and/or column level encryption.  Then even if you had to make a backup of the database and store that in S3, the sensitive data would be encrypted.&lt;/p&gt;

&lt;p&gt;Back to the topic of encryption, there are a number of ways to encrypt data in S3; ideally this should be done with a Customer Managed KMS key (CMK), with IAM permissions disabled in the KMS resource policy.  Common mistakes that companies often make are using the S3 default encryption, an AWS Managed KMS key, or allowing IAM permissions for the CMK.&lt;/p&gt;

&lt;p&gt;With respect to CSE, what kind of experiments might help here?&lt;/p&gt;

&lt;p&gt;A frequent blunder I see is assigning the “ReadOnlyAccess” managed policy to low level accounts, such as a service technician.  While the name sounds rather trivial from a security point of view, it is actually quite dangerous and allows read access to every object in every S3 bucket.  A much better starting policy would be "ViewOnlyAccess", with a custom policy to add gradual permissions where needed.&lt;/p&gt;

&lt;p&gt;Ergo, one CSE experiment would be to attach that policy to a role and confirm that it gets removed automatically.&lt;/p&gt;

&lt;p&gt;Another experiment would be to create a KMS key that allows IAM permissions in its resource policy and confirm that it gets deactivated automatically.&lt;/p&gt;

&lt;p&gt;Finally, a policy that takes action when an S3 bucket is created without using a CMK.&lt;/p&gt;

&lt;p&gt;With these controls in place, and regularly verified by CSE tests, users who should not have access would not be able to reach the data in the first place, preventing the breach from ever occurring.  With such a negligible cost to do CSE there's no reason why more companies aren’t doing it, especially considering the ROI when facing possible million or billion dollar fines.&lt;/p&gt;

&lt;p&gt;To learn more about CSE and see some real experiments in action, join cloud security experts Ankit Mehta and Nick Gilbert CISSP for the Florida AWS Security Users Meetup on 9/13.  &lt;a href="https://www.meetup.com/florida-aws-security-meetup-group/events/295504660/" rel="noopener noreferrer"&gt;Chaos Security Engineering Demo&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;About the author: Nick Gilbert is a Cloud Security Expert, working in the financial field, and part of the AWS Community Builders Program.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;a href="https://amp.theguardian.com/technology/2023/may/26/tesla-data-leak-customers-employees-safety-complaints" rel="noopener noreferrer"&gt;Source 1&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://qz.com/tesla-data-breach-insider-job-former-employees-lawsuit-1850756905" rel="noopener noreferrer"&gt;Source 2&lt;/a&gt;&lt;/li&gt;
&lt;/ol&gt;

</description>
      <category>security</category>
      <category>aws</category>
      <category>cloud</category>
    </item>
    <item>
      <title>Operation "Hot Chow Springs"</title>
      <dc:creator>NickTheSecurityDude</dc:creator>
      <pubDate>Tue, 20 Dec 2022 06:00:00 +0000</pubDate>
      <link>https://forem.com/ncksecuritydude/operation-hot-chow-springs-b8f</link>
      <guid>https://forem.com/ncksecuritydude/operation-hot-chow-springs-b8f</guid>
      <description>&lt;h2&gt;
  
  
  What surprises you most about the community builders program?
&lt;/h2&gt;

&lt;p&gt;I like learning about new services, the sessions they put on for us are really amazing and give a sneak peek at innovative technologies which we can apply.  One other surprising thing is the amount of talented new builders from so many countries that were added in 2022.&lt;/p&gt;

&lt;h2&gt;
  
  
  What’s your background and your experience with AWS?
&lt;/h2&gt;

&lt;p&gt;I come from a Linux and programming background which I did for about 20 years before getting started with AWS.  I've been using AWS for over 5 years, and as you've probably guessed from my name, my specialty is on the security side of things.  I enjoy building and hosting workshops and other hands on activities for AWS users to learn best practices and how to avoid common security mistakes.&lt;/p&gt;

&lt;h2&gt;
  
  
  What’s the biggest benefit you see from the program?
&lt;/h2&gt;

&lt;p&gt;Networking with other builders is by far the biggest benefit.  I've collaborated with a number of builders in 2022 and plan on expanding on that even more in 2023.  Meeting so many builders and networking with them in person at re:Invent was a great experience as well.&lt;/p&gt;

&lt;h2&gt;
  
  
  What’s the next swag item that you would like to get?
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0v1ygmnceyyopmm7weji.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0v1ygmnceyyopmm7weji.jpeg" alt=" " width="800" height="600"&gt;&lt;/a&gt; &lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3iwg7nbt3wel9ch4gh2b.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F3iwg7nbt3wel9ch4gh2b.jpeg" alt=" " width="800" height="600"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Jason and Karissa always come up with the best swag.  It will be hard to top the oversized coffee mug and Osprey trail pack that I received this year.  I'm sure they will come up with something even more spectacular next year. :)&lt;/p&gt;

&lt;h2&gt;
  
  
  What are you eating for dinner today? Share the recipe!
&lt;/h2&gt;

&lt;p&gt;Deep Dish Pizza (the photo is not the actual pizza).&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2oxdwgtmaglvhh3eukey.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2oxdwgtmaglvhh3eukey.jpeg" alt=" " width="700" height="525"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Deep Dish Pizza Dough, this dough is easy to work with and gives a thick crust. If you're not on a diet you can replace some of the water with butter.&lt;/p&gt;

&lt;p&gt;3 Cups flour. I use KA Sir Lancelot Hi Gluten flour. If you use bread flour you may want to look for one with a high gluten, but any bread flour will give a good result.&lt;br&gt;
1/2 T sea salt&lt;br&gt;
1/2 T sugar&lt;br&gt;
1 packet of Quick rise, rapid rise or instant yeast. The only difference in those is the brand.&lt;br&gt;
2 T EVOO&lt;br&gt;
1 1/4 cups warm water (under 90 degrees)&lt;/p&gt;

&lt;p&gt;Mix the dry items then add the liquids.&lt;/p&gt;

&lt;p&gt;I put this in a mixer with a dough hook and knead it until I have a smooth dough. About five minutes but you really have to use your judgement on the time. &lt;/p&gt;

&lt;p&gt;Pull the dough and quickly knead it by hand into a round smooth ball. Set your dough in an oiled bowl.&lt;/p&gt;

&lt;p&gt;You can either cover it with a damp cloth or plastic wrap. Either way I spray the top of the dough with non-stick spray. &lt;/p&gt;

&lt;p&gt;Let it rise 1-2 hours or until it doubles.&lt;/p&gt;

&lt;p&gt;Punch the dough and you're ready to roll.&lt;/p&gt;

&lt;p&gt;Use about 14 oz of dough for a large deep dish. &lt;/p&gt;

&lt;p&gt;I spray my deep dish pans and put the dough in then let the dough rest for 15 min or so, until the crust starts to rise again.&lt;/p&gt;

&lt;p&gt;Put a layer of cheese, then a layer of sausage, covering the whole pizza, top it off with some pizza sauce and finally some parmesan cheese.&lt;/p&gt;

&lt;p&gt;Bake at 400 degrees for 40 minutes or until the internal temperature reaches 165 degrees.&lt;/p&gt;

&lt;h2&gt;
  
  
  Is there anything else you would like to say about the community builders program in 2022?
&lt;/h2&gt;

&lt;p&gt;Thanks for a great year!!  I'm looking forward to more building in 2023!!!&lt;/p&gt;

</description>
      <category>aws</category>
      <category>communitybuilder</category>
      <category>usergroup</category>
      <category>cbchristmas2022</category>
    </item>
    <item>
      <title>AWS CIS Compliance in 15 minutes with 1 Command</title>
      <dc:creator>NickTheSecurityDude</dc:creator>
      <pubDate>Sun, 05 Sep 2021 00:50:31 +0000</pubDate>
      <link>https://forem.com/aws-builders/aws-cis-compliance-in-15-minutes-with-1-command-3a9l</link>
      <guid>https://forem.com/aws-builders/aws-cis-compliance-in-15-minutes-with-1-command-3a9l</guid>
      <description>&lt;p&gt;Did you know an AWS Account is only 39% CIS compliant by default?&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmhua2w8jtmkx5dtfa6y7.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmhua2w8jtmkx5dtfa6y7.png" alt="SecurityHub ScreenShot" width="788" height="785"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;That's why I've created a Python script (which is available free on my GitHub page) which will help you achieve CIS, PCI DSS, and AWS Security Best Practice compliance, all with just one command.&lt;/p&gt;

&lt;p&gt;Behind the scenes it checks about 200 controls and with my script you will meet over 95% of those.  Some items such as enabling hardware MFA are not possible with a script.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2gkkvrup0nw8e45g45ho.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2gkkvrup0nw8e45g45ho.png" alt="SecurityHub MFA ScreenShot" width="800" height="54"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Behind the scenes it launches a nested CloudFormation stack with 10 sub-stacks.  Then it uses Python (via the AWS boto3 SDK library) to do the following:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Enable GuardDuty&lt;/li&gt;
&lt;li&gt;Remove Default Security Group Rules&lt;/li&gt;
&lt;li&gt;Update the Password Policy&lt;/li&gt;
&lt;li&gt;Enable S3 Secure Transport&lt;/li&gt;
&lt;li&gt;Enable PCI Standards&lt;/li&gt;
&lt;li&gt;Enable a VPC for the Control Tower Lambda function&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You can download the script and find details on how to run it here.  &lt;a href="https://github.com/NickTheSecurityDude/AWS-SecurityHub-CIS-Compliance-Automation" rel="noopener noreferrer"&gt;NickTheSecurityDude GitHub&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;After you run the script, simply give SecurityHub about 24 hours to update.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fki28p8ejt80yfd2omp8e.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fki28p8ejt80yfd2omp8e.png" alt="SecurityHub After ScreenShot" width="767" height="790"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The script will send both email notices as well as Slack notifications if a control is detected as out of compliance.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsyhh8eym2ysoiwng4tuc.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsyhh8eym2ysoiwng4tuc.png" alt="CIS Slack ScreenShot" width="682" height="377"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I will be doing a live demo of the script at the September 2021 Chicago AWS Security Meetup Group.  Join me via Zoom on 9/21 at 7pm to view first hand how the script works and to ask any questions.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb3gkziph91r60pmvsjvj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fb3gkziph91r60pmvsjvj.png" alt="SecurityHub After ScreenShot 2" width="800" height="394"&gt;&lt;/a&gt;&lt;/p&gt;

</description>
      <category>aws</category>
      <category>security</category>
      <category>python</category>
      <category>devops</category>
    </item>
    <item>
      <title>AWS Cloud Security Bootcamp (Pentester Academy) - Review</title>
      <dc:creator>NickTheSecurityDude</dc:creator>
      <pubDate>Wed, 11 Aug 2021 20:46:46 +0000</pubDate>
      <link>https://forem.com/aws-builders/aws-cloud-security-bootcamp-pentester-academy-review-3a52</link>
      <guid>https://forem.com/aws-builders/aws-cloud-security-bootcamp-pentester-academy-review-3a52</guid>
      <description>&lt;p&gt;I recently finished Pentester Academy "Cloud Security: AWS Edition" Bootcamp.  This is a 5-week instructor led course.  Its a fairly new bootcamp they've started, which they appear to offer about once per month.  My class was the 4th time they've offered it.&lt;/p&gt;

&lt;p&gt;It mainly focuses on the 5 most popular AWS services (IAM, API Gateway, Lambda, DynamoDB and S3), teaching you how to discover vulnerabilities and learning how to create security fixes for them.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdparrboyyjfx4cr0xozw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fdparrboyyjfx4cr0xozw.png" alt="Alt Text" width="378" height="221"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I've previously taken a number of Pentester Academy's courses and find them challenging as well as practical.&lt;/p&gt;

&lt;p&gt;This bootcamp consists of a 4 hour class, once per week, and homework in the form of Capture the Flag labs, about 10 per week.&lt;/p&gt;

&lt;p&gt;They say it's a course for all skill levels, but I would recommend it for intermediate or higher as you should be somewhat familiar with the AWS console, CLI and services.&lt;/p&gt;

&lt;p&gt;Each lab has a PDF guide, so if you get stuck and need a hint, the guide will help you out.  The instructor, who was Jeswin Mathai for my class, walks you through the labs the following week as well.  There is also a video recording available after each week's session to go back and review, or in case you cannot make a session.&lt;/p&gt;

&lt;p&gt;As an advanced AWS user myself, I can say I still learned new things in this course and found many of the labs challenging.  They also have a Lab Tech Support Discord channel set up to assist students.  Most of the labs took me 15-20 minutes; the more challenging ones took up to an hour.&lt;/p&gt;

&lt;p&gt;Each week covers a different area of AWS Security:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;IAM&lt;/li&gt;
&lt;li&gt;API Gateway&lt;/li&gt;
&lt;li&gt;Lambda&lt;/li&gt;
&lt;li&gt;Cloud Databases (DynamoDB and RDS)&lt;/li&gt;
&lt;li&gt;and S3&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Starting with IAM they cover a number of privilege escalation paths and some tools you can use to quickly find them.  A few highlights from this session were exploiting a misconfigured trust policy, dangerous policy combinations and three ways to get admin access using PassRole.&lt;/p&gt;

&lt;p&gt;Week 2, on API Gateway, covered some great exploits for API Gateway.  Four out of the 6 labs for this week contained flags that you could only get by compromising the gateway using methods like Verb Tampering and exploiting a poor authorizer.  A really interesting one was setting up a VPC Interface endpoint in a different account to exploit API Gateway in the target account.&lt;/p&gt;

&lt;p&gt;On to week 3, which focuses on hacking Lambda.  There are over 10 labs (different methods to hack Lambda).  This covered everything from command injection, to deserialization, to exploiting custom runtimes, to not only compromise the app but also gain access keys.  Another really cool lab this week was creating a Python script to brute force a Lambda app using a dictionary attack.  I found this week quite interesting as a number of the attack vectors were new to me.&lt;/p&gt;

&lt;p&gt;Week 4 continued with exploiting Lambda.  In particular this week focuses on 2 stage attacks for Lambda, including how to backdoor a Lambda function to give you persistent access via a reverse shell.&lt;/p&gt;

&lt;p&gt;Week 5 covers Cloud Databases and S3.  One really cool concept was SQL injection on DynamoDB using PartiQL.  Another interesting topic was a method to quickly bypass AWS WAF with an SQL injection.  The course also covers using popular pentesting tools like Burp Suite to exploit applications hosted on AWS.&lt;/p&gt;

&lt;p&gt;After completing the course there is a 48-hour exam, which you can take any time in the next 60 days.  The exam consists of 5 labs with one or two flags each.  The exam labs are more difficult than the course labs.  Two were on IAM, one on S3, one using API Gateway and the last one using Lambda and DynamoDB.  In order to pass the exam you have to solve 4 out of the 5 challenges.&lt;/p&gt;

&lt;p&gt;One thing to note is the labs in this course are different from their regular AWS labs on their Attack Defense platform.&lt;/p&gt;

&lt;p&gt;In summary, as always, Pentester Academy provides great value in their education and I would recommend this course to anyone working in the AWS security field or planning on taking the AWS Certified Security Specialty Exam.  While not an exam preparation class, you will gain hands-on experience valuable for the exam.  I would recommend it for intermediate to advanced AWS users; the course is marketed toward all levels and it does include some beginner content, but most beginners will find the concepts and exam very challenging.&lt;/p&gt;

&lt;p&gt;For more details on this bootcamp, visit: &lt;a href="https://bootcamps.pentesteracademy.com/courses" rel="noopener noreferrer"&gt;https://bootcamps.pentesteracademy.com/courses&lt;/a&gt;&lt;/p&gt;

</description>
    </item>
  </channel>
</rss>
