Forem: Alexander Delgado

A Strategy for Passing AWS Certifications

Alexander Delgado — Sun, 26 Apr 2020 18:02:39 +0000

I passed the AWS Solutions Architect - Associate and the AWS Certified Security - Specialty exams using the strategy I'm about to outline. I acknowledge that everyone learns differently and what works for some may not work for others but I do think this is a good strategy to follow if you're trying to pass any of the exams.

Courses

If you or your employer can pay for a course to prepare for the exam I highly recommend doing it. In order to see what course you should take I like searching r/AWSCertifications on reddit and looking at what courses people are recommending for the exam you want to take.

From my personal experience if you're taking the AWS Solutions Architect - Associate exam then I highly recommend Stephane Maarek's course.

When I took the AWS Certified Security - Specialty exam I took the Linux Academy course and highly recommend it as well.

Once you've decided on what course you're going to take you need to stick with it. It's easy to get analysis paralysis when looking at all the options. Find one and stick with it until the end.

Hands-on Experience

Every AWS certification recommends that you have hands on experience. If you don't have any hands on experience don't worry! If you're taking a course sometimes they will have hands on labs that give you hands-on experience. If you're not taking one of these courses with labs included you can sign up for the AWS Free Tier and follow along in your own account! Just make sure to clean up so you don't go over any of your free quota's.

Whitepapers

You can supplement your learning with AWS Whitepapers. These are great resources to dig deeper into a topic and provide a wealth of information. I found these to be especially useful when taking the AWS Certified Security - Specialty exam because it requires deep knowledge on services like KMS. That being said, they still have Whitepapers that are great for an introduction to AWS. Just keep what you will be tested on in mind and don't worry about knowing everything in a Whitepaper.

Practice Exam

Practice exams will make or break you in the real exam. AWS exams have a certain wording and strategy to answering them and in order to best prepare for that I highly recommend taking practice exams.

Some courses come with practice exams and you should definitely take those. Depending on the exam you want to take there will also be practice exams that you can buy and these are extremely beneficial. When I took the AWS Solutions Architect - Associate exam Jon Bonso's practice tests really helped me here.

Scheduling the Exam

When I took the exams they were required to be taken in person but you can take them online now! Regardless of the format in which you take your exam here are my tips:

1. Schedule the Exam When You Start Studying

This will ensure that you have a goal with a specific date in mind and will drive you to actually study. If you schedule the exam when "you think you're ready" you will push the exam back. It's nerve wracking and no one feels absolutely ready when they take the exam. But if you've studied then trust me you will be in a great position to take the exam by the time it rolls around!

2. Know When You're the Most Focused

I'm the most focused in the early morning so I generally schedule my exams as early as I can. If you know that you can't focus in the morning though don't schedule them in the morning! In general most people find it hard to focus after a meal or in the middle of the day but maybe that's when you focus best. Figure out when that time is and schedule it then.

Recap

Find a great course. Look online for reviews and what people are saying about it. Once you find one stick with it.
Get hands on experience if you can
Supplement what you're learning with Whitepapers
Take every practice test you can find! These will make or break you.
Schedule the exam as soon as you start studying for it and schedule it for a time in the day when you know you're focused

Good luck and trust the process! You can follow me on Twitter for more content, to ask me questions, or just chat.

Securing Terraform Code with tfsec

Alexander Delgado — Sat, 11 Jan 2020 19:38:46 +0000

What is it?

tfsec is an open source static code analyzer for Terraform code. It will look at your Terraform and alert against any deviations from best practices. Currently it has the capabilities of checking AWS, Azure, and GCP cloud resources. There are also a few cloud agnostic checks included now.

Why would I use it?

Terraform allows you to create cloud resources and even if your Terraform code is perfect it is really easy to create a misconfigured cloud resource. This could lead to a security compromise, leaving data exposed publicly, or leaving your resources open to attack.

If you're someone responsible for maintaining the security of your infrastructure or the security posture of your Terraform code then tfsec is a great tool and to be running in your CI pipeline. For example you can run it in your CI pipeline and fail a build if tfsec detects any issues.

Who wrote it?

tfsec was created by Liam Galvin and is on GitHub now with 3 contributors (at the time of writing this) including Liam.

How can I get it?

You can download binary from the tfsec releases page
You can install it with Homebrew

brew tap liamg/tfsec
brew install liamg/tfsec/tfsec

You can install with Go

env GO111MODULE=on go get -u [github.com/liamg/tfsec/cmd/tfsec](http://github.com/liamg/tfsec/cmd/tfsec)

Usage

One of the great things about tfsec is it's really easy to get started. Now that we know what tfsec is and how to get it lets start using it. Below is a Terraform file that creates a standard S3 bucket and we've given it the name tfsec-bucket. It's a small and boring file but shows how easy it is to create a misconfigured cloud resource.

    resource "aws_s3_bucket" "b" {
      bucket = "tfsec-bucket"
    }

Create a file called s3_bucket.tf with the above contents and save the file
From the command line run tfsec .

    2 potential problems detected:

    Problem 1

      [AWS002][ERROR] Resource 'aws_s3_bucket.b' does not have logging enabled.
      /tfsec_test/s3_bucket.tf:1-3

           1 | resource "aws_s3_bucket" "b" {
           2 |   bucket = "tfsec-bucket"
           3 | }
           4 | 

      See https://github.com/liamg/tfsec/wiki/AWS002 for more information.

    Problem 2

      [AWS017][ERROR] Resource 'aws_s3_bucket.b' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
      /tfsec_test/s3_bucket.tf:1-3

           1 | resource "aws_s3_bucket" "b" {
           2 |   bucket = "tfsec-bucket"
           3 | }
           4 | 

      See https://github.com/liamg/tfsec/wiki/AWS017 for more information.

tfsec tells you:

The number of potential problems it found:

2 potential problems detected

The rule number of the detected problem:

[AWS002]

The resource identifier with the problem:

aws_s3_bucket.b

What the problem is:

does not have logging enabled.

The file path and the lines where it detected the problem:

/tfsec_test/s3_bucket.tf:1-3

The Terraform code of the resource with line numbers:

           1 | resource "aws_s3_bucket" "b" {
           2 |   bucket = "tfsec-bucket"
           3 | }
           4 |

A link to more information about the finding

https://github.com/liamg/tfsec/wiki/AWS002

Summary

Just like with everything in security tfsec should be just another layer in your defense-in-depth approach to securing your assets and cloud infrastructure resources and absolutely not the end-all-be-all for your cloud security.

With that being said tfsec is a great tool and I'm really glad to see security tooling created and developed around Terraform. Hopefully this made you want to check it out!

What is Terraform?

Alexander Delgado — Sat, 06 Jul 2019 21:50:05 +0000

Introduction

This post covers what Terraform is and what the benefits of using it are.

Terraform is a tool that allows you to define and create resources. The way that Terraform accomplishes this is the best part. Terraform uses easy to read statements with configuration data to create those resources.

Managing your resources this way is known as infrastructure as code. Instead of creating and managing resources and their configurations through interactive configuration tools you are now doing it through machine readable Terraform files.

Example

If you wanted to create a repository on GitHub using Terraform you would create a terraform file with the following in it:

provider "github" {
  token        = "${var.github_token}"
  organization = "${var.github_organization}"
}

resource "github_repository" "my_awesome_repo" {
  name        = "my_awesome_repo"
  description = "My awesome repo"
  private     = false
}

This is telling Terraform to create a GitHub repository with the name "my_awesome_repo" and a description "My awesome repo". When you apply this configuration Terraform will create that resource for you. Just like that!

Benefits

"Why Do I need this? I could easily script this using python or my favorite high level language."

That's true. Terraform, however, comes with many out-of-the-box features that you're not going to get by scripting the creation of resources yourself.

Terraform is able to keep state. It knows what resources you have created, what resources it'll need to create, which resources it needs to update, and which resources it will need to delete.
Terraform has a plan command that when ran will tell you exactly what resources will be created, modified, or deleted. This is really handy to ensure you're creating what you want to be creating and there are no surprises.
Terraform can graph your resources and tell you what resources have dependencies. This gives you, the operator, a lot of insight about your resources.
Terraform creates and modifies resources without dependencies in parallel to build infrastructure efficiently.

One of the biggest benefits that you get from Terraform is workflow portability. Whether you're working on resources in GitHub, BitBucket, AWS, Azure, DigitalOcean or anything else, your workflow looks the same no matter what service or provider you're working with.

You create your Terraform configuration files
You run terraform init to initialize the current directory
You run terraform plan to see what resources will be created
You run terraform apply to create those resources

Compare this to having to know where to look and how to configure each service that you're working on individually.

Terraform is awesome and comes with many benefits. I highly encourage anyone that is interested in infrastructure or devops to dive right in and start learning it as it is a great tool to have in your toolbox.

Resources & Learning More

Learning Terraform
Terraform Docs
A Comprehensive Guide to Terraform