Cloud Academy Sketches: Encryption in S3

The content below is taken from the original ( Cloud Academy Sketches: Encryption in S3), to continue reading please visit the site. Remember to respect the Author & Copyright.

Some of 2017’s largest data breaches involved unprotected Amazon Simple Storage (S3) buckets that left millions of customer data records exposed to the public. The problem wasn’t the technology, but administrators who improperly configured the security settings.

For cloud teams in charge of security, understanding the configurations and options available for securing data in the cloud helps them make the right choices.

In this short video sketch, our AWS Security expert Stuart Scott will take a closer look at encryption in S3.

Amazon S3 provides a number of encryption mechanisms to secure and protect your data when at rest, giving you the flexibility to select the most appropriate way of managing your keys.

These include:

  1. Server-Side encryption with S3 managed keys (SSE-S3)
  2. Server-Side encryption with KMS Managed keys (SSE-KMS)
  3. Server-Side encryption with customer managed keys (SSE-C)
  4. Client-Side encryption with customer managed keys (CSE-C)
  5. Client-Side encryption with KMS Managed keys (CSE-KMS)

SSE-KMS uses the AWS Key Management Service (KMS), which gives users the ability to generate, control, and store encryption keys allowing you to encrypt your data.

Let’s take a look at how S3 works with KMS to perform both the encryption and decryption of your objects when using SSE-KMS.


RightScale 2018 State of the Cloud Report Uncovers Cloud Adoption Trends

RightScale Inc., a demonstrated leader in enterprise universal cloud management, today announced the results of the RightScale 2018 State of the… Read more at VMblog.com.

Robots had their own skiing competition at the Winter Olympics

The Olympics aren't just an event for the most talented athletes to strut their stuff on the world's stage. No, The Games are where robots can find honest work and leisure, too. Some 85 robots (spread across 11 different models, humanoid and otherwis…

MIT’s low power encryption chip could make IoT devices more secure

The Internet of Things hasn't ever been super secure. Hacked smart devices have been blamed for web blackouts, broken internet, spam and phishing attempts and, of course, the coming smart-thing apocalypse. One of the reasons that we haven't seen the…

While Western Union wired customers’ money, hackers transferred their personal info

Outside storage outfit blamed for data leak blunder

Western Union has confirmed one of its IT suppliers was hacked, and that customer information was exposed to miscreants.…

Reverse Engineering A Bitcoin Miner

If you’re brave enough to have dipped your toes into the Wild West that is cryptocurrency, you probably know that people have long since abandoned trying to mine on their desktop computers. Farms of GPUs are all the rage now, but dedicated mining hardware has also enjoyed a following among those who are serious about their fictitious money. The state-of-the-art for such devices is moving just as rapidly as cryptocurrency itself is, which means older mining gear can now be picked up fairly cheap on the second-hand market. This is an excellent opportunity for those who want to experiment with this type of hardware and potentially utilize it for some other purpose, but first you’ve got to figure out how the thing works.

To that end, [Tomasz Wątorowski] wrote in to the tip line to tell us about the progress he’s made reverse engineering the control protocol for the Antminer S1. As is often the case, the documentation didn’t have all the details he needed, but it did have a schematic of the BM1380 chip at the heart of the device.

Performance of the Antminer S1 controlled via UART

The Antminer S1 contains 64 BM1380 chips on an internal UART bus. With the information from the schematic, [Tomasz] was able to tap into this UART bus with a USB adapter and start listening in on the conversation. He compiled a collection of commands and learned enough to be dangerous (which is always the goal here at Hackaday).

For example, he found that he could set the frequency of the BM1380 as high as he wished without any consideration for thermal overload. This could potentially allow somebody to run the hardware to the point of destruction, à la Stuxnet.

Once he figured out how to give the hardware hashes to work on over the UART interface, he set up a little head-to-head competition between the software he wrote to command the Antminer S1 and the official control software. No drop in performance was found between his software and the real deal, which sounds like a win in our book.

Even if he can’t improve on the performance of this particular piece of outdated mining hardware, it still beats doing it by hand on a piece of paper.

Updates for Planner but No Sign of Guest Access

Office 365 with Teams

Planner Pushes Forward

Planner, the Office 365 app to organize tasks for teams (but definitely not as well as Microsoft Project) received a set of welcome changes recently. The upside is that Microsoft is delivering on the commitments they made at Ignite last September to improve Planner. The downside is that Planner still does not support access to plans for users outside an Office 365 tenant, something that the app needs to support guest access in Teams and Office 365 Groups.

Slow Progress

I like Planner and use it to organize the work for different projects, including the Office 365 for IT Pros eBook. It is a frustrating app because Microsoft does not appear to give Planner the same loving care as other parts of Office 365 receive.

Teams is out on its own in this respect as new features pop up in it every couple of weeks. Office 365 Groups does things differently by keeping interesting new features in preview for months, perhaps because Microsoft needs space to figure out the licensing rules.

Planner plods on with new features showing up once in a blue moon. It’s not as if Planner is complicated, or that it has multiple clients (just browser and mobile). The lack of progress is puzzling and has been a disappointment over the twenty-odd months of Planner’s existence.

Schedule View

But now we have a schedule view, a welcome addition to the paltry charting capabilities in Planner to date. People use schedule views all the time with Outlook to organize personal and team commitments, so it is surprising that it has taken so long for Microsoft to introduce the same view to Planner.

It is not that the schedule view establishes a new high mark in the state of calendaring representation. The view is basic and perfectly usable because it looks as if it was lifted out of OWA (Figure 1). Well, lifted while leaving some functionality behind, like being able to assign categories (colors) to different tasks. The only visual sign that something is happening with a task is an icon showing if it is in progress (an example is in the top task listed for February 14).

Planner Filter View

Figure 1: Tasks for a plan shown in Planner’s schedule view (image credit: Tony Redmond)

Filters

As anyone who has a busy calendar knows, it is all too easy to be overwhelmed with a packed schedule. To help, Planner now supports the ability to filter tasks so that you can focus on specific categories by suppressing the display of stuff you don’t want to see.

Some filters are date-based, such as tasks that are late or due today. Others use the labels that you can assign to tasks, like the “Critical Path” label shown in Figure 2. And you can also filter tasks assigned to members of the team.

Planner Filters

Figure 2: Filtering tasks with Planner (image credit: Tony Redmond)

There’s not much you can say about filters because they either work or they don’t. In this case, they do, and Planner covers all the major ways to filter tasks.

Notifications

Next up, we have some new notifications. Bizarrely, Microsoft omitted notifications for Planner up to now. Part of task management is reminding people to get assigned work done. Given that Office 365 knows about tasks and has more than enough ways to remind people, I do not know why Planner has not been able to send email to flag tasks due soon, which is what we now have.

To access the notifications setting (which is personal to a user), click the cogwheel (settings) icon and select Notifications (Figure 3). These settings are separate from the notification settings for the team.

Planner Notifications

Figure 3: Personal task notifications (image credit: Tony Redmond)

Teams are Missing

What’s missing from notifications is the ability to flag a task through the Teams activity feed. Some tenants are likely to prefer seeing these notifications in Teams, especially if they are trying to transfer some workload from email to Teams or prefer to access Planner through links to plans set up as channel tabs.

The good news is that Microsoft made the commitment to bring Planner notifications to Teams at Ignite, so it is likely coming soon. Figure 4 shows how I use Planner to track Microsoft’s progress against commitments. As you can see, they are getting there. Slowly.

Planner Progress

Figure 4: The progress of Planner (image credit: Tony Redmond)

Next Steps for Planner

Microsoft’s blog post makes no mention of guest access, but I hope that is the next big thing we see in Planner. So many plans involve external experts, and Planner really suffers through this lack. In the meantime, Microsoft says that Planner will soon be able to publish tasks through an iCalendar feed, meaning that tasks can be picked up in personal Outlook calendars. That capability is “coming soon.”

I continue to like Planner. I would use it more if the app was more functional, but it does seem to be squeezed inside Office 365 by Outlook tasks and To-Do at the bottom end and by Microsoft Project at the top end. It must be hard to figure out what feature goes where when you have so many competing demands…

Follow Tony on Twitter @12Knocksinna.

The post Updates for Planner but No Sign of Guest Access appeared first on Petri.

Embark’s self-driving truck completes 2,400 mile cross-U.S. trip

Embark’s autonomous trucking solution just demonstrated what it could be capable of in a big way: It made a coast-to-coast trip from L.A. to Jacksonville, Florida, driving 2,400 miles and delivering refrigerators for Electrolux from one end of the U.S. to the other.
This follows Embark’s prior test route, which ran from L.A. to El Paso, and covers more than four times the distance of that initial path. Embark did the new… distance… Read More

cloneapp (1.20.812)

CloneApp enables easy backup of all your app settings from Windows directories and Registry.

I see you’re writing a résumé?!.. LinkedIn parked in MS Word

It’s so unreal, didn’t look out below. Watch the time go right out the Windows

Microsoft has glued LinkedIn and Office 365’s Word together so it can automatically help folks write or update their résumés – and find them new jobs at the same time.…

Microsoft will buy out existing cloud storage contracts for customers switching to OneDrive for Business

Microsoft is targeting its cloud storage rivals including Dropbox, Box, and Google today by offering to essentially buy out customers’ existing contracts if they make the switch to OneDrive for Business. The company says that customers currently paying for one of these competitive solutions can instead opt to use OneDrive for free for the remainder of their contract’s term. The… Read More

SiFive Introduces RISC-V Linux-Capable Multicore Processor

Slowly but surely, RISC-V, the Open Source architecture for everything from microcontrollers to server CPUs, is making inroads in the community. Now SiFive, the major company behind putting RISC-V chips into actual silicon, is releasing a chip that’s even more powerful. At FOSDEM this weekend, SiFive announced the release of a Linux-capable Single Board Computer built around the RISC-V ISA. It’s called the HiFive Unleashed, and it’s the first piece of silicon capable of running Linux on a RISC-V core.

SiFive’s HiFive Unleashed

The HiFive Unleashed is built around the Freedom U540 SOC, a quad-core processor built on a 28nm process. The chip itself boasts four U54 RV64GC cores with an additional E51 RV64IMAC management core. This chip has support for 64-bit DDR4 with ECC and a single Gigabit Ethernet port. Those specs are just the chip though, and you’ll really need a complete system for a single board computer. This is the HiFive Unleashed, a board sporting the Freedom U540, 8GB of DDR4 with ECC, 32MB of Quad SPI Flash, Gigabit Ethernet, and a microSD card slot for storage. If you don’t mind being slightly inaccurate while describing this to a technological youngling, you could say this is comparable to a Raspberry Pi but with a completely Open Source architecture.

News of this caliber can’t come without some disappointment though, and in this case it’s that the HiFive Unleashed will ship this summer and cost $999. Yes, compared to a Raspberry Pi or BeagleBone that is an extremely high price, but it has to be borne in mind that this is a custom chip and low-volume silicon on a 28nm process. Until a router or phone manufacturer picks up a RISC-V chip for some commodity equipment, this architecture will be expensive.

This announcement of a full Single Board Computer comes just months after the announcement of the SOC itself. Already, GCC support works, Linux stuff is going upstream, and the entire Open Source community seems reasonably enthusiastic about RISC-V. It’ll be great to see where this goes in the coming years, and when we can get Linux-capable RISC-V chips for less than a kilobuck.

Spotify teams with Discord to soundtrack your gaming chats

Spotify and gaming chat app Discord are joining forces so your entire channel can bump to the same music during a raid. Starting today, you can link your Spotify Premium account to your Discord account and keep the beats rocking for your entire commu…

New Azure Data Factory self-paced hands-on lab for UI

A few weeks back, we announced the public preview release of the new browser-based V2 UI experience for Azure Data Factory. We’ve since partnered with Pragmatic Works, who have been long-time experts in the Microsoft data integration and ETL space, to create a new set of hands-on labs that you can now use to learn how to build those DI patterns using ADF V2.

In that repo, you will find data files and scripts in the Deployment folder. There are also lab manual folders for each lab module, as well as an overview presentation to walk you through the labs. Below you will find more details on each module.

The repo also includes a series of PowerShell and database scripts as well as Azure ARM templates that will generate resource groups that the labs need in order for you to successfully build out an end-to-end scenario, including some sample data that you can use for Power BI reports in the final Lab Module 9.

Here is how the individual labs are divided:

  • Lab 1 – Setting up ADF and Resources, Start here to get all of the ARM resource groups and database backup files loaded properly.
  • Lab 2 – Lift and Shift of SSIS to Azure, Go to this lab if you have existing SSIS packages on-prem that you’d like to migrate directly to the cloud using the ADF SSIS-IR capability.
  • Lab 3 – Rebuilding an existing SSIS job as an ADF pipeline.
  • Lab 4 – Take the new ADF pipeline and enhance it with data from Cloud Sources.
  • Lab 5 – Modernize the DW pipeline by transforming Big Data with HDInsight.
  • Lab 6 – Go to this lab to learn how to create copy workflows in ADF into Azure SQL Data Warehouse.
  • Lab 7 – Build a trigger-based schedule for your new ADF pipeline.
  • Lab 8 – You’ve operationalized your pipeline based on a schedule. Now learn how to monitor and manage that DI process.
  • Lab 9 – Bringing it all Together

Thank you, and we hope that you enjoy using the labs to learn how to build scale-out data integration projects using Azure Data Factory!

Looking Back at Microsoft Bob

Every industry has at least one. Automobiles had the Edsel. PC Hardware had the IBM PCJr and the Microchannel bus. In the software world, there’s Bob. If you don’t remember him, Bob was Microsoft’s 1995 answer to why computers were so darn hard to use. [LGR] gives us a nostalgic look back at Bob and concludes that we hardly knew him.

Bob altered your desktop to be a house instead of a desk. He also had helpers including the infamous talking paper clip that suffered slings and arrows inside Microsoft Office long after Bob had been put to rest.

Microsoft had big plans for Bob. There was a magazine and add-on software (apparently there was only one title released). Of course, if you want to install Bob yourself, you’ll need to boot Windows 3.1 — this is 1995, remember.

To log in you had to knock on the big red door and then tell the helpful dog all your personal information. Each user had a private room and all users would share other rooms.

We like to feature retrocomputing of the great old computers of our youth. This is kind of the anti-example of this. Bob was a major fail. PC World awarded it 7th place in the 25 worst tech products of all time and CNet called it the number one worst product of the decade.

Once you’ve had enough of 1995 failed software, you can always read up on some more successful Z80 clones. Or you can go further back in the way back machine and see what user interfaces were like in the 1960s and 1970s.

802.11: Wi-Fi standards and speeds explained

In the world of wireless, the term Wi-Fi is synonymous with wireless access in general, despite the fact that it is a specific trademark owned by the Wi-Fi Alliance, a group dedicated to certifying that Wi-Fi products meet the IEEE’s set of 802.11 wireless standards.

These standards, with names such as 802.11b (pronounced “Eight-O-Two-Eleven-Bee”, ignore the “dot”) and 802.11ac, comprise a family of specifications that started in the 1990s and continues to grow today. The 802.11 standards codify improvements that boost wireless throughput and range as well as the use of new frequencies as they become available. They also address new technologies that reduce power consumption.

Biocycler wants to recycle construction waste into new building materials

Waste from construction and demolition sites accounts for approximately 15-30% of all landfill content in the United States. According to NASA’s estimates, more than 500 million tons of often non-biodegradable building materials containing carcinogens and other toxins are sent off to the junkyard yearly. 

Seeking to alleviate some of these environmental consequences of the built environment, Chris Maurer of redhouse studio has created the Biocycler, a mobile machine to be placed at demolition sites in order to recycle waste. Maurer, who previously served as director of the non-profit firm MASS Design Group in Rwanda, has teamed up with both NASA and MIT for the project, which is currently running a Kickstarter campaign to build a working prototype.

The machine, which will collect waste on site, uses living organisms, primarily mushrooms, as binders to form ground up trash materials into bricks. Fungi—Earth’s great decomposer—contains mycelium, the vegetative part of mushrooms that e…

Password Rotation for Windows on Amazon EC2 Made Easy with EC2Rescue

EC2Rescue for Windows is an easy-to-use tool that you run on an Amazon EC2 Windows Server instance to diagnose and troubleshoot possible problems. A common use of the tool is to reset the local administrator password.

Password rotation is an important security task in any organization. In addition, setting strong passwords is necessary to ensure that the password doesn’t get hacked by brute force or dictionary attacks. However, these tasks become very challenging to perform manually, particularly when you are dealing with more than a few servers.

AWS Systems Manager allows you to manage your fleet remotely, and to run commands at scale using Run Command. The Systems Manager Parameter Store feature is integrated with AWS Key Management Service (AWS KMS). Parameter Store allows for string values to be stored encrypted, with granular access controlled by AWS Identity and Access Management (IAM) policies.

In this post, I show you how to rotate the local administrator password for your Windows instances using EC2Rescue, and store the rotated password in Parameter Store. By using Systems Manager Maintenance Window, you can then schedule this activity to occur automatically at a frequency of your choosing.

Overview

EC2Rescue is available as a Run Command document called AWSSupport-RunEC2RescueForWindowsTool. The option to reset the local administrator password allows you to specify which KMS key to use to encrypt the randomly generated password.
If your EC2 Windows instances are already enabled with Systems Manager, then the password reset via EC2Rescue Run Command happens online, with no downtime. You can then configure a Systems Manager maintenance window to run AWSSupport-RunEC2RescueForWindowsTool on a schedule (make sure your EC2 instances are running during the maintenance window!).

Workflow

In this post, I provide step-by-step instructions to configure this solution manually. For those of you who want to see the solution in action with minimal effort, I have created a CloudFormation template that configures everything for you, in the us-west-2 (Oregon) region.

Keep reading to learn what is being configured, or jump to the Deploy the solution section for a description of the template parameters.

Define a KMS key

First, you create a KMS key specifically to encrypt Windows passwords. This gives you control over which users and roles can encrypt these passwords, and who can then decrypt them. I recommend that you create a new KMS key dedicated to this task to better manage access.

Create a JSON file for the Key policy

In a text editor of your choosing, copy and paste the following policy. Replace ACCOUNTID with your AWS Account ID. Administrators is the IAM role name that you want to allow to decrypt the rotated passwords, and EC2SSMRole is the IAM role name attached to your EC2 instances. Save the file as RegionalPasswordEncryptionKey-Policy.json.

{
  "Version": "2012-10-17",
  "Id": "key-policy",
  "Statement": [
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNTID:role/Administrators"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow decryption",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNTID:role/Administrators"
      },
      "Action": "kms:Decrypt",
      "Resource": "*"
    },
    {
      "Sid": "Allow encryption",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNTID:role/EC2SSMRole"
      },
      "Action": "kms:Encrypt",
      "Resource": "*"
    }
  ]
}

Create the key and its alias (user-friendly name)
Use the following CLI command to create a KMS key that the IAM role Administrators can manage, and that the IAM role EC2SSMRole can use for encryption only:

aws kms create-key \
--policy file://RegionalPasswordEncryptionKey-Policy.json \
--description "Key used to encrypt local Administrator passwords stored in SSM Parameter Store."

Output:
{
	"KeyMetadata":
	{
		"Origin": "AWS_KMS",
		"KeyId": "88eea0b7-0508-4318-a0bc-feee4a5250a3",
		"Description": "Key used to encrypt local Administrator passwords stored in SSM Parameter Store.",
		(...)
	}
}

Use the following CLI command to create an alias for the KMS key:

aws kms create-alias \
--alias-name alias/WindowsPasswordRotation-EncryptionKey \
--target-key-id 88eea0b7-0508-4318-a0bc-feee4a5250a3

Define a maintenance window

Use a maintenance window to schedule the password reset. Here is the CLI command to schedule such activity every Sunday at 5AM UTC:

aws ssm create-maintenance-window \
--name "windows-password-rotation" \
--schedule "cron(0 5 ? * SUN *)" \
--duration 2 \
--cutoff 1 \
--no-allow-unassociated-targets

Output:
{ "WindowId": "mw-0f2c58266a8c49246" }

Define a target

Use tags to identify the instances whose password should be reset. For example, you can reset the password on all instances tagged with the tag key Environment and the value Production.

aws ssm register-target-with-maintenance-window \
--window-id "mw-0f2c58266a8c49246" \
--targets "Key=tag:Environment,Values=Production" \
--owner-information "Production Servers" \
--resource-type "INSTANCE"

Output:
{
	"WindowTargetId": "a5fc445b-a7f1-4591-b528-98440832da41"
}

Define a maintenance window IAM role

These steps are only necessary if you haven’t configured a maintenance window before. Skip this section if you already have your IAM role with the AmazonSSMMaintenanceWindowRole AWS Managed Policy attached.

Create a JSON file for the role trust policy

In a text editor of your choosing, copy and paste the following trust policy. Save the file as AutomationMWRole-Trust-Policy.json.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ssm.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role and attach the Amazon managed policy for SSM maintenance window

Use the following two CLI commands to create the IAM role AutomationMWRole and attach the AmazonSSMMaintenanceWindowRole AWS Managed Policy to it.

aws iam create-role \
--role-name AutomationMWRole \
--assume-role-policy-document file://AutomationMWRole-Trust-Policy.json

aws iam attach-role-policy \
--policy-arn arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole \
--role-name AutomationMWRole

Define a task

EC2Rescue is available as a Run Command document called AWSSupport-RunEC2RescueForWindowsTool. This document allows you to run EC2Rescue remotely on your instances. One of the available options is the ability to reset the local administrator password. As the final configuration step, create a Run Command task that runs AWSSupport-RunEC2RescueForWindowsTool with the following parameters:

  • Command = ResetAccess
  • Parameters = KMS Key ID

Rotated passwords are saved in Parameter Store, encrypted with the KMS key you specify. Here is the CLI command using the KMS key, target, maintenance window and role that you previously generated:

aws ssm register-task-with-maintenance-window \
--targets "Key=WindowTargetIds,Values=a5fc445b-a7f1-4591-b528-98440832da41" \
--task-arn "AWSSupport-RunEC2RescueForWindowsTool" \
--service-role-arn "arn:aws:iam::ACCOUNTID:role/AutomationMWRole" \
--window-id "mw-0f2c58266a8c49246" \
--task-type "RUN_COMMAND" \
--task-parameters  "{\"Command\":{ \"Values\": [\"ResetAccess\"] }, \"Parameters\":{ \"Values\": [\"88eea0b7-0508-4318-a0bc-feee4a5250a3\"] } }" \
--max-concurrency 5 \
--max-errors 1 \
--priority 1

Output:
{
	"WindowTaskId": "a3571731-c64c-4e43-be8d-7b543942a179"
}

Your Windows instances need to be enabled for Systems Manager, and to have additional IAM permissions to be able to write to Parameter Store. You can accomplish this by adding the following policy to the existing IAM roles associated with your Windows instances:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:PutParameter"
            ],
            "Resource": [
                "arn:aws:ssm:*:ACCOUNTID:parameter/EC2Rescue/Passwords/*"
            ]
        }
    ]
}

Save the policy as EC2Rescue-ResetAccess-Policy.json. Here are the CLI commands to create a new IAM customer managed policy and attach it to an existing Systems Manager IAM role for EC2 (in this example, EC2SSMRole).

aws iam create-policy \
--policy-name EC2Rescue-ResetAccess-Policy \
--policy-document file://EC2Rescue-ResetAccess-Policy.json

aws iam attach-role-policy \
--policy-arn arn:aws:iam::ACCOUNTID:policy/EC2Rescue-ResetAccess-Policy \
--role-name EC2SSMRole

Deploy the solution

To simplify the deployment of this solution, I have created an AWS CloudFormation template that configures all the parts described earlier in this post, and deploys this solution in us-west-2 (Oregon).


These are the parameters that the template requires:

  • Target
    • Tag key to filter your instances
    • Tag value to filter your instances
    • Cron expression for the maintenance window
  • Permissions
    • Existing IAM role name you are using for your Systems Manager-enabled EC2 instances, which will be authorized to encrypt the passwords.
  • Security
    • Current IAM role name that you are using to deploy this CloudFormation template. The role is authorized to decrypt the passwords and manage the KMS key.

The following figure shows the CloudFormation console, with the default template parameters and the existing EC2 IAM role named EC2SSMRole, as well as the administrative IAM role Administrators, which you use to create the CloudFormation stack.

The deployment takes a few minutes. Here is a sample maintenance window, which was last executed on October 29th 2017.

Parameter Store has an encrypted parameter for each production Windows instance. You can decrypt each value from the console if you have kms:Decrypt permission on the key that was used to encrypt the password.
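Because the rotation only happens for instances that are running and Systems Manager-enabled during the maintenance window, it is worth checking Parameter Store after each window for passwords that were not rotated. The script below is an added example, not code from the original post or from EC2Rescue. It assumes (the post does not say this) that each rotated password is stored under /EC2Rescue/Passwords/ with the instance ID as the last path element, and it takes the SSM client as a parameter so it runs offline against the constructed FakeSSM stand-in; in production you would pass boto3.client("ssm"). The audit itself reads only parameter metadata, so the role running it needs ssm:GetParametersByPath but not kms:Decrypt; only fetch_password needs the decrypt permission.

```python
"""Audit of rotated local administrator passwords in Parameter Store.

Added example, not code from the original post or from EC2Rescue. Assumes
(not stated on the page) that each rotated password is stored under
/EC2Rescue/Passwords/ with the instance ID as the last path element. The SSM
client is injected so the check runs offline against the constructed FakeSSM
below; in production pass boto3.client("ssm") instead.
"""
from datetime import datetime, timedelta, timezone

PASSWORD_PATH = "/EC2Rescue/Passwords/"  # path the instance role may write to


def list_password_parameters(ssm):
    """Page through GetParametersByPath, reading metadata only.

    WithDecryption=False means the caller needs ssm:GetParametersByPath but
    not kms:Decrypt, so the audit can run from a role that cannot read the
    passwords themselves.
    """
    params, token = [], None
    while True:
        kwargs = {"Path": PASSWORD_PATH, "Recursive": True, "WithDecryption": False}
        if token:
            kwargs["NextToken"] = token
        page = ssm.get_parameters_by_path(**kwargs)
        params.extend(page.get("Parameters", []))
        token = page.get("NextToken")
        if not token:
            return params


def audit_rotations(parameters, now, max_age):
    """Map instance ID -> list of findings.

    'stale'     : LastModifiedDate is older than max_age, i.e. the password was
                  not rotated in the last maintenance window (instance stopped,
                  not Systems Manager-enabled, or the task failed).
    'plaintext' : the parameter is not a SecureString, so the value is not
                  protected by the KMS key at all.
    """
    findings = {}
    for p in parameters:
        instance_id = p["Name"].rsplit("/", 1)[-1]
        issues = []
        if p.get("Type") != "SecureString":
            issues.append("plaintext")
        if now - p["LastModifiedDate"] > max_age:
            issues.append("stale")
        if issues:
            findings[instance_id] = issues
    return findings


def fetch_password(ssm, instance_id):
    """Decrypt one rotated password. This call needs kms:Decrypt on the key
    and is the read that CloudTrail records when an operator uses a password."""
    resp = ssm.get_parameter(Name=PASSWORD_PATH + instance_id, WithDecryption=True)
    return resp["Parameter"]["Value"]


class FakeSSM:
    """Constructed stand-in for boto3's SSM client; serves SAMPLE in two pages
    so the NextToken loop is exercised."""

    def __init__(self, parameters):
        self._params = parameters

    def get_parameters_by_path(self, **kwargs):
        # Metadata only: the real call without WithDecryption would return
        # ciphertext, so the constructed value is dropped here.
        meta = [{k: v for k, v in p.items() if k != "Value"} for p in self._params]
        if kwargs.get("NextToken") is None:
            return {"Parameters": meta[:1], "NextToken": "page2"}
        return {"Parameters": meta[1:]}

    def get_parameter(self, Name, WithDecryption=False):
        for p in self._params:
            if p["Name"] == Name:
                value = p["Value"] if WithDecryption else "<ciphertext>"
                return {"Parameter": {"Name": Name, "Value": value}}
        raise KeyError(Name)


NOW = datetime(2017, 10, 30, tzinfo=timezone.utc)
SAMPLE = [  # constructed sample data, not real instances or passwords
    {"Name": PASSWORD_PATH + "i-0aaa", "Type": "SecureString", "Value": "sample-1",
     "LastModifiedDate": NOW - timedelta(hours=6)},
    {"Name": PASSWORD_PATH + "i-0bbb", "Type": "SecureString", "Value": "sample-2",
     "LastModifiedDate": NOW - timedelta(days=9)},
    {"Name": PASSWORD_PATH + "i-0ccc", "Type": "String", "Value": "sample-3",
     "LastModifiedDate": NOW - timedelta(hours=6)},
]


def run_audit(ssm=None, now=NOW, max_age=timedelta(days=7)):
    """Weekly rotation is assumed, so anything older than 7 days is stale."""
    ssm = ssm if ssm is not None else FakeSSM(SAMPLE)
    return audit_rotations(list_password_parameters(ssm), now, max_age)


if __name__ == "__main__":
    for instance, issues in run_audit().items():
        print(instance, ", ".join(issues))
```

Against the constructed sample, run_audit() flags i-0bbb as stale (last rotated nine days ago against a weekly window) and i-0ccc as plaintext (stored as a String rather than a SecureString); set max_age to match your own cron expression for the maintenance window.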

Conclusion

In this post, I showed you how to enhance the security of an EC2 environment by automating secure password rotation. Passwords are rotated on a schedule, and these actions are logged in AWS CloudTrail. Passwords are stored in Parameter Store encrypted with a KMS key, so that you have granular control, through IAM policies, over who has access to the encrypted passwords.
As long as your EC2 Windows instances are running during the maintenance window and are configured to work with Systems Manager, the local administrator password is rotated automatically. Additional maintenance windows can be created for other environments, or new targets added to the existing maintenance window (such as development, staging, or QA environments).

About the Author
Alessandro Martini is a Senior Cloud Support Engineer in the AWS Support organization. He likes working with customers, understanding and solving problems, and writing blog posts that outline solutions on multiple AWS products. He also loves pizza, especially when there is no pineapple on it.

Zombie … in SPAAACE: amateur gets chatty with ‘dead’ satellite

NASA reckons it might even be able to operate ‘IMAGE’, thought dead since 2005

An amateur astronomer hunting the Zuma satellite that SpaceX may or may not have lost has instead turned up signals from a NASA bird thought dead since 2005.…

Azure ExpressRoute updates – New partnerships, monitoring and simplification

Azure ExpressRoute allows enterprise customers to privately and directly connect to Microsoft’s cloud services, providing a more predictable networking experience than traditional internet connections. ExpressRoute is available in 42 peering locations globally and is supported by a large ecosystem of more than 100 connectivity providers. Leading customers use ExpressRoute to connect their on-premises networks to Azure, as a vital part of managing and running their mission critical applications and services.

Cisco to build Azure ExpressRoute practice

As we continue to grow the ExpressRoute experience in Azure, we’ve found our enterprise customers benefit from understanding networking issues that occur in their internal networks with hybrid architectures. These issues can impact their mission-critical workloads running in the cloud.

To help address on-premises issues, which often require deep technical networking expertise, we continue to partner closely with Cisco to provide a better customer networking experience. Working together, we can solve the most challenging networking issues encountered by enterprise customers using Azure ExpressRoute.

Today, Cisco announced an extended partnership with Microsoft to build a new network practice providing Cisco Solution Support for Azure ExpressRoute. We are fully committed to working with Cisco and other partners with deep networking experience to build and expand on their networking practices and help accelerate our customers’ journey to Azure.

Cisco Solution Support provides customers with additional centralized options for support and guidance for Azure ExpressRoute, targeting the customer's on-premises end of the network.

New monitoring options for ExpressRoute

To provide more visibility into ExpressRoute network traffic, Network Performance Monitor (NPM) for ExpressRoute will be generally available in six regions in mid-February, following a successful preview announced at Microsoft Ignite 2017. NPM enables customers to continuously monitor their ExpressRoute circuits and alert on several key networking metrics, including availability, latency, and throughput, in addition to providing a graphical view of the network topology.

NPM for ExpressRoute can easily be configured through the Azure portal to quickly start monitoring your connections.

We will continue to enhance the footprint, features and functionality of NPM for ExpressRoute to provide richer monitoring capabilities for ExpressRoute.

Figure 1: Network Performance Monitor and Endpoint monitoring simplify ExpressRoute monitoring

Endpoint monitoring for ExpressRoute enables customers to monitor connectivity not only to PaaS services such as Azure Storage but also SaaS services such as Office 365 over ExpressRoute. Customers can continuously measure and alert on the latency, jitter, packet loss and topology of their circuits from any site to PaaS and SaaS services. A new preview of Endpoint Monitoring for ExpressRoute will be available in mid-February.

Simplifying ExpressRoute peering

To further simplify management and configuration of ExpressRoute we have merged public and Microsoft peerings. Now available on Microsoft peering are Azure PaaS services such as Azure Storage and Azure SQL along with Microsoft SaaS services (Dynamics 365 and Office 365). Access to your Azure Virtual Networking remains on private peering.

Figure 2: ExpressRoute with Microsoft peering and private peering

ExpressRoute, using BGP, provides Microsoft prefixes to your internal network. Route filters allow you to select the specific Office 365 or Dynamics 365 services (prefixes) accessed via ExpressRoute. You can also select Azure services by region (e.g. Azure US West, Azure Europe North, Azure East Asia). Previously this capability was only available on ExpressRoute Premium. We will be enabling Microsoft peering configuration for standard ExpressRoute circuits in mid-February.

New ExpressRoute locations

ExpressRoute is always configured as a redundant pair of virtual connections across two physical routers. This highly available connection enables us to offer an enterprise-grade SLA. We recommend that customers connect to Microsoft in multiple ExpressRoute locations to meet their Business Continuity and Disaster Recovery (BCDR) requirements. Previously this required customers to have ExpressRoute circuits in two different cities. In select locations we will provide a second ExpressRoute site in a city that already has an ExpressRoute site. A second peering location is now available in Singapore. We will add more ExpressRoute locations within existing cities based on customer demand. We’ll announce more sites in the coming months.

Apple whispers farewell to macOS Server

All the bits that make it a server are being deprecated

Apple appears to have all but killed macOS Server by deprecating most of what distinguishes it from a desktop OS.…

UK hits its 95 percent ‘superfast’ broadband coverage target

'Superfast' broadband with speeds of at least 24 Mbps is now available across 95 percent of the UK, according to new stats thinkbroadband.com published today. The milestone was actually achieved last month, meaning the government's Broadband Delivery…

Voicelabs launches Alpine to bring retailers to the voice shopping ecosystem

 Voicelabs, a company that has been experimenting in the voice computing market for some time with initiatives in advertising and analytics, is now pivoting its business again – this time, to voice-enabled commerce. The company is today launching its latest product out of stealth: Alpine.AI, a solution that builds voice shopping apps for retailers by importing their catalog, then layering… Read More

How to move files between Office 365, SharePoint and OneDrive

Last year, Microsoft announced that it would allow copying files in Office 365. From now on, Microsoft allows users to move files in Office 365 with full-fidelity protection for metadata and version management. This helps ease […]

This post How to move files between Office 365, SharePoint and OneDrive is from TheWindowsClub.com.

Trueface.ai integrates with IFTTT as the latest test-case of its facial recognition tech

Trueface.ai, the stealthy facial recognition startup that’s backed by 500 Startups and a slew of angel investors, is integrating with IFTTT to allow developers to start playing around with its technology. Chief executive Shaun Moore tells me that the integration with IFTTT represents the first time that facial recognition technology will be made available to the masses without the need… Read More