Category Archives: AWS

Penetration Testing and AWS

Here is one of those topics where you can often run into misinformation when you are studying AWS. That is because the rules keep changing, and textbooks and courses are often still quoting the old rules!


So here is the skinny as of 10/20/2019! You no longer have to obtain permission from AWS to pen test your own resources in 8 AWS services; for anything outside those 8, you still need to request authorization from AWS first. NOTE: Be sure not to pen test the AWS services themselves, as this is never permitted; the policy covers your resources running on a service, not the service's own infrastructure. In fact, if you discover a vulnerability in a service itself while pen testing your resources, you are encouraged to report it to the AWS Security team. What are the 8 services? Here they are:

  • EC2, including NAT Gateways and Elastic Load Balancers
  • RDS
  • CloudFront
  • Aurora
  • API Gateways
  • Lambda and Lambda Edge
  • Lightsail
  • Elastic Beanstalk

You should also note that Amazon currently prohibits the following tests:

  • DNS zone walking via Amazon Route 53 Hosted Zones
  • Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
  • Port flooding
  • Protocol flooding
  • Request flooding (login request flooding, API request flooding)
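Before any scan, a practitioner wants proof that every target really is one of their own resources, and a scan profile that cannot be mistaken for port or request flooding. The following added example (mine, not code from the original post or from AWS) does that pre-flight check in Python against the JSON that `aws ec2 describe-instances` and `aws elbv2 describe-load-balancers` return. The instance IDs, IPs and DNS names below are constructed sample data so the block runs offline, and the nmap rate limits are illustrative values, not an AWS requirement.

```python
import ipaddress
import json

# --- Constructed sample API output (not real account data) -----------------
# Shape follows `aws ec2 describe-instances` and
# `aws elbv2 describe-load-balancers`; IDs, IPs and names are made up.
EC2_JSON = """
{
  "Reservations": [
    {"Instances": [
      {"InstanceId": "i-0123456789abcdef0",
       "State": {"Name": "running"},
       "PublicIpAddress": "203.0.113.10",
       "PublicDnsName": "ec2-203-0-113-10.compute-1.amazonaws.com"},
      {"InstanceId": "i-0fedcba9876543210",
       "State": {"Name": "stopped"}}
    ]}
  ]
}
"""

ELB_JSON = """
{
  "LoadBalancers": [
    {"LoadBalancerName": "web-alb",
     "DNSName": "web-alb-1234567890.us-east-1.elb.amazonaws.com"}
  ]
}
"""


def owned_targets(ec2_json, elb_json):
    """Map every public IP / DNS name the account exposes to the owning resource."""
    owned = {}
    for reservation in json.loads(ec2_json)["Reservations"]:
        for inst in reservation["Instances"]:
            # A stopped instance has released its public IP; it is not a live target.
            if inst["State"]["Name"] != "running":
                continue
            for field in ("PublicIpAddress", "PublicDnsName"):
                if inst.get(field):
                    owned[inst[field].lower()] = inst["InstanceId"]
    for lb in json.loads(elb_json)["LoadBalancers"]:
        owned[lb["DNSName"].lower()] = lb["LoadBalancerName"]
    return owned


def check_scope(targets, owned):
    """Split requested targets into (in_scope, out_of_scope).

    A target is in scope only if it is literally one of the account's own
    public IPs or DNS names. Anything else (a neighbouring IP, an AWS
    service endpoint such as an S3 or STS hostname) is refused.
    """
    in_scope, out_of_scope = [], []
    for target in targets:
        key = target.strip().lower()
        try:
            key = str(ipaddress.ip_address(key))   # canonical text form (e.g. compressed IPv6)
        except ValueError:
            pass                                   # not an IP literal: compare as a hostname
        (in_scope if key in owned else out_of_scope).append(target)
    return in_scope, out_of_scope


def nmap_command(in_scope):
    """Build a deliberately throttled nmap scan for the in-scope hosts.

    --max-rate and --max-retries keep probe volume far below anything that
    could be read as port or protocol flooding; values are illustrative.
    """
    if not in_scope:
        return None
    return ["nmap", "-Pn", "-sS", "--max-rate", "50", "--max-retries", "2",
            "-oA", "scope-scan", *in_scope]


if __name__ == "__main__":
    owned = owned_targets(EC2_JSON, ELB_JSON)
    wanted = ["203.0.113.10",
              "web-alb-1234567890.us-east-1.elb.amazonaws.com",
              "203.0.113.11",          # neighbour, not ours
              "s3.amazonaws.com"]      # AWS service endpoint, never in scope
    ok, refused = check_scope(wanted, owned)
    print("in scope:", ok)
    print("REFUSED (not your resource or an AWS service endpoint):", refused)
    print(" ".join(nmap_command(ok)))
```

Run the two CLI commands for every region you use, feed their output in place of the constructed strings, and only hand nmap the in-scope list; anything the script refuses is either not yours or an AWS service endpoint and falls outside the policy above.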

These rules will change again in the future. Subscribe to the blog, and when the rules change I will be sure to let you know!

Thanks for reading, and have fun in AWS! Just not too much fun!

Take This Year’s AWS Salary Survey!

Here is your chance to participate in the report for AWS professionals, by AWS professionals. Packed with over 40 pages of insights, stats, and commentary, the Jefferson Frank Salary Survey is the ultimate guide for anyone working with Amazon Web Services products.

If you’re an employer or hiring manager, use the report to benchmark your team’s salaries and set budgets for the next financial year. If you’re a professional working in the AWS environment, we’ll tell you how much you should be earning, what certifications and technical skills you need to succeed, and much more. Click here to download last year’s survey.

To participate in the latest survey – click here!

Need to get started with AWS? No problem – use my latest book below to begin your AWS journey and earn your first AWS Certification:

Get to Know AWS Snowball Edge


This post certainly falls in the category of “what can’t you do with AWS these days!” This post is also an excerpt from the rough draft of my upcoming AWS SysOps Associate text from Pearson Publishing.

Before we dive into Snowball Edge, let’s quickly review AWS Snowball.


Snowball is a petabyte-scale data transport solution that uses secure appliances to transfer large amounts of data into and out of AWS. With Snowball, you do not need to write any code or purchase any hardware to transfer your data. You follow these steps:

  1. Create a job in the AWS Management Console.
  2. A Snowball appliance is automatically shipped to you.
  3. After it arrives, attach the appliance to your local network, download and run the Snowball client to establish a connection, and then use the client to select the file directories that you want to transfer to the appliance.
  4. The client encrypts and transfers the files to the appliance at high speed.
  5. Once the transfer is complete and the appliance is ready to be returned, the E Ink shipping label automatically updates. You can track the job status through Amazon Simple Notification Service (SNS) notifications, including text messages, or directly in the console.

Snowball uses multiple layers of security to protect your data, including tamper-resistant enclosures, 256-bit encryption, and an industry-standard Trusted Platform Module (TPM) that provides both security and a full chain of custody for your data. Once the data transfer job has been processed and verified, AWS performs a software erasure of the Snowball appliance following industry secure-erasure standards.
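The TPM and the client-side encryption protect the appliance, but a practitioner also wants an independent check that what lands in S3 is byte-for-byte what left the data center. The following is an added example, not code from this post or from the Snowball client: it builds a SHA-256 manifest of a source tree before shipping, then rebuilds a manifest from whatever arrived and reports missing, unexpected and altered files. The directory names and file contents are constructed inside a temporary directory so the block runs offline; in practice you would run build_manifest over the data you hand to the Snowball client and again over the objects after import (downloaded from S3, or read through the device's file interface before it ships back).

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so multi-GB files never need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root (POSIX separators, like S3 keys) to (size, sha256)."""
    manifest = {}
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            key = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[key] = (os.path.getsize(full), sha256_file(full))
    return manifest


def write_manifest(manifest, path):
    """Persist as 'sha256  size  key' lines, sorted so two manifests diff cleanly."""
    with open(path, "w", encoding="utf-8") as fh:
        for key in sorted(manifest):
            size, digest = manifest[key]
            fh.write("{}  {}  {}\n".format(digest, size, key))


def read_manifest(path):
    """Inverse of write_manifest; keys may contain spaces, so split at most twice."""
    manifest = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            digest, size, key = line.rstrip("\n").split("  ", 2)
            manifest[key] = (int(size), digest)
    return manifest


def diff_manifests(shipped, landed):
    """Compare the pre-ship manifest with one built from what arrived.

    Returns keys that never arrived, keys that arrived but were never shipped,
    and keys whose size or digest changed in transit.
    """
    return {
        "missing": sorted(set(shipped) - set(landed)),
        "unexpected": sorted(set(landed) - set(shipped)),
        "corrupted": sorted(k for k in shipped.keys() & landed.keys()
                            if shipped[k] != landed[k]),
    }


def simulate_transfer():
    """Constructed end-to-end run: ship three files, lose one, alter one."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "to-ship")
        dst = os.path.join(work, "landed-in-s3")
        os.makedirs(os.path.join(src, "logs"))
        sample_files = {"logs/app.log": b"2019-10-20 boot ok\n" * 1000,
                        "logs/db.log": b"checkpoint\n" * 500,
                        "readme.txt": b"archive set A\n"}
        for rel, data in sample_files.items():
            with open(os.path.join(src, rel), "wb") as fh:
                fh.write(data)
        manifest_path = os.path.join(work, "pre-ship.manifest")
        write_manifest(build_manifest(src), manifest_path)

        # "Transport": copy everything, then inject the failures we want to catch.
        shutil.copytree(src, dst)
        os.remove(os.path.join(dst, "logs", "db.log"))        # never made it
        with open(os.path.join(dst, "logs", "app.log"), "ab") as fh:
            fh.write(b"tampered\n")                           # changed in transit

        return diff_manifests(read_manifest(manifest_path), build_manifest(dst))


if __name__ == "__main__":
    print(simulate_transfer())
```

Keep the pre-ship manifest somewhere other than the appliance; a manifest that travels with the data cannot catch tampering with that data.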

Snowball Edge

Snowball Edge is a type of Snowball device with onboard storage and compute power for select AWS capabilities. Snowball Edge can undertake local processing and edge-computing workloads in addition to transferring data between your local environment and the AWS Cloud.

Each Snowball Edge device can move data faster than transferring it over the public Internet, because the data ships inside the appliance via a regional carrier instead of crossing the network.

Snowball Edge devices have three options for device configurations – storage optimized, compute optimized, and with GPU.

Snowball Edge devices have the following features:

  • Large amounts of storage capacity or compute functionality for devices, depending on the options you choose when you create your job.
  • Network adapters with transfer speeds of up to 100 Gbit/second.
  • Encryption is enforced, protecting your data at rest and in physical transit.
  • You can import or export data between your local environments and S3, physically transporting the data with one or more devices, completely bypassing the public Internet.
  • Snowball Edge devices are their own rugged shipping containers, and the built-in E Ink display changes to show your shipping label when the device is ready to ship.
  • Snowball Edge devices come with an onboard LCD display that can be used to manage network connections and get service status information.
  • You can cluster Snowball Edge devices for local storage and compute jobs to achieve 99.999 percent data durability across 5–10 devices, and to locally grow and shrink storage on demand.
  • You can use the file interface to read and write data to a Snowball Edge device through a file share or NFS mount point.
  • You can write Python-language Lambda functions and associate them with S3 buckets when you create a Snowball Edge device job. Each function triggers whenever there is a local S3 PUT object action executed on the associated bucket on the appliance.
  • Snowball Edge devices have S3 and EC2 compatible endpoints available, enabling programmatic use cases.
  • Snowball Edge devices support the new sbe1, sbe-c, and sbe-g instance types, which you can use to run compute instances on the device using Amazon Machine Images (AMIs).
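As an added illustration of the PUT-triggered functions described in the feature list (my example, not code from the post or from AWS): a handler that enforces a landing-zone policy on each object written to the device. It assumes the device delivers the standard S3 event-notification shape for a PUT (`Records[].s3.bucket.name`, `Records[].s3.object.key` and `.size`), which is what the cloud-side trigger sends, and a Python 3 runtime (on Python 2.7 the unquote import moves to `urllib`). The bucket name, key patterns and size cap are made-up policy values, and the sample event is constructed so the block runs offline. The follow-up action on a rejection (copying the object to quarantine and deleting it through the device's S3 endpoint) is left to the caller so nothing here needs network access.

```python
import fnmatch
import json
from urllib.parse import unquote_plus

# Illustrative policy values (not from the post): what this landing bucket accepts.
MAX_OBJECT_BYTES = 5 * 1024 ** 3          # 5 GiB cap per object
ALLOWED_KEY_PATTERNS = ("incoming/*.csv", "incoming/*.log", "incoming/*.parquet")


def classify_object(key, size):
    """Decide whether a just-written object meets the landing-zone policy.

    Returns ("accept", None) or ("reject", reason). Object keys in S3 events
    are URL-encoded (spaces arrive as '+', '/' may arrive as %2F), so decode
    before applying any path logic, otherwise traversal-style keys slip past.
    """
    key = unquote_plus(key)
    parts = key.split("/")
    if key.startswith("/") or ".." in parts or "" in parts:
        return "reject", "suspicious path segment"
    if not any(fnmatch.fnmatchcase(key, pat) for pat in ALLOWED_KEY_PATTERNS):
        return "reject", "key outside allowed prefixes/types"
    if size == 0:
        return "reject", "empty object"
    if size > MAX_OBJECT_BYTES:
        return "reject", "object exceeds size cap"
    return "accept", None


def handler(event, context):
    """Lambda entry point for the local S3 PUT trigger.

    Emits one JSON audit line per object (these land in the function's logs)
    and returns the decisions so the caller can quarantine rejected objects.
    """
    decisions = []
    for record in event.get("Records", []):
        s3 = record["s3"]
        raw_key = s3["object"]["key"]
        size = int(s3["object"].get("size", 0))
        verdict, reason = classify_object(raw_key, size)
        entry = {"bucket": s3["bucket"]["name"], "key": unquote_plus(raw_key),
                 "size": size, "verdict": verdict, "reason": reason}
        print(json.dumps(entry))
        decisions.append(entry)
    return decisions


# Constructed sample event in the S3 notification shape: three local PUTs.
SAMPLE_EVENT = {"Records": [
    {"s3": {"bucket": {"name": "edge-landing"},
            "object": {"key": "incoming/sensor+run+1.csv", "size": 2048}}},
    {"s3": {"bucket": {"name": "edge-landing"},
            "object": {"key": "incoming/../etc/passwd", "size": 1}}},
    {"s3": {"bucket": {"name": "edge-landing"},
            "object": {"key": "scratch/tmp.bin", "size": 0}}},
]}

if __name__ == "__main__":
    handler(SAMPLE_EVENT, None)
```

Note that fnmatch's `*` also matches `/`, so `incoming/*.csv` accepts keys nested deeper under `incoming/`; tighten the patterns if the landing zone must stay flat.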

As always, I hope this post was informative for you, and I would like to thank you for reading!