Issue #266

Monday · June 22, 2026

🥖 Palate Cleanser

Yo yo yo, check it. ASD has gone and got itself a fresh new paint job cos da old look was gettin more complaints than me at an all-you-can-eat buffet. Booyakasha to da new vibe, respek. Still got beef? Bring it to dgyousuck@awssecuritydigest.com and let me know, innit.

On June 17 at its NY Summit, AWS launched Continuum, an AI-native security platform that claims to ingest your vulnerability backlog, prioritize by business impact, autonomously write working exploits in a sandbox to prove what attackers could actually reach, and then drive the fix through your own process. AWS VP of Search, Security, and Observability Chet Kapoor named the trigger outright, calling it "the Mythos moment" that "set a new bar for finding vulnerabilities" and "accelerated our plans significantly." AWS sells Claude Mythos on Bedrock and now sells the product built to survive what Mythos-class models let attackers do, collecting on both the weapon and the armor. Whether machine-speed remediation survives contact with reality is still an open question, since this is preview-ware behind a gate, but the strategic move is unmistakable. I bet we see every security vendor with a "we fight AI with AI" answer to Mythos and its peers, and Continuum is AWS trying to get in front.

📋 Chef's selections

CloudTrail in CloudWatch isn't very good

by Aidan Steele

Amazon deprecated CloudTrail Lake for new customers on May 31 and is pointing them at CloudWatch instead, so Aidan tried the migration and came away disappointed. CloudWatch can't enrich events with resource tags and global condition keys the way Lake did, the org setup is a tangle of trusted-access APIs, separate management/member-account rules and an 8-hour delay before events flow, and his retention-setting API calls failed with InternalServerException. The "unified data store", kept in S3 Tables and queryable from Athena, is the one bright spot, but it needs manual wiring and the per-GB-vs-per-event pricing is murky enough that he can't say which is cheaper. Most teams use CloudTrail to hunt and investigate breaches, so a clunkier, less enrichable replacement is a detection-and-response problem.

AWS: ALB and Cloudflare - Configuring mTLS and AWS Security Rules

by Arseny Zinchenko

After a SYN flood and a Hacker News hug-of-death battered his origin, Arseny locks his ALB down to Cloudflare only. He wires up Cloudflare Authenticated Origin Pulls as mTLS, where Cloudflare presents a client certificate on every connection and the ALB verifies it against a trust store built from Cloudflare's shared origin-pull CA. The real network-level gate, though, is a cron-driven script (running under an EC2 instance-profile IAM role) that keeps the ALB's security group synced to Cloudflare's published IP ranges, so non-Cloudflare packets never reach the ALB and never burn LCU during a DDoS. A reproducible recipe for the very common "my load balancer is wide open to the internet" problem.
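The security-group sync step described above, as an added example that is not Arseny's script: it diffs the ALB security group's current ingress CIDRs against the published ranges, flags anything that should not be there (including a leftover 0.0.0.0/0), and builds the IpPermissions payloads boto3 expects. Port 443, the sample CIDRs and the deferred boto3 calls are assumptions; the sample data is constructed so the planning logic runs offline.

```python
"""Plan, and optionally apply, a sync of an ALB security group's ingress rules
to a published CIDR list (added example, not the article's script). Assumes
the ALB listens on 443/tcp; a live run would fetch Cloudflare's published
ranges (https://www.cloudflare.com/ips-v4 and /ips-v6) and read the current
rules with describe_security_groups instead of using the constructed data."""
import ipaddress

PORT = 443  # assumption: the ALB listener the rules protect

# Constructed sample data: what the CDN "publishes" and what the SG has now.
PUBLISHED_CIDRS = ["173.245.48.0/20", "103.21.244.0/22", "2400:cb00::/32"]
CURRENT_SG_CIDRS = ["173.245.48.0/20", "198.51.100.0/24", "0.0.0.0/0"]


def normalise(cidrs):
    """Canonicalise CIDRs so '10.0.0.1/24' and '10.0.0.0/24' compare equal."""
    return {str(ipaddress.ip_network(c, strict=False)) for c in cidrs}


def plan_sync(current, desired):
    """Return (to_add, to_revoke): published ranges missing from the SG, and SG
    rules absent from the published list (a stray 0.0.0.0/0 shows up here)."""
    cur, want = normalise(current), normalise(desired)
    return sorted(want - cur), sorted(cur - want)


def ip_permissions(cidrs, port=PORT):
    """Build the IpPermissions payload for authorize/revoke_security_group_ingress,
    placing IPv4 ranges in IpRanges and IPv6 ranges in Ipv6Ranges."""
    v4 = [{"CidrIp": c} for c in cidrs if ipaddress.ip_network(c).version == 4]
    v6 = [{"CidrIpv6": c} for c in cidrs if ipaddress.ip_network(c).version == 6]
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if v4:
        perm["IpRanges"] = v4
    if v6:
        perm["Ipv6Ranges"] = v6
    return [perm]


def apply_sync(sg_id, to_add, to_revoke, ec2=None):
    """Apply a plan with boto3 (import deferred so planning runs offline).
    Authorize before revoking so legitimate CDN traffic never hits a gap."""
    if ec2 is None:
        import boto3
        ec2 = boto3.client("ec2")
    if to_add:
        ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=ip_permissions(to_add))
    if to_revoke:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=ip_permissions(to_revoke))


if __name__ == "__main__":
    add, revoke = plan_sync(CURRENT_SG_CIDRS, PUBLISHED_CIDRS)
    print("authorize:", add, "| revoke:", revoke)
```

Run from cron under the instance-profile role, the revoke list is also the thing worth alerting on: anything in it other than a retired CDN range means someone widened the group by hand.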

What Makes a Good Foothold in AWS?

by hackaws.cloud

This is plainly a pitch for hackaws.cloud's blast-radius assessment service, but the underlying point stands: if you're going to run an assumed-compromise assessment, the starting identity you pick can make or break it. Start from the management-account admin and you just confirm admin can do anything; start from the EC2 role on the public web service or a long-lived AKIA key sitting in CI and you get the breach you actually have. The article suggests grading a foothold on its transitive reach across IAM, secrets and resource policies, credential durability (long-lived keys vs short STS sessions), detection resistance, and outbound cross-account trust.

🥗 AWS security blogs

🍛 Reddit threads on r/aws


🤖 Dessert

Every machine-tracked change this week. Nobody else assembles this.

🧁 IAM permission changes

🍪 API changes

🍹 IAM managed policy changes

No changes this week.

☕ CloudFormation resource changes

🎮 Amazon Linux vulnerabilities

📺 AWS security bulletins

🚬 Security documentation changes

Get every AWS security change,
on a plate every Monday.

6,700+ engineers, builders and CISOs let us diff the AWS changelog every week.