IAM in the Spotlight - Victor Grenu
For our first member spotlight of 2022, we’re featuring a person whose numerous and ongoing contributions to the cloudsec community are only part of what makes him so delightful. Plus, he’s a Parisian and a hobbyist photographer, so double points.
In our Q&A with Victor, you’ll learn more about the inspiration behind MAMIP, other projects Victor has up his sleeve, and of course, his thoughts on IAM including what he’d change about default behavior. We also included a list of the resources Victor shares in his Q&A answers.
If you check out Victor’s social media and blog profiles, you’ll notice he has a couple of golden mantras: Try to be a rainbow in someone else’s cloud and Making things boring with simple automation. While we agree with the former (joy is one of our IAM Pulse Community principles!), we’d say for the latter that what Victor’s done with MAMIP in particular may be boring to some, but we can all agree we wouldn’t want to be without it!
All the kudos to Victor for kicking off this year’s IAM in the Spotlight and sharing more of his background and IAM insights.
IAM called: Victor GRENU aka zoph
IAM located in: Paris
IAM working on: Cloud Security and Architecture
Background and work
What's the technology you're most excited to learn and work with?
K8s. No – just kidding. Generally speaking, AWS security-related technologies, and I also love to find vulnerabilities on websites / apps I’m using personally. I found a few last year that led to a few bug-bounty rewards.
What project are you working on now that most excites you?
I’m working in my free time (so not so much) on a micro-SaaS product around AWS FinOps and waste detection. I hope to open a beta test in 2022 and see what happens next. Small bet.
Why did you create the MAMIP account?
The original idea comes from Scott Piper who used to run CLI commands on his laptop periodically. I wanted to apply some automation and visibility where cloudsec folks are – on Twitter.
With this new regularity we could spoil services / feature releases from AWS as announcements / blog posts (almost) synchronized to the release / update of corresponding IAM Managed Policies. It also provides us the capability to keep history and see what is happening: release / error / rollback of IAM Managed Policies as everything is on git.
What’s the most surprising notification you received from your MAMIP service?
I think the most surprising notification was SupportServiceRolePolicy and internal AWS policies that were pushed public by mistake. I maintain a HALL OF FAILS to keep track of AWS failures on AWS Managed Policies.
Describe the strangest AWS environment you’ve walked into on a client job.
A small startup where all resources were on public subnets, “isolated” from each other with subnetting, IAM roles with trust-policies on AWS: “*” and full of AccessKeys/SecretKeys without any rotation.
We started again from scratch with new accounts setup and deleted this legacy one. Really big time here :)
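The trust policies Victor describes above (roles with `"AWS": "*"` as the principal) are something a defender can detect from the policy document alone. The following is an added example, not code from the interview or from any of Victor's projects: it scans trust policies in the shape returned by `iam.get_role()['Role']['AssumeRolePolicyDocument']` and flags statements that let any AWS principal assume the role, treating a statement that at least carries a `Condition` as less severe than one with none. The role names and policy documents below are constructed for the example.

```python
"""Flag IAM role trust policies that allow sts:AssumeRole from any AWS principal.

Added example, not part of the interview.  The policy documents are in the
format of iam.get_role()['Role']['AssumeRolePolicyDocument']; the samples at
the bottom are constructed.
"""
import json

# Actions that hand out the role's credentials; compared case-insensitively.
ASSUME_ACTIONS = {
    "sts:assumerole",
    "sts:assumerolewithwebidentity",
    "sts:assumerolewithsaml",
    "sts:*",
    "*",
}


def _as_list(value):
    """The policy grammar allows a scalar or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True when the Principal element grants to every AWS principal."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(v == "*" for v in _as_list(principal.get("AWS")))
    return False


def find_open_trust(role_name, document):
    """Return one finding per Allow statement with a wildcard principal.

    Severity is 'critical' with no Condition at all and 'high' when a
    Condition (for example an sts:ExternalId check) narrows the grant but the
    principal is still open.
    """
    if isinstance(document, str):
        document = json.loads(document)
    findings = []
    for idx, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & ASSUME_ACTIONS:
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        conditioned = bool(stmt.get("Condition"))
        findings.append({
            "role": role_name,
            "statement": stmt.get("Sid", f"#{idx}"),
            "severity": "high" if conditioned else "critical",
            "conditioned": conditioned,
        })
    return findings


def scan(roles):
    """roles: mapping of role name -> trust policy document."""
    findings = []
    for name, document in roles.items():
        findings.extend(find_open_trust(name, document))
    return findings


# Constructed sample roles: one fully open, one open but conditioned, one sane.
SAMPLE_ROLES = {
    "legacy-admin": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Principal": {"AWS": "*"},
                      "Action": "sts:AssumeRole"},
    },
    "vendor-access": {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "Vendor", "Effect": "Allow",
                       "Principal": {"AWS": "*"},
                       "Action": ["sts:AssumeRole"],
                       "Condition": {"StringEquals": {"sts:ExternalId": "example-id"}}}],
    },
    "app-role": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    },
}

if __name__ == "__main__":
    for f in scan(SAMPLE_ROLES):
        print(f"{f['severity']:8} {f['role']} statement {f['statement']}")
```

On a live account the same `scan()` can be fed the output of `iam.list_roles()` by mapping each `RoleName` to its `AssumeRolePolicyDocument`; the document is already parsed by boto3, and the function also accepts the raw JSON string.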
What motivates you to share your work and expertise with the larger community?
I really like the usage of social media in my daily work, I love to be able to talk directly with the senior leadership team of AWS Security and developers on Twitter.
Asking questions, sharing thoughts with other customers, helping each other is our only option, right?
Your thoughts on IAM
Where do you think IAM is going to go next?
I think they [cloud providers] will work on simplicity, a more comprehensive language, especially for newcomers. They will integrate helpers and tooling that come from OSS from the community. Policy validation, simulation, better error messages, etc.
I am already talking to AWS IAM teams using Twitter or CloudSecurity Forum (Slack). I am also (for the second year) part of the AWS Community Builders program that allows me to have a privileged communication channel to AWS Teams.
If you could change one thing about how IAM works, what would it be?
I would change default behavior for many things like:
- Required MFA on root account
- Disable the ability of the root user to create AccessKey/SecretKey
- Better default password policy
- Encryption by default on many services: SQS, S3, EBS Volumes etc.
- Default to IMDSv2 for EC2 Instances
- etc.
What's the one thing companies should be doing that they're not?
Take IAM seriously, and ask for help from external consulting firms to get outsider feedback on their AWS security posture.
What's the most fun project you've ever worked on?
In my free time I like to participate in CTFs, especially at hacking conferences. I loved participating with friends at “TheHack”, a French hacking conf. I hope to participate in larger conferences after the pandemic (CCC, Blackhat, DEFCON).
If computers magically no longer existed, what would you do for a career?
Renovate and open a guest room in one of the beautiful regions of France.
What are some of your hobbies?
Photography, DIY, renovation of an old house (1958), and some woodworking.
Check out these resources
Created by Victor
MAMIP - Monitor AWS Managed IAM Policies Changes
AWS Security Digest http://asd.zoph.io
Adopt a slow-tech approach by reading only an essential digest summary of what is going on in the AWS Security landscape.
What you will find:
- Highlight of the week
- Change since last week on AWS Managed IAM Policies
- Curated Cloud Security Newsletters
- AWS API changes
- IAM Permissions changes
- Most upvoted posts on r/AWS
- Top shared links on Twitter (by cloudsec folks)
- Most engaged Tweets from the community
On Twitter: https://twitter.com/zoph
Cloud Security Forum on Slack (send a DM to Scott Piper to join)