Transcript for:
Interview Insights: Cloud Engineering Role

...five minutes' break after that call. If you want to drink some water or something, then please go ahead and do that, okay? Yeah, we can go a little bit into detail about what we do at a later stage of this interview, but for now, just from an intro perspective, this is what it is. Okay, so you guys go ahead with your... Yeah, I can go ahead.

Hey, good evening Ashik. Basically my name is Sahil, and I have a total of around 12 years of experience, and it's been around 3 plus years with Siana. I am working here as a lead cloud engineer, and under the same team I'm reporting to V. This is a global cloud team, and we are working on multiple technologies, tools and technologies. We are a cloud-agnostic team and a centralized team in Siana. Siana is a product company, so we are basically supporting internal teams to use cloud, setting up the guardrails and doing other bits, right. Most of the stuff we are running in AWS; a few on-prem applications and on-prem stuff related to AD is running on Azure, and we have footprints in GCP as well. We are using a number of CI/CD solutions and a number of other things like cloud-native tools, CM and things like that; we're going to talk more about that. Yeah, that's about me and something about the role. So can you introduce yourself and maybe your day-to-day work?

Yeah, sure. So basically, myself Muhammad Ashik; basically I'm from Kerala. Initially I joined as an engineer, so I have a total experience of 3.1 years, and when it comes to DevOps I have relevant experience of 1.5 years. So, I'm sorry sir, one minute. [Music]

Hello? Hello? It looked like there was some network issue, but yeah, it's fine though. Okay, fine.

So when it comes to the AWS part, I have good experience with IAM, S3 buckets, as well as Virtual Private Cloud, as well as elastic virtual machines, and when it comes to CloudFront and
Route 53 and AWS Gateway Load Balancer. When it comes to the security perspective: network NACLs, as well as security groups and web application firewall. I don't have any explicit idea about web application firewall, but I did an internal project using web application firewall and DNS firewall, and that kind of activity. When it comes to the Azure part, I have good experience with virtual network and virtual machines, Azure Application Gateway and Azure virtual... Hello? Hello, hello sir? Hello?

Yeah, I think we lost you again.

Actually the thing is, I connected Wi-Fi through my mobile phone; that's the issue. I'm getting calls, so that's what disconnects in between. I'm sorry for that.

Okay, okay. Are you at your home or at your workplace?

No, actually workplace only, but see, I cannot take an interview from the office, so that's why I came to my friend's PG.

Okay, okay, okay. Now you're on mute. Okay, so yeah, first of all please continue, please complete whatever you were saying.

Yeah, sure. So when it comes to the Azure part again, I have experience with Azure Active Directory as well, like the connection between Azure Active Directory and AWS, because actually we need to create an identity provider in Azure Active Directory, and we usually are not creating any users in AWS, because we will have one user credential and the identity provider will be our Azure Active Directory. So the user can access the Azure account as well as any other application by using Azure Active Directory credentials. When it comes to the DevOps part, I actually have good experience with CI/CD tools, most especially Jenkins; when it comes to other tools, like Terraform infrastructure as code, and Ansible, and EKS, ECS; and when it comes to the Microsoft, sorry, microservices, like... so that's it, overall.

Okay, so your Zoom says you're currently staying in Dubai, so right now you're joining from Dubai?

No, no, not at all. Actually currently I'm residing in Bangalore; basically I'm from
Kerala.

Okay, because your resume says currently staying in Dubai, seeking job opportunity, that's why.

No, I think V, you may have opened a different resume maybe, because... so this meeting, this is the 5:00 one, isn't it?

Yeah, yeah, yeah, yeah. Oh, I'm sorry, sorry. Okay, this one. So you are right now working with 60 Technologies, right?

Correct, sir.

Okay, this is your first company, right?

Correct.

Okay, so then in that case, looking at your resume, there are a lot of services that you have mentioned, so let us try and go through it. From a customer support perspective, are you supporting internal customers or external customers?

External customers only.

External customers. So you are basically part of the requirement, planning, design as well as deployment, or is there a demarcation in your organization?

Like, so I'm supporting deployment, as well as when it comes to the monitoring part, that also I'm supporting. So most of the AWS part also I'm doing, as well as DevOps I'm doing. When it comes to DevOps I'm doing deployment services and that, and I'm doing...

I'm sorry, you are too fast for me; can you repeat that again?

Yeah, sure, sure. See, when it comes to the dev part, like Kubernetes design, Docker containers and all, I'm doing deployment over there, and when it comes to the AWS part I'm doing monitoring kind of activity over there and doing troubleshooting as well, because previously we were hosting applications on legacy systems like EC2 machines and Elastic Beanstalk. So now we are trying to migrate those kinds of applications from those legacy systems to EKS, ECS and this kind of microservices, that's what.

Okay, so what sort of connectivity is configured for your customer? Is it private IP based or public IP based?

Private, private IP based only.

Okay, so how do you achieve that? So you know, you create a VPC, and then how do you achieve private IP connectivity from your office LAN into
a... So, like, actually we have a lot of options over there. When it comes to the AWS part, built in, AWS is providing VPC endpoints, so what we can... so VPC, VPC, VPN client endpoint. So what we can do here, we can create a VPN client endpoint, and we don't need to install any particular application for that. We can create an Amazon certificate, or we can create it ourselves and then import it into Amazon Certificate. Then after that we can create multiple authentication by using Active Directory. Then we have to go to the VPN client and specify which VPC has to be accessed; that IP address we have to give, security we have to give. Then after that we have to install the VPN client application. Or else, actually, we can depend on third party as well, for example OpenVPN: we can go to the Marketplace and install the OpenVPN application on a particular virtual machine, then after that we can configure that. We have to install one client as well, so once we install the client then we need to authenticate; we'll get one client certificate, and that certificate actually we have to import into the client application, then we have to enter the password and username. Once it's done, then we can access our application without a public IP address, by using a private IP address, without any public IP address. So then whatever application we hosted in our EKS cluster or our EC2 virtual machine, we can access those applications by using a private IP address; we don't require any public IP address at all.

So let me bring up a very simple scenario. I think you said a lot of things there. So a simple EC2 instance in a private VPC created in AWS. Can you tell me what would you do to connect to that EC2 instance, and how shall you configure the connectivity?

Sure, sure. So in this scenario we can use two methods: either we can use, like... and I'm
sorry, sorry to interrupt you. I'm only talking about connectivity; don't tell me about authentication and authorization pieces yet. Let us just talk about connectivity first.

Okay, so if it is a private VPC, we will have a private virtual machine over there, so we don't have any public IP address, so we can use a jump host over there. We can create a peering connection, or else, as we discussed, we can create one VPN client endpoint; then we can connect from a local system to our virtual machine. So we can create a private connection; we don't need to create any public IP address. That basically we do in the company.

So let us say the client that you have, they have 100 users, okay, who would like to access those, I don't know, 20, 30, 40 machines, right? Okay, now are you saying that we are then supposed to create that many VPN endpoints?

No, not at all. So we have a Transit Gateway, so we can connect the Transit Gateway. In Transit Gateway we will have a route table; which VPC, sorry, which user should access this IP address, we can mention over there. So there we can create the routing rule, or else, by using this Transit Gateway, we can create one more VPC where we can implement centralized security. So we can implement like Trend Micro or Palo Alto or Fortinet; this kind of application we can install in a virtual machine, then we can integrate it. That also we can do. So we will have a connection from on-premise as well as directly from the clients as well, users as well, so every connection will come to this centralized security VPC, then only it will go. That's what I mentioned, Transit Gateway: if it is a Transit Gateway, we can connect multiple VPCs, as well as the connection from the on-premise as well.

Yeah, so multiple VPCs can connect to Transit Gateway, but how is Transit Gateway going to get connected to your company's LAN? That is the
connectivity that I wanted to ask you about.

Okay, okay, okay. That actually we can create a site-to-site connection. So if it is two companies, two corporate offices, then we can connect a site-to-site connection. If it is a client, an individual client, then we have to use a point-to-site connection; that's what I mentioned, VPN client endpoint. Or else we can create a VGW in our VPC, then we will have a customer gateway; there will be the corporate office public IP address, that device's public IP address. So we have to sort out a site-to-site connection in between, then we'll get one template metadata file; there will be the customer gateway public IP address and pre-shared key and this kind of information, then we have to configure it on whatever device we are actually using over there.

Okay, so one of the major concerns that the companies or development teams have while migrating from on-prem to a public cloud is around security, right? So if you are the person who is talking to them and you want them to migrate to public cloud, what would you say about security of cloud?

When it comes to security, cloud is providing different layers of security, like virtual machine level security, subnet level security, VPC level security, and overall entire account security; that also they're providing.

First of all, you know, let me sort of shorten the scope there. The dev team has maybe 50, 60 VMs sitting on VMware infrastructure, and they are developing their code by logging into those VMs. Now they want to do the same things in public cloud, right? So that's one use case for them. The second is, they also want to host their application, whatever they develop, within public cloud. So these are the two scenarios that you have. Now let us talk about securing this infrastructure; from on-premise they want to connect to cloud, right?

Sir, yeah, yeah. Okay, so there, as we
discussed, we can create a site-to-site connection. Definitely, see, if it is on-premise, we cannot create any point-to-site connection in between, so we have to do that; mainly we have to do that. Then we have to determine, say for example we have multiple subnets over there, one is for production, another one is for pre-production, or else we have multiple VPCs over there, one for production, pre-production, staging. Then we have to create a route, so the route should be like, okay, from this particular VPC only we should be able to connect to that VPC. That's what actually we are creating route tables for. So consider we have a developer and a manager, so the manager actually, they... One minute, sir, I'm sorry. Hello? Hello?

We can hear you if you are talking. Hello?

Sir, am I audible now?

Yeah, yeah. Okay, okay, okay.

So, okay, what I'm discussing: suppose, consider we have multiple subnets, subnet 1, subnet 2 and subnet 3. In subnet 1 is a manager and subnet 2 is developers, and in subnet 3 I have some critical application hosted. Suppose I want to achieve the connection from subnet 1 to subnet 3, and I don't want to connect from subnet 2 to subnet 3, because all developers actually are residing in subnet 3. So here actually I can create a NACL rule; I can create a particular NACL for my subnet 3 so that I can only allow my subnet 1 connection, because in my subnet 1 only my managers are residing over there. So that kind of rule, explicit rule and implicit rule, we have to create; then only we can achieve it, as per my knowledge.

Okay, first of all, the scenario that I gave you: I mentioned that these would be people who would be accessing from their company LAN to the cloud, okay? Right, so it's not that they are actually logging into a VM in a subnet and from there they want to go into another subnet; that's not the case, right? So that is something that you envision;
that's okay, that may be the case, right. So, okay, I won't go further into that question, but you tell me, whatever you just mentioned about the scenario, what layer did you secure? What cloud layer did you secure by doing this?

I think network layer, so we have to do TLS security.

That's okay, great. So what about other layers in cloud? You didn't say anything about that to the customer. Are you only going to secure network?

Sir, sir, one minute, sir. Yeah, yeah, hello? [Phone call] Trying to call you... Okay, ma'am, if you don't mind, I'll call you back within like half an hour; actually I am in a client meeting, so that's why. I'm so sorry for that. Okay, within half an hour, so now it's 5:32, so like 6:00 I'll call you back. I'm so sorry. That's what, after 5:30, no, 6:00; now it's 5:30, at 6:00 I'll call you back. Okay, okay, thank you, thank you so much.

Hello? Yeah, yeah. Like, which means... so could you please repeat the question?

One second. Actually, so you secured the network layer, but what about other layers in cloud for your customer? Would you be securing other layers also, and if yes, what are all the other layers and how?

That I'm not aware about, because I don't have much exposure into that.

Like exposure into what?

Like that, layers and all.

Okay, so you mentioned you have experience with IAM?

Ah, yes sir.

Okay, so how would you configure IAM for these teams, you know?

Yeah, okay, these teams. So for example, when any user is accessing our application, any virtual machine or any other application, I can specify conditions in the IAM policy, like if they access from my VPN, okay, then only they can access my application. That type of condition I can set over there, or else I can specify some set of time over there, for example 9 to 6.

So can you create a policy which can identify whether a user has logged in via a VPN connection from a certain point to a certain point, and it can allow and deny? Can you create such an IAM
policy in IAM?

Yeah, that we can do, because actually we can, I think, add headers over there, like headers; so if headers are actually matching, we can do that. The same, I'll give an example which I have done already in my company: in S3 bucket, if the object is encrypted then only we can upload to the S3 bucket, and if it is not encrypted then we cannot upload to the S3 bucket. For that actually we have to create a policy, and if the header is present over there, like a KMS or that kind of header, then we can upload to our S3 bucket. So that kind of header is present in that policy; that we can handle over there. I don't have exposure, but from my knowledge I'm just recreating.

So you're trying to guess, basically; you haven't created such a...

No, I haven't, I haven't created.

Yes, because S3 bucket encryption is a property of S3, okay, and S3 is a service of cloud, right? So then you can fetch multiple properties out of a service which is sitting inside cloud itself, but fetching the connection header... I don't think so. I haven't seen it; I don't think it can.

But at least actually we can create a condition, for example, if any user is accessing from a VPN connection, because every company will have one unified VPN IP address, so that IP address we cannot create for any other company. So we can create a condition: if any user is accessing from this particular IP address, that connection only we have to allow to this VPC or this network. That condition we can create, right? That is possible, I think, because I have already done it myself.

Yeah, you can do that, but then that's a private IP address, isn't it? I just mentioned this is the private LAN of the company, so private IP address, any company could have the same 10.x range, 192.168 range, right? So that doesn't...

But like, for VPN we will have a public IP address. I'm just discussing a public VPN, so we'll have a VPN; that VPN I'm asking about.

Okay, okay, okay, yeah,
so let us move on from there. So in very simple terms, can you explain, for five accounts, let us say you have to create five accounts for one customer itself, okay? They have five development teams; they want five different AWS accounts. Now how would you plan authentication as well as authorization for them, and what is the difference between the two?

Okay, so authentication means, like, one user, or like multiple users? How is the scenario?

I said five teams, right? So that would be multiple teams.

Okay, okay. So definitely we require groups. So by using groups actually we can do that; we can create five groups for five departments or five teams. Then we can create SSO, single sign-on, so we only need to create one credential, so by using this credential this team can access multiple accounts. We'll have some set of policies as well for these five teams; for example, team one only requires RDS, and team two only requires virtual machines, and team three only requires CloudFront and Route 53. So we can create this kind of policy, then we can assign it to this group. When we are creating this SSO we have an option over there: we can create a user and we can assign a policy as well, so that particular user can only access that; except for that permission, they will not get anything. That we can do; we only require one credential over there, I think so.

So but all of them using the same credentials?

No, not at all. See, so we have a group, so actually we are applying this policy to the group, so that is an...

But when we are creating SSO, we will have different, different users, so each user would have their own credentials, and they would be part of a group wherein the policy is assigned on the group?

Yeah. There we can restrict by using permission boundary as well: suppose if we want to restrict any permission for a particular user, we can implement
permission boundary, then we can restrict that as well. We don't need to create any other group for that; only we require five groups over there.

Okay, yeah, I think I'll ask a few questions later. Please go ahead.

Sure, thank you. So yeah, I just wanted to know, firstly, do you have experience in a Linux environment?

Yes, yes sir.

Sorry about that. So is there some certification you have pursued, or do you have...

No, no certification.

No certification, yeah, okay. So you are familiar with the Linux commands?

Ah, yes sir, yes.

Okay, so do you know how would you see the current shell in which you are working?

So we can execute like $SHELL or echo $SHELL; that is going to print the current shell.

Mhm. And what's the default shell of, say, a CentOS or Linux operating system? Default shell?

Bash only.

Bash, but Unix, that is...

Yes.

Okay. And, sir, please... Okay, and yeah, so how do you create a file or edit a file? Basically if you want to do something in a file, or you open it, like opening a file?

Mhm, we can use the cat command to open, or else if you want to do some edit then we can use vim.

Sir, one minute sir, I'm so sorry. Hello? Hello? See, actually I'm busy now, so just do one thing, call me back after... Okay, okay, thank you, thank you so much. Hello? Hello sir?

Yeah, yeah. Okay, so talking about Linux, do you have experience in hardening a server?

That I don't know.

Okay, and do you have experience in patching your server?

Patching, a little bit I know. For the company I didn't, but internally I did, like security patching and that kind of activity.

Mhm, so how do you patch that?

By using Systems Manager only. In AWS Systems Manager we have already predefined scripts over there, so we can create a virtual machine first, then we can create a role for that, like the SSM managed instance core, then it will be managed by Systems Manager. Then after that we can go to Systems Manager Patch Manager, so there we can patch our systems; we can set up, for example, like
patching, or whatever patching we require, that we can specify over there.

So yeah, so Systems Manager, SSM, that you mentioned: what are the prerequisites for a VM to use SSM? To access a VM by SSM, is there any prerequisite, or can any VM be accessed directly by SSM?

No. Systems Manager, we can only access... the first thing actually we need is the SSM agent, so every system should have the SSM agent, and then we require the role, SSM managed instance core, so that is a basic role we have to create. Once we create it then we have to reboot the system, then only it will take effect; unless we reboot, we cannot do that.

Okay, okay, okay. So Ashik, say I have, for example, an alert received, say from my internal audit team, that these are the IPs which are basically malicious IPs, and say from one of your EC2 instances, on say some of the ports, say port 22 or port 25, some traffic is going to that malicious IP from your EC2 instance; it is going outbound to that particular malicious IP. So they wanted us to block that, okay, on that particular, say, number of instances, or maybe for the whole cloud environment. So what would be your approach in that case to block that?

Oh, okay, okay. So the first thing actually we have to find out what ports are enabled on our virtual machine; we can use the netstat command, or else we can use lsof -i -P -n, that command we can use to find out the listening ports. Then we have to find out which ports actually we have to use, then we have to find the source of the IP address, then we can install firewalld or ufw, or else iptables or route tables, then we can restrict that particular IP address, like which IP address actually is sourcing that; that we can restrict over there.

So basically you are saying that at the Linux level, at the server level, we can have some inbuilt firewall using some of the internal iptables or tools like that, but still traffic would be flowing to your AWS account, to your
load balancer, VPCs, to that particular network interface, and even into your instance, okay? Is there any other way we can block this at another level, rather than...

So we can use WAF. You can use over there, like in WAF itself actually we have predefined rules from AWS; they already have some set of malicious IP addresses and information, so these IP addresses...

Basically the requirement was the traffic was flowing from instance to outbound. WAF is something that is used basically for the incoming traffic to the instance, okay? The thing is that it's from instance to outbound, right?

Okay, okay, okay, okay. But there also we can use WAF, right? So when it comes to firewall, we have an option, outbound, so there we can restrict with that kind of rule. Already we have some set of rules, I think around 600 or 700 plus rules already there, IP addresses I think, so the IP addresses we can add over there; we can do that.

As far as I know, that would work at the application layer. What about the network layer?

Network layer, we have a network load balancer, we can use that, I think so; network load balancer we have from AWS only... sorry, Network Firewall, I'm sorry, Network Firewall.

Okay, so do you have experience with Network Firewall?

Network Firewall, I know, yes.

Okay, so Network Firewall basically has two types of model; can you explain what these two types of model are and how does it work?

So one is stateful and another one is stateless, I think so. I'm not sure about that, because I did it a couple of months ago, that's why I forgot, but I did it internally.

So can you just explain, like an overview, how does it work, what changes we need to do, if you have configured it? You have the idea, right?

Okay, see, actually what I did over there: I created three sub... two subnets, one is for endpoint; endpoint in the sense I created one Gateway Load Balancer endpoint, so that is for
Network load balance... So whenever the user is accessing my VPC, I have an application I created in my second subnet, so first this request will come to my internet gateway. On the internet gateway I attached one route table, with the help of edge routing, so this route table will route to my endpoint subnet; from this subnet it will go to the Gateway, sorry, Gateway Load Balancer. The Gateway Load Balancer is connected with the Network Firewall, so it will inspect all the routes; once it allows, then it will come to my application subnet. Same from this application subnet: if they want to access the internet, the connection goes to my endpoint, my first subnet, and from that subnet it will go to the internet gateway.

Okay, okay, okay. So say if you have a requirement, say a customer comes to you and says I need to deploy an internet-facing application in AWS cloud, so considering security at different levels, starting from the instance to the topmost level, what are the resources, just name the resources, which you think can be useful for adding security to the internet-facing application, which can protect the application? There is no bar on the money, but they want some of the best practices and some of the services which can protect their application.

Okay, okay. So first of all, we can use proxy servers; if you're using proxy servers, actually we can protect our internal servers, because nobody can understand what our exact server's IP address is. Second thing, we can use firewall on top: we can use Network Firewall, we can use DNS Firewall, and when it comes to the virtual machine level we can create a firewall, ufw, or else we can create a centralized security VPC. There we can implement, as we discussed, Gateway Load Balancer, then after that we can create multiple virtual machines over there, for example Palo Alto or FortiGate. So then whenever our user is
accessing our application, the request will first come to our Gateway Load Balancer endpoint, from this endpoint it will go to our centralized security VPC, and from this centralized security VPC it will go back to our application server. Same if anybody is accessing the application from on-premise: from on-premise it will come to the centralized security VPC, and from the security VPC it will come to the application. So this thing we can do.

Yeah, you mixed a couple of things here. The application was isolated, that's basically internet-facing; it does not have any connectivity with the on-prem thing, right, because this is the internet-facing application. But yeah, you mixed a couple of things, but that's okay. So what I wanted to know: do you have experience with the serverless thing on cloud, any of the services, or Lambda?

Internally I did, but I didn't do anything for the company. I created a small API Gateway, so if anybody accesses the API Gateway it will go to one Lambda application and we'll get some kind of API. So that's it.

Okay, and do you have experience with any automation scripting language, programming language, like bash?

A little bit, you know, and Python also a little bit.

Okay, on Python, can you give me an example, what type of code you have written in the past, any example on top of your mind?

Python, when it comes to Python, in Lambda itself, to find unused EBS volumes, and as well as when we do patching, we need to reboot all systems, so we used to do that manually; we have some set of patching servers, ring zero, ring one, ring two, ring three, ring four, ring five, like that, so we need to reboot the systems once it comes to the maintenance window, so that I did by using Lambda.

Then can you name some of the modules in Python that you have used in your automation? Obviously one is maybe boto3.

See, that's what I told, like I have a little bit of exposure, and I go
through Stack Overflow as well as ChatGPT, then I found it like that. So if I'm getting any challenging role, I could learn that.

Okay, okay. So just one basic question in Python, maybe. So in Python we use single quotes, double quotes and triple quotes; do you know what is the basic difference in using these three types of quotes in Python?

Single quotes, basically we are using for strings, same string, and double quotes also we are using for strings, and triple quotes we are using for multiple lines. For example, when we want to create multiple lines in a string, there we will use triple quotes, for multiple lines.

You mean to say a comment, or do you mean to say to print anything?

No, not comment, print, print only, not comment. For comments we have some set of other commands. So we have to use triple quotes for multiple lines; in multiple lines we can print something, for example if I want to create some squares and all, then I can create that by using these triple-quoted strings.

Okay, okay. And do you have experience with an infrastructure as code tool?

Ah, yes sir, Terraform.

So do you have hands-on experience with Terraform, or do you have theoretical experience only?

I have hands-on experience.

Okay, and how do you manage the state file in your environment?

So that we are pushing to an S3 bucket; in the S3 bucket we are keeping that.

Okay, so do you know what is state file locking?

Locking, I know that, yes.

And do we need to enable this, if the file is in the bucket?

Yes, yes sir, we used to do that by using DynamoDB. In DynamoDB we have to create a table; for the partition key we have to use LockID. Then automatically, if multiple developers are trying to change any configuration file, they will be getting an error, that this is already being updated by someone, so they have to release that, then only they can do it. We can override that by using -lock=false.

Mhm, okay. And if we have an EC2 instance running in the cloud and I
want to uh import that basically instance in my terraform can I do that H we can do that so what about the manually created resources we have in a terraform so that we can like import into terraform State file by using like import command import then we have to specify the resource name which we created on the configuration file then the ID whatever the source ID that we have to specify then after we can go to the state file there we'll be able to find all the like attributes whatever the attributes we have the that we can see MH and and did you use the terraform modules yes sir mod yes so why do we need a terraform module like what is okay if you have if you have any repetitive task for example I want to create one environment Bas and host and I'm using this Bas and host for multiple environment or multiple projects so I can create a logic first by using this module I can create some variables over there so whenever whenever I want to create this Bas and host again I don't need to create from the scratch again so I can use this module or I can call this module then I can achieve it okay okay and then in your current environment like uh are you de the infrastructure via cicd or cicd automation automation correct we don't have any manual entry which cicd tool you are using there genkins so why genkins you are deploying to cloud or engine you are using some scripting CLI or terraform or which thing you are using to deploy in fine clown like uh so there we using script only so we have a server so we have public server we using a server so so for that server we cloning to this under repos whatever the code be keeping our like a version control system so we be cloning from the Version Control System to our virtual machine from from that virtual machine we applying that so for that virtual machine have a specific access like what other access has to do that so how this GitHub connect with the genkins like is it pull based or push based it's a pull based R okay so like is 
it a centralized configuration at the Jin end or job based configuration uh which mean sir like you mentioned it's a pull base so pull base it means like jenin is pulling the code from the GitHub right correct correct so is that configured at a job level or is there any centralized configuration at Jin level uh that I don't know like basically we have a pipel okay so Auto whenever the like developer is updating that so we have a some set of time not actually we not enable like end star stars like every time so we created like one set of set of time so that time automatically genkins will let you know that and jins will pull endre repository and it will try to do the job so on every push if it is like running a jing then it may be the push Bas rather than the pull Bas because in the pull Bas we used to basically scan the repository at a fixed interval okay in Sp by the web hooks that used to trigger the junin jobs so have you configure those web books web books I I didn't configure but like when it come to this onar Cube like I created a workbook because like okay so basically if you are deploying any application in in a cloud environment then application may have some of the important uh say token credentials that are connecting to the third party tools so where you are storing those things sorry sir could you please repeat once again actually a lot of noise that's what yeah yeah so in an application there may be some of the credentials token that would be used to interact with the third party tool right or maybe uh say connection to the RDS or something like anything so there may be some kinds of uh critical or sensitive information uh so where you are storing those token credentials in in the cloud environment when you um use the particular application so for that we can use like hash cor Vault we can use or else we can use like in genkins itself we have some some kind of like plugins we have or else we can use aw Secrets manager so we can keep our credential 
over the username or password so in like suppose if we if we storing our credential in our hash cor board we'll be have a token so this by using this token this genkins genkins can decrypt that so we have to connect that and if I talk about the cloud environment that's about the deployment like during the deployment they can store the topon engine G and that get the credentials from the ASO but if an application needs to connect to a third party tool so at the application Level an application is running on an E2 instance so at that particular level uh uh like how do you get those credentials are uh is it stored in the ec2 itself or or is there any Cloud native service that can be used to store those credentials like uh so as far as I know so we can use Secrets manager a Secrets manager or else in systems manager we have an option parameter storage SS so that we can use when it come to the container service micros service service so we have an option in containers and I used to do that as well like the terraform token we will keep in that there itself and when the genkins is run so the before this init container will be initialize the token and it will push to our actual application so that we use okay okay okay so in in a cloud environment like what are the other uh Security Services that you have used uh Security Services ACM I have and I am and uh Secrets manager and web application firewall and uh then load balancer and load balancer also we can make it some a little bit secure right and Cloud friend I have used and in Cloud friend we can some kind of region when it come to this Route 53 we have a different different routing policies that also I use like okay okay and and do you have experience over uh core Security Services like AWS guard Duty Messi security Hub aw is like guard Duty like sometime I configured not for company myself in my system guard Duty or do you have idea about scps service control policies SCP yes yes for organization I used that because 
like if anybody if any if anyone want to restrict the root user privileges or or we want to get some permission for the root users so that we can create an organization so in this organization we can attach all our account then we can create some set of policy over there m okay and then suppose if I need to monitor like how many public buckets are there in my uh say multiple AWS accounts what do you think like how can we get those details in AWS CL uh sorry sir yeah I have multiple AWS accounts hundreds of account and I wanted to know the status of which all the buckets are publicly open there may be some misation or somebody have allowed it to the public and I want to track those things do you know how can I get those details oh that I don't know sir that I didn't know okay do you have experience over any of the audit tool or uh cspm Tool uh sorry sir any of the cspm tool Cloud security posture management or okay uh and uh do you know about the last thing in the Cloud High which I wanted to know about a simple question about S3 like do you know like what are the various S3 security feature that can be applied on S3 so S3 security like versioning we have and um like we have encryption like when it come server said encryption client said encryption like that we can use it over there that to I know like we have a like access point for example if anybody want to access from any application third party application so we can use access point and we can create some set of conditions over there we can create end points so that other thing actually MH okay okay yeah yeah VI I think uh I have done what I wanted to know so what do you and one more thing sir like uh like a sharp 6:00 actually I have another client round like so I have to do that yeah yeah we're done we're done we just wanted to uh ask you if you have any questions I like uh no sir no okay okay then we'll share our feedback internally withr and hopefully they'll share the same with you yeah you thank you so 
much bye hello ah yes yes