howto completely secure backup server env?

I have a secure and private aws ec2 environment but I need to do some backups of mongodb, postgresql, so I have a separate ec2 instance for doing backup and occasionally allow 80 and 443 to allow install/update software on backup instance.

I use shell scripts to do backup job, it requires hardcoded password or credentials in scripts, I don’t feel it secure enough to have all credentials saved into one place — backup instance.

How to secure backup instance to avoid saving passwords/credentials in plain text, I also want to avoid saving passwords/credentials in memory or temporary files?

Is using “Signature Versioning” in Amazon S3 a secure way of selling ebooks?

I own an ecommerce platform that sells large (500 megabyte+) ebooks. To reduce server costs I am looking at hosting the ebooks on S3 and using Sendowl/ FetchApp to create the links to the downloads.

My understanding is that “customer buys ebook” -> “customer receives signed url (i.e. example.com/ksljfasdkfj)” -> signed URL goes to actual s3 file (i.e. amazon.bucket/file1.pdf)”

Assuming that the middleman I use to sign the domain works correctly, and my bucket file has the correct security settings, is this secure? What is keeping someone from just brute-forcing the file system to find other files or use the link after it expires? My nightmare would be a security hole wherein someone could access all the documents.

What can i do to secure my network [on hold]

I have noticed my network security sucks so i am working on fixing it i have some of the basic stuff down like constant OS/software patching using antivirus software and enabling/monitoring the default firewall ( I am looking more into firewall administration and log reading ).

I am also making sure to limit directory/file permissions and to only use normal user accounts. I also am changing passwords to something random every month. For unknown applications and web browsing i am using a virtual machine that i restore from a clean snapshot every time i need to use it. I also enforce signature checking from a virtual machine before downloading applications onto my host system and whenever i suspect a intrusion i perform a complete OS re installation combined with a flash of the BIOS. I check for BIOS firmware updates on a regular basis and apply them when they are available. I am using ProtonVPN as my VPN provider and Cloudfare as my DNS provider. I have in place full disk encryption on all of my machines with a password that is changed every month. My routers firmware is kept up to date and i have a password setup for the WIFI ( Read below for why this a problem ). I have changed the default router username/password and have disabled remote administration and am looking into forcing HTTPS connections for connecting to the router i am also starting to learn how to read connection logs for the router. I monitor the devices that are connected to the network using the web interface for the router. My desktops/laptops also undergo physical inspection of the hardware i take inventory of the installed hardware and check the list every time i look at the hardware this list includes a physical copy and photos of the hardware i also use USB white listing for these systems. I also am starting to monitor network traffic looking for known c&c addresses/unknown domains suspicious websites and signs of data stealing.

My questions are is there anything else i can do in regards to hardware security? and what threats should i try to protect against on my network? Also i have read about routers compromising systems on the network using drive by download attacks and DNS hijacking i am monitoring the DNS configuration of the router and that of the hosts on the network but how do i detect/prevent drive by downloads from my router? Also any other operating system hardening/router hardening advice that comes to mind is also appreciated. This brings me to my last question how do i get started in threat hunting/looking for malware/attackers on my network.

Problems: I control my network however family/friends come over and i have to give them the WIFI password and they could possibly give it to there friends this has occurred in the past so there is no point in changing the WIFI password because people will just get it again so how do i help re-mediate this? Also any other basic network security advice you could provide would be helpful

Are there any models of operating systems which don’t require rings of privileges, that are also secure?

I am working on a simple operating system in JavaScript and have noticed that there are two kinds of processes: the “main” process (or “kernel” process), and all the other processes. Basically they are implemented completely differently (which makes sense). But I’m wondering if you could reuse some of the logic and just have it all be one type of process. Do any operating systems do this? If so, what do they do? If not, why not?

Is Bitlocker secure enough for portable storage devices?

I have recently lost a U drive, which contained some important information. Fortunately, it was protected by Bitlocker. I felt the compulse to ask exactly how secure it is. Most answers on this site related to Bitlocker seem to be about built-in storage on a computer. This answer says there was a possible cold boot hack. Is it more secure to protect a U drive with Bitlocker, since you cannot use that kind of hack on a U drive? Also, that answer is 6 years old. There must have been some new developments. With the current technology that Bitlocker uses, do I need to worry that the information on my U drive could be decrypted?

Use of HTTP functions in GCP Cloud Functions Is Not Secure. Why they are still available?

As Google mentions itself in the documentation,

the HTTP functions in Cloud Functions have no authentication and are not secure. HTTP functions are unprotected and will respond to any HTTP request, which means anybody on the internet could start and stop your Compute Engine instances.

What is the real use of such HTTP functions then? Why they are available at all?