CloudSec Wine
All about cloud security

Contacts:
@AMark0f
@dvyakimov

About DevSecOps:
@sec_devops
🔶 Serverless Policy Enforcement: Connecting OPA and AWS Lambda

Recent updates to the project aim to better integrate OPA with serverless architectures and other infrastructure with intermittent compute.

https://blog.openpolicyagent.org/serverless-policy-enforcement-connecting-opa-and-aws-lambda-e624f7176a3

#aws
🔷 Azure Service Authentication and Authorization table

A table for reviewing service authentication and authorization security in Azure, especially cross-service security.

https://github.com/jsa2/aad-auth-n-z

#azure
🔴 Scaling Kubernetes Tenant Management with Hierarchical Namespaces Controller

Post explaining the details of Mercari's multi-tenant Kubernetes architecture and the issues they faced while migrating from on-premises deployments to containers on GCP using Google Kubernetes Engine (GKE).

https://engineering.mercari.com/blog/entry/20210930-scaling-kubernetes-tenant-management-with-hierarchical-namespaces-controller/

#gcp
🔶 AWS WAF's Dangerous Defaults

AWS WAF's defaults make bypassing it trivial in POST requests, even with AWS Managed Rules enabled.

https://osamaelnaggar.com/blog/aws_waf_dangerous_defaults/

#aws
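To make the "dangerous default" concrete, here is an added Python model of how the request body is inspected (this is illustration written for this digest, not code from the linked post or from AWS). It assumes the behaviour the post describes: the WAF only sees the first 8 KB of a body, and a managed rule whose oversize handling is CONTINUE simply evaluates what it can see. The regex, the constructed request bodies and the function names are this example's own.

```python
"""Toy model of AWS WAF body inspection: default 8 KB limit vs. an explicit
oversize rule. Constructed for illustration; not the WAF engine itself."""
import re

# AWS WAF inspects at most the first 8 KB of a request body by default.
BODY_INSPECTION_LIMIT = 8192

# Stand-in for a managed SQLi signature (constructed, deliberately simple).
SQLI_PATTERN = re.compile(r"(?i)('\s*or\s*1\s*=\s*1|union\s+select)")


def managed_rule_blocks(body: bytes) -> bool:
    """Managed rule with oversize handling CONTINUE: only the first 8 KB is
    visible to the signature; bytes past the limit are never inspected."""
    visible = body[:BODY_INSPECTION_LIMIT].decode("utf-8", "replace")
    return bool(SQLI_PATTERN.search(visible))


def oversize_rule_blocks(body: bytes) -> bool:
    """Hardening rule: a SizeConstraint on the body (size > 8192) with
    oversize handling MATCH, i.e. block anything the WAF cannot fully see."""
    return len(body) > BODY_INSPECTION_LIMIT


def evaluate(body: bytes, block_oversize: bool) -> str:
    """Return the WAF decision for a request body.

    block_oversize=False models the default web ACL (managed rules only);
    block_oversize=True adds the explicit oversize-body block rule first.
    """
    if block_oversize and oversize_rule_blocks(body):
        return "BLOCK (oversize body)"
    if managed_rule_blocks(body):
        return "BLOCK (managed rule)"
    return "ALLOW"


def build_padded_post(payload: str, pad_field: str = "comment") -> bytes:
    """Constructed attacker body: a harmless field padded past the 8 KB
    inspection limit, followed by the real payload in a later field."""
    padding = f"{pad_field}=" + "A" * (BODY_INSPECTION_LIMIT + 1)
    return (padding + "&q=" + payload).encode()


if __name__ == "__main__":
    small = b"q=' OR 1=1--"
    padded = build_padded_post("' OR 1=1--")
    print("small body, defaults      :", evaluate(small, block_oversize=False))
    print("padded body, defaults     :", evaluate(padded, block_oversize=False))
    print("padded body, oversize rule:", evaluate(padded, block_oversize=True))
```

The point of the model: the same payload that is blocked in a short body is allowed once it is pushed past the inspection limit, and the only thing that closes the gap is a rule that treats "too large to inspect" as a block rather than a pass.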
🔷 Azure Privilege Escalation via Service Principal Abuse

Post explaining how to abuse Service Principals to escalate rights in Azure and how to protect yourself against it.

https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5

#azure
🔴 VPC Service Controls in Plain English

GCP offers powerful security controls to mitigate API-based data exfiltration called VPC Service Controls. To execute a successful and secure cloud architecture with VPC Service Controls, it is important to understand exactly how they work.

https://scalesec.com/blog/vpc-service-controls-in-plain-english/

#gcp
🔶 Designing Least Privilege AWS IAM Policies for People

Got engineers with AdministratorAccess? Here's how to deploy reduced privilege IAM roles for people without breaking their workflows.

https://www.iampulse.com/t/designing-least-privilege-aws-iam-policies-for-people

#aws
🔷 Understanding Azure Logs from a security perspective - Part 2 - NSG Flow Logs

This blog is the second in a multi-part series to cover the available logs and telemetry of the Azure platform, discuss the security insights that we can obtain from them and also to highlight existing blind spots that can save you a few headaches down the line.

https://davidokeyode.medium.com/understanding-azure-logs-from-a-security-perspective-part-2-nsg-flow-logs-3edc5c42f39a

#azure
🔶🔷🔴 Multicloud failover is almost always a terrible idea

Multicloud failover is complex and costly to the point of almost always being impractical, and it is not an especially effective way to address cloud resilience risks.

https://cloudpundit.com/2021/10/14/multicloud-failover-is-almost-always-a-terrible-idea/

#aws #azure #gcp
🔶 Hacking AWS end-to-end - remastered

A remastering of one of the greatest cloud security talks ever given, Daniel Grzelak's Kiwicon 2016 presentation, in which he shows IAM principal enumeration using resource policies, confused-deputy abuse of vendor trust relationships, and more. Slides and code: https://github.com/dagrz/aws_pwn

https://youtu.be/8ZXRw4Ry3mQ

#aws
Do you want to know the best way to defend against cyberattacks?

We are waiting for you from November 16 to 18 at one of the most important information security events of the year: the global online conference CLOUDSEC 2021 by Trend Micro.

72 hours of total immersion in global security experience await you. We will discuss trends, development prospects, challenges, pressing problems and their solutions.

And what else?

📍Thematic content;
📍Live presentations;
📍Useful insights;
📍Networking;
📍Exhibition of solutions;
📍Resource area;
📍Gaming environment.

Registration is already open. Follow the link: https://bit.ly/3EgVxka

#advertising
🔶 Achieving least-privilege at FollowAnalytics with Repokid, Aardvark and ConsoleMe

FollowAnalytics' Guilherme Sena Zuza describes how they used these open source Netflix tools to remove static keys and move closer to least-privilege IAM policies in AWS.

https://medium.com/followanalytics/granting-least-privileges-at-followanalytics-with-repokid-aardvark-and-consoleme-895d8daf604a

#aws
🔷 Enterprise-scale seamless onboarding and deployment of Azure Sentinel using Lighthouse for multi-tenant environments

A behind-the-scenes view of some of the automated processes involved in setting up new environments and managing custom analytics for each customer, including details of the scripting and the automated build and release pipelines, which are deployed as infrastructure-as-code.

https://research.nccgroup.com/2021/10/19/enterprise-scale-seamless-onboarding-and-deployment-of-azure-sentinel-using-lighthouse-for-multi-tenant-environments/amp/

#azure
🔴 Stop Downloading Google Cloud Service Account Keys!

Generating and distributing service account keys poses severe security risks to your organization. You don't actually have to download these long-lived keys. There's a better way!

https://jryancanty.medium.com/stop-downloading-google-cloud-service-account-keys-1811d44a97d9

#gcp
🔶 AWS temporary creds with SSO and a CDK workaround

Step-by-step guide including helpful recommendations for replacing hard-coded credentials with temporary credentials using SSO.

https://www.iampulse.com/t/aws-temporary-creds-with-sso-and-a-cdk-workaround

#aws
🔴 Accessing GKE private clusters through IAP

How to connect to the control plane of a GKE private cluster, leveraging a proxy and an IAP tunnel.

https://medium.com/google-cloud/accessing-gke-private-clusters-through-iap-14fedad694f8

#gcp
🔶 Streamline Fifteen SOC 2 Controls with AWS Config and AWS Security Hub

There are two services on AWS that can make SOC 2 easier for you and your company, AWS Config and AWS Security Hub. These two services have built-in rules (Config) and controls (Security Hub) that directly address SOC 2 criteria and controls.

https://www.sans.org/blog/streamline-fifteen-soc-2-controls/

#aws