🔶 Hacking AWS end-to-end - remastered
A remastering of one of the greatest cloud security talks ever given, Daniel Grzelak's Kiwicon 2016 presentation, in which he shows IAM principal enumeration using resource policies, abusing vendor trust relationships as confused deputies, and more. Slides and code: https://github.com/dagrz/aws_pwn
https://youtu.be/8ZXRw4Ry3mQ
#aws
Do you want to know the best way to defend against cyberattacks?
We look forward to seeing you from November 16 to 18 at one of the most important information security events of this year: the global online conference CLOUDSEC 2021 by Trend Micro.
72 hours of total immersion in global security expertise await you. We will discuss trends, development prospects, challenges, urgent problems and their solutions.
And what else?
📍Thematic content;
📍Live performances;
📍Useful insights;
📍Networking;
📍Exhibition of solutions;
📍Place of resources;
📍Gaming environment.
Registration has already started. Follow the link: https://bit.ly/3EgVxka
#advertising
🔶 Achieving least-privilege at FollowAnalytics with Repokid, Aardvark and ConsoleMe
FollowAnalytics’s Guilherme Sena Zuza describes how they used these open source Netflix tools to remove static keys and overall get closer to least privilege IAM policies in AWS.
https://medium.com/followanalytics/granting-least-privileges-at-followanalytics-with-repokid-aardvark-and-consoleme-895d8daf604a
#aws
🔶 te-papa/aws-key-disabler
A small lambda script that will disable access keys older than a given amount of days.
https://github.com/te-papa/aws-key-disabler
#aws
🔷 Enterprise-scale seamless onboarding and deployment of Azure Sentinel using Lighthouse for multi-tenant environments
A behind-the-scenes view of some of the automated processes involved in setting up new environments and managing custom analytics for each customer, including details about their scripting and automated build and release pipelines, which are deployed as infrastructure-as-code.
https://research.nccgroup.com/2021/10/19/enterprise-scale-seamless-onboarding-and-deployment-of-azure-sentinel-using-lighthouse-for-multi-tenant-environments/amp/
#azure
🔶 Continuous compliance on AWS
A list of services and patterns that can be especially helpful in adopting a continuous compliance posture on AWS.
https://8thlight.com/blog/connor-mendenhall/2021/04/27/continuous-compliance-on-AWS.html
#aws
🔴 Stop Downloading Google Cloud Service Account Keys!
Generating and distributing service account keys poses severe security risks to your organization. You don't actually have to download these long-lived keys. There's a better way!
https://jryancanty.medium.com/stop-downloading-google-cloud-service-account-keys-1811d44a97d9
#gcp
🔶 AWS temporary creds with SSO and a CDK workaround
Step-by-step guide including helpful recommendations for replacing hard-coded credentials with temporary credentials using SSO.
https://www.iampulse.com/t/aws-temporary-creds-with-sso-and-a-cdk-workaround
#aws
🔴 Accessing GKE private clusters through IAP
How to connect to the control plane of a GKE private cluster, leveraging a proxy and an IAP tunnel.
https://medium.com/google-cloud/accessing-gke-private-clusters-through-iap-14fedad694f8
#gcp
🔶 Streamline Fifteen SOC 2 Controls with AWS Config and AWS Security Hub
There are two services on AWS that can make SOC 2 easier for you and your company, AWS Config and AWS Security Hub. These two services have built-in rules (Config) and controls (Security Hub) that directly address SOC 2 criteria and controls.
https://www.sans.org/blog/streamline-fifteen-soc-2-controls/
#aws
🔴 The 2 limits of Google Cloud IAM
2 use cases where the GCP IAM model is limited, requiring some trickery to get right.
https://www.iampulse.com/t/the-2-limits-of-google-cloud-iam
#gcp
🔶 Automating cloud governance at scale
Blog post from SkyScanner, introducing some recent improvements to CFRipper that have enabled them to detect issues more accurately, allow for increasing levels of customization, and facilitate dynamic stack exemptions for engineering squads.
https://medium.com/@SkyscannerEng/automating-cloud-governance-at-scale-895695fe4a1f
#aws
🔶 Using New S3 Features to Give CloudTrail Logs Service-Side Enrichment
Use the recent S3 Object Lambda functionality in AWS to enrich S3-based logs with valuable intelligence.
https://www.paloaltonetworks.com/blog/security-operations/enrich-aws-cloudtrail-s3-object-lambda/
#aws
🔷 ChaosDB Explained: Azure’s Cosmos DB Vulnerability Walkthrough
Great walkthrough example of exploring attack surface, escalating privileges, and lateral movement by Wiz’s Nir Ohfeld and Sagi Tzadik.
https://www.wiz.io/blog/chaosdb-explained-azures-cosmos-db-vulnerability-walkthrough
#azure
🔴 Everything you always wanted to know about VPC Peering (but were afraid to ask)
An overview of Google Cloud VPC network peerings, their anatomy, major misconceptions, and some watchpoints, so that users can learn how to use them wisely, while designing their infrastructures.
https://medium.com/google-cloud/everything-you-always-wanted-to-know-about-vpc-peering-but-were-afraid-to-ask-2b26267ba7d9
#gcp
🔷 Exploiting and defending anonymous access in Azure
Most Azure services require some form of authentication for access. However, a few exceptions allow the configuration of unauthenticated, unauthorized access. The most common ones are Azure Blob Containers and Azure Container Registry.
https://davidokeyode.medium.com/exploiting-and-defending-anonymous-access-in-azure-dcb00e032258
#azure
🔶 tenchi-security/camp
A tool that automatically downloads and keeps a local copy of all AWS IAM Managed Policies, and runs Cloudsplaining on them. By Victor Grenu and Tenchi Security’s Alexandre Sieira.
https://github.com/tenchi-security/camp
#aws
🔶 Do not use AWS CloudFormation
Greg Swallow argues that CloudFormation is strictly worse than Terraform: it has extra indirection and is harder to debug, Terraform has a rich set of data sources and makes transforming data a breeze, Terraform is much faster, CloudFormation’s async nature requires polling logic, Terraform is portable across providers, and more.
https://gswallow.medium.com/do-not-use-aws-cloudformation-7cf61f58bd5f
#aws
🔶 Well, That Escalated Quickly
AfterPay’s Dorien Koelemeijer describes Cloud Cover, a tool they built to enable developers to move quickly but also with least IAM privilege, using Okta, permissions defined in a git repo, and more. Neat approach.
https://www.afterpaytechblog.com/well-that-escalated-quickly/
#aws
🔷 CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory
Another security issue discovered in Azure: due to a misconfiguration, Automation Account "Run as" credentials (PFX certificates) were being stored in cleartext in Azure Active Directory (AAD).
https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-cloud-vulnerability-credmanifest/
#azure
🔶 Identity Federation for GitHub Actions on AWS
A useful step-by-step example of how to configure your GitHub Actions build jobs to securely and seamlessly use IAM Roles in AWS.
https://scalesec.com/blog/identity-federation-for-github-actions-on-aws/
#aws