🔶 Continuous compliance on AWS
A list of services and patterns that can be especially helpful in adopting a continuous compliance posture on AWS.
https://8thlight.com/blog/connor-mendenhall/2021/04/27/continuous-compliance-on-AWS.html
#aws
A list of services and patterns that can be especially helpful in adopting a continuous compliance posture on AWS.
https://8thlight.com/blog/connor-mendenhall/2021/04/27/continuous-compliance-on-AWS.html
#aws
8th Light
Continuous compliance on AWS | 8th Light
A looming deadline. A long list of requirements handed off to the team without their input. No room for flexibility. Just one shot to get it right.
You may be thinking of a doomed software project from the distant past. And if you’re cringing ...
You may be thinking of a doomed software project from the distant past. And if you’re cringing ...
🔴 Stop Downloading Google Cloud Service Account Keys!
Generating and distributing service account keys poses severe security risks to your organization. You don't actually have to download these long-lived keys. There's a better way!
https://jryancanty.medium.com/stop-downloading-google-cloud-service-account-keys-1811d44a97d9
#gcp
Generating and distributing service account keys poses severe security risks to your organization. You don't actually have to download these long-lived keys. There's a better way!
https://jryancanty.medium.com/stop-downloading-google-cloud-service-account-keys-1811d44a97d9
#gcp
Medium
Stop Downloading Google Cloud Service Account Keys!
TL;DR: Downloading service account keys poses a serious security risk to your organization because they are long lived and not…
🔶 AWS temporary creds with SSO and a CDK workaround
Step-by-step guide including helpful recommendations for replacing hard-coded credentials with temporary credentials using SSO.
https://www.iampulse.com/t/aws-temporary-creds-with-sso-and-a-cdk-workaround
#aws
Step-by-step guide including helpful recommendations for replacing hard-coded credentials with temporary credentials using SSO.
https://www.iampulse.com/t/aws-temporary-creds-with-sso-and-a-cdk-workaround
#aws
🔴 Accessing GKE private clusters through IAP
How to connect to the control plane of a GKE private cluster, leveraging a proxy and an IAP tunnel.
https://medium.com/google-cloud/accessing-gke-private-clusters-through-iap-14fedad694f8
#gcp
How to connect to the control plane of a GKE private cluster, leveraging a proxy and an IAP tunnel.
https://medium.com/google-cloud/accessing-gke-private-clusters-through-iap-14fedad694f8
#gcp
Medium
Accessing GKE private clusters through IAP
TL;DR
🔶 Streamline Fifteen SOC 2 Controls with AWS Config and AWS Security Hub
There are two services on AWS that can make SOC 2 easier for you and your company, AWS Config and AWS Security Hub. These two services have built-in rules (Config) and controls (Security Hub) that directly address SOC 2 criteria and controls.
https://www.sans.org/blog/streamline-fifteen-soc-2-controls/
#aws
There are two services on AWS that can make SOC 2 easier for you and your company, AWS Config and AWS Security Hub. These two services have built-in rules (Config) and controls (Security Hub) that directly address SOC 2 criteria and controls.
https://www.sans.org/blog/streamline-fifteen-soc-2-controls/
#aws
www.sans.org
Streamline Fifteen SOC 2 Controls with AWS Config and AWS Security Hub | SANS Institute
AJ Yawn shares how to streamline SOC 2 controls with AWS config and AWS security hub.
🔴 The 2 limits of Google Cloud IAM
2 use cases where the GCP IAM model is limited, requiring some trickery to get right.
https://www.iampulse.com/t/the-2-limits-of-google-cloud-iam
#gcp
2 use cases where the GCP IAM model is limited, requiring some trickery to get right.
https://www.iampulse.com/t/the-2-limits-of-google-cloud-iam
#gcp
IAM Pulse
The 2 limits of Google Cloud IAM | IAM Pulse
Security is paramount in cloud environments and an IAM service can help, but there are some limits to know and to manage.
🔶 Automating cloud governance at scale
Blog post from SkyScanner, introducing some recent improvements to CFRipper that have enabled them to detect issues more accurately, allow for increasing levels of customization, and facilitate dynamic stack exemptions for engineering squads.
https://medium.com/@SkyscannerEng/automating-cloud-governance-at-scale-895695fe4a1f
#aws
Blog post from SkyScanner, introducing some recent improvements to CFRipper that have enabled them to detect issues more accurately, allow for increasing levels of customization, and facilitate dynamic stack exemptions for engineering squads.
https://medium.com/@SkyscannerEng/automating-cloud-governance-at-scale-895695fe4a1f
#aws
Medium
Automating cloud governance at scale
How we automate advanced IaC security linting at scale, with latest version of Cfripper
🔶 Using New S3 Features to Give CloudTrail Logs Service-Side Enrichment
Use the recent S3 Object Lambda functionality in AWS to enrich S3-based logs with valuable intelligence.
https://www.paloaltonetworks.com/blog/security-operations/enrich-aws-cloudtrail-s3-object-lambda/
#aws
Use the recent S3 Object Lambda functionality in AWS to enrich S3-based logs with valuable intelligence.
https://www.paloaltonetworks.com/blog/security-operations/enrich-aws-cloudtrail-s3-object-lambda/
#aws
🔷 ChaosDB Explained: Azure’s Cosmos DB Vulnerability Walkthrough
Great walkthrough example of exploring attack surface, escalating privileges, and lateral movement by Wiz’s Nir Ohfeld and Sagi Tzadik.
https://www.wiz.io/blog/chaosdb-explained-azures-cosmos-db-vulnerability-walkthrough
#azure
Great walkthrough example of exploring attack surface, escalating privileges, and lateral movement by Wiz’s Nir Ohfeld and Sagi Tzadik.
https://www.wiz.io/blog/chaosdb-explained-azures-cosmos-db-vulnerability-walkthrough
#azure
wiz.io
ChaosDB explained: Azure's Cosmos DB vulnerability walkthrough | Wiz Blog
This is the full story of the Azure ChaosDB Vulnerability that was discovered and disclosed by the Wiz Research Team, where we were able to gain complete unrestricted access to the databases of several thousand Microsoft Azure customers.
🔴 Everything you always wanted to know about VPC Peering (but were afraid to ask)
An overview of Google Cloud VPC network peerings, their anatomy, major misconceptions, and some watchpoints, so that users can learn how to use them wisely, while designing their infrastructures.
https://medium.com/google-cloud/everything-you-always-wanted-to-know-about-vpc-peering-but-were-afraid-to-ask-2b26267ba7d9
#gcp
An overview of Google Cloud VPC network peerings, their anatomy, major misconceptions, and some watchpoints, so that users can learn how to use them wisely, while designing their infrastructures.
https://medium.com/google-cloud/everything-you-always-wanted-to-know-about-vpc-peering-but-were-afraid-to-ask-2b26267ba7d9
#gcp
Medium
Everything You Always Wanted to Know About VPC Peering* (*But Were Afraid to Ask)
TL:DR
🔷 Exploiting and defending anonymous access in Azure
Most of Azure services require some form of authentication for access. However, there are a few exceptions that allows the configuration of unauthenticated and unauthorized access. The most common ones are the Azure Blob Container and the Azure Container registry.
https://davidokeyode.medium.com/exploiting-and-defending-anonymous-access-in-azure-dcb00e032258
#azure
Most of Azure services require some form of authentication for access. However, there are a few exceptions that allows the configuration of unauthenticated and unauthorized access. The most common ones are the Azure Blob Container and the Azure Container registry.
https://davidokeyode.medium.com/exploiting-and-defending-anonymous-access-in-azure-dcb00e032258
#azure
Medium
Exploiting and defending anonymous access in Azure
Many cloud-related security breaches start with a compromised user identity. Once an attacker gets a foot in the door using the compromised…
🔶 tenchi-security/camp
A tool that automatically downloads and keeps a local copy of all AWS IAM Managed Policies, and runs Cloudsplaining on them. By Victor Grenu and Tenchi Security’s Alexandre Sieira.
https://github.com/tenchi-security/camp
#aws
A tool that automatically downloads and keeps a local copy of all AWS IAM Managed Policies, and runs Cloudsplaining on them. By Victor Grenu and Tenchi Security’s Alexandre Sieira.
https://github.com/tenchi-security/camp
#aws
GitHub
GitHub - tenchi-security/camp: CloudSplaining on AWS Managed Policies
CloudSplaining on AWS Managed Policies. Contribute to tenchi-security/camp development by creating an account on GitHub.
🔶 Do not use AWS CloudFormation
Greg Swallow argues that CloudFormation is strictly worse than Terraform: it has extra indirection and is harder to debug, Terraform has a rich set of data sources and makes transforming data is a breeze, Terraform is much faster, CloudFormation’s async nature requires polling logic, Terraform is portable across providers, and more.
https://gswallow.medium.com/do-not-use-aws-cloudformation-7cf61f58bd5f
#aws
Greg Swallow argues that CloudFormation is strictly worse than Terraform: it has extra indirection and is harder to debug, Terraform has a rich set of data sources and makes transforming data is a breeze, Terraform is much faster, CloudFormation’s async nature requires polling logic, Terraform is portable across providers, and more.
https://gswallow.medium.com/do-not-use-aws-cloudformation-7cf61f58bd5f
#aws
Medium
Do not use AWS CloudFormation
Several years ago I actually cared about the differences between AWS CloudFormation and Terraform. Namely, that Terraform did not provide…
🔶 Well, That Escalated Quickly
AfterPay’s Dorien Koelemeijer describes Cloud Cover, a tool they built to enable developers to move quickly but also with least IAM privilege, using Okta, permissions defined in a git repo, and more. Neat approach.
https://www.afterpaytechblog.com/well-that-escalated-quickly/
#aws
AfterPay’s Dorien Koelemeijer describes Cloud Cover, a tool they built to enable developers to move quickly but also with least IAM privilege, using Okta, permissions defined in a git repo, and more. Neat approach.
https://www.afterpaytechblog.com/well-that-escalated-quickly/
#aws
Afterpay Technology Blog
Well, That Escalated Quickly
An introduction to Cloud Cover, our AWS IAM tooling
🔷 CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory
Another security issue discovered in Azure: due to a misconfiguration, Automation Account "Run as" credentials (PFX certificates) were being stored in cleartext in Azure Active Directory (AAD).
https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-cloud-vulnerability-credmanifest/
#azure
Another security issue discovered in Azure: due to a misconfiguration, Automation Account "Run as" credentials (PFX certificates) were being stored in cleartext in Azure Active Directory (AAD).
https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-cloud-vulnerability-credmanifest/
#azure
NetSPI
CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory
The vulnerability, found by NetSPI’s cloud pentesting practice director, Karl Fosaaen, affects any organization that uses Automation Account "Run as" accounts in Azure.
🔶 Identity Federation for GitHub Actions on AWS
An useful step-by-step example on how to configure your GitHub Actions build jobs to securely and seamlessly use IAM Roles in AWS.
https://scalesec.com/blog/identity-federation-for-github-actions-on-aws/
#aws
An useful step-by-step example on how to configure your GitHub Actions build jobs to securely and seamlessly use IAM Roles in AWS.
https://scalesec.com/blog/identity-federation-for-github-actions-on-aws/
#aws
Scalesec
Identity Federation for GitHub Actions on AWS | ScaleSec
Securing access to AWS resources for GitHub Actions workflows with OpenID Connect identity federation
🔶 Effective IAM for AWS: A guide to realize IAM best practices
Learn how to secure AWS with usable IAM architecture, policies, and automation that scales security best practices efficiently to all developers.
https://www.effectiveiam.com/
#aws
Learn how to secure AWS with usable IAM architecture, policies, and automation that scales security best practices efficiently to all developers.
https://www.effectiveiam.com/
#aws
Effective IAM for AWS
Effective IAM for AWS: A guide to realize IAM best practices
Learn how to secure AWS with usable IAM architecture, policies, and automation that scales security best practices efficiently to all developers.
🔶 Updates to IAM policy evaluation logic flow chart
AWS has finally updated the documentation around determining whether a request is allowed or denied within an account.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
#aws
AWS has finally updated the documentation around determining whether a request is allowed or denied within an account.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
#aws
Amazon
Policy evaluation logic - AWS Identity and Access Management
Learn how JSON policies are evaluated within a single account to return either Allow or Deny. To learn how AWS evaluates policies for cross-account access, see .
🔷 Modernizing compliance: Introducing Risk and Compliance as Code
Google announced the launch of their Risk and Compliance as Code (RCaC) Solution. The RCaC solution stack enables compliance and security control automation through a combination of Google Cloud Products, Blueprints, Partner Integrations, workshops and services.
https://cloud.google.com/blog/products/identity-security/risk-and-compliance-as-code
#azure
Google announced the launch of their Risk and Compliance as Code (RCaC) Solution. The RCaC solution stack enables compliance and security control automation through a combination of Google Cloud Products, Blueprints, Partner Integrations, workshops and services.
https://cloud.google.com/blog/products/identity-security/risk-and-compliance-as-code
#azure
Google Cloud Blog
Risk and Compliance as Code delivers solution modern security for digital transformation and modern IT | Google Cloud Blog
The RCaC solution stack enables compliance and security control automation through a combination of Google Cloud Products, Blueprints, Partner Integrations, workshops and services to simplify and accelerate time to value.
🔶 pre:Invent 2021
There were 234 AWS announcements in pre:Invent season. Chris Farris analysed 27 of them related to security and governance.
https://www.chrisfarris.com/post/preinvent2021/
#aws
There were 234 AWS announcements in pre:Invent season. Chris Farris analysed 27 of them related to security and governance.
https://www.chrisfarris.com/post/preinvent2021/
#aws
https://www.chrisfarris.com/
pre:Invent 2021 - Chris Farris
There were 234 AWS announcements in pre:Invent season. I breakdown and snark about 27 of them relating to security and governance.
🔶🔷🔴 AWS/Azure/GCP Permissions
Continuing with efforts on the permissions.cloud project, Ian Mckay has now have both Azure and GCP spaces available: azure.permissions.cloud and gcp.permissions.cloud.
https://aws.permissions.cloud/
#aws #azure #gcp
Continuing with efforts on the permissions.cloud project, Ian Mckay has now have both Azure and GCP spaces available: azure.permissions.cloud and gcp.permissions.cloud.
https://aws.permissions.cloud/
#aws #azure #gcp
aws.permissions.cloud
Permissions Reference for AWS IAM