🔴 The 2 limits of Google Cloud IAM
2 use cases where the GCP IAM model is limited, requiring some trickery to get right.
https://www.iampulse.com/t/the-2-limits-of-google-cloud-iam
#gcp
🔶 Automating cloud governance at scale
Blog post from SkyScanner, introducing some recent improvements to CFRipper that have enabled them to detect issues more accurately, allow for increasing levels of customization, and facilitate dynamic stack exemptions for engineering squads.
https://medium.com/@SkyscannerEng/automating-cloud-governance-at-scale-895695fe4a1f
#aws
🔶 Using New S3 Features to Give CloudTrail Logs Service-Side Enrichment
Use the recent S3 Object Lambda functionality in AWS to enrich S3-based logs with valuable intelligence.
https://www.paloaltonetworks.com/blog/security-operations/enrich-aws-cloudtrail-s3-object-lambda/
#aws
🔷 ChaosDB Explained: Azure’s Cosmos DB Vulnerability Walkthrough
Great walkthrough example of exploring attack surface, escalating privileges, and lateral movement by Wiz’s Nir Ohfeld and Sagi Tzadik.
https://www.wiz.io/blog/chaosdb-explained-azures-cosmos-db-vulnerability-walkthrough
#azure
This is the full story of the Azure ChaosDB Vulnerability that was discovered and disclosed by the Wiz Research Team, where we were able to gain complete unrestricted access to the databases of several thousand Microsoft Azure customers.
🔴 Everything you always wanted to know about VPC Peering (but were afraid to ask)
An overview of Google Cloud VPC network peerings, their anatomy, major misconceptions, and some watchpoints, so that users can learn how to use them wisely, while designing their infrastructures.
https://medium.com/google-cloud/everything-you-always-wanted-to-know-about-vpc-peering-but-were-afraid-to-ask-2b26267ba7d9
#gcp
🔷 Exploiting and defending anonymous access in Azure
Most Azure services require some form of authentication for access. However, there are a few exceptions that allow the configuration of unauthenticated and unauthorized access. The most common ones are Azure Blob Containers and the Azure Container Registry.
https://davidokeyode.medium.com/exploiting-and-defending-anonymous-access-in-azure-dcb00e032258
#azure
🔶 tenchi-security/camp
A tool that automatically downloads and keeps a local copy of all AWS IAM Managed Policies, and runs Cloudsplaining on them. By Victor Grenu and Tenchi Security’s Alexandre Sieira.
https://github.com/tenchi-security/camp
#aws
🔶 Do not use AWS CloudFormation
Greg Swallow argues that CloudFormation is strictly worse than Terraform: it has extra indirection and is harder to debug, Terraform has a rich set of data sources and makes transforming data a breeze, Terraform is much faster, CloudFormation’s async nature requires polling logic, Terraform is portable across providers, and more.
https://gswallow.medium.com/do-not-use-aws-cloudformation-7cf61f58bd5f
#aws
🔶 Well, That Escalated Quickly
AfterPay’s Dorien Koelemeijer describes Cloud Cover, a tool they built to enable developers to move quickly but also with least IAM privilege, using Okta, permissions defined in a git repo, and more. Neat approach.
https://www.afterpaytechblog.com/well-that-escalated-quickly/
#aws
🔷 CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory
Another security issue discovered in Azure: due to a misconfiguration, Automation Account "Run as" credentials (PFX certificates) were being stored in cleartext in Azure Active Directory (AAD).
https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-cloud-vulnerability-credmanifest/
#azure
The vulnerability, found by NetSPI’s cloud pentesting practice director, Karl Fosaaen, affects any organization that uses Automation Account "Run as" accounts in Azure.
🔶 Identity Federation for GitHub Actions on AWS
A useful step-by-step example of how to configure your GitHub Actions build jobs to securely and seamlessly use IAM Roles in AWS.
https://scalesec.com/blog/identity-federation-for-github-actions-on-aws/
#aws
🔶 Effective IAM for AWS: A guide to realize IAM best practices
Learn how to secure AWS with usable IAM architecture, policies, and automation that scales security best practices efficiently to all developers.
https://www.effectiveiam.com/
#aws
🔶 Updates to IAM policy evaluation logic flow chart
AWS has finally updated the documentation around determining whether a request is allowed or denied within an account.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
#aws
🔴 Modernizing compliance: Introducing Risk and Compliance as Code
Google announced the launch of their Risk and Compliance as Code (RCaC) Solution. The RCaC solution stack enables compliance and security control automation through a combination of Google Cloud Products, Blueprints, Partner Integrations, workshops and services.
https://cloud.google.com/blog/products/identity-security/risk-and-compliance-as-code
#gcp
🔶 pre:Invent 2021
There were 234 AWS announcements in pre:Invent season. Chris Farris analysed 27 of them related to security and governance.
https://www.chrisfarris.com/post/preinvent2021/
#aws
🔶🔷🔴 AWS/Azure/GCP Permissions
Continuing his efforts on the permissions.cloud project, Ian Mckay now has both Azure and GCP spaces available: azure.permissions.cloud and gcp.permissions.cloud.
https://aws.permissions.cloud/
#aws #azure #gcp
🔶 Is AWS Recycling your Access Keys?
Temporary AWS API access key IDs, issued by AWS, are not unique and could repeat, which can impair AWS security tools detection capabilities.
https://www.hunters.ai/blog/hunters-research-is-aws-recycling-your-access-keys
#aws
🔶 twistlock/splash
By Palo Alto Networks’s Yuval Avrahami: A pseudo shell re-invoking the Lambda for each command. For curious fellows who want to hack on AWS Lambda’s infrastructure.
https://github.com/twistlock/splash
#aws
🔴 Illicit coin mining, ransomware, APTs target cloud users in first Google Cybersecurity Action Team Threat Horizons report
The first threat report from the Google Cybersecurity Action Team finds cloud users are often targeted by illicit coin mining, ransomware, and APTs.
https://cloud.google.com/blog/products/identity-security/coin-mining-ransomware-apts-target-cloud-gcat-report
#gcp
🔷 Azure Privilege Escalation via Azure API Permissions Abuse
How Azure API Permissions can be abused to escalate to Global Admin.
https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48
#azure
🔶 Data Perimeter Workshop
This workshop takes you through some of the best practices and available AWS services and features for creating a boundary around your resources in AWS.
https://data-perimeter.workshop.aws/
#aws