🔷 Modernizing compliance: Introducing Risk and Compliance as Code
Google announced the launch of their Risk and Compliance as Code (RCaC) Solution. The RCaC solution stack enables compliance and security control automation through a combination of Google Cloud Products, Blueprints, Partner Integrations, workshops and services.
https://cloud.google.com/blog/products/identity-security/risk-and-compliance-as-code
#gcp
🔶 pre:Invent 2021
There were 234 AWS announcements in pre:Invent season. Chris Farris analysed 27 of them related to security and governance.
https://www.chrisfarris.com/post/preinvent2021/
#aws
🔶🔷🔴 AWS/Azure/GCP Permissions
Continuing the permissions.cloud project, Ian Mckay now has Azure and GCP editions available alongside the AWS one: azure.permissions.cloud and gcp.permissions.cloud.
https://aws.permissions.cloud/
#aws #azure #gcp
🔶 Is AWS Recycling your Access Keys?
Hunters' research team found that the access key IDs of temporary AWS credentials are not unique and can repeat across sessions. Detection tooling that attributes activity by access key ID alone can therefore conflate unrelated sessions and misattribute or miss activity.
https://www.hunters.ai/blog/hunters-research-is-aws-recycling-your-access-keys
#aws
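To make the detection caveat concrete, here is an added example (not code from the Hunters post) that runs over constructed CloudTrail-style records: attributing activity by access key ID alone merges two unrelated assumed-role sessions that received the same temporary key ID, while keying on the full session identity keeps them apart. The account ID, role IDs, key IDs and event times are all made up.

```python
"""Correlating CloudTrail activity when temporary access key IDs repeat.

Added example, not code from the Hunters post. It models the detection
pitfall the research describes: a pipeline that attributes activity to a
temporary (ASIA...) access key ID alone merges two unrelated STS sessions
that happen to receive the same key ID. Keying on the full session identity
avoids that. All records are constructed sample data.
"""
from collections import defaultdict

ACCOUNT = "111122223333"  # placeholder account ID


def _assumed_role_event(key_id, role_id, session_name, role_name, event_name, time):
    """Build a CloudTrail-shaped record for an AssumedRole session (constructed)."""
    return {
        "eventTime": time,
        "eventName": event_name,
        "userIdentity": {
            "type": "AssumedRole",
            "accountId": ACCOUNT,
            "accessKeyId": key_id,
            # For assumed roles, principalId is "<role unique ID>:<session name>".
            "principalId": f"{role_id}:{session_name}",
            "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{role_name}/{session_name}",
        },
    }


SAMPLE_EVENTS = [
    # One ci-runner session: two calls under the same temporary key ID.
    _assumed_role_event("ASIAEXAMPLE000000001", "AROAEXAMPLE000000001", "ci-runner",
                        "ci-runner-role", "GetObject", "2021-11-01T10:00:00Z"),
    _assumed_role_event("ASIAEXAMPLE000000001", "AROAEXAMPLE000000001", "ci-runner",
                        "ci-runner-role", "PutObject", "2021-11-01T10:00:05Z"),
    # A different role's session that was issued the *same* key ID a day later.
    _assumed_role_event("ASIAEXAMPLE000000001", "AROAEXAMPLE000000002", "deploy",
                        "deploy-role", "CreateFunction20150331", "2021-11-02T09:00:00Z"),
    # A fresh ci-runner session with a different key ID.
    _assumed_role_event("ASIAEXAMPLE000000002", "AROAEXAMPLE000000001", "ci-runner",
                        "ci-runner-role", "ListBuckets", "2021-11-02T11:00:00Z"),
    # Long-term IAM user key (AKIA...), unique to the user and not recycled.
    {
        "eventTime": "2021-11-02T12:00:00Z",
        "eventName": "GetCallerIdentity",
        "userIdentity": {
            "type": "IAMUser",
            "accountId": ACCOUNT,
            "accessKeyId": "AKIAEXAMPLE000000001",
            "principalId": "AIDAEXAMPLE000000001",
            "arn": f"arn:aws:iam::{ACCOUNT}:user/alice",
        },
    },
]


def is_temporary_key(key_id):
    """STS-issued credentials have key IDs beginning with ASIA; IAM user keys begin with AKIA."""
    return key_id.startswith("ASIA")


def principals_by_key_id(events):
    """Naive attribution: access key ID -> the distinct principal ARNs seen using it."""
    seen = defaultdict(set)
    for ev in events:
        ui = ev["userIdentity"]
        seen[ui["accessKeyId"]].add(ui["arn"])
    return dict(seen)


def recycled_key_ids(events):
    """Key IDs that appear with more than one distinct principal: the collision case."""
    return {k for k, arns in principals_by_key_id(events).items() if len(arns) > 1}


def session_key(event):
    """Stable session identity: account, principalId (role ID + session name) and key ID.

    principalId separates reused key IDs; the key ID separates repeated sessions
    of the same role that used the same session name.
    """
    ui = event["userIdentity"]
    return (ui["accountId"], ui["principalId"], ui["accessKeyId"])


def group_by_session(events):
    """Event names grouped by the composite session key, in time order."""
    sessions = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        sessions[session_key(ev)].append(ev["eventName"])
    return dict(sessions)


if __name__ == "__main__":
    by_key = principals_by_key_id(SAMPLE_EVENTS)
    for key_id in sorted(recycled_key_ids(SAMPLE_EVENTS)):
        print(f"{key_id} was used by {len(by_key[key_id])} different principals: {sorted(by_key[key_id])}")
    for sk, names in group_by_session(SAMPLE_EVENTS).items():
        print(sk, names)
```

Run stand-alone, the script reports the one reused key ID and then prints four sessions, where a key-ID-only view would have shown three. In a real pipeline the same composite (accountId, principalId, accessKeyId) is the field set to pivot on rather than accessKeyId by itself.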
🔶 twistlock/splash
By Palo Alto Networks' Yuval Avrahami: a pseudo-shell that re-invokes the Lambda for each command. For curious fellows who want to hack on AWS Lambda's infrastructure.
https://github.com/twistlock/splash
#aws
🔴 Illicit coin mining, ransomware, APTs target cloud users in first Google Cybersecurity Action Team Threat Horizons report
The first threat report from the Google Cybersecurity Action Team finds cloud users are often targeted by illicit coin mining, ransomware, and APTs.
https://cloud.google.com/blog/products/identity-security/coin-mining-ransomware-apts-target-cloud-gcat-report
#gcp
🔷 Azure Privilege Escalation via Azure API Permissions Abuse
How particular API permissions granted to an Azure application can be abused to escalate to Global Admin.
https://posts.specterops.io/azure-privilege-escalation-via-azure-api-permissions-abuse-74aee1006f48
#azure
🔶 Data Perimeter Workshop
This workshop takes you through some of the best practices and available AWS services and features for creating a boundary around your resources in AWS.
https://data-perimeter.workshop.aws/
#aws
🔶 IAM roles for Kubernetes service accounts - deep dive
How IAM and Kubernetes work together so that your pods can call AWS services with no hassle and without long-lived credentials.
https://mjarosie.github.io/dev/2021/09/15/iam-roles-for-kubernetes-service-accounts-deep-dive.html
#aws
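As an added example, not code from the linked deep dive, the block below shows the two pieces that make IRSA work: the IAM role trust policy that binds the role to one namespace/service-account pair of one cluster's OIDC provider, and a model of the checks STS performs on the projected token during sts:AssumeRoleWithWebIdentity (issuer must be the federated provider, and the aud and sub claims must satisfy the Condition). It also shows the common mistake of a StringLike wildcard on sub, which lets every service account in the cluster assume the role. The account ID, cluster provider ID and names are placeholders.

```python
"""How IRSA binds a Kubernetes service account to an IAM role.

Added example, not code from the linked deep dive. It builds the role trust
policy for one namespace/service-account pair and evaluates projected token
claims against it the way sts:AssumeRoleWithWebIdentity does. Account ID,
OIDC provider ID and names are placeholders; tokens are modelled as their
claims only (signature verification is out of scope here).
"""
import fnmatch
import json

ACCOUNT_ID = "111122223333"  # placeholder
# Placeholder cluster issuer; the real one comes from the EKS cluster's OIDC provider URL.
PROVIDER_HOST = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"
STS_AUDIENCE = "sts.amazonaws.com"


def trust_policy(namespace, service_account, sub_operator="StringEquals"):
    """Trust policy for the role. With StringEquals only the named service account matches;
    StringLike with '*' (the over-broad pitfall) is also supported so it can be demonstrated."""
    condition = {"StringEquals": {f"{PROVIDER_HOST}:aud": STS_AUDIENCE}}
    condition.setdefault(sub_operator, {})[f"{PROVIDER_HOST}:sub"] = (
        f"system:serviceaccount:{namespace}:{service_account}"
    )
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{PROVIDER_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def service_account_manifest(namespace, name, role_name):
    """The Kubernetes side: the annotation the EKS pod identity webhook reads to inject
    AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into pods using this service account."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {"eks.amazonaws.com/role-arn": f"arn:aws:iam::{ACCOUNT_ID}:role/{role_name}"},
        },
    }


def projected_token_claims(namespace, service_account):
    """Claims of the projected service account token as EKS issues it (constructed)."""
    return {
        "iss": f"https://{PROVIDER_HOST}",
        "sub": f"system:serviceaccount:{namespace}:{service_account}",
        "aud": [STS_AUDIENCE],
    }


def _claim_values(claims, condition_key):
    """'<provider host>:sub' -> values of the 'sub' claim; aud may be a string or a list."""
    value = claims.get(condition_key.rsplit(":", 1)[1])
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_holds(operator, key, expected, claims):
    values = _claim_values(claims, key)
    if operator == "StringEquals":
        return expected in values
    if operator == "StringLike":
        return any(fnmatch.fnmatchcase(v, expected) for v in values)
    raise ValueError(f"operator not modelled here: {operator}")


def assume_role_allowed(policy, claims):
    """STS decision model: an Allow statement for AssumeRoleWithWebIdentity whose federated
    provider is the token issuer and whose every condition holds on the token's claims."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        provider = stmt["Principal"]["Federated"].split(":oidc-provider/", 1)[1]
        if claims.get("iss") != f"https://{provider}":
            continue  # token from another cluster/provider: never trusted
        conditions = stmt.get("Condition", {})
        if all(_condition_holds(op, key, expected, claims)
               for op, pairs in conditions.items() for key, expected in pairs.items()):
            return True
    return False


if __name__ == "__main__":
    policy = trust_policy("payments", "app-sa")
    print(json.dumps(policy, indent=2))
    print(json.dumps(service_account_manifest("payments", "app-sa", "payments-app-role"), indent=2))
    print("same SA:", assume_role_allowed(policy, projected_token_claims("payments", "app-sa")))
    print("other SA:", assume_role_allowed(policy, projected_token_claims("payments", "other-sa")))
```

The aud condition matters as much as sub: without it, any token the cluster issues for a different audience that still carries a matching sub would be accepted. Review trust policies for StringLike on sub with a `*` in the namespace or name position; that is the IRSA equivalent of a wildcard principal.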
🔶 AWS Policy as Code Workshop
This workshop explores how to codify a set of rules that make up a policy, use a DevSecOps workflow to quickly address policy issues, and redeploy a policy compliant workload.
https://catalog.us-east-1.prod.workshops.aws/v2/workshops/9da471a0-266a-4d36-8596-e5934aeedd1f/en-US/
#aws
🔶🔷🔴 Cloud service provider security mistakes
Cloud historian Scott Piper has created a GitHub repo to catalogue security mistakes by cloud service providers (AWS, GCP, and Azure); that is, public mistakes on the cloud providers’ side of the shared responsibility model. Includes CVEs, SOC 2 Type 2 failures, security researchers compromising managed services, and more.
https://github.com/SummitRoute/csp_security_mistakes
#aws #azure #gcp
Note: the repo has since been replaced by https://www.cloudvulndb.org
🔴 Over-Privileged Service Accounts Create Escalation of Privileges and Lateral Movement in Google Cloud
There are standard best practices for service accounts, but many GCP environments lag behind in implementing them. This research shows how an attacker can chain these lapses together to gain broader access to resources in a GCP environment.
https://www.netskope.com/blog/over-privileged-service-accounts-create-escalation-of-privileges-and-lateral-movement-in-google-cloud
#gcp
🔶 AWS SageMaker Jupyter Notebook Instance Takeover
Lightspin found that an attacker could run arbitrary code on a victim's SageMaker JupyterLab notebook instance from another account, which let the attacker reach the notebook instance's metadata endpoint and steal the temporary credentials of the attached IAM role.
https://blog.lightspin.io/aws-sagemaker-notebook-takeover-vulnerability
#aws
🔴 Using Google Cloud Service Account impersonation in your Terraform code
This blog details different ways to authenticate as a service account in Terraform code using short-lived credentials.
https://cloud.google.com/blog/topics/developers-practitioners/using-google-cloud-service-account-impersonation-your-terraform-code
#gcp
🔶 Snaring the Bad Folks
Blog post from Netflix's Cloud Infrastructure Security team (Alex Bainbridge, Mike Grima, Nick Siow) introducing Snare, their Detection, Enrichment, and Response platform for cloud security findings. Snare receives millions of records a minute and analyzes, alerts on, and responds to them.
https://netflixtechblog.com/snaring-the-bad-folks-66726a1f4c80
#aws
🔴 Best practices for using workload identity federation
This guide presents best practices for deciding when to use workload identity federation, and how to configure it in a way that helps you minimize risks.
https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation
#gcp
🔶🔷🔴 Cloud Security Remediation Guides
CloudSploit's remediation guides are intended to be an open-source resource for improving cloud security. Many cloud IaaS providers like AWS, Azure, and Google Cloud have a shared responsibility model. They provide the physical and architectural security, along with tools to properly secure the services they offer, but it is up to the user to configure those settings properly.
https://github.com/aquasecurity/cloud-security-remediation-guides
#aws #azure #gcp
🔶 Determining AWS IAM Policies According To Terraform And AWS CLI
The process of granting the least privileges required to execute "aws s3 ls" and "terraform apply" by a CI/CD runner.
https://www.iampulse.com/t/determining-aws-iam-policies-according-to-terraform-and-aws-cli
#aws
🔶 Running AWS PCI DSS with CloudQuery Policies
CloudQuery policies give you a way to automate, customize, codify, and run cloud security and compliance checks continuously with HCL and SQL. CloudQuery's Yevgeny Pats describes their new AWS PCI DSS policy, containing over 40 checks.
https://www.cloudquery.io/blog/running-aws-pci-dss-with-cloudquery-policies
#aws
🔶 Achieving Least Privilege with AWS IAM
Anthony Barbieri shares tips and tricks on the authorization side of IAM: client-side monitoring and CloudTrail, understanding which actions support resource-level restrictions, policy management, and leveraging condition keys.
https://dev.to/prince_of_pasta/achieving-least-privilege-with-aws-iam-10i
#aws
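The iampulse post above asks which least-privilege policy lets a CI runner execute "aws s3 ls" and "terraform apply", and Barbieri points at client-side monitoring and CloudTrail as the places to see which API calls a principal actually made. The block below is an added example, not code from either post, that connects the two: it turns constructed CloudTrail-style records from such a run into an allow-list policy, applying the S3 cases where CloudTrail's eventName is not the IAM action name ("aws s3 ls" calls ListBuckets, which needs s3:ListAllMyBuckets), dropping the call that needs no permission, and flagging the actions it could only grant on "*" so they can be checked for resource-level support. The bucket, table and account names are placeholders, and the event-to-action map covers only the cases listed.

```python
"""Deriving a least-privilege IAM policy from observed API calls.

Added example, not code from either linked post. Input is a list of
CloudTrail-style records (constructed sample data below); output is an IAM
policy that allows exactly the observed actions, scoped to the resource ARNs
the events carry where they carry one. The eventName -> IAM action map is
deliberately small and is not a complete mapping.
"""
import json
from collections import defaultdict

# CloudTrail's eventName is usually the IAM action name, but not always.
# These S3 cases are the ones an "aws s3 ls" or Terraform S3-backend run hits.
EVENT_TO_ACTION = {
    ("s3.amazonaws.com", "ListBuckets"): "s3:ListAllMyBuckets",  # what "aws s3 ls" calls
    ("s3.amazonaws.com", "ListObjects"): "s3:ListBucket",
    ("s3.amazonaws.com", "ListObjectsV2"): "s3:ListBucket",
    ("s3.amazonaws.com", "HeadBucket"): "s3:ListBucket",
}

# Calls that need no IAM permission and should not end up in the policy.
NO_PERMISSION_NEEDED = {"sts:GetCallerIdentity"}

TFSTATE = "arn:aws:s3:::example-tfstate/prod/terraform.tfstate"               # placeholder
LOCK_TABLE = "arn:aws:dynamodb:us-east-1:111122223333:table/example-tf-lock"  # placeholder

SAMPLE_EVENTS = [  # constructed records for one CI run
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "resources": []},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "resources": []},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "resources": [{"ARN": TFSTATE}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "resources": [{"ARN": TFSTATE}]},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem", "resources": [{"ARN": LOCK_TABLE}]},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "DeleteItem", "resources": [{"ARN": LOCK_TABLE}]},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "resources": []},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "resources": []},
]


def iam_action(event):
    """Map a record to its IAM action name."""
    src, name = event["eventSource"], event["eventName"]
    if (src, name) in EVENT_TO_ACTION:
        return EVENT_TO_ACTION[(src, name)]
    # The eventSource prefix is the IAM service prefix for most services but not
    # all (e.g. monitoring.amazonaws.com is "cloudwatch"), so review the output.
    return f"{src.split('.', 1)[0]}:{name}"


def policy_from_events(events):
    """Group observed actions by the resource ARNs they touched; calls whose record
    carries no resource ARN fall through to '*'."""
    grouped = defaultdict(set)
    for ev in events:
        action = iam_action(ev)
        if action in NO_PERMISSION_NEEDED:
            continue
        arns = tuple(sorted(r["ARN"] for r in ev.get("resources", []) if "ARN" in r)) or ("*",)
        grouped[arns].add(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(actions),
         "Resource": list(arns) if len(arns) > 1 else arns[0]}
        for arns, actions in sorted(grouped.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def unscoped_actions(policy):
    """Actions granted on '*': check each against the service authorization reference
    (does it accept a resource ARN? can a condition key such as aws:RequestedRegion or
    a tag key narrow it?) before shipping the policy."""
    return {a for s in policy["Statement"] if s["Resource"] == "*" for a in s["Action"]}


if __name__ == "__main__":
    policy = policy_from_events(SAMPLE_EVENTS)
    print(json.dumps(policy, indent=2))
    print("review these for resource-level scoping:", sorted(unscoped_actions(policy)))
```

In the sample, s3:ListAllMyBuckets and ec2:DescribeInstances genuinely only work on "*", while ec2:RunInstances does take resource ARNs and condition keys and is the one the reviewer should narrow by hand. Feeding the same function records from client-side monitoring works as long as you map its Service/Api fields into eventSource/eventName first.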
🔴 Investigating the usage of GCP Service Accounts
Three GCP services to help you to investigate Google Cloud Service Account usage and mitigate against unintended consequences during key rotation.
https://cloud.google.com/blog/products/identity-security/three-services-to-investigate-gcp-service-account-usage
#gcp