🔶🔷🔴 Cloud service provider security mistakes
Cloud historian Scott Piper has created a GitHub repo to catalogue security mistakes by cloud service providers (AWS, GCP, and Azure); that is, public mistakes on the cloud providers' side of the shared responsibility model. Includes CVEs, SOC 2 Type 2 failures, security researchers compromising managed services, and more. The repo has since been replaced by https://www.cloudvulndb.org.
https://github.com/SummitRoute/csp_security_mistakes
#aws #azure #gcp
🔴 Over-Privileged Service Accounts Create Escalation of Privileges and Lateral Movement in Google Cloud
There are standard best practices for service accounts, but many GCP environments lag behind in implementing them. This research, which analyzed Netskope customer data covering the security settings of over 1 million entities, shows how violations of these best practices let an attacker chain attack steps together to gain broader access to resources in a GCP environment.
https://www.netskope.com/blog/over-privileged-service-accounts-create-escalation-of-privileges-and-lateral-movement-in-google-cloud
#gcp
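A check a practitioner would want alongside the Netskope research: scan a project's IAM policy for service accounts holding the basic Owner/Editor roles, then pair them with every principal that holds a project-level impersonation role (serviceAccountUser, serviceAccountTokenCreator, serviceAccountKeyAdmin), since a project-level grant of those roles applies to every service account in the project. This is an added example, not Netskope's code; the policy document, project name and principals are constructed in the shape that `gcloud projects get-iam-policy PROJECT --format=json` returns.

```python
"""Flag over-privileged service accounts and impersonation-based escalation paths in
a GCP project IAM policy.

Added example, not code from the Netskope research. The policy below is constructed
in the shape returned by `gcloud projects get-iam-policy PROJECT --format=json`;
the project and principal names are invented.
"""
import json

# Basic (primitive) roles: far broader than any workload needs.
BROAD_ROLES = {"roles/owner", "roles/editor"}
# Roles that let a principal act as, or mint tokens/keys for, a service account.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountKeyAdmin",
}

# Constructed sample policy. The App Engine default SA appears with Editor because
# default service accounts have historically been granted Editor automatically.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:ci-runner@demo-proj.iam.gserviceaccount.com",
                 "serviceAccount:demo-proj@appspot.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:reports@demo-proj.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:intern@example.com"]},
    {"role": "roles/iam.serviceAccountUser",
     "members": ["group:developers@example.com"]}
  ]
}
""")


def _members(policy, roles):
    """Yield (member, role) for every binding whose role is in `roles`."""
    for binding in policy.get("bindings", []):
        if binding["role"] in roles:
            for member in binding.get("members", []):
                yield member, binding["role"]


def broad_service_accounts(policy):
    """Service accounts holding owner/editor on the project -> set of those roles."""
    found = {}
    for member, role in _members(policy, BROAD_ROLES):
        if member.startswith("serviceAccount:"):
            found.setdefault(member, set()).add(role)
    return found


def escalation_paths(policy):
    """Chains of the form: principal P holds an impersonation role at *project* level,
    so P can act as every SA in the project, including one that holds owner/editor.
    Returns (principal, impersonation_role, target_sa, target_roles) tuples."""
    targets = broad_service_accounts(policy)
    paths = []
    for principal, role in _members(policy, IMPERSONATION_ROLES):
        for sa, sa_roles in targets.items():
            if principal != sa:
                paths.append((principal, role, sa, sorted(sa_roles)))
    return paths


if __name__ == "__main__":
    for sa, roles in broad_service_accounts(SAMPLE_POLICY).items():
        print(f"BROAD  {sa}: {sorted(roles)}")
    for principal, role, sa, sa_roles in escalation_paths(SAMPLE_POLICY):
        print(f"PATH   {principal} --{role}--> {sa} ({', '.join(sa_roles)})")
```

Run the same check against folder and organization policies as well, because bindings inherit downwards and a folder-level serviceAccountUser grant reaches every project beneath it. The serviceAccountUser path still needs a way to run code as the target SA (deploying a VM or function with it attached), whereas serviceAccountTokenCreator yields a usable token directly.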
🔶 AWS SageMaker Jupyter Notebook Instance Takeover
An attacker can run any code on a victim's SageMaker JupyterLab Notebook Instance across accounts. This means that an attacker can access the Notebook Instance metadata endpoint and steal the access token for the attached role.
https://blog.lightspin.io/aws-sagemaker-notebook-takeover-vulnerability
#aws
🔴 Using Google Cloud Service Account impersonation in your Terraform code
This blog details different ways to authenticate as a service account in Terraform code using short-lived credentials.
https://cloud.google.com/blog/topics/developers-practitioners/using-google-cloud-service-account-impersonation-your-terraform-code
#gcp
🔶 Snaring the Bad Folks
Blog post introducing Snare, Netflix's Detection, Enrichment, and Response platform for handling cloud security related findings, built by Netflix's Cloud Infrastructure Security team (Alex Bainbridge, Mike Grima, Nick Siow). Snare receives millions of records a minute and analyzes, alerts on, and responds to them.
https://netflixtechblog.com/snaring-the-bad-folks-66726a1f4c80
#aws
🔴 Best practices for using workload identity federation
This guide presents best practices for deciding when to use workload identity federation, and how to configure it in a way that helps you minimize risks.
https://cloud.google.com/iam/docs/best-practices-for-using-workload-identity-federation
#gcp
🔶🔷🔴 Cloud Security Remediation Guides
CloudSploit's remediation guides are intended to be an open-source resource for improving cloud security. Many cloud IaaS providers like AWS, Azure, and Google Cloud have a shared responsibility model. They provide the physical and architectural security, along with tools to properly secure the services they offer, but it is up to the user to configure those settings properly.
https://github.com/aquasecurity/cloud-security-remediation-guides
#aws #azure #gcp
🔶 Determining AWS IAM Policies According To Terraform And AWS CLI
The process of granting the least privileges required to execute "aws s3 ls" and "terraform apply" by a CI/CD runner.
https://www.iampulse.com/t/determining-aws-iam-policies-according-to-terraform-and-aws-cli
#aws
🔶 Running AWS PCI DSS with CloudQuery Policies
CloudQuery policies give you a way to automate, customize, codify, and continuously run your cloud security and compliance checks with HCL and SQL. CloudQuery's Yevgeny Pats describes their new AWS PCI DSS policy, containing over 40 checks.
https://www.cloudquery.io/blog/running-aws-pci-dss-with-cloudquery-policies
#aws
🔶 Achieving Least Privilege with AWS IAM
Anthony Barbieri shares tips and tricks on the authorization side of IAM. Topics: client-side monitoring and CloudTrail for discovering the calls a workload actually makes, understanding which actions support resource-level restrictions, policy management, and leveraging conditions.
https://dev.to/prince_of_pasta/achieving-least-privilege-with-aws-iam-10i
#aws
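The IAM Pulse post above (least privilege for `aws s3 ls` and `terraform apply` on a CI runner) and Barbieri's post (CloudTrail/client-side monitoring, resource-level restrictions) describe the same procedure: record the API calls a workload makes, then turn them into a policy. Here is that procedure carried through as an added example; it is not code from either post. The CloudTrail records are constructed and trimmed to the fields used, the account ID and region are invented, and the eventName-to-action overrides cover only the calls in the sample.

```python
"""Derive a least-privilege IAM policy for a CI runner from the CloudTrail records it
actually generated.

Added example, not code from the IAM Pulse or dev.to posts. Records are constructed
and trimmed to eventSource, eventName and requestParameters; ACCOUNT and REGION are
invented values that a real run would take from the records themselves.
"""
import json
from collections import defaultdict

ACCOUNT, REGION = "111122223333", "eu-west-1"

# Constructed events: `aws s3 ls`, `aws s3 ls s3://tf-state-demo`, then a
# `terraform apply` using the S3 backend with DynamoDB state locking.
RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "requestParameters": {}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjectsV2",
     "requestParameters": {"bucketName": "tf-state-demo"}},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem",
     "requestParameters": {"tableName": "tf-locks"}},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem",
     "requestParameters": {"tableName": "tf-locks"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "requestParameters": {"bucketName": "tf-state-demo", "key": "prod/terraform.tfstate"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "requestParameters": {}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "requestParameters": {"bucketName": "tf-state-demo", "key": "prod/terraform.tfstate"}},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "DeleteItem",
     "requestParameters": {"tableName": "tf-locks"}},
]

# eventName usually equals the IAM action name, but not always. `aws s3 ls` with no
# argument is logged as ListBuckets yet needs s3:ListAllMyBuckets; listing a bucket is
# logged as ListObjects/ListObjectsV2 but is authorized by s3:ListBucket.
ACTION_OVERRIDES = {
    ("s3", "ListBuckets"): "ListAllMyBuckets",
    ("s3", "ListObjects"): "ListBucket",
    ("s3", "ListObjectsV2"): "ListBucket",
}


def iam_action(record):
    service = record["eventSource"].split(".")[0]
    name = ACTION_OVERRIDES.get((service, record["eventName"]), record["eventName"])
    return f"{service}:{name}"


def resource_arn(record):
    """Narrowest ARN derivable from the request; '*' for actions that do not support
    resource-level restrictions (s3:ListAllMyBuckets, ec2:Describe*)."""
    service = record["eventSource"].split(".")[0]
    params = record.get("requestParameters") or {}
    if service == "s3" and "bucketName" in params:
        bucket_arn = f"arn:aws:s3:::{params['bucketName']}"
        # Object actions are scoped to bucket/key; s3:ListBucket is scoped to the
        # bucket ARN itself, not bucket/*.
        return f"{bucket_arn}/{params['key']}" if "key" in params else bucket_arn
    if service == "dynamodb" and "tableName" in params:
        return f"arn:aws:dynamodb:{REGION}:{ACCOUNT}:table/{params['tableName']}"
    return "*"


def build_policy(records):
    """Group observed actions by the resource they touched into one Allow statement each."""
    by_resource = defaultdict(set)
    for record in records:
        by_resource[resource_arn(record)].add(iam_action(record))
    statements = [{"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
                  for resource, actions in sorted(by_resource.items())]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(build_policy(RECORDS), indent=2))
```

Two caveats. S3 object-level calls (GetObject, PutObject, ListObjectsV2) and DynamoDB item-level calls are CloudTrail data events and are not recorded unless data event logging is enabled for the bucket and table; without it, only ListBuckets and DescribeInstances would appear and the generated policy would be too narrow to run Terraform. That gap is why the client-side monitoring approach in Barbieri's post is useful: it records every call the CLI makes locally. And the generated policy only covers what was exercised in the recorded run, so record a representative one (including a destroy, if the runner is expected to do that).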
🔴 Investigating the usage of GCP Service Accounts
Three GCP services to help you to investigate Google Cloud Service Account usage and mitigate against unintended consequences during key rotation.
https://cloud.google.com/blog/products/identity-security/three-services-to-investigate-gcp-service-account-usage
#gcp
🔶 Modernize your Penetration Testing Architecture on AWS Fargate
How you can use modern cloud technologies to build a scalable penetration testing platform, with no infrastructure to manage.
https://aws.amazon.com/ru/blogs/architecture/modernize-your-penetration-testing-architecture-on-aws-fargate/
#aws
🔴 Continuous Compliance Engineering GCP case studies
Three real GCP controls framework technical examples for regulated FSI Google Cloud customers to help maintain security and compliance postures.
https://cloud.google.com/blog/products/compliance/continuous-compliance-engineering-gcp-case-studies
#gcp
🔶 Using AWS security services to protect against, detect, and respond to the Log4j vulnerability
Post providing guidance for customers responding to the Log4j vulnerability (Log4Shell, CVE-2021-44228): how to protect against, detect, and respond to it with AWS security services. The post was updated on April 21, 2022 with information on the updated version of AWS's hotpatch.
https://aws.amazon.com/ru/blogs/security/using-aws-security-services-to-protect-against-detect-and-respond-to-the-log4j-vulnerability/
#aws
🔶 Using CloudTrail to identify unexpected behaviors in individual workloads
A practical approach that you can use to detect anomalous behaviors within AWS workloads by using behavioral analysis techniques that can be used to augment existing threat detection solutions.
https://aws.amazon.com/ru/blogs/security/using-cloudtrail-to-identify-unexpected-behaviors-in-individual-workloads/
#aws
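The behavioral approach the AWS post describes, reduced to its core as an added example (not the post's code): profile each workload's IAM role over a baseline window of CloudTrail records, then flag later calls that use an API or a source address the role has never used. The records are constructed and trimmed to userIdentity, eventSource, eventName and sourceIPAddress; the role names and addresses are invented.

```python
"""Per-workload behavioral baseline from CloudTrail, then flag calls that deviate from it.

Added example in the spirit of the AWS post; it is not the post's code. Records are
constructed and trimmed to the fields used: userIdentity, eventSource, eventName and
sourceIPAddress. Role ARNs and IP addresses are invented.
"""
from collections import defaultdict

WORKER = "arn:aws:iam::111122223333:role/app-worker"


def rec(role_arn, source, name, ip):
    """Build a minimal CloudTrail record for an assumed-role session."""
    return {
        "userIdentity": {"type": "AssumedRole",
                         "sessionContext": {"sessionIssuer": {"arn": role_arn}}},
        "eventSource": source, "eventName": name, "sourceIPAddress": ip,
    }


# Baseline window: what app-worker normally does, from inside its VPC.
BASELINE_RECORDS = [
    rec(WORKER, "s3.amazonaws.com", "GetObject", "10.0.1.20"),
    rec(WORKER, "sqs.amazonaws.com", "ReceiveMessage", "10.0.1.20"),
    rec(WORKER, "sqs.amazonaws.com", "DeleteMessage", "10.0.1.21"),
]

# Later window: one normal call, one API the role never used, one call from outside
# the VPC (the signature of a stolen role credential), and a role never profiled.
NEW_RECORDS = [
    rec(WORKER, "s3.amazonaws.com", "GetObject", "10.0.1.20"),
    rec(WORKER, "iam.amazonaws.com", "ListUsers", "10.0.1.20"),
    rec(WORKER, "s3.amazonaws.com", "GetObject", "203.0.113.7"),
    rec("arn:aws:iam::111122223333:role/unknown-role", "s3.amazonaws.com", "GetObject", "10.0.1.20"),
]


def principal_of(record):
    """Collapse every session of a role to the role ARN: one workload, one profile."""
    ident = record["userIdentity"]
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident.get("arn", "unknown")


def build_baseline(records):
    """Per principal: the API calls and the source addresses observed in the window."""
    baseline = defaultdict(lambda: {"actions": set(), "sources": set()})
    for record in records:
        profile = baseline[principal_of(record)]
        profile["actions"].add(f'{record["eventSource"]}:{record["eventName"]}')
        profile["sources"].add(record["sourceIPAddress"])
    return baseline


def find_anomalies(baseline, records):
    """Return (principal, reason) for each deviation; one record can trigger several."""
    findings = []
    for record in records:
        principal = principal_of(record)
        action = f'{record["eventSource"]}:{record["eventName"]}'
        profile = baseline.get(principal)  # .get() does not create a default entry
        if profile is None:
            findings.append((principal, "no baseline for principal"))
            continue
        if action not in profile["actions"]:
            findings.append((principal, f"new action {action}"))
        if record["sourceIPAddress"] not in profile["sources"]:
            findings.append((principal, f"new source {record['sourceIPAddress']}"))
    return findings


if __name__ == "__main__":
    for principal, reason in find_anomalies(build_baseline(BASELINE_RECORDS), NEW_RECORDS):
        print(f"{reason:45s} {principal}")
```

The baseline window has to be long enough to cover periodic jobs, or their first run after deployment shows up as a false positive. For calls that an AWS service makes on the workload's behalf, sourceIPAddress carries the service's DNS name rather than an IP, so the source set should expect those as well. The "new source" finding is the one that matters most for stolen credentials: the SageMaker and Azure managed identity posts in this digest both end in a token being used from somewhere the workload never was.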
🙂 Dear friends,
Happy New Year 2022! 🎅
We wish you personal and career success. Stay with us. Next year we will continue to delight you with only high-quality content!
#HappyNewYear
🔷 NotLegit: Azure App Service vulnerability exposed hundreds of source code repositories
Another vulnerability discovered by the Wiz Research Team, where the Azure App Service exposed hundreds of source code repositories.
https://blog.wiz.io/azure-app-service-source-code-leak/
#azure
🔴 Cloud-Native Ransomware Protection in GCP
The five pillars of the NIST CSF help create a layered security approach to the fight against ransomware.
https://scalesec.com/blog/cloud-native-ransomware-protection-gcp/
#gcp
🔶 Get Email Notification On AWS IAM User Creation
Example CloudWatch Events (now EventBridge) rule and Lambda function to send an email via SES whenever an IAM user is created.
https://www.iampulse.com/t/get-email-notification-on-aws-iam-user-creation
#aws
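The rule-plus-Lambda pattern from the IAM Pulse post, as an added example rather than the post's own code. It goes slightly further than the post by also watching CreateAccessKey and CreateLoginProfile, which are the usual next steps after a persistence user is created. The sender and recipient addresses, the account ID and the sample event are constructed; the SES call is isolated in one function so the handler can be exercised without AWS credentials.

```python
"""EventBridge rule pattern plus Lambda handler that emails (via SES) when an IAM user
is created.

Added example, not the IAM Pulse post's code. It also watches CreateAccessKey and
CreateLoginProfile. Sender/recipient addresses, the account ID and the sample event
are constructed.
"""
import json

SENDER = "iam-alerts@example.com"      # assumption: a verified SES identity
RECIPIENT = "secops@example.com"
WATCHED = ("CreateUser", "CreateAccessKey", "CreateLoginProfile")

# EventBridge rule event pattern. IAM is a global service whose CloudTrail events are
# delivered in us-east-1, so the rule (and a trail) must exist in that region.
EVENT_PATTERN = {
    "source": ["aws.iam"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["iam.amazonaws.com"], "eventName": list(WATCHED)},
}

# Constructed sample event in the shape EventBridge hands to Lambda.
SAMPLE_EVENT = {
    "source": "aws.iam",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventTime": "2022-01-03T09:12:44Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser",
        "sourceIPAddress": "198.51.100.4",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"},
        "requestParameters": {"userName": "backup-svc"},
        "responseElements": {"user": {"arn": "arn:aws:iam::111122223333:user/backup-svc"}},
    },
}


def build_message(event):
    """Turn the CloudTrail detail into subject/body; None if the event is not watched."""
    detail = event.get("detail", {})
    if detail.get("eventName") not in WATCHED:
        return None
    user = (detail.get("requestParameters") or {}).get("userName", "<unknown>")
    actor = detail.get("userIdentity", {}).get("arn", "<unknown>")
    subject = f"[IAM alert] {detail['eventName']} {user} by {actor}"
    body = "\n".join([
        f"Event:     {detail['eventName']}",
        f"Target:    {user}",
        f"Actor:     {actor}",
        f"Source IP: {detail.get('sourceIPAddress', '<unknown>')}",
        f"Time:      {detail.get('eventTime', '<unknown>')}",
        "",
        json.dumps(detail, indent=2, sort_keys=True),  # full record for triage
    ])
    return {"subject": subject, "body": body}


def send_via_ses(message):
    """Real delivery path; boto3 is imported lazily so the module loads without it."""
    import boto3
    boto3.client("ses").send_email(
        Source=SENDER,
        Destination={"ToAddresses": [RECIPIENT]},
        Message={"Subject": {"Data": message["subject"]},
                 "Body": {"Text": {"Data": message["body"]}}},
    )


def lambda_handler(event, context, send=send_via_ses):
    """Lambda entry point; `send` is injectable so the handler can be tested offline."""
    message = build_message(event)
    if message is None:
        return {"sent": False, "reason": "event not watched"}
    send(message)
    return {"sent": True, "subject": message["subject"]}
```

The Lambda's execution role needs only ses:SendEmail (and the usual CloudWatch Logs permissions), and SES in sandbox mode will only deliver to verified recipients. Because the pattern already filters on eventName, the handler's own WATCHED check is a second line of defence for the case where someone later loosens the rule.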
🔷 Azure AD & IAM (Part II) - Leveraging Managed Identities For Privilege Escalation
How to escalate privileges in Azure from low-privileged users to managed-identities.
https://orca.security/resources/blog/azure-ad-iam-part-ii-leveraging-managed-identities-for-privilege-escalation/
#azure
🔴 Impersonate the Cloud: Running your app locally as if you were on Google Cloud
Some ways to securely run an app locally with the exact same context as on Google Cloud.
https://www.iampulse.com/t/impersonate-the-cloud-running-your-app-locally-as-if-you-were-on-google-cloud
#gcp