🔴 Auditing GKE operations? Configure Data Access audit logs
GKE Admin Activity audit logs, which are always on, only record operations that modify resources; reads such as "get" on Secret objects fall under Data Access audit logs, which are off by default. So if you store a service account password in your cluster as a Kubernetes Secret, an attacker can run "kubectl get secret service_account_password -o yaml", retrieve the entire secret, and not leave a single line in the audit logs. By Feroz Salam (Padlock).
https://padlock.argh.in/2022/02/10/gke-audit.html
#gcp
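The check a practitioner would want after reading this: does the project IAM policy actually enable DATA_READ and DATA_WRITE audit logs for the Kubernetes services, and what does the corrected policy look like. The script below is an added example (not code from the linked post); it works on the JSON that "gcloud projects get-iam-policy PROJECT --format=json" returns, with a constructed sample policy embedded. The service names k8s.io (Kubernetes API server) and container.googleapis.com (GKE control-plane API) are taken from the GCP audit-logging documentation; per-member "exemptedMembers" are preserved but not evaluated.

```python
"""Check a GCP project IAM policy for the Data Access audit log config that
captures Kubernetes API reads (e.g. `kubectl get secret`) and emit a corrected
policy. Added example, not from the linked post. Service names follow the GCP
audit logging docs: `k8s.io` (Kubernetes API server) and
`container.googleapis.com` (GKE control-plane API)."""
import copy
import json

# Services whose DATA_READ / DATA_WRITE logs must be on to see Secret reads.
GKE_SERVICES = ("k8s.io", "container.googleapis.com")
REQUIRED_LOG_TYPES = ("DATA_READ", "DATA_WRITE")

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT --format=json`
# on a project where nobody has touched audit configs yet (there are none at all).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/container.admin",
         "members": ["user:alice@example.com"]},
    ],
    "etag": "BwXYZ123",
    "version": 1,
}


def enabled_log_types(policy, service):
    """Set of audit log types enabled for `service`. A project-wide
    `allServices` entry counts; `exemptedMembers` are not evaluated."""
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in (service, "allServices"):
            for lc in cfg.get("auditLogConfigs", []):
                enabled.add(lc.get("logType"))
    return enabled


def missing_data_access(policy, services=GKE_SERVICES):
    """Map each service to the Data Access log types it still lacks."""
    gaps = {}
    for svc in services:
        missing = [t for t in REQUIRED_LOG_TYPES
                   if t not in enabled_log_types(policy, svc)]
        if missing:
            gaps[svc] = missing
    return gaps


def ensure_data_access(policy, services=GKE_SERVICES):
    """Return a copy of `policy` with DATA_READ/DATA_WRITE enabled for each
    service. Existing entries (including exemptedMembers) are kept; only the
    missing logTypes are appended."""
    fixed = copy.deepcopy(policy)
    configs = fixed.setdefault("auditConfigs", [])
    for svc in services:
        missing = [t for t in REQUIRED_LOG_TYPES
                   if t not in enabled_log_types(fixed, svc)]
        if not missing:
            continue
        entry = next((c for c in configs if c.get("service") == svc), None)
        if entry is None:
            entry = {"service": svc, "auditLogConfigs": []}
            configs.append(entry)
        for t in missing:
            entry["auditLogConfigs"].append({"logType": t})
    return fixed


if __name__ == "__main__":
    print("gaps:", missing_data_access(SAMPLE_POLICY))
    # The corrected policy can be applied with
    # `gcloud projects set-iam-policy PROJECT policy.json` (mind the etag).
    print(json.dumps(ensure_data_access(SAMPLE_POLICY)["auditConfigs"], indent=2))
```

Data Access logs for k8s.io are high volume on a busy cluster; the usual compromise is to enable DATA_READ and DATA_WRITE and then use a log sink with an exclusion filter for noisy, low-value resources rather than leaving reads of Secrets unlogged.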
🔶 Elastic and AWS Serverless Application Repository (SAR)
How to use the Elastic serverless forwarder, published in the AWS Serverless Application Repository (SAR), to simplify log ingestion from S3.
https://www.elastic.co/blog/elastic-and-aws-serverless-application-repository-speed-time-to-actionable-insights-with-frictionless-log-ingestion-from-amazon-s3
#aws
🔶 Terraform AWS Provider 4.0 Refactors S3 Bucket Resource
Version 4.0 of the HashiCorp Terraform AWS provider brings usability improvements to data sources and attribute validations, along with a refactored S3 bucket resource. The list of breaking changes for this release is quite long, so review it before upgrading.
https://www.hashicorp.com/blog/terraform-aws-provider-4-0-refactors-s3-bucket-resource
#aws
🔷 10 ways of gaining control over Azure function Apps
Some techniques for taking over Azure Function Apps, by Bill Ben Haim and Zur Ulianitzky (XM Cyber, December 20, 2021).
https://medium.com/xm-cyber/10-ways-of-gaining-control-over-azure-function-apps-7e7b84367ce6
#azure
🔶 imdsv2_wall_of_shame
A list, maintained by Scott Piper, of vendors whose agents and appliances do not work when IMDSv2 is enforced on EC2 (HttpTokens set to "required"), and which therefore stop their customers from turning off IMDSv1.
https://github.com/SummitRoute/imdsv2_wall_of_shame
#aws
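Before enforcing IMDSv2 fleet-wide, the practical first step is to find which running instances still answer IMDSv1 and which of those host a vendor agent from the list above. The script below is an added example (not from the repository); it reads the JSON that "aws ec2 describe-instances --output json" returns, with a constructed sample response embedded, and prints the AWS CLI command that enforces IMDSv2 on each offender. The "Name" tag values and instance IDs are made up.

```python
"""Audit EC2 instances for IMDSv2 enforcement from a DescribeInstances response.
Added example with constructed sample data; needs no AWS access. Feed it the
output of `aws ec2 describe-instances --output json`."""

# Constructed sample shaped like the DescribeInstances response (only the keys used here).
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
             "Tags": [{"Key": "Name", "Value": "web-1"}],
             "MetadataOptions": {"HttpTokens": "required", "HttpEndpoint": "enabled",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
             "Tags": [{"Key": "Name", "Value": "legacy-agent"}],
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "enabled",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0ccc333", "State": {"Name": "stopped"},
             "Tags": [],
             "MetadataOptions": {"HttpTokens": "optional", "HttpEndpoint": "disabled",
                                 "HttpPutResponseHopLimit": 1}},
        ]}
    ]
}


def instance_name(inst):
    """Value of the Name tag, or '' when the instance has none."""
    return next((t["Value"] for t in inst.get("Tags", []) if t.get("Key") == "Name"), "")


def classify(inst):
    """Return 'enforced', 'endpoint-disabled' or 'v1-allowed' for one instance."""
    mo = inst.get("MetadataOptions", {})
    if mo.get("HttpEndpoint") == "disabled":
        return "endpoint-disabled"   # no IMDS at all: nothing to steal via 169.254.169.254
    if mo.get("HttpTokens") == "required":
        return "enforced"            # every request needs a PUT-obtained session token
    return "v1-allowed"              # IMDSv1 still answers unauthenticated GETs (SSRF bait)


def find_v1_instances(response, running_only=True):
    """List instances that still accept IMDSv1, with the data needed to triage them."""
    findings = []
    for res in response.get("Reservations", []):
        for inst in res.get("Instances", []):
            if running_only and inst.get("State", {}).get("Name") != "running":
                continue
            if classify(inst) == "v1-allowed":
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "Name": instance_name(inst),
                    "HopLimit": inst["MetadataOptions"].get("HttpPutResponseHopLimit"),
                })
    return findings


def enforce_command(instance_id, region="us-east-1"):
    """AWS CLI command that makes one instance IMDSv2-only. Hop limit 1 means the
    token response does not survive the extra hop of a bridged container."""
    return (f"aws ec2 modify-instance-metadata-options --region {region} "
            f"--instance-id {instance_id} --http-tokens required "
            f"--http-put-response-hop-limit 1")


if __name__ == "__main__":
    for f in find_v1_instances(SAMPLE_RESPONSE):
        print(f, "->", enforce_command(f["InstanceId"]))
```

Cross-reference the Name tag (or the installed packages) of each "v1-allowed" instance against the wall of shame before running the enforce command: if an unsupported vendor agent is present, enforcement breaks it, and the remaining mitigation is a hop limit of 1 plus network controls on the metadata endpoint.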
🔷 Secure Azure Cosmos DB access by using Azure Managed Identities
How to use Azure RBAC to connect to Cosmos DB and increase the security of your application by using Azure Managed Identities.
https://itnext.io/secure-azure-cosmos-db-access-by-using-azure-managed-identities-55f9fdf48fda?gi=eec46e048be1
#azure
🔶 AdminTurnedDevOps/DevOps-The-Hard-Way-AWS
Free labs, documentation, and diagrams for setting up an environment that uses DevOps technologies and practices to deploy apps and cloud infrastructure to AWS, by Mike Levan.
https://github.com/AdminTurnedDevOps/DevOps-The-Hard-Way-AWS
#aws
🔶 Top 2021 AWS Security service launches security professionals should review - Part 1
An overview of some of the most important 2021 AWS Security launches that security professionals should be aware of.
https://aws.amazon.com/ru/blogs/security/top-2021-aws-security-service-launches-part-1
#aws
🔷🔴 Google Cloud: configuring workload identity federation with Azure
How to configure workload identity federation with Azure (Azure AD acts as an OIDC-compliant IdP) so workloads running on an Azure VM can impersonate a Google Cloud service account and operate on Google Cloud resources without a downloaded service account key.
https://medium.com/google-cloud/configuring-workload-identity-federation-with-azure-672a1e1f3eec
#azure #gcp
🔶 Are AWS account IDs sensitive information?
One of the often-debated questions in AWS is whether account IDs are sensitive information; the question has been oddly difficult to answer definitively.
https://www.lastweekinaws.com/blog/are-aws-account-ids-sensitive-information/
#aws
🔶🔷🔴 Cloud 9: Top Cloud Penetration Testing Tools
Nine cloud pen testing tools used by pentesters in 2022, and additional resources for enhancing your cloud pentesting skills.
https://bishopfox.com/blog/cloud-pen-testing-tools
#aws #azure #gcp
🔷 Observability from cloud to edge in Azure
Some use cases for Azure Monitor.
https://azure.microsoft.com/en-gb/blog/observability-from-cloud-to-edge-in-azure
#azure
🔶 Let’s Architect! Architecting for Security
A post collecting security content to help you protect data, manage access, protect networks and applications, detect and monitor threats, and ensure privacy and compliance.
https://aws.amazon.com/ru/blogs/architecture/lets-architect-architecting-for-security
#aws
🔶 Granted.dev
A CLI tool by Common Fate that simplifies access to cloud roles and allows multiple cloud accounts to be opened in your web browser simultaneously. It’s designed for AWS SSO and encrypts cached credentials to avoid plaintext SSO tokens being saved on disk.
https://granted.dev/
#aws
🔴 GCP launches deny policies
IAM deny policies let you set guardrails on access to Google Cloud resources. With deny policies, you can define deny rules that prevent certain principals from using certain permissions, regardless of the roles they're granted.
https://cloud.google.com/iam/docs/deny-overview
#gcp
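The key property of deny policies is evaluation order: a matching deny rule wins before any allow binding is consulted, and an exception principal is merely excluded from the deny, not granted anything. The evaluator below is an added example (a simplified simulation, not Google's implementation) that makes that order explicit. The policy shapes follow the deny-policy documentation (deniedPrincipals, exceptionPrincipals, deniedPermissions with "service.googleapis.com/resource.verb" permission names); the allow bindings, role-to-permission table, group membership and the principal identifiers are constructed, and denialCondition and the resource hierarchy are ignored.

```python
"""Simulate how an IAM deny policy short-circuits allow bindings: deny rules are
evaluated first and a match wins regardless of the roles the principal holds.
Added example (simplified evaluator, not Google's). Policy shapes follow the
deny-policy docs; conditions and resource hierarchy are ignored."""

# Constructed allow policy: Alice is project owner, Bob is an editor.
ALLOW_BINDINGS = [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/editor", "members": ["user:bob@example.com"]},
]
# Minimal constructed role -> permission table (real roles contain thousands).
ROLE_PERMISSIONS = {
    "roles/owner": {"cloudresourcemanager.googleapis.com/projects.delete",
                    "storage.googleapis.com/buckets.delete",
                    "storage.googleapis.com/objects.get"},
    "roles/editor": {"storage.googleapis.com/buckets.delete",
                     "storage.googleapis.com/objects.get"},
}
# Constructed deny policy: nobody except the break-glass group may delete the
# project or any bucket, owners included.
DENY_POLICY = {
    "displayName": "guardrail-no-destructive-ops",
    "rules": [{"denyRule": {
        "deniedPrincipals": ["principalSet://goog/public:all"],
        "exceptionPrincipals": ["principalSet://goog/group/breakglass@example.com"],
        "deniedPermissions": ["cloudresourcemanager.googleapis.com/projects.delete",
                              "storage.googleapis.com/buckets.delete"],
    }}],
}
# Constructed directory: who is in which group.
GROUPS = {"breakglass@example.com": {"user:carol@example.com"}}


def principal_matches(pattern, member):
    """Match a deny-policy principal identifier against an allow-policy member."""
    if pattern == "principalSet://goog/public:all":
        return True
    if pattern.startswith("principal://goog/subject/"):
        return member == "user:" + pattern.rsplit("/", 1)[1]
    if pattern.startswith("principalSet://goog/group/"):
        return member in GROUPS.get(pattern.rsplit("/", 1)[1], set())
    return False


def is_denied(deny_policy, member, permission):
    """True if any deny rule names the permission, matches the principal and
    does not list the principal as an exception."""
    for rule in deny_policy["rules"]:
        dr = rule["denyRule"]
        if permission not in dr.get("deniedPermissions", []):
            continue
        if not any(principal_matches(p, member) for p in dr.get("deniedPrincipals", [])):
            continue
        if any(principal_matches(p, member) for p in dr.get("exceptionPrincipals", [])):
            continue
        return True
    return False


def is_allowed(bindings, member, permission):
    """True if some binding grants the member a role containing the permission."""
    return any(member in b["members"]
               and permission in ROLE_PERMISSIONS.get(b["role"], set())
               for b in bindings)


def check(member, permission, deny_policy=DENY_POLICY, bindings=ALLOW_BINDINGS):
    """Deny first, then allow: returns 'denied', 'allowed' or 'no-grant'."""
    if is_denied(deny_policy, member, permission):
        return "denied"
    return "allowed" if is_allowed(bindings, member, permission) else "no-grant"


if __name__ == "__main__":
    for who, perm in [("user:alice@example.com", "cloudresourcemanager.googleapis.com/projects.delete"),
                      ("user:carol@example.com", "storage.googleapis.com/buckets.delete")]:
        print(who, perm, "->", check(who, perm))
```

Note the Carol case: being an exception principal removes the deny but does not add an allow, so without a role binding the outcome is still "no-grant". That is why deny policies work as guardrails rather than as a second grant mechanism.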
🔶 awslabs/aws-cloudsaga
Tool to test security controls and alerts within your AWS environment, using generated alerts based on security events seen by the AWS Customer Incident Response Team (CIRT).
https://github.com/awslabs/aws-cloudsaga
#aws
🔷 Stay on top of database threats with Microsoft Defender for Azure Cosmos DB
Microsoft announced Microsoft Defender for Azure Cosmos DB, a new addition to its database protection offering, in preview.
https://azure.microsoft.com/en-gb/blog/stay-on-top-of-database-threats-with-microsoft-defender-for-azure-cosmos-db
#azure
🔶 AWS Security Reference Architecture
A 60-page PDF by AWS Professional Services containing a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment, plus a GitHub repo with example solutions.
https://github.com/aws-samples/aws-security-reference-architecture-examples
#aws
🔶 A comprehensive threat model for Amazon S3
https://controlcatalog.trustoncloud.com/dashboard/aws/s3
#aws
🔶🔷🔴 CVE-2022-0847 (aka Dirty Pipe): What does it mean for defenders
A quick summary and actionable advice for defenders of cloud environments and those teams who are asked to determine the impact of CVE-2022-0847 on their company's infrastructure.
https://www.marcolancini.it/2022/blog-cve-2022-0847-dirty-pipe
#aws #azure #gcp
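The first thing a cloud defender has to do for this CVE is turn a fleet inventory of kernel version strings into a triage list. The script below is an added example (not from the linked post). It encodes the upstream facts of CVE-2022-0847 (introduced in 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102) and adds the caveat that matters in cloud images: distribution and cloud-provider kernels (Ubuntu "-aws", Amazon Linux "amzn2", COS) backport fixes without bumping the upstream version, so those get a "check-advisory" verdict rather than "vulnerable". The inventory lines and hostnames are constructed.

```python
"""Triage kernel version strings from a fleet inventory for CVE-2022-0847 (Dirty Pipe).
Added example, not from the linked post. Upstream facts: introduced in 5.8, fixed in
5.16.11, 5.15.25 and 5.10.102. Distro kernels backport fixes without changing the
upstream version, so 'vulnerable' here means 'upstream version in the affected range',
not 'confirmed exploitable'."""
import re

# Stable series -> first patch level that carries the fix.
FIXED_IN = {(5, 16): 11, (5, 15): 25, (5, 10): 102}
INTRODUCED = (5, 8)


def parse_kernel_version(uname_r):
    """(major, minor, patch) from strings like '5.15.0-1022-aws' or
    '5.10.102-99.473.amzn2.x86_64'; a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", uname_r)
    if not m:
        raise ValueError(f"unrecognised kernel version: {uname_r!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def upstream_vulnerable(uname_r):
    """Is the *upstream* version in the affected range?"""
    major, minor, patch = parse_kernel_version(uname_r)
    if (major, minor) < INTRODUCED:
        return False          # bug was introduced in 5.8
    if major > 5 or (major == 5 and minor > 16):
        return False          # 5.17 and later shipped with the fix
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return True           # e.g. 5.8, 5.9, 5.11-5.14: EOL series, never patched upstream
    return patch < fixed_patch


# Constructed inventory lines: "<hostname> <uname -r> <image source>"
SAMPLE_INVENTORY = """\
web-1      5.15.0-1022-aws              ubuntu-22.04
web-2      5.10.102-99.473.amzn2.x86_64 amazon-linux-2
worker-3   5.4.0-100-generic            ubuntu-20.04
gke-node-4 5.10.90+                     cos-97
build-5    5.16.11-arch1-1              arch
lab-6      5.16.10                      upstream-build
"""


def triage(inventory):
    """Return {hostname: verdict}. A pristine 'X.Y.Z' string is 'vulnerable' when in
    range; anything with a distro suffix is 'check-advisory', because the suffix means
    the vendor's advisory, not the version number, decides whether the fix is present."""
    verdicts = {}
    for line in inventory.splitlines():
        host, uname_r, _source = line.split()
        if not upstream_vulnerable(uname_r):
            verdicts[host] = "not-affected"
        elif re.fullmatch(r"\d+\.\d+\.\d+", uname_r):
            verdicts[host] = "vulnerable"
        else:
            verdicts[host] = "check-advisory"
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {verdict}")
```

For the "check-advisory" hosts the authoritative source is the distribution's own tracker (package changelog or advisory ID), not the uname string; for managed node pools (GKE, EKS, AKS) it is the provider's image release notes, since you do not patch those kernels yourself.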
🔷 AutoWarp: Critical Cross-Account Vulnerability in Microsoft Azure Automation Service
AutoWarp is a critical vulnerability in Microsoft Azure Automation Service that allows unauthorized access to other customer accounts using the service.
https://orca.security/resources/blog/autowarp-microsoft-azure-automation-service-vulnerability
#azure