🔶🔷🔴 The Open Cloud Vulnerability & Security Issue Database

An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues.

https://www.cloudvulndb.org

#aws #azure #gcp

🔷 Kubernetes Workload Identity with AKS

Post explaining how workload identity federation on AKS works, and how to set it up.

https://blog.baeke.info/2022/01/31/kubernetes-workload-identity-with-aks

#azure

🔶Building AWS Security Guardrails

Kinnaird McQuade joins Ashish Rajan on the Cloud Security Podcast to discussing building AWS security guardrails that prevent classes of bugs, scaling guardrails, the difference between preventative and detective security controls, and more.

https://www.youtube.com/watch?v=jW-LkpVvsLk

#aws

🔶turbot/steampipe-mod-aws-perimeter

An AWS perimeter checking tool that can be used to look for resources that are publicly accessible, shared with untrusted accounts, have insecure network configurations, and more, by Steampipe.

https://github.com/turbot/steampipe-mod-aws-perimeter

#aws

🔶Amazon Cognito - A Complete Beginner Guide

Great guide by Daniel at Be A Better Dev explaining the core concepts of Cognito from a beginner perspective. You’ll learn about User Pools, Identity Pools/Federated Identities, and how to tie them together.

https://beabetterdev.com/2022/06/26/amazon-cognito-a-complete-beginner-guide

#aws

🔶AWS Identity and Access Management introduces IAM Roles Anywhere for workloads outside of AWS

IAM Roles Anywhere allows your workloads such as servers, containers, and applications to use X.509 digital certificates to obtain temporary AWS credentials and use the same IAM roles and policies that you have configured for your AWS workloads to access AWS resources.

https://aws.amazon.com/ru/about-aws/whats-new/2022/07/aws-identity-access-management-iam-roles-anywhere-workloads-outside-aws

#aws

🔷 Cloud design patterns

Design patterns for building reliable, scalable, secure applications in the cloud by walking through examples based on Microsoft Azure.

https://docs.microsoft.com/en-us/azure/architecture/patterns

#azure

🔶Exploiting Authentication in AWS IAM Authenticator for Kubernetes

This blog post explains three vulnerabilities detected in the AWS IAM Authenticator where all of them were caused by the same code line.

https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aws-iam-authenticator

#aws

🔴 How to think about threat detection in the cloud

Detecting cybersecurity threats in the cloud is different from on-premises. Here's why.

https://cloud.google.com/blog/products/identity-security/how-to-think-about-threat-detection-in-the-cloud

#gcp

🔶aidansteele/openrolesanywhere

An open-source proof-of-concept client for AWS IAM Roles Anywhere by Aidan Steele. Unlike the official client, this project lets you use private keys stored in an SSH agent. This is more flexible - and more secure if you use something like Secretive which stores unexportable keys in the macOS Secure Enclave hardware.

https://github.com/aidansteele/openrolesanywhere

#aws

🔶Tracking the Effectiveness of Cloud Adoption

AWS’s Nurani Parasuraman discusses how best to track the effectiveness of a company’s cloud adoption.

https://aws.amazon.com/ru/blogs/enterprise-strategy/tracking-effectiveness-of-cloud-adoption

#aws

🔷 Azure’s Security Vulnerabilities Are Out of Control

Azure's multiple security vulnerabilities are highly concerning, for both customer data and the cloud's reputation. It's time we put public pressure on Azure.

https://www.lastweekinaws.com/blog/azures_vulnerabilities_are_quack

#azure

🔶 Abusing the Replicator: Silently Exfiltrating Data with the AWS S3 Replication Service

A comprehensive backup strategy is a cornerstone of any DR plan. But how would you distinguish between legitimate backup activity and malicious data exfiltration?

https://www.vectra.ai/blogpost/abusing-the-replicator-silently-exfiltrating-data-with-the-aws-s3-replication-service

#aws

🔴 How to overcome 5 common SecOps challenges

Here are 5 common issues that many SecOps teams struggle with, and how to fix them.

https://cloud.google.com/blog/products/identity-security/how-to-overcome-5-common-secops-challenges

#gcp

(in Russian)

Встречайте наше первое небольшое, но полноценное мероприятие по облачной безопасности в гибридном формате в уютном (но пока еще тайном) месте в центре летней Москвы.

Ждем с нетерпением инженеров по безопасности, директоров по ИБ, специалистов по DevSecOps, security инженеров и всех, кто интересуется этой тематикой.

На офлайн-мероприятие приглашаем участников нашего чата по безопасности, которые зарегистрируются в форме ниже. Мероприятие бесплатное.

Для тех, кто не сможет посетить нас очно, мы организуем трансляцию мероприятия.

Подробнее о мероприятии →
Творческое объединение WIP, Яузский бул., 11, стр. 1

#advertising

🔶 Best Practices for AWS Organizations Service Control Policies in a Multi-Account Environment

AWS’s Rajeswari Malladi and People’s United Bank’s Jim Kozlowski provide a representative organization unit (OU) structure for a financial services industry customer, and also best practice guidance and starter service control policies (SCPs) to consider in a multi-account AWS environment to establish governance and control.

https://aws.amazon.com/ru/blogs/industries/best-practices-for-aws-organizations-service-control-policies-in-a-multi-account-environment

#aws

🔴 Protecting GCP Services with VPC Service Controls and Terraform

Post exploring VPC Service Controls through an example of a common use case of VPC Service Control perimeters, deep dive on some key concepts, and learn how to automate administration with Terraform.

https://blog.scalesec.com/protecting-gcp-services-with-vpc-service-controls-and-terraform-858019d8b4ff

#gcp

🔶 Hacking an AWS hosted Kubernetes backed product, and failing

Tales from a recent pentest of a product hosted on the AWS cloud backed by Kubernetes (EKS) and a whole lot of secure design goodness that withstood attack attempts.

https://blog.appsecco.com/hacking-an-aws-hosted-kubernetes-backed-product-and-failing-904cbe0b7c0d

#aws

🔶 Security best practices in IAM

An updated list of 14 IAM best practices by AWS.

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

#aws

🔶 IAM-Deescalate: An Open Source Tool to Help Users Reduce the Risk of Privilege Escalation

Palo Alto Networks Jay Chen describes IAM-Deescalate, a tool to mitigate privilege escalation risks in AWS. It first identifies the users and roles with privilege escalation risks using PMapper.

For each risky principal, IAM-Deescalate calculates a minimal set of permissions granted to this principal that can be revoked to eliminate the risks. IAM-Deescalate inserts an inline policy to explicitly deny the risky permissions that could allow the principal to escalate to administrator privilege.

https://unit42.paloaltonetworks.com/iam-deescalate

#aws

🔶 AWS glossary and fwd:cloudsec 2022

Hundreds of AWS product names and terms, described in a sentence or two, by Amazon.

https://docs.aws.amazon.com/general/latest/gr/glos-chap.html

Also a nice YouTube playlist is now live! Some excellent talks, as always.

https://www.youtube.com/playlist?list=PLCPCP1pNWD7N2SPaz4cmuS27xutaf32jy

#aws