🔶 Security best practices in IAM
An updated list of 14 IAM best practices by AWS.
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
#aws
🔶 IAM-Deescalate: An Open Source Tool to Help Users Reduce the Risk of Privilege Escalation
Palo Alto Networks' Jay Chen describes IAM-Deescalate, a tool to mitigate privilege escalation risks in AWS. It first identifies the users and roles with privilege escalation risks using PMapper.
For each risky principal, IAM-Deescalate calculates a minimal set of permissions granted to this principal that can be revoked to eliminate the risks. IAM-Deescalate inserts an inline policy to explicitly deny the risky permissions that could allow the principal to escalate to administrator privilege.
https://unit42.paloaltonetworks.com/iam-deescalate
#aws
🔶 AWS glossary and fwd:cloudsec 2022
Hundreds of AWS product names and terms, described in a sentence or two, by Amazon.
https://docs.aws.amazon.com/general/latest/gr/glos-chap.html
Also a nice YouTube playlist is now live! Some excellent talks, as always.
https://www.youtube.com/playlist?list=PLCPCP1pNWD7N2SPaz4cmuS27xutaf32jy
#aws
🔶 Dependency confusion in AWS CodeArtifact
At the time of the finding, CodeArtifact did not have any feature to specify which packages were internal and therefore should not be pulled from public repositories.
https://zego.engineering/dependency-confusion-in-aws-codeartifact-86b9ff68963d?gi=eb56bfabbd85
#aws
🔶 AWS Security by Dylan Shields
An excellent book by Dylan Shields, a software engineer working on quantum computing at Amazon, explaining that running your systems in the cloud doesn't automatically make them secure. Learn the tools and new management approaches you need to create secure apps and infrastructure on AWS.
#aws
🔶 Uncomplicate Security for developers using Reference Architectures
A post walking through the salient features of a meaningful security reference architecture and the process required to develop one, as well as the challenges one might expect to face.
https://anunay-bhatt.medium.com/embedding-security-into-sdlc-using-reference-architectures-for-developers-29403c00fb3d
#aws
🔶 Setup GitHub Codespaces with AWS IAM Roles Anywhere
Demonstration of how you could leverage IAM Roles Anywhere to authenticate your GitHub Codespaces.
https://devopstar.com/2022/08/01/github-codespaces-and-iam-roles-anywhere
#aws
🔶🔷🔴 HashiCorp State of Cloud Strategy Survey
Insights from HashiCorp’s 2022 State of Cloud Strategy Survey, commissioned by HashiCorp and conducted by Forrester Consulting. Forrester surveyed more than 1,000 technology practitioners and decision makers from around the world, drawn from random samplings as well as the HashiCorp opt-in contact database.
Some stats that stuck out to us:
1️⃣ 81% of companies are or are planning to use multiple cloud providers
2️⃣ 86% have a centralized function or group responsible for cloud operations or strategy
https://www.hashicorp.com/state-of-the-cloud
#aws #azure #gcp
🔷🔴 The cloud has an isolation problem: PostgreSQL vulnerabilities affect multiple cloud vendors
How Wiz Research uncovered multiple related vulnerabilities in PostgreSQL-as-a-Service offerings from GCP, Azure, and others.
https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities
#azure #gcp
🔶 AWS Account Setup and Root User
A guide through the introductory steps to configure contacts for an AWS account & secure the root user.
https://wellarchitectedlabs.com/security/100_labs/100_aws_account_and_root_user
#aws
🔶 How to manage Route53 hosted zones in a multi-account environment
How to manage Route53 hosted zones in a multi-account environment so each account has full authority over its subdomain.
https://theburningmonk.com/2021/05/how-to-manage-route53-hosted-zones-in-a-multi-account-environment
#aws
🔶 Granted Approvals - an Open Source Permission Management Framework
"We’ve designed Approvals so that it only has the ability to assign roles to existing users, rather than create new roles or new users. By design, the blast radius of Granted Approvals being compromised is that existing users in your directory could be granted access to roles, rather than external users being created. Better yet — Approvals is deployed as a serverless application which runs in your own AWS account, so Common Fate won’t have access to any data in your Granted Approvals deployment."
https://commonfate.io/blog/granted-approvals-release
#aws
🔶 awslabs/assisted-log-enabler-for-aws
Assisted Log Enabler for AWS is for customers who do not have logging turned on for various services, and lack knowledge of best practices and/or how to turn them on.
https://github.com/awslabs/assisted-log-enabler-for-aws
#aws
🔷 Automating Insecurity In Azure
Slides of the talk of the same name at Cloud Village (cloudvillage_dc on Twitter).
https://notpayloads.blob.core.windows.net/slides/DC-AzureAutomationAccounts.pdf
#azure
🔴 GCP: Monitor IAM role assignments via Log Alerts in GCP
How to create Log alerts in GCP to track specific IAM role assignments.
https://medium.com/google-cloud/audit-iam-role-assignments-in-gcp-through-log-alerts-3bcdf3d7a504
#gcp
🔶 Three Guardrails for AWS Lambda
Three guardrails you can put in place around your Lambda code: code signing, function versions and aliases, and Amazon CodeGuru Reviewer.
https://blog.symops.com/2022/08/17/lambda-guardrails
#aws
🔶 How to setup geofencing and IP allow-list for Cognito user pool
AWS announced a new feature this week that lets you enable WAF protection for Cognito user pools. And one of the things you can do with this is to implement geo-fencing and IP allow/deny lists.
https://theburningmonk.com/2022/08/how-to-setup-geofencing-and-ip-allow-list-for-cognito-user-pool
#aws
Special issue of Monthly Cloud News dedicated to information security in the cloud
In a conversation between Anton Chernousov, Alexey Mirtov and Evgeny Sidorov, we dive into the questions that trouble security specialists and developers running projects in the cloud.
Topics of the August issue:
🔹 IT staff want to move to the cloud
🔹 Is a security specialist better off in the cloud?
🔹 We discuss the top information security risks in the cloud
🔹 Leaks of static credentials
🔹 DevSecOps as a symbiosis of useful practices for development
🔹 Audit trails and everything else...
🔹 Raising development culture through security training
Register!
#advertising
🔶 How to detect suspicious activity in your AWS account by using private decoy resources
AWS’s Maitreya Ranganath and Mark Keating describe how you can create low-cost private decoy AWS resources in your AWS accounts and configure them to generate alerts when they are accessed.
https://aws.amazon.com/ru/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources
#aws
🔷 Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps
How Microsoft Defender for Cloud Apps data can help hunt and mitigate the risk of compromised subscriptions.
https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121
#azure