🔷🔴 The cloud has an isolation problem: PostgreSQL vulnerabilities affect multiple cloud vendors

How Wiz Research uncovered multiple related vulnerabilities in PostgreSQL-as-a-Service offerings from GCP, Azure, and others.

https://www.wiz.io/blog/the-cloud-has-an-isolation-problem-postgresql-vulnerabilities

#azure #gcp

🔶 AWS Account Setup and Root User

A guide through the introductory steps to configure contacts for an AWS account & secure the root user.

https://wellarchitectedlabs.com/security/100_labs/100_aws_account_and_root_user

#aws

🔶 How to manage Route53 hosted zones in a multi-account environment

How to manage Route53 hosted zones in a multi-account environment so each account has full authority over its subdomain.

https://theburningmonk.com/2021/05/how-to-manage-route53-hosted-zones-in-a-multi-account-environment

#aws

🔶Granted Approvals - an Open Source Permission Management Framework

"We’ve designed Approvals so that it only has the ability to assign roles to existing users, rather than create new roles or new users. By design, the blast radius of Granted Approvals being compromised is that existing users in your directory could be granted access to roles, rather than external users being created. Better yet — Approvals is deployed as a serverless application which runs in your own AWS account, so Common Fate won’t have access to any data in your Granted Approvals deployment."

https://commonfate.io/blog/granted-approvals-release

#aws

🔶awslabs/assisted-log-enabler-for-aws

Assisted Log Enabler for AWS is for customers who do not have logging turned on for various services, and lack knowledge of best practices and/or how to turn them on.

https://github.com/awslabs/assisted-log-enabler-for-aws

#aws

🔷Automating Insecurity In Azure

Slides of the homonym talk at cloudvillage_dc (on Twitter).

https://notpayloads.blob.core.windows.net/slides/DC-AzureAutomationAccounts.pdf

#azure

🔴 GCP: Monitor IAM role assignments via Log Alerts in GCP

How to create Log alerts in GCP to track specific IAM role assignments.

https://medium.com/google-cloud/audit-iam-role-assignments-in-gcp-through-log-alerts-3bcdf3d7a504

#gcp

🔶Three Guardrails for AWS Lambda

Three guardrails you can put in place around that Lambda code: code signing, function versions and aliases, and Amazon CodeGuru Reviewer.

https://blog.symops.com/2022/08/17/lambda-guardrails

#aws

🔶How to setup geofencing and IP allow-list for Cognito user pool

AWS announced a new feature this week that lets you enable WAF protection for Cognito user pools. And one of the things you can do with this is to implement geo-fencing and IP allow/deny lists.

https://theburningmonk.com/2022/08/how-to-setup-geofencing-and-ip-allow-list-for-cognito-user-pool

#aws

Специальный выпуск Monthly Cloud News, посвященный информационной безопасности в облаке

В беседе Антона Черноусова с Алексеем Миртовым и Евгением Сидоровым окунемся в вопросы терзающие безопасников и разработчиков, ведущих проекты в облаке.

Темы августовского выпуска:

🔹 IT-сотрудники хотят в облака
🔹 Лучше ли безопаснику в облаке?
🔹 Обсудим топ-рисков ИБ в облаках
🔹 Утечки статических Сredentials
🔹 DevSecOps как симбиоз полезных практик для разработки
🔹 Audit Trails и все все все...
🔹 Повышение культуры разработки через обучение ИБ

Регистрируйтесь!

#advertising

🔶How to detect suspicious activity in your AWS account by using private decoy resources

AWS’s Maitreya Ranganath and Mark Keating describe how you can create low-cost private decoy AWS resources in your AWS accounts and configure them to generate alerts when they are accessed.

https://aws.amazon.com/ru/blogs/security/how-to-detect-suspicious-activity-in-your-aws-account-by-using-private-decoy-resources

#aws

🔷Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps

How Microsoft Defender for Cloud Apps data can help hunt and mitigate the risk of compromised subscriptions.

https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/hunt-for-compromised-azure-subscriptions-using-microsoft/ba-p/3607121

#azure

🔴 Controls to restrict access to individually approved APIs

How to restrict access to individually approved Google APIs using the Organization Policy Service and other network controls.

https://cloud.google.com/architecture/network-controls-limit-access-individually-approved-apis

#gcp

🔶 AWS WAF Fraud Control - Account takeover prevention for Amazon CloudFront

AWS WAF Fraud Control - Account Takeover Prevention protects your application's login page against credential stuffing attacks, brute force attempts, and other anomalous login activities.

https://aws.amazon.com/ru/about-aws/whats-new/2022/08/aws-waf-fraud-control-account-takeover-prevention-cloudfront

#aws

🔴 Announcing Virtual Machine Threat Detection now generally available to Cloud customers

Google announced that Virtual Machine Threat Detection (VMTD) in Security Command Center is now generally available for all Google Cloud customers.

https://cloud.google.com/blog/products/identity-security/introducing-virtual-machine-threat-detection-to-block-critical-threats

#gcp

🔷 Securing Azure middleware agents with new auto-patching capabilities

It turns out when you require your customers to manually patch critical vulnerabilities in software you installed for them that they often don’t know they have, update rates are low. Nice work from Wiz in pushing for auto-patching functionality.

https://www.wiz.io/blog/auto-patching-for-omi

#azure

🔷 Automating Azure Abuse Research - Part 2

Second part of a series, this time focusing on how to use the BloodHound Attack Research Kit (BARK) to perform so-called "continuous abuse primitive validation".

https://posts.specterops.io/automating-azure-abuse-research-part-2-3e5bbe7a20c0

#azure

🔶 AWS IAM Interview Questions

Some AWS IAM interview questions to help understand how much an engineer might know about AWS IAM, and how to apply it.

https://www.k9security.io/docs/aws-iam-interview-questions

#aws

🔷 SMTP Matching Abuse in Azure AD

How SMTP matching can be abused to obtain privileged access via eligible role assignments, and how to prevent it.

https://www.semperis.com/blog/smtp-matching-abuse-in-azure-ad

#azure

🔶 Incident Response in AWS

Post intended to help those already familiar with the principles of Incident Response to understand what to do when the incident involves the AWS Control Plane.

https://www.chrisfarris.com/post/aws-ir

#aws

🔶 CJ Moses might be the CISO of AWS, but service leaders own their own security

Interesting interview with AWS’s CJ Moses covering topics including:

1️⃣ What are your duties as CISO?
2️⃣ What is AWS’ security strategy?
3️⃣ What’s the biggest threat to cloud security right now and how do you stay ahead of all these bad actors?
4️⃣ What are the biggest security mistakes that you see enterprise customers repeating?

https://www.protocol.com/enterprise/cj-moses-aws-ciso

#aws