🔶 Attacking Firecracker: AWS' microVM Monitor Written in Rust
Firecracker is a microVM manager written in Rust that powers AWS services such as Lambda and Fargate. Here's how a red team attacked a vulnerability in Firecracker.
https://www.graplsecurity.com/post/attacking-firecracker
#aws
🔶 A Federated Approach To Providing User Privacy Rights
How Lyft approaches managing user privacy in order to seamlessly handle compliance, data export, and deletion.
https://eng.lyft.com/a-federated-approach-to-providing-user-privacy-rights-3d9ab73441d9
#aws
🔶 The Complete Guide to AWS KMS
An intro guide to AWS Key Management Service (AWS KMS), its different key types, and access (IAM) best practices.
https://blog.lightspin.io/the-complete-guide-to-aws-kms
#aws
🔴 Understanding basic networking in GKE - Networking basics
Post exploring the networking components of GKE and the various options that exist.
https://cloud.google.com/blog/topics/developers-practitioners/understanding-basic-networking-gke-networking-basics
#gcp
🔶 awslabs/aws-security-assessment-solution
An AWS tool to help you create a point-in-time assessment of your AWS account using Prowler and ScoutSuite, plus optional AWS-developed ransomware checks.
https://github.com/awslabs/aws-security-assessment-solution
#aws
🔷 Azure Active Directory Pass-Through Authentication Flaws
Secureworks researchers analyzed how the protocols used by Pass-Through Authentication (PTA) could be exploited. The result? A compromised PTA agent certificate gives threat actors persistent and undetectable access to a target organization.
https://www.secureworks.com/research/azure-active-directory-pass-through-authentication-flaws
#azure
🔶 AWS Ramp-Up Guide: Security
A guide that can help you prepare for the "AWS Certified Security - Specialty" certification exam.
https://d1.awsstatic.com/training-and-certification/ramp-up_guides/Ramp-Up_Guide_Security.pdf
#aws
🔶 matanolabs/matano
An open source security lake platform for AWS that lets you ingest petabytes of security and log data from various sources, store and query them in an open Apache Iceberg data lake, and write Python detections-as-code for real-time alerting. Matano is fully serverless, designed specifically for AWS, and focuses on high scale, low cost, and zero ops.
https://github.com/matanolabs/matano
#aws
🔶 Authenticating to AWS the right way for (almost) every use-case
Lee Briggs covers the right way to authenticate to AWS in a variety of scenarios:
1️⃣ Authenticate to AWS as a Human User: AWS IAM Identity Center
2️⃣ Authenticate to AWS as an EC2 Instance: IAM Role, possibly Instance Profile
3️⃣ Authenticate to AWS as an application that only manages content in an S3 bucket: Presigned URLs
4️⃣ Authenticate to AWS as a CI/CD Pipeline: OIDC Providers
5️⃣ Authenticate to AWS as compute I manage that isn’t running inside AWS: IAM Roles Anywhere
https://leebriggs.co.uk/blog/2022/09/05/authenticating-to-aws-the-right-way
#aws
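For scenario 4️⃣, the thing that actually scopes a CI/CD pipeline's access is the role's trust policy: the `sub` condition on the OIDC claims decides which repository (and branch) may assume the role, and the `aud` condition pins the audience. The following is an added example, not code from Lee Briggs' post. It builds a GitHub Actions trust policy (the `token.actions.githubusercontent.com` provider and the `repo:<owner>/<repo>:ref:<ref>` claim format are GitHub's documented values; the account ID, org and repo names are placeholders) and audits policies for the two scoping mistakes a reviewer looks for: no `sub` condition at all, and a `sub` that does not pin a single repository.

```python
"""Build and audit an IAM trust policy for a GitHub Actions OIDC provider (added example, stdlib only)."""
import copy

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"


def github_oidc_trust_policy(account_id: str, owner: str, repo: str, ref: str = "refs/heads/main") -> dict:
    """Trust policy that lets only workflows of one repository, on one ref, assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com",
                    f"{GITHUB_OIDC_HOST}:sub": f"repo:{owner}/{repo}:ref:{ref}",
                },
            },
        }],
    }


def check_trust_policy(policy: dict) -> list:
    """Return findings for Allow statements that trust the GitHub OIDC provider."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        federated = stmt.get("Principal", {}).get("Federated", "")
        if stmt.get("Effect") != "Allow" or GITHUB_OIDC_HOST not in federated:
            continue
        # Flatten condition keys across operators (StringEquals, StringLike, ...).
        keys = {k: v for op in stmt.get("Condition", {}).values() for k, v in op.items()}
        if f"{GITHUB_OIDC_HOST}:aud" not in keys:
            findings.append(f"statement {i}: no aud condition")
        sub = keys.get(f"{GITHUB_OIDC_HOST}:sub")
        if sub is None:
            findings.append(f"statement {i}: no sub condition; any GitHub repository's workflow can assume this role")
            continue
        for value in (sub if isinstance(sub, list) else [sub]):
            # The owner/repo segment sits between "repo:" and the next ":"; a wildcard there
            # (e.g. "repo:*" or "repo:example-org/*") trusts more than one repository.
            repo_segment = value.removeprefix("repo:").split(":", 1)[0]
            if not value.startswith("repo:") or "*" in repo_segment:
                findings.append(f"statement {i}: sub '{value}' does not pin a single repository")
    return findings


def audit_examples() -> dict:
    """Audit a correctly scoped policy next to two constructed misconfigurations."""
    good = github_oidc_trust_policy("123456789012", "example-org", "example-repo")

    no_sub = copy.deepcopy(good)  # aud only: every GitHub repo can assume the role
    del no_sub["Statement"][0]["Condition"]["StringEquals"][f"{GITHUB_OIDC_HOST}:sub"]

    wildcard = copy.deepcopy(good)  # StringLike with a wildcard on the repository name
    wildcard["Statement"][0]["Condition"] = {
        "StringEquals": {f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com"},
        "StringLike": {f"{GITHUB_OIDC_HOST}:sub": "repo:*"},
    }
    return {name: check_trust_policy(p) for name, p in
            {"good": good, "no_sub": no_sub, "wildcard": wildcard}.items()}


if __name__ == "__main__":
    for name, findings in audit_examples().items():
        print(name, "->", findings or "OK")
```

Run it with `python3 trust_policy_check.py` (any filename works); only the two constructed misconfigurations produce findings. Pinning `sub` to a ref is what keeps a pull request from an untrusted fork from assuming a deployment role, which is why the default here is a single branch rather than `repo:owner/repo:*`.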
🔶 thundra-io/merloc
By Thundra: a live AWS Lambda function development and debugging tool. MerLoc lets you run AWS Lambda functions on your local machine while they remain part of a flow running in AWS.
https://github.com/thundra-io/merloc
#aws
🔷 Azure Cloud Shell Command Injection: Stealing User's Access Tokens
This post describes how a researcher took over an Azure Cloud Shell trusted domain and leveraged it to inject and execute commands in other users' terminals.
https://blog.lightspin.io/azure-cloud-shell-command-injection-stealing-users-access-tokens
#azure
🔷 Azure Attack Paths
Post shedding some light on known attack paths in an Azure environment.
https://cloudbrothers.info/azure-attack-paths
#azure
🔶 AWS IAM Identity Center Access Tokens are Stored in Clear Text and No, That's Not a Critical Vulnerability
Assuming constant full compromise of all machines is probably going to lead to controls where users can't reasonably do work.
https://itnext.io/aws-iam-identity-center-access-tokens-are-stored-in-clear-text-and-no-thats-not-a-critical-68a48c1e398
#aws
🔶 How DoorDash Ensures Velocity and Reliability through Policy Automation
How DoorDash leverages OPA to build policy-based guardrails with codified rules that ensure velocity and reliability for cloud infrastructure automated deployments.
https://doordash.engineering/2022/09/20/how-doordash-ensures-velocity-and-reliability-through-policy-automation
#aws
🔶 zoph-io/aws-security-survival-kit
Victor Grenu helps you set up minimal alerting on typical suspicious activities in your AWS account. Using this kit, you deploy EventBridge (CloudWatch Events) rules and CloudWatch alarms on:
1️⃣ Root User activities
2️⃣ CloudTrail changes
3️⃣ AWS Personal Health Events
4️⃣ IAM Users changes
5️⃣ MFA updates
6️⃣ Unauthorized Operations
7️⃣ Failed AWS Console login authentication
https://github.com/zoph-io/aws-security-survival-kit
#aws
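The kit deploys its rules into the account; to see what rules of this kind actually match, here is a stand-alone EventBridge-pattern matcher run over constructed CloudTrail records. This is an added example, not code from the zoph-io repository: the patterns are my approximations of the seven categories above (the root-activity pattern follows the CIS filter that excludes service-initiated events and `invokedBy` entries), the matcher implements the subset of EventBridge semantics those patterns need (lists of literals, nested objects, `exists`, `prefix`, `anything-but`), and every sample record is constructed, not a real log.

```python
"""Evaluate EventBridge-style event patterns against CloudTrail records (added example, stdlib only)."""

_MISSING = object()  # sentinel for "field absent from the record"


def _match_leaf(alternatives, value):
    """A leaf pattern is a list; the field matches if any alternative does (subset of EventBridge rules)."""
    for alt in alternatives:
        if isinstance(alt, dict):
            if "exists" in alt and (value is not _MISSING) == alt["exists"]:
                return True
            if "prefix" in alt and isinstance(value, str) and value.startswith(alt["prefix"]):
                return True
            if "anything-but" in alt and value is not _MISSING and value not in alt["anything-but"]:
                return True
        elif value == alt:
            return True
    return False


def matches(pattern, record):
    """True when every key of `pattern` is satisfied by `record`; fields not in the pattern are ignored."""
    for key, spec in pattern.items():
        value = record.get(key, _MISSING) if isinstance(record, dict) else _MISSING
        if isinstance(spec, dict):
            if not isinstance(value, dict) or not matches(spec, value):
                return False
        elif not _match_leaf(spec, value):
            return False
    return True


# Approximations of the kit's categories, written against the CloudTrail record (the `detail` of an
# EventBridge event). Event names are illustrative, not an exhaustive list.
RULES = {
    "root-activity": {"userIdentity": {"type": ["Root"], "invokedBy": [{"exists": False}]},
                      "eventType": [{"anything-but": ["AwsServiceEvent"]}]},
    "cloudtrail-changes": {"eventSource": ["cloudtrail.amazonaws.com"],
                           "eventName": ["StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"]},
    "iam-user-changes": {"eventSource": ["iam.amazonaws.com"],
                         "eventName": ["CreateUser", "DeleteUser", "CreateLoginProfile", "CreateAccessKey",
                                       "AttachUserPolicy", "PutUserPolicy"]},
    "mfa-updates": {"eventSource": ["iam.amazonaws.com"],
                    "eventName": ["DeactivateMFADevice", "DeleteVirtualMFADevice", "EnableMFADevice"]},
    "unauthorized-operations": {"errorCode": ["AccessDenied", "Client.UnauthorizedOperation"]},
    "failed-console-login": {"eventName": ["ConsoleLogin"], "responseElements": {"ConsoleLogin": ["Failure"]}},
}

# Constructed CloudTrail records (not real logs), trimmed to the fields the rules look at.
SAMPLE_EVENTS = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "Root"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "ops"}},
    {"eventSource": "iam.amazonaws.com", "eventName": "DeactivateMFADevice", "eventType": "AwsApiCall",
     "userIdentity": {"type": "IAMUser", "userName": "ops"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "errorCode": "Client.UnauthorizedOperation", "userIdentity": {"type": "AssumedRole"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "eventType": "AwsConsoleSignIn",
     "userIdentity": {"type": "IAMUser", "userName": "ops"}, "responseElements": {"ConsoleLogin": "Failure"}},
    # Benign: a successful read by an assumed role trips nothing.
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "eventType": "AwsApiCall",
     "userIdentity": {"type": "AssumedRole"}},
    # Service-initiated event attributed to root: excluded by the anything-but clause.
    {"eventSource": "config.amazonaws.com", "eventName": "DeliverConfigSnapshot", "eventType": "AwsServiceEvent",
     "userIdentity": {"type": "Root"}},
]


def triage(records):
    """Return (rule name, eventName) for every rule each record trips, in input order."""
    hits = []
    for record in records:
        for name, pattern in RULES.items():
            if matches(pattern, record):
                hits.append((name, record.get("eventName")))
    return hits


if __name__ == "__main__":
    for rule, event_name in triage(SAMPLE_EVENTS):
        print(f"{rule:24} {event_name}")
```

Five of the seven constructed records trip exactly one rule each; the benign read and the service-initiated root event trip none, which is the behaviour you want before you wire the patterns to an SNS topic, since root-attributed `AwsServiceEvent` records would otherwise page you for nothing.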
🔶 Using Kyverno To Enforce AWS Load Balancer Annotations For Centralized Logging To S3
Post covering the steps to take in order to use Kyverno to automatically configure the annotations that enable access logs for an AWS Network Load Balancer (NLB) to be forwarded to an S3 bucket.
https://silvr.medium.com/using-kyverno-to-enforce-aws-load-balancer-annotations-for-centralized-logging-to-s3-af5dc1f1f3e0
#aws
🔶 Run a Tailscale VPN relay on ECS/Fargate
A step by step tutorial on how to run Tailscale in ECS.
https://platformers.dev/log/2022/tailscale-ecs
#aws
🔶 The Many Ways to Manage Access to an EC2 Instance
By Sym’s Mathew Pregasen. Options: EC2 key pairs, SSH access via 3rd-party tools, SSH access via IAM policies, eliminate direct access via GitOps (SSM’s Run Command), and temporary or JIT access.
https://blog.symops.com/2022/09/22/ec2-access
#aws
🔶 AWS services, explained in Victorian English
By GPT-3 and @thesephist. How all companies should describe their products.
1️⃣ S3 is a glorious bastion of uptime in the otherwise storm-tossed sea of the World Wide Web, a shining beacon of safety to which one may entrust one’s most valuable data, whether files, or precious objects, or even blobs of the most unique and ephemeral content.
2️⃣ Route 53, the fleet-footed messenger of the gods, delivers your DNS traffic across the Internet with the speed of a Thracian chariot, and at a fraction of the cost.
https://victorianaws.com
#aws
🔶🔷🔴 Cloud Architecture Diagrams as Code
Create diagrams for AWS, GCP, Azure, a data ETL pipeline and more.
https://docs.tryeraser.com/docs/examples
#aws #azure #gcp
🔶 State of AWS Security in 2022: A Look Into Real-World AWS Environments
Datadog analyzed trends in the implementation of security best practices and took a closer look at various types of misconfigurations that contribute to the most common causes of security breaches.
https://www.datadoghq.com/state-of-aws-security
#aws