CloudSec Wine
All about cloud security

Contacts:
@AMark0f
@dvyakimov

About DevSecOps:
@sec_devops
🔶 State of AWS Security in 2022: A Look Into Real-World AWS Environments

Datadog analyzed trends in the implementation of security best practices and took a closer look at various types of misconfigurations that contribute to the most common causes of security breaches.

https://www.datadoghq.com/state-of-aws-security

#aws
🔶 Unofficial list of free resources to learn AWS for absolute beginners

An unofficial list of free resources to learn AWS for absolute beginners. This will be a living document.

https://docs.google.com/document/d/1fDTumqm5oc_nLAQBUnW8c6hAGmGx95a8-BZ92GqlbUs/edit

#aws
🔶 Diving Deeply into IAM Policy Evaluation

A post going through confounding conditions, double and triple negatives, and principals matched and unmatched to explain a more accurate model of how IAM evaluates permissions internally.

https://ermetic.com/blog/aws/diving-deeply-into-iam-policy-evaluation-highlights-from-aws-reinforce-session-iam433

#aws
🔶 AWS Permission Boundaries for Dummies

Tl;dr: if you want someone to admin some IAM in an account but not all the IAM, then you might need one.

https://www.firemon.com/aws-permission-boundaries-for-dummies

#aws
🔶 pop3ret/AWSome-Pentesting

A guide to help pentesters learn more about AWS misconfigurations and the ways they can be abused. It is a cheatsheet of useful commands for a variety of AWS services, covering enumeration, data exfiltration, privilege escalation, and more.

https://github.com/pop3ret/AWSome-Pentesting/blob/main/AWSome-Pentesting-Cheatsheet.md

#aws
🔷 Public Network Access to Azure Resources Is Too Easy to Configure

For some types of Azure resources and subnets, it's extremely easy to configure what is essentially public network access. This post describes some examples and how to reduce such risks.

https://ermetic.com/blog/azure/public-network-access-to-azure-resources-is-too-easy-to-configure

#azure
🔴 Security Logging in Cloud Environments - GCP

Another update to my "Security Logging in Cloud Environments - GCP" post, this time adding the new Sensitive Actions Service to the SCC section.

https://blog.marcolancini.it/2021/blog-security-logging-cloud-environments-gcp

#gcp
The Yandex Cloud and Yandex Infrastructure recruiting team here.

We are switching on turbo mode for two weeks and are ready to hire backend developers and SREs within 2-3 days.

We have collected all the information in a Telegram channel: https://t.me/cloud_track

Solve the Yandex Contest tasks before 23 October 2022 and join us!

Let's build and grow a powerful cloud together.

#advertising
🔶 Lateral movement risks in the cloud and how to prevent them - Part 1: the network layer (VPC)

Post introducing lateral movement as it pertains to VPCs. It discusses attacker TTPs, and outlines best practices for security practitioners and cloud builders to help secure their cloud environment and reduce risk.

https://www.wiz.io/blog/lateral-movement-risks-in-the-cloud-and-how-to-prevent-them-part-1-the-network-layer

#aws
🔶 You should have lots of AWS accounts

Lots of AWS accounts working together in harmony will net you a more secure, more reliable, and more compliant cloud infrastructure.

https://src-bin.com/you-should-have-lots-of-aws-accounts

#aws
🔶 tuladhar/cleanup-aws-access-keys

A cloud security tool to search and clean up unused AWS access keys, written in Go, by Puru Tuladhar.

https://github.com/tuladhar/cleanup-aws-access-keys

#aws
🔷 FabriXss: How We Managed to Abuse a Custom Role User Using CSTI and Stored XSS in Azure Fabric Explorer

The Orca Research Pod has discovered FabriXss, a vulnerability in Azure Service Fabric Explorer that allows attackers to gain full Administrator permissions.

https://orca.security/resources/blog/fabrixss-vulnerability-azure-fabric-explorer

#azure
🔶 The Danger of Falling to System Role in AWS SDK Client

Writeup of a vulnerability identified in a web application that was using the AWS SDK for Go (v1) to implement an "Import Data From S3" functionality.

https://blog.doyensec.com/2022/10/18/cloudsectidbit-dataimport.html

#aws
🔷 Untangling Azure Active Directory Principals & Access Permissions

Post untangling the question of 'who has access to what' in an Azure Active Directory environment. A PowerShell tool was also released to automatically enumerate this.

https://csandker.io/2022/10/19/Untangling-Azure-Permissions.html

#azure
For secure work on a shared project, it is important to be able to manage permissions and access rights. Our webinar "The Finer Points of User and Access Management in a Cloud Environment" is dedicated to this topic. Using Yandex Identity and Access Management, an identification and access control service, as an example, we will explain how to set up processes so that every operation on a resource is performed only by users with the necessary rights.

During the session we will go through various working scenarios and important technical features of the IAM service, and touch on the following topics:

• recommendations for building the resource model;
• capabilities of the role model;
• privileged users and the security of their accounts;
• working with user groups;
• security events related to user and group management.

The webinar will be useful for architects, developers, and security specialists at middle+ level.

Register for the webinar ➡️
🔶 How to list all resources in your AWS account

You may have been there before: you got access to an AWS account and just want to list which resources are configured in it. The seemingly simple task of listing all resources quickly turns out to be complicated.

https://awstip.com/how-to-list-all-resources-in-your-aws-account-c3f18061f71b

#aws
🔶🔷 Enrich AWS account data in Microsoft Sentinel

As organisations integrate Amazon Web Services data sources with Microsoft Sentinel, many face a common problem: how to identify AWS resources and handle contextual data, such as AWS account information, for alerts and incidents?

https://secopslab.fi/2022-10-microsoftsentinel-awswatchlist

#aws #azure
🔶 AWS Security Groups Guide

Knowing how security groups & NACLs work together is extremely important for controlling network traffic to your instances & subnets.

https://sysdig.com/blog/aws-security-groups-guide

(Use VPN if you can’t open it)

#aws
🔶 flosell/trailscraper

By Thoughtworks’s Florian Sellmayr: A command-line tool to get valuable information out of AWS CloudTrail and a general purpose toolbox for working with IAM policies.

https://github.com/flosell/trailscraper

#aws
🔴 Announcing Sensitive Actions to help keep accounts secure

Google introduced Sensitive Actions, a new way to understand user account behaviour. They are changes made in a Google Cloud environment that are security relevant, and therefore important to be aware of and evaluate.

https://cloud.google.com/blog/products/identity-security/announcing-sensitive-actions-to-help-keep-accounts-secure

#gcp