🔸Netflix/consoleme
New tool from the Netflix cloud security team that “strives to be a multi-account AWS swiss-army knife, making AWS easier for your end-users and cloud administrators.”
- Consolidates the management of multiple accounts into a single web UI.
- Allows your end-users and admins to get credentials / console access to your different AWS accounts, depending on their authorization level.
- Provides mechanisms for end-users and admins to both request and manage permissions for IAM roles, S3 buckets, SQS queues, and SNS topics.
- A self-service wizard is also provided to guide users into requesting the permissions they desire.
https://github.com/Netflix/consoleme
#aws
New tool from the Netflix cloud security team that “strives to be a multi-account AWS swiss-army knife, making AWS easier for your end-users and cloud administrators.”
- Consolidates the management of multiple accounts into a single web UI.
- Allows your end-users and admins to get credentials / console access to your different AWS accounts, depending on their authorization level.
- Provides mechanisms for end-users and admins to both request and manage permissions for IAM roles, S3 buckets, SQS queues, and SNS topics.
- A self-service wizard is also provided to guide users into requesting the permissions they desire.
https://github.com/Netflix/consoleme
#aws
GitHub
GitHub - Netflix/consoleme: A Central Control Plane for AWS Permissions and Access
A Central Control Plane for AWS Permissions and Access - Netflix/consoleme
🔸AWS Systems Manager Attack and defense strategies
Post covering multiple aspects of Systems Manager, Documents and how to protect and detect techniques leveraging its "Run Command".
https://blog.karims.cloud/2020/12/08/ssm-attack-and-defense-strategies.html
#aws
Post covering multiple aspects of Systems Manager, Documents and how to protect and detect techniques leveraging its "Run Command".
https://blog.karims.cloud/2020/12/08/ssm-attack-and-defense-strategies.html
#aws
Personal notes on Cybersecurity and Cloud
AWS Systems Manager Attack and defense strategies
Background AWS Systems Manager is long known for its “Run Command” allowing an attacker to move from AWS API Access to compromise instances that may be within the network. This post will try to cover multiple aspects of Systems Manager, Documents and how…
🔸AWS Audit Manager Simplifies Audit Preparation
Audit Manager is a new AWS service that “provides prebuilt frameworks for common industry standards and regulations, and automates the continual collection of evidence to help you in preparing for an audit.”
https://aws.amazon.com/blogs/aws/aws-audit-manager-simplifies-audit-preparation/
#aws
Audit Manager is a new AWS service that “provides prebuilt frameworks for common industry standards and regulations, and automates the continual collection of evidence to help you in preparing for an audit.”
https://aws.amazon.com/blogs/aws/aws-audit-manager-simplifies-audit-preparation/
#aws
Amazon
AWS Audit Manager Simplifies Audit Preparation | Amazon Web Services
Gathering evidence in a timely manner to support an audit can be a significant challenge due to manual, error-prone, and sometimes, distributed processes. If your business is subject to compliance requirements, preparing for an audit can cause significant…
🔸Gaining Persistency on Vulnerable Lambdas
What can an attacker do if they found a Remote Code Execution (RCE) vulnerability in a Lambda function?
https://unit42.paloaltonetworks.com/gaining-persistency-vulnerable-lambdas/
#aws
What can an attacker do if they found a Remote Code Execution (RCE) vulnerability in a Lambda function?
https://unit42.paloaltonetworks.com/gaining-persistency-vulnerable-lambdas/
#aws
Unit 42
Gaining Persistency on Vulnerable Lambdas
Serverless Security AWS Lambda was released in 2014 and introduced a new cloud execution model – serverless computing, which is now widely adopted. Since
🔴Google Cloud Platform (GCP) Service Account-based Privilege Escalation paths
The Praetorian team uncovered a GCP risk scenario in which privileges in a compromised service can be used to further escalate privileges.
https://www.praetorian.com/blog/google-cloud-platform-gcp-service-account-based-privilege-escalation-paths
#gcp
The Praetorian team uncovered a GCP risk scenario in which privileges in a compromised service can be used to further escalate privileges.
https://www.praetorian.com/blog/google-cloud-platform-gcp-service-account-based-privilege-escalation-paths
#gcp
Forwarded from Технологический Болт Генона
Azure Kubernetes (AKS) Security Best Practices
Part 1: Designing Secure Clusters and Container Images
https://www.stackrox.com/post/2020/01/azure-kubernetes-aks-security-best-practices-part-1-of-4/
Part 2: Networking
https://www.stackrox.com/post/2020/02/azure-kubernetes-aks-security-best-practices-part-2-of-4/
Part 3: Runtime Security
https://www.stackrox.com/post/2020/02/azure-kubernetes-aks-security-best-practices-part-3-of-4/
Part 4: Cluster Maintenance
https://www.stackrox.com/post/2020/03/azure-kubernetes-aks-security-best-practices-part-4-of-4/
Part 1: Designing Secure Clusters and Container Images
https://www.stackrox.com/post/2020/01/azure-kubernetes-aks-security-best-practices-part-1-of-4/
Part 2: Networking
https://www.stackrox.com/post/2020/02/azure-kubernetes-aks-security-best-practices-part-2-of-4/
Part 3: Runtime Security
https://www.stackrox.com/post/2020/02/azure-kubernetes-aks-security-best-practices-part-3-of-4/
Part 4: Cluster Maintenance
https://www.stackrox.com/post/2020/03/azure-kubernetes-aks-security-best-practices-part-4-of-4/
www.stackrox.io
Azure Kubernetes (AKS) Security Best Practices Part 1 of 4: Designing Secure Clusters and Container Images | StackRox Community
In this article (part 1 of 4), we discuss what you need to know to securely create your AKS clusters and container images.
🔸Lesser Known Techniques for Attacking AWS Environments
"This post will discuss lesser known attack techniques that I would use in attacking AWS accounts and conclude with a discussion of defenses. A common theme among many of these concepts is abusing trust, whether that is incorrectly trusting attacker controlled resources hosted on AWS, or the trust relationships between accounts or within an account.
I’ll discuss a few techniques in gaining initial access, recon, lateral movement between accounts, and data exfiltration."
https://tldrsec.com/blog/lesser-known-aws-attacks/
#aws
"This post will discuss lesser known attack techniques that I would use in attacking AWS accounts and conclude with a discussion of defenses. A common theme among many of these concepts is abusing trust, whether that is incorrectly trusting attacker controlled resources hosted on AWS, or the trust relationships between accounts or within an account.
I’ll discuss a few techniques in gaining initial access, recon, lateral movement between accounts, and data exfiltration."
https://tldrsec.com/blog/lesser-known-aws-attacks/
#aws
🔹Azure Security Basics: Log Analytics, Security Center, and Sentinel
Log Analytics, Sentinel, and ATP can produce a complete picture of your Azure authentication border defenses, virtual server happenings, and everything in between them.
https://www.blackhillsinfosec.com/azure-security-basics-log-analytics-security-center-and-sentinel/
#azure
Log Analytics, Sentinel, and ATP can produce a complete picture of your Azure authentication border defenses, virtual server happenings, and everything in between them.
https://www.blackhillsinfosec.com/azure-security-basics-log-analytics-security-center-and-sentinel/
#azure
Black Hills Information Security, Inc.
Azure Security Basics: Log Analytics, Security Center, and Sentinel - Black Hills Information Security, Inc.
Jordan Drysdale // TL;DR The problem with a pentester’s perspective on defense, hunting, and security: Lab demographics versus scale. If it costs $15 bucks per month per server for me […]
🔹CrowdStrike Reporting Tool for Azure (CRT)
A tool which helps organizations quickly and easily review excessive permissions in their Azure AD environments, helps determine configuration weaknesses, and provides advice to mitigate risk.
https://github.com/CrowdStrike/CRT
#azure
A tool which helps organizations quickly and easily review excessive permissions in their Azure AD environments, helps determine configuration weaknesses, and provides advice to mitigate risk.
https://github.com/CrowdStrike/CRT
#azure
GitHub
GitHub - CrowdStrike/CRT: Contact: CRT@crowdstrike.com
Contact: CRT@crowdstrike.com. Contribute to CrowdStrike/CRT development by creating an account on GitHub.
🔸AWS Lambda $LATEST is dangerous
You should always use function versioning. You should almost always use function aliases, which have a handful of benefits involving metrics in CloudWatch, IAM permissions, traffic-shifting, etc.
https://awsteele.com/blog/2020/12/24/aws-lambda-latest-is-dangerous.html
#aws
You should always use function versioning. You should almost always use function aliases, which have a handful of benefits involving metrics in CloudWatch, IAM permissions, traffic-shifting, etc.
https://awsteele.com/blog/2020/12/24/aws-lambda-latest-is-dangerous.html
#aws
Aidan Steele’s blog (usually about AWS)
AWS Lambda $LATEST is dangerous
AWS Lambda has supported function versions since October 2015, only a couple of months after the service itself was publicly launched. Versions are an optional feature - you can develop and use Lambda functions without versioning, in which case you are working…
Aqua_CSPM_Cloud_Security_Posture_Management_Guide.pdf
3.2 MB
The Essential Guide to Cloud Security Posture Management
How CSPM automates security configuration across clouds
"Cloud Security Posture Management, or CSPM, is a relatively new cloud security
category designed to address configuration and compliance risks in your cloud infrastructure. The concept of CSPM is to enable organizations to automatically discover, assess, and remediate security configuration issues and gaps across multiple cloud providers and accounts. This approach ensures that at any given moment you have a consistent, secure, and compliant cloud infrastructure."
https://info.aquasec.com/cspm-essential-guide
#aws #gcp #azure
How CSPM automates security configuration across clouds
"Cloud Security Posture Management, or CSPM, is a relatively new cloud security
category designed to address configuration and compliance risks in your cloud infrastructure. The concept of CSPM is to enable organizations to automatically discover, assess, and remediate security configuration issues and gaps across multiple cloud providers and accounts. This approach ensures that at any given moment you have a consistent, secure, and compliant cloud infrastructure."
https://info.aquasec.com/cspm-essential-guide
#aws #gcp #azure
aws_security_maturity_roadmap 2021.pdf
273.5 KB
🔸AWS Security Maturity Roadmap 2021
The third annual release of Scott Piper’s excellent guide for securely running on AWS. Probably one of the best, concise, actionable guides on this I know of.
https://summitroute.com/blog/2021/01/12/2021_aws_security_maturity_roadmap_2021/
#aws
The third annual release of Scott Piper’s excellent guide for securely running on AWS. Probably one of the best, concise, actionable guides on this I know of.
https://summitroute.com/blog/2021/01/12/2021_aws_security_maturity_roadmap_2021/
#aws
🔸Auditing PassRole: A Problematic Privilege Escalation Permission
https://ermetic.com/whats-new/blog/auditing-passrole-a-problematic-privilege-escalation-permission/
#aws
iam:PassRole is an AWS permission that enables critical privilege escalation; many supposedly low-privilege identities tend to have it. The PassRole permission requirement is ubiquitous. It extends to more than 300 actions in more than 90 services and, in some cases, is obscured by parameters that indirectly contain the role being passed. Comprehensively auditing it can be a handful but is absolutely worth it as not doing so means leaving relatively easy avenues for privilege escalation wide open.https://ermetic.com/whats-new/blog/auditing-passrole-a-problematic-privilege-escalation-permission/
#aws
Tenable®
Secure cloud exposure with Tenable Cloud Security
Cloud security at Tenable starts with a unified CNAPP powerful enough to manage posture, secure workloads, govern identity & access management, and much more.
🔸Top Ten Security Updates from AWS re:Invent 2020
AWS re:Invent ran for three weeks last year. It is more important than ever to help everyone by summarizing AWS' biggest security announcements.
https://www.linkedin.com/pulse/top-ten-security-updates-from-aws-reinvent-2020-phil-rodrigues/
#aws
AWS re:Invent ran for three weeks last year. It is more important than ever to help everyone by summarizing AWS' biggest security announcements.
https://www.linkedin.com/pulse/top-ten-security-updates-from-aws-reinvent-2020-phil-rodrigues/
#aws
LinkedIn
"Top Ten" Security Updates from AWS re:Invent 2020
This article represents my own view points and not the views of my employer, Amazon Web Services. (Update: Added a bonus item.
🔹🔴Abusing cloud services to fly under the radar
NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to data from the airline industry. In their intrusions they regularly abuse cloud services from Google and Microsoft to achieve their goals.
https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
#gcp #azure
NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to data from the airline industry. In their intrusions they regularly abuse cloud services from Google and Microsoft to achieve their goals.
https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
#gcp #azure
🔸Compliance-as-code and auto-remediation with Cloud Custodian
AWS blog post about using Cloud Custodian + Lambdas to enforce compliance-as-code and auto-remediation. Cloud Custodian is an open source, stateless rules engine that offers policy-level execution against multiple kinds of event streams, including CloudWatch Events, CloudTrail events, and more.
https://aws.amazon.com/blogs/opensource/compliance-as-code-and-auto-remediation-with-cloud-custodian/
#aws
AWS blog post about using Cloud Custodian + Lambdas to enforce compliance-as-code and auto-remediation. Cloud Custodian is an open source, stateless rules engine that offers policy-level execution against multiple kinds of event streams, including CloudWatch Events, CloudTrail events, and more.
https://aws.amazon.com/blogs/opensource/compliance-as-code-and-auto-remediation-with-cloud-custodian/
#aws
Amazon
Compliance as code and auto-remediation with Cloud Custodian | Amazon Web Services
Many organizations identify governance and compliance as challenges, and a lack of visibility into cloud infrastructure as a prevalent problem. Companies spend thousands of hours a year maintaining compliance. Automating compliance monitoring and response…
82% of companies unknowingly give 3rd parties access to all their cloud data
The Wiz team conducted a research of permissions provided to 3rd party vendors in cloud environments and the results should be a wake-up call. In the majority of cases these permissions are there for no reason: the vendor doesn't actually need them, and the customers aren't even aware that they gave them to the vendor.
https://wiz.io/blog/82-of-companies-unknowingly-give-3rd-parties-access-to-all-their-cloud-data/
#aws #gcp #azure
The Wiz team conducted a research of permissions provided to 3rd party vendors in cloud environments and the results should be a wake-up call. In the majority of cases these permissions are there for no reason: the vendor doesn't actually need them, and the customers aren't even aware that they gave them to the vendor.
https://wiz.io/blog/82-of-companies-unknowingly-give-3rd-parties-access-to-all-their-cloud-data/
#aws #gcp #azure
wiz.io
82% of companies unknowingly give 3rd parties access to all their cloud data | Wiz Blog
Cloud identity permissions are complex. So complex that innocent looking permissions provided to 3rd party vendors can lead to unintended exposure of all of your data.
Overview-AWS-Lambda-Security.pdf
366.9 KB
🔸Security Overview of AWS
Lambda
An In-Depth Look at AWS Lambda Security, February 2021
This whitepaper presents a deep dive into the AWS Lambda service through a security lens. It provides a well-rounded picture of the service, which is useful for new adopters, and deepens understanding of Lambda for current users. The intended audience for this whitepaper is Chief Information Security Officers (CISOs), information security groups, security engineers, enterprise architects, compliance teams, and any others interested in understanding the underpinnings of AWS Lambda.
#aws
Lambda
An In-Depth Look at AWS Lambda Security, February 2021
This whitepaper presents a deep dive into the AWS Lambda service through a security lens. It provides a well-rounded picture of the service, which is useful for new adopters, and deepens understanding of Lambda for current users. The intended audience for this whitepaper is Chief Information Security Officers (CISOs), information security groups, security engineers, enterprise architects, compliance teams, and any others interested in understanding the underpinnings of AWS Lambda.
#aws
🔴GCP OAuth Token Hijacking in Google Cloud
If an attacker compromises an engineer's workstation, they can easily steal and abuse cached credentials, even if MFA is enabled (Part 1, Part 2).
https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1
🔴Google Kubernetes Engine IAM Roles
What separates the GKE IAM Roles "Kubernetes Engine Developer" from "Kubernetes Engine Admin"? In most cases, not that much.
https://darkbit.io/blog/kubernetes-engine-iam-roles
🔴Google Cloud IAM Custom Role and Permissions Debugging Tricks
An approach for creating and verifying least-privilege custom IAM Roles using the gcloud sdk Docker image, Data Access Logging, and the IAM Policy Troubleshooter.
https://darkbit.io/blog/google-cloud-custom-iam-role-debugging-tricks
#gcp
If an attacker compromises an engineer's workstation, they can easily steal and abuse cached credentials, even if MFA is enabled (Part 1, Part 2).
https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1
🔴Google Kubernetes Engine IAM Roles
What separates the GKE IAM Roles "Kubernetes Engine Developer" from "Kubernetes Engine Admin"? In most cases, not that much.
https://darkbit.io/blog/kubernetes-engine-iam-roles
🔴Google Cloud IAM Custom Role and Permissions Debugging Tricks
An approach for creating and verifying least-privilege custom IAM Roles using the gcloud sdk Docker image, Data Access Logging, and the IAM Policy Troubleshooter.
https://darkbit.io/blog/google-cloud-custom-iam-role-debugging-tricks
#gcp
Netskope
GCP OAuth Token Hijacking in Google Cloud - Part 1
If an attacker compromises a Google Cloud Platform (GCP) user's device, he can easily steal and abuse cached credentials, even if MFA is enabled. In this
CSA_CCMv4.0_Final_012021.xlsx
41.5 KB
The CSA Cloud Controls Matrix (CCM) V4: Raising the cloud security bar to the next level
The Cloud Security Alliance released version 4 of the Cloud Controls Matrix (CCM). The upgrade from CCM v3.0.1 to v4 has been imperative considering the evolution of the cloud security landscape, both from the technical and legal and regulatory standpoint. There was also a need for organizations to make the implementation of security and privacy controls more efficient and streamline compliance.
https://cloudsecurityalliance.org/blog/2021/01/21/the-csa-cloud-controls-matrix-ccm-v4-raising-the-cloud-security-bar-to-the-next-level/
The Cloud Security Alliance released version 4 of the Cloud Controls Matrix (CCM). The upgrade from CCM v3.0.1 to v4 has been imperative considering the evolution of the cloud security landscape, both from the technical and legal and regulatory standpoint. There was also a need for organizations to make the implementation of security and privacy controls more efficient and streamline compliance.
https://cloudsecurityalliance.org/blog/2021/01/21/the-csa-cloud-controls-matrix-ccm-v4-raising-the-cloud-security-bar-to-the-next-level/