Overview-AWS-Lambda-Security.pdf
366.9 KB
🔸Security Overview of AWS
Lambda
An In-Depth Look at AWS Lambda Security, February 2021
This whitepaper presents a deep dive into the AWS Lambda service through a security lens. It provides a well-rounded picture of the service, which is useful for new adopters, and deepens understanding of Lambda for current users. The intended audience for this whitepaper is Chief Information Security Officers (CISOs), information security groups, security engineers, enterprise architects, compliance teams, and any others interested in understanding the underpinnings of AWS Lambda.
#aws
Lambda
An In-Depth Look at AWS Lambda Security, February 2021
This whitepaper presents a deep dive into the AWS Lambda service through a security lens. It provides a well-rounded picture of the service, which is useful for new adopters, and deepens understanding of Lambda for current users. The intended audience for this whitepaper is Chief Information Security Officers (CISOs), information security groups, security engineers, enterprise architects, compliance teams, and any others interested in understanding the underpinnings of AWS Lambda.
#aws
🔴GCP OAuth Token Hijacking in Google Cloud
If an attacker compromises an engineer's workstation, they can easily steal and abuse cached credentials, even if MFA is enabled (Part 1, Part 2).
https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1
🔴Google Kubernetes Engine IAM Roles
What separates the GKE IAM Roles "Kubernetes Engine Developer" from "Kubernetes Engine Admin"? In most cases, not that much.
https://darkbit.io/blog/kubernetes-engine-iam-roles
🔴Google Cloud IAM Custom Role and Permissions Debugging Tricks
An approach for creating and verifying least-privilege custom IAM Roles using the gcloud sdk Docker image, Data Access Logging, and the IAM Policy Troubleshooter.
https://darkbit.io/blog/google-cloud-custom-iam-role-debugging-tricks
#gcp
If an attacker compromises an engineer's workstation, they can easily steal and abuse cached credentials, even if MFA is enabled (Part 1, Part 2).
https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1
🔴Google Kubernetes Engine IAM Roles
What separates the GKE IAM Roles "Kubernetes Engine Developer" from "Kubernetes Engine Admin"? In most cases, not that much.
https://darkbit.io/blog/kubernetes-engine-iam-roles
🔴Google Cloud IAM Custom Role and Permissions Debugging Tricks
An approach for creating and verifying least-privilege custom IAM Roles using the gcloud sdk Docker image, Data Access Logging, and the IAM Policy Troubleshooter.
https://darkbit.io/blog/google-cloud-custom-iam-role-debugging-tricks
#gcp
Netskope
GCP OAuth Token Hijacking in Google Cloud - Part 1
If an attacker compromises a Google Cloud Platform (GCP) user's device, he can easily steal and abuse cached credentials, even if MFA is enabled. In this
CSA_CCMv4.0_Final_012021.xlsx
41.5 KB
The CSA Cloud Controls Matrix (CCM) V4: Raising the cloud security bar to the next level
The Cloud Security Alliance released version 4 of the Cloud Controls Matrix (CCM). The upgrade from CCM v3.0.1 to v4 has been imperative considering the evolution of the cloud security landscape, both from the technical and legal and regulatory standpoint. There was also a need for organizations to make the implementation of security and privacy controls more efficient and streamline compliance.
https://cloudsecurityalliance.org/blog/2021/01/21/the-csa-cloud-controls-matrix-ccm-v4-raising-the-cloud-security-bar-to-the-next-level/
The Cloud Security Alliance released version 4 of the Cloud Controls Matrix (CCM). The upgrade from CCM v3.0.1 to v4 has been imperative considering the evolution of the cloud security landscape, both from the technical and legal and regulatory standpoint. There was also a need for organizations to make the implementation of security and privacy controls more efficient and streamline compliance.
https://cloudsecurityalliance.org/blog/2021/01/21/the-csa-cloud-controls-matrix-ccm-v4-raising-the-cloud-security-bar-to-the-next-level/
🔹How We Escaped Docker in Azure Functions
Vulnerability in Azure Functions which would allow an attacker to escalate privileges and escape the Azure Functions Docker container to the Docker host. Microsoft has determined that the vulnerability has no security impact on Function users as the Docker host itself is protected by a Hyper-V boundary.
https://www.intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
#azure
Vulnerability in Azure Functions which would allow an attacker to escalate privileges and escape the Azure Functions Docker container to the Docker host. Microsoft has determined that the vulnerability has no security impact on Function users as the Docker host itself is protected by a Hyper-V boundary.
https://www.intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
#azure
Intezer
How We Escaped Docker in Azure Functions
New vulnerability could allow an attacker to escalate privileges and escape the Azure Functions Docker container to the Docker host.
🔸Cloud Security Table Top Exercises
A great list of scenarios to think through by Matt Fuller, including:
- Malicious VPC peering request
- Compromised Lambda Layers
- Injected CloudFormation Templates
- Broken CloudTrail Logs
- and a bunch more
https://matthewdf10.medium.com/cloud-security-table-top-exercises-629d353c268e?
#aws
A great list of scenarios to think through by Matt Fuller, including:
- Malicious VPC peering request
- Compromised Lambda Layers
- Injected CloudFormation Templates
- Broken CloudTrail Logs
- and a bunch more
https://matthewdf10.medium.com/cloud-security-table-top-exercises-629d353c268e?
#aws
🔴New whitepaper: Designing and deploying a data security strategy with Google Cloud
New 23 page whitepaper from the GCP team: “we wanted to explore both the question of starting a data security program in a cloud-native way, as well as adjusting your existing daily security program when you start utilizing cloud computing.” It covers the 3 pillars of effective cloud security (Identity, Boundary and Access, Visibility), controls that enable the pillars, rethinking your data security strategy, and more.
https://cloud.google.com/blog/products/identity-security/start-a-data-security-program-in-a-cloud-native-way-on-google-cloud
#gcp
New 23 page whitepaper from the GCP team: “we wanted to explore both the question of starting a data security program in a cloud-native way, as well as adjusting your existing daily security program when you start utilizing cloud computing.” It covers the 3 pillars of effective cloud security (Identity, Boundary and Access, Visibility), controls that enable the pillars, rethinking your data security strategy, and more.
https://cloud.google.com/blog/products/identity-security/start-a-data-security-program-in-a-cloud-native-way-on-google-cloud
#gcp
Google Cloud Blog
Designing your data security program in a cloud-native way on Google Cloud | Google Cloud Blog
Our new whitepaper helps you start a data security program in a cloud-native way and adjust your existing data security program when you start utilizing cloud computing.
🔸AWS Service Control Policies (SCPs)
Nice overview page of SCPs by Marco Lancini covering what they are, what they can’t do, and example policies like denying API calls from root users, denying the ability to disrupt CloudTrail or GuardDuty, and more.
https://cloudsecdocs.com/aws/devops/resources/scps/
#aws
Nice overview page of SCPs by Marco Lancini covering what they are, what they can’t do, and example policies like denying API calls from root users, denying the ability to disrupt CloudTrail or GuardDuty, and more.
https://cloudsecdocs.com/aws/devops/resources/scps/
#aws
🔸Building a secure CI/CD pipeline for Terraform Infrastructure as Code
How the OVO team created a model for delivering infrastructure changes with robust security practices, and used to it build a secure Terraform CI/CD solution for AWS.
https://tech.ovoenergy.com/building-a-secure-ci-cd-pipeline-for-terraform-infrastructure-as-code/
#aws
How the OVO team created a model for delivering infrastructure changes with robust security practices, and used to it build a secure Terraform CI/CD solution for AWS.
https://tech.ovoenergy.com/building-a-secure-ci-cd-pipeline-for-terraform-infrastructure-as-code/
#aws
🔸Security Logging in Cloud Environments - AWS
Post by Marco Lancini describing how to design a multi-account security-related logging platform in AWS. He discusses various services (CloudTrail, CloudWatch, GuardDuty, Config), access logs, collecting logs, long-term storage and audit trail, and monitoring and alerting.
https://www.marcolancini.it/2021/blog-security-logging-cloud-environments-aws/
#aws
Post by Marco Lancini describing how to design a multi-account security-related logging platform in AWS. He discusses various services (CloudTrail, CloudWatch, GuardDuty, Config), access logs, collecting logs, long-term storage and audit trail, and monitoring and alerting.
https://www.marcolancini.it/2021/blog-security-logging-cloud-environments-aws/
#aws
CISO’s Guide to Cloud Security Transformation
New whitepaper by GCP covering: “prepare your company culture for cloud security, evolve how your company works, evolve key security roles and responsibilities, and design your security operating model.”
https://cloud.google.com/blog/products/identity-security/cisos-guide-to-cloud-security-transformation
New whitepaper by GCP covering: “prepare your company culture for cloud security, evolve how your company works, evolve key security roles and responsibilities, and design your security operating model.”
https://cloud.google.com/blog/products/identity-security/cisos-guide-to-cloud-security-transformation
Google Cloud Blog
New Google whitepaper examines a CISOs best approach to a cloud security transformation | Google Cloud Blog
Switching to the cloud presents a huge opportunity for CISOs to transform their company's approach to security. Here’s what you need to know.
🔴Lateral Movement & Privilege Escalation in GCP; Compromise Organizations without Dropping an Implant
"In this talk, we'll demonstrate several techniques to perform identity compromise via the ActAs permission, privilege escalation, lateral movement, and widespread project compromise in Google Cloud. We will also release tools for exploitation."
https://youtu.be/kyqeBGNSEIc
#gcp
"In this talk, we'll demonstrate several techniques to perform identity compromise via the ActAs permission, privilege escalation, lateral movement, and widespread project compromise in Google Cloud. We will also release tools for exploitation."
https://youtu.be/kyqeBGNSEIc
#gcp
YouTube
Lateral Movement & Privilege Escalation in GCP; Compromise Organizations without Dropping an Implant
Google Cloud's security model in many ways is quite different from AWS. Spark jobs, Cloud Functions, Jupyter Notebooks, and more default to having administrative capabilities over cloud API's. Instead of defaulting to no capabilities, permissions are granted…
🔸Top ten AWS identity health checks to improve security in the cloud
Ten recommended AWS identity health checks which can help you understand your IAM health, prioritize improvements to your IAM implementation, and operationalize effective access management processes.
https://k9security.io/docs/aws-identity-health-checks/
#aws
Ten recommended AWS identity health checks which can help you understand your IAM health, prioritize improvements to your IAM implementation, and operationalize effective access management processes.
https://k9security.io/docs/aws-identity-health-checks/
#aws
🔸Retrieving AWS security credentials from the AWS console
How to retrieve AWS security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) when authenticated in the AWS Console.
https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/
#aws
How to retrieve AWS security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) when authenticated in the AWS Console.
https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/
#aws
Christophe Tafani-Dereeper
Retrieving AWS security credentials from the AWS console
Retrieve AWS security credentials from the AWS console using CloudShell.
🔸AWS Visibility & Enforcement
A cheatsheet of a number of useful tools for getting visibility into your cloud environment and continuously enforcing security policies, by Marco Lancini.
https://cloudsecdocs.com/aws/devops/tooling/visibility/
#aws
A cheatsheet of a number of useful tools for getting visibility into your cloud environment and continuously enforcing security policies, by Marco Lancini.
https://cloudsecdocs.com/aws/devops/tooling/visibility/
#aws
🔸iam-service-account-controller
Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts.
https://github.com/ovotech/iam-service-account-controller
#aws
Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts.
https://github.com/ovotech/iam-service-account-controller
#aws
GitHub
GitHub - ovotech/iam-service-account-controller: Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts
Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts - ovotech/iam-service-account-controller