🔸Cloud Security Table Top Exercises
A great list of scenarios to think through by Matt Fuller, including:
- Malicious VPC peering request
- Compromised Lambda Layers
- Injected CloudFormation Templates
- Broken CloudTrail Logs
- and a bunch more
https://matthewdf10.medium.com/cloud-security-table-top-exercises-629d353c268e?
#aws
A great list of scenarios to think through by Matt Fuller, including:
- Malicious VPC peering request
- Compromised Lambda Layers
- Injected CloudFormation Templates
- Broken CloudTrail Logs
- and a bunch more
https://matthewdf10.medium.com/cloud-security-table-top-exercises-629d353c268e?
#aws
🔴New whitepaper: Designing and deploying a data security strategy with Google Cloud
New 23 page whitepaper from the GCP team: “we wanted to explore both the question of starting a data security program in a cloud-native way, as well as adjusting your existing daily security program when you start utilizing cloud computing.” It covers the 3 pillars of effective cloud security (Identity, Boundary and Access, Visibility), controls that enable the pillars, rethinking your data security strategy, and more.
https://cloud.google.com/blog/products/identity-security/start-a-data-security-program-in-a-cloud-native-way-on-google-cloud
#gcp
New 23 page whitepaper from the GCP team: “we wanted to explore both the question of starting a data security program in a cloud-native way, as well as adjusting your existing daily security program when you start utilizing cloud computing.” It covers the 3 pillars of effective cloud security (Identity, Boundary and Access, Visibility), controls that enable the pillars, rethinking your data security strategy, and more.
https://cloud.google.com/blog/products/identity-security/start-a-data-security-program-in-a-cloud-native-way-on-google-cloud
#gcp
Google Cloud Blog
Designing your data security program in a cloud-native way on Google Cloud | Google Cloud Blog
Our new whitepaper helps you start a data security program in a cloud-native way and adjust your existing data security program when you start utilizing cloud computing.
🔸AWS Service Control Policies (SCPs)
Nice overview page of SCPs by Marco Lancini covering what they are, what they can’t do, and example policies like denying API calls from root users, denying the ability to disrupt CloudTrail or GuardDuty, and more.
https://cloudsecdocs.com/aws/devops/resources/scps/
#aws
Nice overview page of SCPs by Marco Lancini covering what they are, what they can’t do, and example policies like denying API calls from root users, denying the ability to disrupt CloudTrail or GuardDuty, and more.
https://cloudsecdocs.com/aws/devops/resources/scps/
#aws
🔸Building a secure CI/CD pipeline for Terraform Infrastructure as Code
How the OVO team created a model for delivering infrastructure changes with robust security practices, and used to it build a secure Terraform CI/CD solution for AWS.
https://tech.ovoenergy.com/building-a-secure-ci-cd-pipeline-for-terraform-infrastructure-as-code/
#aws
How the OVO team created a model for delivering infrastructure changes with robust security practices, and used to it build a secure Terraform CI/CD solution for AWS.
https://tech.ovoenergy.com/building-a-secure-ci-cd-pipeline-for-terraform-infrastructure-as-code/
#aws
🔸Security Logging in Cloud Environments - AWS
Post by Marco Lancini describing how to design a multi-account security-related logging platform in AWS. He discusses various services (CloudTrail, CloudWatch, GuardDuty, Config), access logs, collecting logs, long-term storage and audit trail, and monitoring and alerting.
https://www.marcolancini.it/2021/blog-security-logging-cloud-environments-aws/
#aws
Post by Marco Lancini describing how to design a multi-account security-related logging platform in AWS. He discusses various services (CloudTrail, CloudWatch, GuardDuty, Config), access logs, collecting logs, long-term storage and audit trail, and monitoring and alerting.
https://www.marcolancini.it/2021/blog-security-logging-cloud-environments-aws/
#aws
CISO’s Guide to Cloud Security Transformation
New whitepaper by GCP covering: “prepare your company culture for cloud security, evolve how your company works, evolve key security roles and responsibilities, and design your security operating model.”
https://cloud.google.com/blog/products/identity-security/cisos-guide-to-cloud-security-transformation
New whitepaper by GCP covering: “prepare your company culture for cloud security, evolve how your company works, evolve key security roles and responsibilities, and design your security operating model.”
https://cloud.google.com/blog/products/identity-security/cisos-guide-to-cloud-security-transformation
Google Cloud Blog
New Google whitepaper examines a CISOs best approach to a cloud security transformation | Google Cloud Blog
Switching to the cloud presents a huge opportunity for CISOs to transform their company's approach to security. Here’s what you need to know.
🔴Lateral Movement & Privilege Escalation in GCP; Compromise Organizations without Dropping an Implant
"In this talk, we'll demonstrate several techniques to perform identity compromise via the ActAs permission, privilege escalation, lateral movement, and widespread project compromise in Google Cloud. We will also release tools for exploitation."
https://youtu.be/kyqeBGNSEIc
#gcp
"In this talk, we'll demonstrate several techniques to perform identity compromise via the ActAs permission, privilege escalation, lateral movement, and widespread project compromise in Google Cloud. We will also release tools for exploitation."
https://youtu.be/kyqeBGNSEIc
#gcp
YouTube
Lateral Movement & Privilege Escalation in GCP; Compromise Organizations without Dropping an Implant
Google Cloud's security model in many ways is quite different from AWS. Spark jobs, Cloud Functions, Jupyter Notebooks, and more default to having administrative capabilities over cloud API's. Instead of defaulting to no capabilities, permissions are granted…
🔸Top ten AWS identity health checks to improve security in the cloud
Ten recommended AWS identity health checks which can help you understand your IAM health, prioritize improvements to your IAM implementation, and operationalize effective access management processes.
https://k9security.io/docs/aws-identity-health-checks/
#aws
Ten recommended AWS identity health checks which can help you understand your IAM health, prioritize improvements to your IAM implementation, and operationalize effective access management processes.
https://k9security.io/docs/aws-identity-health-checks/
#aws
🔸Retrieving AWS security credentials from the AWS console
How to retrieve AWS security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) when authenticated in the AWS Console.
https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/
#aws
How to retrieve AWS security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) when authenticated in the AWS Console.
https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/
#aws
Christophe Tafani-Dereeper
Retrieving AWS security credentials from the AWS console
Retrieve AWS security credentials from the AWS console using CloudShell.
🔸AWS Visibility & Enforcement
A cheatsheet of a number of useful tools for getting visibility into your cloud environment and continuously enforcing security policies, by Marco Lancini.
https://cloudsecdocs.com/aws/devops/tooling/visibility/
#aws
A cheatsheet of a number of useful tools for getting visibility into your cloud environment and continuously enforcing security policies, by Marco Lancini.
https://cloudsecdocs.com/aws/devops/tooling/visibility/
#aws
🔸iam-service-account-controller
Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts.
https://github.com/ovotech/iam-service-account-controller
#aws
Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts.
https://github.com/ovotech/iam-service-account-controller
#aws
GitHub
GitHub - ovotech/iam-service-account-controller: Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts
Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts - ovotech/iam-service-account-controller
🔸🔴Access Service: Temporary Access to the Cloud
How the Segment Security Engineering Team approaches access to AWS/GCP roles and SaaS apps, and how they implemented a time-based, peer-reviewed access.
https://segment.com/blog/access-service/
#aws #gcp
How the Segment Security Engineering Team approaches access to AWS/GCP roles and SaaS apps, and how they implemented a time-based, peer-reviewed access.
https://segment.com/blog/access-service/
#aws #gcp
Segment
Access Service: Temporary Access to the Cloud
🔸Protecting Amazon S3 Data from Ransomware
Ransomware targeting S3 is more than likely to simply delete your data and claim that it's being held ransom than actually encrypting it
https://securingthe.cloud/aws/protecting-amazon-s3-data-from-ransomware/
#aws
Ransomware targeting S3 is more than likely to simply delete your data and claim that it's being held ransom than actually encrypting it
https://securingthe.cloud/aws/protecting-amazon-s3-data-from-ransomware/
#aws
Securing The Cloud
Protecting Amazon S3 Data from Ransomware
Learn how to to protect your Amazon S3 (Simple Storage Service) data from ransomware attacks.
🔸AWS Accounts as Security Boundaries - 97+Ways Data Can be Shared Across Accounts
Security teams cannot simply rely on the AWS account boundary to limit access between environments. Instead, they must carefully audit IAM policies, resource policies, Organization membership, RAM shares, service-level integrations, and sometimes combinations of one of more of these options, in order to properly evaluate how data from one account is being sent to others.
https://matthewdf10.medium.com/aws-accounts-as-security-boundaries-97-ways-data-can-be-shared-across-accounts-b933ce9c837e
#aws
Security teams cannot simply rely on the AWS account boundary to limit access between environments. Instead, they must carefully audit IAM policies, resource policies, Organization membership, RAM shares, service-level integrations, and sometimes combinations of one of more of these options, in order to properly evaluate how data from one account is being sent to others.
https://matthewdf10.medium.com/aws-accounts-as-security-boundaries-97-ways-data-can-be-shared-across-accounts-b933ce9c837e
#aws
Medium
AWS Accounts as Security Boundaries — 97+Ways Data Can be Shared Across Accounts
Although AWS accounts start off as secure boundaries, there are nearly 100 ways data can be sent across this boundary to other accounts.
🔸Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion
Tenchi Security’s Alexandre Sieira and Leonardo Viveiros describe how wildcard expansion when specifying HTTP verbs and paths that are allowed can potentially expose things you did not intend. Man, sometimes AWS feels like Complexity/Footguns-as-a-Service. Like Intuit lobbying against making taxes easier because it’s not in their financial interests.
https://www.tenchisecurity.com/blog/thefaultinourstars
#aws
Tenchi Security’s Alexandre Sieira and Leonardo Viveiros describe how wildcard expansion when specifying HTTP verbs and paths that are allowed can potentially expose things you did not intend. Man, sometimes AWS feels like Complexity/Footguns-as-a-Service. Like Intuit lobbying against making taxes easier because it’s not in their financial interests.
https://www.tenchisecurity.com/blog/thefaultinourstars
#aws