🔸Security Logging in Cloud Environments - AWS
Post by Marco Lancini describing how to design a multi-account security-related logging platform in AWS. He discusses various services (CloudTrail, CloudWatch, GuardDuty, Config), access logs, collecting logs, long-term storage and audit trail, and monitoring and alerting.
https://www.marcolancini.it/2021/blog-security-logging-cloud-environments-aws/
#aws
Post by Marco Lancini describing how to design a multi-account security-related logging platform in AWS. He discusses various services (CloudTrail, CloudWatch, GuardDuty, Config), access logs, collecting logs, long-term storage and audit trail, and monitoring and alerting.
https://www.marcolancini.it/2021/blog-security-logging-cloud-environments-aws/
#aws
CISO’s Guide to Cloud Security Transformation
New whitepaper by GCP covering: “prepare your company culture for cloud security, evolve how your company works, evolve key security roles and responsibilities, and design your security operating model.”
https://cloud.google.com/blog/products/identity-security/cisos-guide-to-cloud-security-transformation
New whitepaper by GCP covering: “prepare your company culture for cloud security, evolve how your company works, evolve key security roles and responsibilities, and design your security operating model.”
https://cloud.google.com/blog/products/identity-security/cisos-guide-to-cloud-security-transformation
Google Cloud Blog
New Google whitepaper examines a CISOs best approach to a cloud security transformation | Google Cloud Blog
Switching to the cloud presents a huge opportunity for CISOs to transform their company's approach to security. Here’s what you need to know.
🔴Lateral Movement & Privilege Escalation in GCP; Compromise Organizations without Dropping an Implant
"In this talk, we'll demonstrate several techniques to perform identity compromise via the ActAs permission, privilege escalation, lateral movement, and widespread project compromise in Google Cloud. We will also release tools for exploitation."
https://youtu.be/kyqeBGNSEIc
#gcp
"In this talk, we'll demonstrate several techniques to perform identity compromise via the ActAs permission, privilege escalation, lateral movement, and widespread project compromise in Google Cloud. We will also release tools for exploitation."
https://youtu.be/kyqeBGNSEIc
#gcp
YouTube
Lateral Movement & Privilege Escalation in GCP; Compromise Organizations without Dropping an Implant
Google Cloud's security model in many ways is quite different from AWS. Spark jobs, Cloud Functions, Jupyter Notebooks, and more default to having administrative capabilities over cloud API's. Instead of defaulting to no capabilities, permissions are granted…
🔸Top ten AWS identity health checks to improve security in the cloud
Ten recommended AWS identity health checks which can help you understand your IAM health, prioritize improvements to your IAM implementation, and operationalize effective access management processes.
https://k9security.io/docs/aws-identity-health-checks/
#aws
Ten recommended AWS identity health checks which can help you understand your IAM health, prioritize improvements to your IAM implementation, and operationalize effective access management processes.
https://k9security.io/docs/aws-identity-health-checks/
#aws
🔸Retrieving AWS security credentials from the AWS console
How to retrieve AWS security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) when authenticated in the AWS Console.
https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/
#aws
How to retrieve AWS security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) when authenticated in the AWS Console.
https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/
#aws
Christophe Tafani-Dereeper
Retrieving AWS security credentials from the AWS console
Retrieve AWS security credentials from the AWS console using CloudShell.
🔸AWS Visibility & Enforcement
A cheatsheet of a number of useful tools for getting visibility into your cloud environment and continuously enforcing security policies, by Marco Lancini.
https://cloudsecdocs.com/aws/devops/tooling/visibility/
#aws
A cheatsheet of a number of useful tools for getting visibility into your cloud environment and continuously enforcing security policies, by Marco Lancini.
https://cloudsecdocs.com/aws/devops/tooling/visibility/
#aws
🔸iam-service-account-controller
Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts.
https://github.com/ovotech/iam-service-account-controller
#aws
Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts.
https://github.com/ovotech/iam-service-account-controller
#aws
GitHub
GitHub - ovotech/iam-service-account-controller: Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts
Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts - ovotech/iam-service-account-controller
🔸🔴Access Service: Temporary Access to the Cloud
How the Segment Security Engineering Team approaches access to AWS/GCP roles and SaaS apps, and how they implemented a time-based, peer-reviewed access.
https://segment.com/blog/access-service/
#aws #gcp
How the Segment Security Engineering Team approaches access to AWS/GCP roles and SaaS apps, and how they implemented a time-based, peer-reviewed access.
https://segment.com/blog/access-service/
#aws #gcp
Segment
Access Service: Temporary Access to the Cloud
🔸Protecting Amazon S3 Data from Ransomware
Ransomware targeting S3 is more than likely to simply delete your data and claim that it's being held ransom than actually encrypting it
https://securingthe.cloud/aws/protecting-amazon-s3-data-from-ransomware/
#aws
Ransomware targeting S3 is more than likely to simply delete your data and claim that it's being held ransom than actually encrypting it
https://securingthe.cloud/aws/protecting-amazon-s3-data-from-ransomware/
#aws
Securing The Cloud
Protecting Amazon S3 Data from Ransomware
Learn how to to protect your Amazon S3 (Simple Storage Service) data from ransomware attacks.
🔸AWS Accounts as Security Boundaries - 97+Ways Data Can be Shared Across Accounts
Security teams cannot simply rely on the AWS account boundary to limit access between environments. Instead, they must carefully audit IAM policies, resource policies, Organization membership, RAM shares, service-level integrations, and sometimes combinations of one of more of these options, in order to properly evaluate how data from one account is being sent to others.
https://matthewdf10.medium.com/aws-accounts-as-security-boundaries-97-ways-data-can-be-shared-across-accounts-b933ce9c837e
#aws
Security teams cannot simply rely on the AWS account boundary to limit access between environments. Instead, they must carefully audit IAM policies, resource policies, Organization membership, RAM shares, service-level integrations, and sometimes combinations of one of more of these options, in order to properly evaluate how data from one account is being sent to others.
https://matthewdf10.medium.com/aws-accounts-as-security-boundaries-97-ways-data-can-be-shared-across-accounts-b933ce9c837e
#aws
Medium
AWS Accounts as Security Boundaries — 97+Ways Data Can be Shared Across Accounts
Although AWS accounts start off as secure boundaries, there are nearly 100 ways data can be sent across this boundary to other accounts.
🔸Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion
Tenchi Security’s Alexandre Sieira and Leonardo Viveiros describe how wildcard expansion when specifying HTTP verbs and paths that are allowed can potentially expose things you did not intend. Man, sometimes AWS feels like Complexity/Footguns-as-a-Service. Like Intuit lobbying against making taxes easier because it’s not in their financial interests.
https://www.tenchisecurity.com/blog/thefaultinourstars
#aws
Tenchi Security’s Alexandre Sieira and Leonardo Viveiros describe how wildcard expansion when specifying HTTP verbs and paths that are allowed can potentially expose things you did not intend. Man, sometimes AWS feels like Complexity/Footguns-as-a-Service. Like Intuit lobbying against making taxes easier because it’s not in their financial interests.
https://www.tenchisecurity.com/blog/thefaultinourstars
#aws
Forwarded from AWS Notes
AWS Security Reference Architecture (AWS SRA) — документ по комплексной настройке сервисов безопасности в мульти-аккаунтной среде:
https://docs.aws.amazon.com/prenoscriptive-guidance/latest/security-reference-architecture/welcome.html
#security
https://docs.aws.amazon.com/prenoscriptive-guidance/latest/security-reference-architecture/welcome.html
Although we rely on a one-page diagram as our foundation, an architecture goes deeper than a single block diagram and must be built on a well-structured foundation of fundamentals and security principles. You can use this document in two ways: as a narrative or as a reference.#security
🔸How we prevented subdomain takeovers and saved $000s
Blog post describing new open source tool for protecting cloud infrastructure from subdomain takeover, using AWS Lambda functions integrated with Amazon Route53.
https://tech.ovoenergy.com/how-we-prevented-subdomain-takeovers-and-saved-000s/
#aws
Blog post describing new open source tool for protecting cloud infrastructure from subdomain takeover, using AWS Lambda functions integrated with Amazon Route53.
https://tech.ovoenergy.com/how-we-prevented-subdomain-takeovers-and-saved-000s/
#aws
OVO Tech Blog
Domain Protect - prevent subdomain takeover of cloud resources
How we developed Domain Protect, an open source tool for automated scanning of cloud infrastructure for subdomains vulnerable to takeover.
🔶 Why AWS SSO is vulnerable by design to device code authentication phishing?
"In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing – just like any identity provider implementing OpenID Connect device code authentication. This technique was first demonstrated by Dr. Nestori Syynimaa for Azure AD. The feature provides a powerful phishing vector for attackers, rendering ineffective controls such as MFA (including Yubikeys) or IP allow-listing at the IdP level."
https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/
#aws
"In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing – just like any identity provider implementing OpenID Connect device code authentication. This technique was first demonstrated by Dr. Nestori Syynimaa for Azure AD. The feature provides a powerful phishing vector for attackers, rendering ineffective controls such as MFA (including Yubikeys) or IP allow-listing at the IdP level."
https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/
#aws