🔸Top ten AWS identity health checks to improve security in the cloud

Ten recommended AWS identity health checks which can help you understand your IAM health, prioritize improvements to your IAM implementation, and operationalize effective access management processes.

https://k9security.io/docs/aws-identity-health-checks/

#aws

🔸Retrieving AWS security credentials from the AWS console

How to retrieve AWS security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) when authenticated in the AWS Console.

https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/

#aws

🔸AWS Visibility & Enforcement

A cheatsheet of a number of useful tools for getting visibility into your cloud environment and continuously enforcing security policies, by Marco Lancini.

https://cloudsecdocs.com/aws/devops/tooling/visibility/

#aws

🔸iam-service-account-controller

Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts.

https://github.com/ovotech/iam-service-account-controller

#aws

🔸🔴Access Service: Temporary Access to the Cloud

How the Segment Security Engineering Team approaches access to AWS/GCP roles and SaaS apps, and how they implemented a time-based, peer-reviewed access.

https://segment.com/blog/access-service/

#aws #gcp

🔸Protecting Amazon S3 Data from Ransomware

Ransomware targeting S3 is more than likely to simply delete your data and claim that it's being held ransom than actually encrypting it

https://securingthe.cloud/aws/protecting-amazon-s3-data-from-ransomware/

#aws

🔸AWS Accounts as Security Boundaries - 97+Ways Data Can be Shared Across Accounts

Security teams cannot simply rely on the AWS account boundary to limit access between environments. Instead, they must carefully audit IAM policies, resource policies, Organization membership, RAM shares, service-level integrations, and sometimes combinations of one of more of these options, in order to properly evaluate how data from one account is being sent to others.

https://matthewdf10.medium.com/aws-accounts-as-security-boundaries-97-ways-data-can-be-shared-across-accounts-b933ce9c837e

#aws

🔸Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion

Tenchi Security’s Alexandre Sieira and Leonardo Viveiros describe how wildcard expansion when specifying HTTP verbs and paths that are allowed can potentially expose things you did not intend. Man, sometimes AWS feels like Complexity/Footguns-as-a-Service. Like Intuit lobbying against making taxes easier because it’s not in their financial interests.

https://www.tenchisecurity.com/blog/thefaultinourstars

#aws

​​AWS Security Reference Architecture (AWS SRA) — документ по комплексной настройке сервисов безопасности в мульти-аккаунтной среде:

https://docs.aws.amazon.com/prenoscriptive-guidance/latest/security-reference-architecture/welcome.html

Although we rely on a one-page diagram as our foundation, an architecture goes deeper than a single block diagram and must be built on a well-structured foundation of fundamentals and security principles. You can use this document in two ways: as a narrative or as a reference.

#security

🔸How we prevented subdomain takeovers and saved $000s

Blog post describing new open source tool for protecting cloud infrastructure from subdomain takeover, using AWS Lambda functions integrated with Amazon Route53.

https://tech.ovoenergy.com/how-we-prevented-subdomain-takeovers-and-saved-000s/

#aws

🔶 Why AWS SSO is vulnerable by design to device code authentication phishing?

"In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing – just like any identity provider implementing OpenID Connect device code authentication. This technique was first demonstrated by Dr. Nestori Syynimaa for Azure AD. The feature provides a powerful phishing vector for attackers, rendering ineffective controls such as MFA (including Yubikeys) or IP allow-listing at the IdP level."

https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/

#aws

🔸Building an end-to-end Kubernetes-based DevSecOps software factory on AWS

"DevSecOps software factory implementation can significantly vary depending on the application, infrastructure, architecture, and the services and tools used. In a previous post, I provided an end-to-end DevSecOps pipeline for a three-tier web application deployed with AWS Elastic Beanstalk. The pipeline used cloud-native services along with a few open-source security tools. This solution is similar, but instead uses a containers-based approach with additional security analysis stages. It defines a software factory using Kubernetes along with necessary AWS Cloud-native services and open-source third-party tools. Code is provided in the GitHub repo to build this DevSecOps software factory, including the integration code for third-party scanning tools."

https://aws.amazon.com/ru/blogs/devops/building-an-end-to-end-kubernetes-based-devsecops-software-factory-on-aws/

#aws

🔸Automated Github Backups with ECS and S3

Architecture and implications of an automated process aiming to backup a Github account, relying on ECS Fargate and S3 Glacier. The author, Marco Lancini, explains in his blog the architecture and implications of the final setup he decided to go with.

https://www.marcolancini.it/2021/blog-github-backups-with-ecs/

#aws

🔶 Best practices for securing Identity and Access Management on Amazon Web Services

Post looking at different approaches to help keep IAM configuration tidy, auditable and right-sized.

https://bridgecrew.io/blog/best-practices-for-securing-identity-and-access-management-on-amazon-web-services/

#aws

🔶 The Gamer Guide to Playing Amazon Web Services (AWS)

In this article, the author shares a getting started guide for AWS, in a similar style to the getting started guides that many experienced MMORPG players write for new players. It is a lot easier to get into a game, understand what to do, where to go, and how to play optimally when you have tips from other players who have gone before you.

https://nathanpeck.com/gamers-guide-to-playing-aws/

#aws

🔶 Uncomplicate Security for developers using Reference Architectures
In this blog, Anunay Bhatt,
Cloud Security Architect, will walk through some of the salient features of a meaningful security reference architecture and the process required to develop one. The author will also look at the challenges that one might expect to face while launching a successful security reference architecture program.
https://ab-lumos.medium.com/embedding-security-into-sdlc-using-reference-architectures-for-developers-29403c00fb3d
#aws

🔶 AWS Service Control Policy (SCP) Repository

A repository of AWS Service Control Policy templates and examples that can be deployed using CloudFormation custom resource or AWS CLI noscripts.

Some great examples like: preventing users from disabling or altering the configuration of CloudTrail, AWS Config, and CloudWatch, preventing any VPC that doesn’t already have Internet access from getting it, and more.

https://asecure.cloud/l/scp/
#aws