🔸iam-service-account-controller
Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts.
https://github.com/ovotech/iam-service-account-controller
#aws
Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts.
https://github.com/ovotech/iam-service-account-controller
#aws
GitHub
GitHub - ovotech/iam-service-account-controller: Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts
Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts - ovotech/iam-service-account-controller
🔸🔴Access Service: Temporary Access to the Cloud
How the Segment Security Engineering Team approaches access to AWS/GCP roles and SaaS apps, and how they implemented a time-based, peer-reviewed access.
https://segment.com/blog/access-service/
#aws #gcp
How the Segment Security Engineering Team approaches access to AWS/GCP roles and SaaS apps, and how they implemented a time-based, peer-reviewed access.
https://segment.com/blog/access-service/
#aws #gcp
Segment
Access Service: Temporary Access to the Cloud
🔸Protecting Amazon S3 Data from Ransomware
Ransomware targeting S3 is more than likely to simply delete your data and claim that it's being held ransom than actually encrypting it
https://securingthe.cloud/aws/protecting-amazon-s3-data-from-ransomware/
#aws
Ransomware targeting S3 is more than likely to simply delete your data and claim that it's being held ransom than actually encrypting it
https://securingthe.cloud/aws/protecting-amazon-s3-data-from-ransomware/
#aws
Securing The Cloud
Protecting Amazon S3 Data from Ransomware
Learn how to to protect your Amazon S3 (Simple Storage Service) data from ransomware attacks.
🔸AWS Accounts as Security Boundaries - 97+Ways Data Can be Shared Across Accounts
Security teams cannot simply rely on the AWS account boundary to limit access between environments. Instead, they must carefully audit IAM policies, resource policies, Organization membership, RAM shares, service-level integrations, and sometimes combinations of one of more of these options, in order to properly evaluate how data from one account is being sent to others.
https://matthewdf10.medium.com/aws-accounts-as-security-boundaries-97-ways-data-can-be-shared-across-accounts-b933ce9c837e
#aws
Security teams cannot simply rely on the AWS account boundary to limit access between environments. Instead, they must carefully audit IAM policies, resource policies, Organization membership, RAM shares, service-level integrations, and sometimes combinations of one of more of these options, in order to properly evaluate how data from one account is being sent to others.
https://matthewdf10.medium.com/aws-accounts-as-security-boundaries-97-ways-data-can-be-shared-across-accounts-b933ce9c837e
#aws
Medium
AWS Accounts as Security Boundaries — 97+Ways Data Can be Shared Across Accounts
Although AWS accounts start off as secure boundaries, there are nearly 100 ways data can be sent across this boundary to other accounts.
🔸Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion
Tenchi Security’s Alexandre Sieira and Leonardo Viveiros describe how wildcard expansion when specifying HTTP verbs and paths that are allowed can potentially expose things you did not intend. Man, sometimes AWS feels like Complexity/Footguns-as-a-Service. Like Intuit lobbying against making taxes easier because it’s not in their financial interests.
https://www.tenchisecurity.com/blog/thefaultinourstars
#aws
Tenchi Security’s Alexandre Sieira and Leonardo Viveiros describe how wildcard expansion when specifying HTTP verbs and paths that are allowed can potentially expose things you did not intend. Man, sometimes AWS feels like Complexity/Footguns-as-a-Service. Like Intuit lobbying against making taxes easier because it’s not in their financial interests.
https://www.tenchisecurity.com/blog/thefaultinourstars
#aws
Forwarded from AWS Notes
AWS Security Reference Architecture (AWS SRA) — документ по комплексной настройке сервисов безопасности в мульти-аккаунтной среде:
https://docs.aws.amazon.com/prenoscriptive-guidance/latest/security-reference-architecture/welcome.html
#security
https://docs.aws.amazon.com/prenoscriptive-guidance/latest/security-reference-architecture/welcome.html
Although we rely on a one-page diagram as our foundation, an architecture goes deeper than a single block diagram and must be built on a well-structured foundation of fundamentals and security principles. You can use this document in two ways: as a narrative or as a reference.#security
🔸How we prevented subdomain takeovers and saved $000s
Blog post describing new open source tool for protecting cloud infrastructure from subdomain takeover, using AWS Lambda functions integrated with Amazon Route53.
https://tech.ovoenergy.com/how-we-prevented-subdomain-takeovers-and-saved-000s/
#aws
Blog post describing new open source tool for protecting cloud infrastructure from subdomain takeover, using AWS Lambda functions integrated with Amazon Route53.
https://tech.ovoenergy.com/how-we-prevented-subdomain-takeovers-and-saved-000s/
#aws
OVO Tech Blog
Domain Protect - prevent subdomain takeover of cloud resources
How we developed Domain Protect, an open source tool for automated scanning of cloud infrastructure for subdomains vulnerable to takeover.
🔶 Why AWS SSO is vulnerable by design to device code authentication phishing?
"In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing – just like any identity provider implementing OpenID Connect device code authentication. This technique was first demonstrated by Dr. Nestori Syynimaa for Azure AD. The feature provides a powerful phishing vector for attackers, rendering ineffective controls such as MFA (including Yubikeys) or IP allow-listing at the IdP level."
https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/
#aws
"In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing – just like any identity provider implementing OpenID Connect device code authentication. This technique was first demonstrated by Dr. Nestori Syynimaa for Azure AD. The feature provides a powerful phishing vector for attackers, rendering ineffective controls such as MFA (including Yubikeys) or IP allow-listing at the IdP level."
https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/
#aws
🔸Building an end-to-end Kubernetes-based DevSecOps software factory on AWS
"DevSecOps software factory implementation can significantly vary depending on the application, infrastructure, architecture, and the services and tools used. In a previous post, I provided an end-to-end DevSecOps pipeline for a three-tier web application deployed with AWS Elastic Beanstalk. The pipeline used cloud-native services along with a few open-source security tools. This solution is similar, but instead uses a containers-based approach with additional security analysis stages. It defines a software factory using Kubernetes along with necessary AWS Cloud-native services and open-source third-party tools. Code is provided in the GitHub repo to build this DevSecOps software factory, including the integration code for third-party scanning tools."
https://aws.amazon.com/ru/blogs/devops/building-an-end-to-end-kubernetes-based-devsecops-software-factory-on-aws/
#aws
"DevSecOps software factory implementation can significantly vary depending on the application, infrastructure, architecture, and the services and tools used. In a previous post, I provided an end-to-end DevSecOps pipeline for a three-tier web application deployed with AWS Elastic Beanstalk. The pipeline used cloud-native services along with a few open-source security tools. This solution is similar, but instead uses a containers-based approach with additional security analysis stages. It defines a software factory using Kubernetes along with necessary AWS Cloud-native services and open-source third-party tools. Code is provided in the GitHub repo to build this DevSecOps software factory, including the integration code for third-party scanning tools."
https://aws.amazon.com/ru/blogs/devops/building-an-end-to-end-kubernetes-based-devsecops-software-factory-on-aws/
#aws
🔸Automated Github Backups with ECS and S3
Architecture and implications of an automated process aiming to backup a Github account, relying on ECS Fargate and S3 Glacier. The author, Marco Lancini, explains in his blog the architecture and implications of the final setup he decided to go with.
https://www.marcolancini.it/2021/blog-github-backups-with-ecs/
#aws
Architecture and implications of an automated process aiming to backup a Github account, relying on ECS Fargate and S3 Glacier. The author, Marco Lancini, explains in his blog the architecture and implications of the final setup he decided to go with.
https://www.marcolancini.it/2021/blog-github-backups-with-ecs/
#aws
🔶 Best practices for securing Identity and Access Management on Amazon Web Services
Post looking at different approaches to help keep IAM configuration tidy, auditable and right-sized.
https://bridgecrew.io/blog/best-practices-for-securing-identity-and-access-management-on-amazon-web-services/
#aws
Post looking at different approaches to help keep IAM configuration tidy, auditable and right-sized.
https://bridgecrew.io/blog/best-practices-for-securing-identity-and-access-management-on-amazon-web-services/
#aws
Bridgecrew
Best practices for securing Identity and Access Management on Amazon Web Services - Bridgecrew Blog
Pick up these best practices and tools for Identity and Access Management, a crucial component of cloud security.
🔶 The Gamer Guide to Playing Amazon Web Services (AWS)
In this article, the author shares a getting started guide for AWS, in a similar style to the getting started guides that many experienced MMORPG players write for new players. It is a lot easier to get into a game, understand what to do, where to go, and how to play optimally when you have tips from other players who have gone before you.
https://nathanpeck.com/gamers-guide-to-playing-aws/
#aws
In this article, the author shares a getting started guide for AWS, in a similar style to the getting started guides that many experienced MMORPG players write for new players. It is a lot easier to get into a game, understand what to do, where to go, and how to play optimally when you have tips from other players who have gone before you.
https://nathanpeck.com/gamers-guide-to-playing-aws/
#aws
Nathan Peck
The Gamer Guide to Playing Amazon Web Services (AWS)
If you have played an MMORPG then you know the feeling of starting out in a new game. Your character is level one. You have a vast open world to explore, and there are tons of game systems and gear and skills to learn about.
🔶 Uncomplicate Security for developers using Reference Architectures
In this blog, Anunay Bhatt,
Cloud Security Architect, will walk through some of the salient features of a meaningful security reference architecture and the process required to develop one. The author will also look at the challenges that one might expect to face while launching a successful security reference architecture program.
https://ab-lumos.medium.com/embedding-security-into-sdlc-using-reference-architectures-for-developers-29403c00fb3d
#aws
In this blog, Anunay Bhatt,
Cloud Security Architect, will walk through some of the salient features of a meaningful security reference architecture and the process required to develop one. The author will also look at the challenges that one might expect to face while launching a successful security reference architecture program.
https://ab-lumos.medium.com/embedding-security-into-sdlc-using-reference-architectures-for-developers-29403c00fb3d
#aws
🔶 AWS Service Control Policy (SCP) Repository
A repository of AWS Service Control Policy templates and examples that can be deployed using CloudFormation custom resource or AWS CLI noscripts.
Some great examples like: preventing users from disabling or altering the configuration of CloudTrail, AWS Config, and CloudWatch, preventing any VPC that doesn’t already have Internet access from getting it, and more.
https://asecure.cloud/l/scp/
#aws
A repository of AWS Service Control Policy templates and examples that can be deployed using CloudFormation custom resource or AWS CLI noscripts.
Some great examples like: preventing users from disabling or altering the configuration of CloudTrail, AWS Config, and CloudWatch, preventing any VPC that doesn’t already have Internet access from getting it, and more.
https://asecure.cloud/l/scp/
#aws
asecure.cloud
AWS Service Control Policy (SCP) Repository
A repository of AWS Service Control Policy templates and examples that can be deployed using CloudFormation custom resource or AWS CLI noscripts.
🔶Hardening AWS EKS security with RBAC, secure IMDS, and audit logging
First in a series of blog posts looking into the default settings used in AWS Elastic Kubernetes Service (EKS) deployments, and demonstrating how small misconfigurations or unwanted side-effects may put our clusters at risk.
https://snyk.io/blog/hardening-aws-eks-security-rbac-secure-imds-audit-logging/
#aws
First in a series of blog posts looking into the default settings used in AWS Elastic Kubernetes Service (EKS) deployments, and demonstrating how small misconfigurations or unwanted side-effects may put our clusters at risk.
https://snyk.io/blog/hardening-aws-eks-security-rbac-secure-imds-audit-logging/
#aws
Snyk
Hardening Amazon EKS security with RBAC, secure IMDS, and audit logging | Snyk
In this post, we will demonstrate how small misconfigurations or unwanted side-effects can create Amazon EKS security issues. Then we will look at resolving them.
🔶 Build an end-to-end attribute-based access control strategy with AWS SSO and Okta
"This blog post discusses the benefits of using an attribute-based access control (ABAC) strategy and how to use ABAC with AWS SSO when you’re using Okta as an identity provider. With ABAC, you can simplify your access control strategy by granting access to groups of resources, which are specified by tags, instead of managing long lists of individual resources."
https://aws.amazon.com/blogs/security/build-an-end-to-end-attribute-based-access-control-strategy-with-aws-sso-and-okta/
#aws
"This blog post discusses the benefits of using an attribute-based access control (ABAC) strategy and how to use ABAC with AWS SSO when you’re using Okta as an identity provider. With ABAC, you can simplify your access control strategy by granting access to groups of resources, which are specified by tags, instead of managing long lists of individual resources."
https://aws.amazon.com/blogs/security/build-an-end-to-end-attribute-based-access-control-strategy-with-aws-sso-and-okta/
#aws
Amazon
Build an end-to-end attribute-based access control strategy with AWS IAM Identity Center and Okta | Amazon Web Services
April 25, 2023: We’ve updated this blog post to include more security learning resources. September 12, 2022: This blog post has been updated to reflect the new name of AWS Single Sign-On (SSO) – AWS IAM Identity Center. Read more about the name change here.…
🔶 How to defend against DNS exfiltration in AWS?
Key facts from the post:
1️⃣ VPCs by default use the Amazon-provided DNS which can be used to bypass some network-level protection mechanisms (e.g. NACLs or SGs) or monitoring (e.g. VPC Flow Logs).
2️⃣ Recently a new service has been released: the Route 53 Resolver DNS Firewall which allows for blocking and monitoring DNS queries to Amazon DNS.
3️⃣ GuardDuty can also detect malicious DNS traffic, but only in a limited manner.
https://towardsaws.com/how-to-defend-against-dns-exfiltration-in-aws-a65b9214d4e1
#aws
Key facts from the post:
1️⃣ VPCs by default use the Amazon-provided DNS which can be used to bypass some network-level protection mechanisms (e.g. NACLs or SGs) or monitoring (e.g. VPC Flow Logs).
2️⃣ Recently a new service has been released: the Route 53 Resolver DNS Firewall which allows for blocking and monitoring DNS queries to Amazon DNS.
3️⃣ GuardDuty can also detect malicious DNS traffic, but only in a limited manner.
https://towardsaws.com/how-to-defend-against-dns-exfiltration-in-aws-a65b9214d4e1
#aws
Medium
How to defend against DNS exfiltration in AWS?
TL;DR
🔹 MITRE ATT&CK mappings released for built-in Azure security controls
The Security Stack Mappings for Azure research project was recently published, introducing a library of mappings that link built-in Azure security controls to the MITRE ATT&CK techniques they mitigate against.
https://www.microsoft.com/security/blog/2021/06/29/mitre-attck-mappings-released-for-built-in-azure-security-controls/
#azure
The Security Stack Mappings for Azure research project was recently published, introducing a library of mappings that link built-in Azure security controls to the MITRE ATT&CK techniques they mitigate against.
https://www.microsoft.com/security/blog/2021/06/29/mitre-attck-mappings-released-for-built-in-azure-security-controls/
#azure
🔶 AWS Incident Response Playbook Samples
A collection of playbooks covering several common scenarios faced by AWS customers. They outline steps based on the NIST Computer Security Incident Handling Guide, that can be used to gather evidence, contain and then eradicate the incident, recover from the incident, and conduct post-incident activities.
https://github.com/aws-samples/aws-incident-response-playbooks
#aws
A collection of playbooks covering several common scenarios faced by AWS customers. They outline steps based on the NIST Computer Security Incident Handling Guide, that can be used to gather evidence, contain and then eradicate the incident, recover from the incident, and conduct post-incident activities.
https://github.com/aws-samples/aws-incident-response-playbooks
#aws
GitHub
GitHub - aws-samples/aws-incident-response-playbooks
Contribute to aws-samples/aws-incident-response-playbooks development by creating an account on GitHub.