🔹 Azure Flow Log Analysis
Azure flow logs don't have the same instance ID that AWS flow logs do. So how we can figure out which VM the logs came from?
https://catscrdl.io/blog/azureflowloganalysis/
#azure
Azure flow logs don't have the same instance ID that AWS flow logs do. So how we can figure out which VM the logs came from?
https://catscrdl.io/blog/azureflowloganalysis/
#azure
Catscrdl
Azure Flow Log Analysis
Azure flow logs don't have the same instance ID that AWS flow logs do. So how do you figure out which VM the logs came from?
🔶🔷🔴 Mapping of On-Premises Security Controls Versus Services Offered by Major Cloud Providers
By the link below you can find the fifth version of a diagram that started in March 2017, with just AWS and Azure versus On-Premises. The diagram began as an effort to make a translation between the typical on-premises security controls that everybody, more or less, knows what they do and the various services advertised by major public cloud providers. As the cloud providers tend to assign catchy names to products that quite often transcend the initial functionality of the on-prem control, it becomes harder and harder to stay up-to-date on what service does what.
https://www.managedsentinel.com/mapping-of-on-premises-security-controls-versus-services-offered-by-major-cloud-providers/
#aws #azure #gcp
By the link below you can find the fifth version of a diagram that started in March 2017, with just AWS and Azure versus On-Premises. The diagram began as an effort to make a translation between the typical on-premises security controls that everybody, more or less, knows what they do and the various services advertised by major public cloud providers. As the cloud providers tend to assign catchy names to products that quite often transcend the initial functionality of the on-prem control, it becomes harder and harder to stay up-to-date on what service does what.
https://www.managedsentinel.com/mapping-of-on-premises-security-controls-versus-services-offered-by-major-cloud-providers/
#aws #azure #gcp
🔶 Bye bye bastion hosts...Hello AWS IAM!
How Segment got rid of SSH bastion hosts, reducing cost, complexity, and maintenance of their infrastructure, as well as eliminating the need to distribute SSH Keys. Last but not least, they reduced their attack surface by not having any SSH port open to the world.
https://segment.com/blog/infrastructure-access/
#aws
How Segment got rid of SSH bastion hosts, reducing cost, complexity, and maintenance of their infrastructure, as well as eliminating the need to distribute SSH Keys. Last but not least, they reduced their attack surface by not having any SSH port open to the world.
https://segment.com/blog/infrastructure-access/
#aws
Segment
Bye bye bastion hosts...Hello AWS IAM!
How Twilio Segment moved from traditional SSH bastion hosts to use AWS Systems Manager SSM to manage access to infrastructure.
🔶 Ansible over AWS Systems Manager Sessions – a perfect solution for high security environments
Ansible requires an SSH connection to the target host, which is not great for hosts where SSH is not allowed or when the host is on a VPC without external connectivity. Łukasz Tomaszkiewicz describes how to execute Ansible playbooks with AWS SSM Sessions.
https://luktom.net/en/e1693-ansible-over-aws-systems-manager-sessions-a-perfect-solution-for-high-security-environments
#aws
Ansible requires an SSH connection to the target host, which is not great for hosts where SSH is not allowed or when the host is on a VPC without external connectivity. Łukasz Tomaszkiewicz describes how to execute Ansible playbooks with AWS SSM Sessions.
https://luktom.net/en/e1693-ansible-over-aws-systems-manager-sessions-a-perfect-solution-for-high-security-environments
#aws
luktom.net
Ansible over AWS Systems Manager Sessions - a perfect solution for high security environments
Ansible is great, it's one of my favorite tools. It works like a charm, but... it requires SSH connection to the target host, which can be a problem in some high security environments, like the ones where SSH on the host is not allowed or the ones that work…
🔶 Improving database security with AWS IAM database authentication and ConsoleMe
How to use Netflix's ConsoleMe to provide secure access to databases via IAM roles.
https://medium.com/followanalytics/improving-database-security-at-followanalytics-with-aws-iam-database-authentication-and-consoleme-d00ea8a6edef
#aws
How to use Netflix's ConsoleMe to provide secure access to databases via IAM roles.
https://medium.com/followanalytics/improving-database-security-at-followanalytics-with-aws-iam-database-authentication-and-consoleme-d00ea8a6edef
#aws
GitHub
GitHub - Netflix/consoleme: A Central Control Plane for AWS Permissions and Access
A Central Control Plane for AWS Permissions and Access - Netflix/consoleme
🔷 Network Isolated AKS - Part 1: Controlling network traffic
First part of a series on AKS (Azure Kubernetes Service) network isolation, elaborating how to protect AKS from a networking perspective. You can also reference the companion repository.
https://itnext.io/network-isolated-aks-part-1-controlling-network-traffic-2cd0e045352d
#azure
First part of a series on AKS (Azure Kubernetes Service) network isolation, elaborating how to protect AKS from a networking perspective. You can also reference the companion repository.
https://itnext.io/network-isolated-aks-part-1-controlling-network-traffic-2cd0e045352d
#azure
GitHub
GitHub - geekzter/azure-aks: Network Isolated AKS
Network Isolated AKS. Contribute to geekzter/azure-aks development by creating an account on GitHub.
🔷 Cloud Guardrails
Tool by Lead Security Engineer of Salesforce, Kinnaird McQuade, that allows you to rapidly cherry-pick cloud security guardrails by generating Terraform files that create Azure Policy Initiatives (basically AWS SCPs but for Azure). Cherry-pick and bulk-select the security policies you want, enforce low-friction policies within minutes, and easily roll back policies that you don’t want. See Kinnaird’s great thread about it here.
https://github.com/salesforce/cloud-guardrails
#azure
Tool by Lead Security Engineer of Salesforce, Kinnaird McQuade, that allows you to rapidly cherry-pick cloud security guardrails by generating Terraform files that create Azure Policy Initiatives (basically AWS SCPs but for Azure). Cherry-pick and bulk-select the security policies you want, enforce low-friction policies within minutes, and easily roll back policies that you don’t want. See Kinnaird’s great thread about it here.
https://github.com/salesforce/cloud-guardrails
#azure
🔶 So You Inherited an AWS Account. A 30-day security guide for engineers…
A guide to help you filter through the mess, isolate the changes you need to make, and start to tame your environment by Matt Fuller, founder of CloudSploit. He proposes: get stable access, stop using the root user, update billing info, enable CloudTrail logging and monitoring, clean up IAM entities, locate exposed services, lock down your domains, find expiring certificates, untangle the web of services, and monitor and migrate.
https://medium.com/swlh/so-you-inherited-an-aws-account-e5fe6550607d
#aws
A guide to help you filter through the mess, isolate the changes you need to make, and start to tame your environment by Matt Fuller, founder of CloudSploit. He proposes: get stable access, stop using the root user, update billing info, enable CloudTrail logging and monitoring, clean up IAM entities, locate exposed services, lock down your domains, find expiring certificates, untangle the web of services, and monitor and migrate.
https://medium.com/swlh/so-you-inherited-an-aws-account-e5fe6550607d
#aws
Twitter
Matt Fuller (@matthewdfuller) | Twitter
The latest Tweets from Matt Fuller (@matthewdfuller). Founder of @CloudSploit, acq. by @AquaSecTeam. Former Infra / Sec / Manager @Adobe, @Aviary & @Mozilla intern, @RITtigers grad, @NYC resident, @NYRangers fan. New York, NY
🔶 S3 backups and other strategies for ensuring data durability through ransomware attacks
This post will discuss options for ensuring the durability of data stored on S3, through protections in place and backup strategies. The AWS backup service on AWS unfortunately does not backup S3 buckets and a lot of discussions of backups and data durability on AWS do not describe the implementation in sufficient detail, which allows a number of potential dangers. This post will show you the two best options (s3 object locks and replication policies), explains how to use these, and what to watch out for.
https://summitroute.com/blog/2021/08/03/S3_backups_and_other_strategies_for_ensuring_data_durability_through_ransomware_attacks/
#aws
This post will discuss options for ensuring the durability of data stored on S3, through protections in place and backup strategies. The AWS backup service on AWS unfortunately does not backup S3 buckets and a lot of discussions of backups and data durability on AWS do not describe the implementation in sufficient detail, which allows a number of potential dangers. This post will show you the two best options (s3 object locks and replication policies), explains how to use these, and what to watch out for.
https://summitroute.com/blog/2021/08/03/S3_backups_and_other_strategies_for_ensuring_data_durability_through_ransomware_attacks/
#aws
Summitroute
Summit Route - S3 backups and other strategies for ensuring data durability through ransomware attacks
AWS Security Consulting
🔶 Cloud Malware: Resource Injection in CloudFormation Templates
Blog focusing on a new Pacu module on cloud malware using resource injection in CloudFormation templates.
https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/
#aws
Blog focusing on a new Pacu module on cloud malware using resource injection in CloudFormation templates.
https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/
#aws
GitHub
GitHub - RhinoSecurityLabs/pacu: The AWS exploitation framework, designed for testing the security of Amazon Web Services environments.
The AWS exploitation framework, designed for testing the security of Amazon Web Services environments. - RhinoSecurityLabs/pacu
🔶 Top things to do when setting up a new Org
What you should do when setting up a new AWS Organization from scratch.
https://www.chrisfarris.com/post/aws-organizations-in-2021/
#aws
What you should do when setting up a new AWS Organization from scratch.
https://www.chrisfarris.com/post/aws-organizations-in-2021/
#aws
https://www.chrisfarris.com/
AWS Organizations - Checklist for 2021 - Chris Farris
It's 2021, time to revisit what you should do when setting up a new AWS Organization from scratch.
🔶 How to implement the principle of least privilege with CloudFormation StackSets
How to conform to the principle of least privilege while still allowing users to use CloudFormation to create the resources they need.
https://aws.amazon.com/ru/blogs/security/how-to-implement-the-principle-of-least-privilege-with-cloudformation-stacksets/
#aws
How to conform to the principle of least privilege while still allowing users to use CloudFormation to create the resources they need.
https://aws.amazon.com/ru/blogs/security/how-to-implement-the-principle-of-least-privilege-with-cloudformation-stacksets/
#aws
Amazon
How to implement the principle of least privilege with CloudFormation StackSets | Amazon Web Services
March 24, 2021: We’ve corrected errors in the policy statements in steps 2 and 3 of the section “To create the IAM policy document.” AWS CloudFormation is a service that lets you create a collection of related Amazon Web Services and third-party resources…
🔴 Security Log Scoping Tool
Security Log Scoping Tool is an interactive form to help customers discover, evaluate and enable their security-relevant logs across Google Cloud.
https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics#evaluate_which_logs_to_export
#gcp
Security Log Scoping Tool is an interactive form to help customers discover, evaluate and enable their security-relevant logs across Google Cloud.
https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics#evaluate_which_logs_to_export
#gcp
Google Cloud
Scenarios for exporting logging data: Security and access analytics | Cloud Architecture Center | Google Cloud
🔶 Building an AWS Perimeter
Whitepaper by AWS covering perimeter objectives, identity, resource, and network boundaries, preventing access to internal credentials, and cross-region requests.
https://d1.awsstatic.com/whitepapers/building_an_aws_perimeter.pdf
#aws
Whitepaper by AWS covering perimeter objectives, identity, resource, and network boundaries, preventing access to internal credentials, and cross-region requests.
https://d1.awsstatic.com/whitepapers/building_an_aws_perimeter.pdf
#aws
🔶 Expanding Secrets Infrastructure to AWS Lambda
How Square extended their datacenter-based secrets infrastructure to enable a cloud migration supporting Lambda. They added SPIFFE compatibility to their secrets infrastructure and developed a Lambda secrets syncer that Square engineers can deploy via a Terraform module.
https://developer.squareup.com/blog/expanding-secrets-infrastructure-to-aws-lambda/
#aws
How Square extended their datacenter-based secrets infrastructure to enable a cloud migration supporting Lambda. They added SPIFFE compatibility to their secrets infrastructure and developed a Lambda secrets syncer that Square engineers can deploy via a Terraform module.
https://developer.squareup.com/blog/expanding-secrets-infrastructure-to-aws-lambda/
#aws
Square Corner Blog
Expanding Secrets Infrastructure to AWS Lambda
Extending our data center to the cloud
🔶🔷🔴 Cloud Security Orienteering
A cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment.
https://engagement.cloudseclist.com/CL0/https:%2F%2Fspeakerdeck.com%2Framimac%2Fcloud-security-orienteering/1/0102017b49d91665-a615638b-8c75-4354-8b9e-7506b2f22c63-000000/rSHPkoLqfgzw0mml10F-sffbOTmikixij_N4osfUoN0=210
#aws #azure #gcp
A cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment.
https://engagement.cloudseclist.com/CL0/https:%2F%2Fspeakerdeck.com%2Framimac%2Fcloud-security-orienteering/1/0102017b49d91665-a615638b-8c75-4354-8b9e-7506b2f22c63-000000/rSHPkoLqfgzw0mml10F-sffbOTmikixij_N4osfUoN0=210
#aws #azure #gcp
🔶 Lightsail object storage concerns
Part one of a two part series that will discuss AWS’s new Lightsail object storage. The first part looks at the new Lightsail access key capability and its security issues.
https://summitroute.com/blog/2021/08/05/lightsail_object_storage_concerns-part_1/
#aws
Part one of a two part series that will discuss AWS’s new Lightsail object storage. The first part looks at the new Lightsail access key capability and its security issues.
https://summitroute.com/blog/2021/08/05/lightsail_object_storage_concerns-part_1/
#aws
Amazon
Amazon Lightsail now offers object storage for storing static content
👍1
🔶 Remediating AWS IMDSv1
An article on remediating IMDSv1 in AWS, a common server-side request forgery vector targeting lateral movement and persistence.
https://docs.google.com/document/d/1X737xoQviufdxZk_l33bnpp6noOmNIYvMilQCdhtwoY/edit?usp=drivesdk
#aws
An article on remediating IMDSv1 in AWS, a common server-side request forgery vector targeting lateral movement and persistence.
https://docs.google.com/document/d/1X737xoQviufdxZk_l33bnpp6noOmNIYvMilQCdhtwoY/edit?usp=drivesdk
#aws
Google Docs
Remediating AWS IMDSv1
Remediating AWS IMDSv1 Introduction Compute resources in AWS get access to AWS credentials, such as temporary instance role credentials, via the Instance Metadata Service (IMDS). The compute resources use these credentials to access other AWS-hosted services…
🔶 How to create IAM roles for deploying your AWS Serverless app
An in-depth guide to creating production-ready, least privilege IAM roles for deploying your serverless application across multiple AWS accounts.
https://serverlessfirst.com/create-iam-deployer-roles-serverless-app/
#aws
An in-depth guide to creating production-ready, least privilege IAM roles for deploying your serverless application across multiple AWS accounts.
https://serverlessfirst.com/create-iam-deployer-roles-serverless-app/
#aws
Serverless First
How to create IAM roles for deploying your AWS Serverless app | Serverless First
An in-depth guide to creating production-ready, least privilege IAM roles for deploying your serverless application across multiple AWS accounts.
🔶 An Introduction to AWS Firewall Manager
What is AWS Firewall Manger and how can it help you secure your organization?
https://scalesec.com/blog/an-introduction-to-aws-firewall-manager/
#aws
What is AWS Firewall Manger and how can it help you secure your organization?
https://scalesec.com/blog/an-introduction-to-aws-firewall-manager/
#aws
Scalesec
An Introduction to AWS Firewall Manager | ScaleSec
What AWS Firewall Manager is and how it will help you secure your organization.
🔴 Leaving Bastion Hosts Behind
Post examining GCP services like OS Login and Identity-Aware Proxy (IAP), and showing how they can be used as an alternative to bastion hosts.
https://www.netskope.com/blog/leaving-bastion-hosts-behind-part-1-gcp
#gcp
Post examining GCP services like OS Login and Identity-Aware Proxy (IAP), and showing how they can be used as an alternative to bastion hosts.
https://www.netskope.com/blog/leaving-bastion-hosts-behind-part-1-gcp
#gcp
Netskope
Leaving Bastion Hosts Behind Part 1: GCP
Introduction Any enterprise running virtual machines in the cloud needs to securely manage them, which is commonly done with Remote Desktop Protocol (RDP)