🔷 Cloud Guardrails

Tool by Lead Security Engineer of Salesforce, Kinnaird McQuade, that allows you to rapidly cherry-pick cloud security guardrails by generating Terraform files that create Azure Policy Initiatives (basically AWS SCPs but for Azure). Cherry-pick and bulk-select the security policies you want, enforce low-friction policies within minutes, and easily roll back policies that you don’t want. See Kinnaird’s great thread about it here.

https://github.com/salesforce/cloud-guardrails

#azure

🔶 So You Inherited an AWS Account. A 30-day security guide for engineers…

A guide to help you filter through the mess, isolate the changes you need to make, and start to tame your environment by Matt Fuller, founder of CloudSploit. He proposes: get stable access, stop using the root user, update billing info, enable CloudTrail logging and monitoring, clean up IAM entities, locate exposed services, lock down your domains, find expiring certificates, untangle the web of services, and monitor and migrate.

https://medium.com/swlh/so-you-inherited-an-aws-account-e5fe6550607d

#aws

🔶 S3 backups and other strategies for ensuring data durability through ransomware attacks

This post will discuss options for ensuring the durability of data stored on S3, through protections in place and backup strategies. The AWS backup service on AWS unfortunately does not backup S3 buckets and a lot of discussions of backups and data durability on AWS do not describe the implementation in sufficient detail, which allows a number of potential dangers. This post will show you the two best options (s3 object locks and replication policies), explains how to use these, and what to watch out for.

https://summitroute.com/blog/2021/08/03/S3_backups_and_other_strategies_for_ensuring_data_durability_through_ransomware_attacks/

#aws

🔶 Cloud Malware: Resource Injection in CloudFormation Templates

Blog focusing on a new Pacu module on cloud malware using resource injection in CloudFormation templates.

https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/

#aws

🔶 Top things to do when setting up a new Org

What you should do when setting up a new AWS Organization from scratch.

https://www.chrisfarris.com/post/aws-organizations-in-2021/

#aws

🔶 How to implement the principle of least privilege with CloudFormation StackSets

How to conform to the principle of least privilege while still allowing users to use CloudFormation to create the resources they need.

https://aws.amazon.com/ru/blogs/security/how-to-implement-the-principle-of-least-privilege-with-cloudformation-stacksets/

#aws

🔴 Security Log Scoping Tool

Security Log Scoping Tool is an interactive form to help customers discover, evaluate and enable their security-relevant logs across Google Cloud.

https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics#evaluate_which_logs_to_export

#gcp

🔶 Building an AWS Perimeter

Whitepaper by AWS covering perimeter objectives, identity, resource, and network boundaries, preventing access to internal credentials, and cross-region requests.

https://d1.awsstatic.com/whitepapers/building_an_aws_perimeter.pdf

#aws

🔶 Expanding Secrets Infrastructure to AWS Lambda

How Square extended their datacenter-based secrets infrastructure to enable a cloud migration supporting Lambda. They added SPIFFE compatibility to their secrets infrastructure and developed a Lambda secrets syncer that Square engineers can deploy via a Terraform module.

https://developer.squareup.com/blog/expanding-secrets-infrastructure-to-aws-lambda/

#aws

🔶🔷🔴 Cloud Security Orienteering

A cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment.

https://engagement.cloudseclist.com/CL0/https:%2F%2Fspeakerdeck.com%2Framimac%2Fcloud-security-orienteering/1/0102017b49d91665-a615638b-8c75-4354-8b9e-7506b2f22c63-000000/rSHPkoLqfgzw0mml10F-sffbOTmikixij_N4osfUoN0=210

#aws #azure #gcp

🔶 Lightsail object storage concerns

Part one of a two part series that will discuss AWS’s new Lightsail object storage. The first part looks at the new Lightsail access key capability and its security issues.

https://summitroute.com/blog/2021/08/05/lightsail_object_storage_concerns-part_1/

#aws

🔶 Remediating AWS IMDSv1

An article on remediating IMDSv1 in AWS, a common server-side request forgery vector targeting lateral movement and persistence.

https://docs.google.com/document/d/1X737xoQviufdxZk_l33bnpp6noOmNIYvMilQCdhtwoY/edit?usp=drivesdk

#aws

🔶 How to create IAM roles for deploying your AWS Serverless app

An in-depth guide to creating production-ready, least privilege IAM roles for deploying your serverless application across multiple AWS accounts.

https://serverlessfirst.com/create-iam-deployer-roles-serverless-app/

#aws

🔶 An Introduction to AWS Firewall Manager

What is AWS Firewall Manger and how can it help you secure your organization?

https://scalesec.com/blog/an-introduction-to-aws-firewall-manager/

#aws

🔴 Leaving Bastion Hosts Behind

Post examining GCP services like OS Login and Identity-Aware Proxy (IAP), and showing how they can be used as an alternative to bastion hosts.

https://www.netskope.com/blog/leaving-bastion-hosts-behind-part-1-gcp

#gcp

🔶 AWS Condition Context Keys for Reducing Risk

Post taking a closer look at the "aws:CalledVia*" and "aws:ViaAWSService" keys, and how you can use them to achieve least privilege.

https://ermetic.com/whats-new/blog/aws/aws-condition-context-keys-for-reducing-risk

#aws

🔶 KONTRA's AWS Top 10

A series of free interactive security training modules that teach developers how to identify and mitigate security vulnerabilities in their AWS-hosted cloud applications.

https://application.security/free/kontra-aws-clould-top-10

#aws

🔶 Inside Figma: securing internal web apps

A deep-dive into how Figma built a system for securing internal web applications that lets them require SSO authentication, enforce fine-grained authorization (via Okta groups), and support CLI tools, all using ALBs, AWS Cognito, and Okta.

https://www.figma.com/blog/inside-figma-securing-internal-web-apps/

#aws

🔷 Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent

How anyone with a local administrator access to AD FS server (or proxy), can create arbitrary sign-ins events to Azure AD sign-ins log.

https://o365blog.com/post/hybridhealthagent/

#azure

🔶 Spice up Your Kubernetes Environment with AWS Lambda

How to securely integrate AWS Lambda with an existing Kubernetes environment without codes changes.

https://liavyona09.medium.com/spice-up-your-kubernetes-environment-with-aws-lambda-a07d81347607

#aws

🔶 The last S3 security document that we’ll ever need, and how to use it

163 page Threat Model of S3 by TrustOnCloud’s Jonathan Rault covering:

1️⃣ Best practices (best security/effort ratio)
2️⃣ Reviewing the service depending on your application(s), and implementing the controls based on your risk tolerance
3️⃣ Onboarding for large enterprises/agencies
4️⃣ Compliance mapping to demonstrate a risk-based approach, gap analysis and formulating an action plan

https://trustoncloud.com/the-last-s3-security-document-that-well-ever-need/

#aws