🔶 Cloud Malware: Resource Injection in CloudFormation Templates

Blog focusing on a new Pacu module on cloud malware using resource injection in CloudFormation templates.

https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/

#aws

🔶 Top things to do when setting up a new Org

What you should do when setting up a new AWS Organization from scratch.

https://www.chrisfarris.com/post/aws-organizations-in-2021/

#aws

🔶 How to implement the principle of least privilege with CloudFormation StackSets

How to conform to the principle of least privilege while still allowing users to use CloudFormation to create the resources they need.

https://aws.amazon.com/ru/blogs/security/how-to-implement-the-principle-of-least-privilege-with-cloudformation-stacksets/

#aws

🔴 Security Log Scoping Tool

Security Log Scoping Tool is an interactive form to help customers discover, evaluate and enable their security-relevant logs across Google Cloud.

https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics#evaluate_which_logs_to_export

#gcp

🔶 Building an AWS Perimeter

Whitepaper by AWS covering perimeter objectives, identity, resource, and network boundaries, preventing access to internal credentials, and cross-region requests.

https://d1.awsstatic.com/whitepapers/building_an_aws_perimeter.pdf

#aws

🔶 Expanding Secrets Infrastructure to AWS Lambda

How Square extended their datacenter-based secrets infrastructure to enable a cloud migration supporting Lambda. They added SPIFFE compatibility to their secrets infrastructure and developed a Lambda secrets syncer that Square engineers can deploy via a Terraform module.

https://developer.squareup.com/blog/expanding-secrets-infrastructure-to-aws-lambda/

#aws

🔶🔷🔴 Cloud Security Orienteering

A cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment.

https://engagement.cloudseclist.com/CL0/https:%2F%2Fspeakerdeck.com%2Framimac%2Fcloud-security-orienteering/1/0102017b49d91665-a615638b-8c75-4354-8b9e-7506b2f22c63-000000/rSHPkoLqfgzw0mml10F-sffbOTmikixij_N4osfUoN0=210

#aws #azure #gcp

🔶 Lightsail object storage concerns

Part one of a two part series that will discuss AWS’s new Lightsail object storage. The first part looks at the new Lightsail access key capability and its security issues.

https://summitroute.com/blog/2021/08/05/lightsail_object_storage_concerns-part_1/

#aws

🔶 Remediating AWS IMDSv1

An article on remediating IMDSv1 in AWS, a common server-side request forgery vector targeting lateral movement and persistence.

https://docs.google.com/document/d/1X737xoQviufdxZk_l33bnpp6noOmNIYvMilQCdhtwoY/edit?usp=drivesdk

#aws

🔶 How to create IAM roles for deploying your AWS Serverless app

An in-depth guide to creating production-ready, least privilege IAM roles for deploying your serverless application across multiple AWS accounts.

https://serverlessfirst.com/create-iam-deployer-roles-serverless-app/

#aws

🔶 An Introduction to AWS Firewall Manager

What is AWS Firewall Manger and how can it help you secure your organization?

https://scalesec.com/blog/an-introduction-to-aws-firewall-manager/

#aws

🔴 Leaving Bastion Hosts Behind

Post examining GCP services like OS Login and Identity-Aware Proxy (IAP), and showing how they can be used as an alternative to bastion hosts.

https://www.netskope.com/blog/leaving-bastion-hosts-behind-part-1-gcp

#gcp

🔶 AWS Condition Context Keys for Reducing Risk

Post taking a closer look at the "aws:CalledVia*" and "aws:ViaAWSService" keys, and how you can use them to achieve least privilege.

https://ermetic.com/whats-new/blog/aws/aws-condition-context-keys-for-reducing-risk

#aws

🔶 KONTRA's AWS Top 10

A series of free interactive security training modules that teach developers how to identify and mitigate security vulnerabilities in their AWS-hosted cloud applications.

https://application.security/free/kontra-aws-clould-top-10

#aws

🔶 Inside Figma: securing internal web apps

A deep-dive into how Figma built a system for securing internal web applications that lets them require SSO authentication, enforce fine-grained authorization (via Okta groups), and support CLI tools, all using ALBs, AWS Cognito, and Okta.

https://www.figma.com/blog/inside-figma-securing-internal-web-apps/

#aws

🔷 Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent

How anyone with a local administrator access to AD FS server (or proxy), can create arbitrary sign-ins events to Azure AD sign-ins log.

https://o365blog.com/post/hybridhealthagent/

#azure

🔶 Spice up Your Kubernetes Environment with AWS Lambda

How to securely integrate AWS Lambda with an existing Kubernetes environment without codes changes.

https://liavyona09.medium.com/spice-up-your-kubernetes-environment-with-aws-lambda-a07d81347607

#aws

🔶 The last S3 security document that we’ll ever need, and how to use it

163 page Threat Model of S3 by TrustOnCloud’s Jonathan Rault covering:

1️⃣ Best practices (best security/effort ratio)
2️⃣ Reviewing the service depending on your application(s), and implementing the controls based on your risk tolerance
3️⃣ Onboarding for large enterprises/agencies
4️⃣ Compliance mapping to demonstrate a risk-based approach, gap analysis and formulating an action plan

https://trustoncloud.com/the-last-s3-security-document-that-well-ever-need/

#aws

Yandex Cloud Security Checklist

Dear friends, we have prepared for you the first checklist on the secure configuration of Yandex.Cloud. It is based on an aggregation of everything that is in the YC documentation on the topic of security, plus some experience revealed in the framework of audits. Globally, the checklist is split into network security and access control domains.

The main problem is that almost all the security mechanisms (security groups, audit trails), which are already few, are either in the preview stage or are connected on-demand. The rest of the mechanisms are connected through the marketplace from several of third-party commercial solutions.

UPD. By the way, if you want to pass some of the checks by automated means, then we recommend Cloud Advisor. There, in particular, there is still the opportunity to conduct a free scan.

#yandex

🔴 Using the new Google Cloud Config Controller to provision and manage cloud services via the Kubernetes Resource Model

How to manually configure a GKE cluster, and how to use the new Config Controller to provision and configure services via automation.

https://seroter.com/2021/08/18/using-the-new-google-cloud-config-controller-to-provision-and-manage-cloud-services-via-the-kubernetes-resource-model/

#gcp

🔶 AWS OIDC Authentication with SPIFFE

How to authenticate data center applications to AWS using automated SPIFFE credentials.

https://developer.squareup.com/blog/aws-oidc-authentication-with-spiffe/

#aws