🔶 Expanding Secrets Infrastructure to AWS Lambda
How Square extended their datacenter-based secrets infrastructure to enable a cloud migration supporting Lambda. They added SPIFFE compatibility to their secrets infrastructure and developed a Lambda secrets syncer that Square engineers can deploy via a Terraform module.
https://developer.squareup.com/blog/expanding-secrets-infrastructure-to-aws-lambda/
#aws
How Square extended their datacenter-based secrets infrastructure to enable a cloud migration supporting Lambda. They added SPIFFE compatibility to their secrets infrastructure and developed a Lambda secrets syncer that Square engineers can deploy via a Terraform module.
https://developer.squareup.com/blog/expanding-secrets-infrastructure-to-aws-lambda/
#aws
Square Corner Blog
Expanding Secrets Infrastructure to AWS Lambda
Extending our data center to the cloud
🔶🔷🔴 Cloud Security Orienteering
A cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment.
https://engagement.cloudseclist.com/CL0/https:%2F%2Fspeakerdeck.com%2Framimac%2Fcloud-security-orienteering/1/0102017b49d91665-a615638b-8c75-4354-8b9e-7506b2f22c63-000000/rSHPkoLqfgzw0mml10F-sffbOTmikixij_N4osfUoN0=210
#aws #azure #gcp
A cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment.
https://engagement.cloudseclist.com/CL0/https:%2F%2Fspeakerdeck.com%2Framimac%2Fcloud-security-orienteering/1/0102017b49d91665-a615638b-8c75-4354-8b9e-7506b2f22c63-000000/rSHPkoLqfgzw0mml10F-sffbOTmikixij_N4osfUoN0=210
#aws #azure #gcp
🔶 Lightsail object storage concerns
Part one of a two part series that will discuss AWS’s new Lightsail object storage. The first part looks at the new Lightsail access key capability and its security issues.
https://summitroute.com/blog/2021/08/05/lightsail_object_storage_concerns-part_1/
#aws
Part one of a two part series that will discuss AWS’s new Lightsail object storage. The first part looks at the new Lightsail access key capability and its security issues.
https://summitroute.com/blog/2021/08/05/lightsail_object_storage_concerns-part_1/
#aws
Amazon
Amazon Lightsail now offers object storage for storing static content
👍1
🔶 Remediating AWS IMDSv1
An article on remediating IMDSv1 in AWS, a common server-side request forgery vector targeting lateral movement and persistence.
https://docs.google.com/document/d/1X737xoQviufdxZk_l33bnpp6noOmNIYvMilQCdhtwoY/edit?usp=drivesdk
#aws
An article on remediating IMDSv1 in AWS, a common server-side request forgery vector targeting lateral movement and persistence.
https://docs.google.com/document/d/1X737xoQviufdxZk_l33bnpp6noOmNIYvMilQCdhtwoY/edit?usp=drivesdk
#aws
Google Docs
Remediating AWS IMDSv1
Remediating AWS IMDSv1 Introduction Compute resources in AWS get access to AWS credentials, such as temporary instance role credentials, via the Instance Metadata Service (IMDS). The compute resources use these credentials to access other AWS-hosted services…
🔶 How to create IAM roles for deploying your AWS Serverless app
An in-depth guide to creating production-ready, least privilege IAM roles for deploying your serverless application across multiple AWS accounts.
https://serverlessfirst.com/create-iam-deployer-roles-serverless-app/
#aws
An in-depth guide to creating production-ready, least privilege IAM roles for deploying your serverless application across multiple AWS accounts.
https://serverlessfirst.com/create-iam-deployer-roles-serverless-app/
#aws
Serverless First
How to create IAM roles for deploying your AWS Serverless app | Serverless First
An in-depth guide to creating production-ready, least privilege IAM roles for deploying your serverless application across multiple AWS accounts.
🔶 An Introduction to AWS Firewall Manager
What is AWS Firewall Manger and how can it help you secure your organization?
https://scalesec.com/blog/an-introduction-to-aws-firewall-manager/
#aws
What is AWS Firewall Manger and how can it help you secure your organization?
https://scalesec.com/blog/an-introduction-to-aws-firewall-manager/
#aws
Scalesec
An Introduction to AWS Firewall Manager | ScaleSec
What AWS Firewall Manager is and how it will help you secure your organization.
🔴 Leaving Bastion Hosts Behind
Post examining GCP services like OS Login and Identity-Aware Proxy (IAP), and showing how they can be used as an alternative to bastion hosts.
https://www.netskope.com/blog/leaving-bastion-hosts-behind-part-1-gcp
#gcp
Post examining GCP services like OS Login and Identity-Aware Proxy (IAP), and showing how they can be used as an alternative to bastion hosts.
https://www.netskope.com/blog/leaving-bastion-hosts-behind-part-1-gcp
#gcp
Netskope
Leaving Bastion Hosts Behind Part 1: GCP
Introduction Any enterprise running virtual machines in the cloud needs to securely manage them, which is commonly done with Remote Desktop Protocol (RDP)
🔶 AWS Condition Context Keys for Reducing Risk
Post taking a closer look at the "aws:CalledVia*" and "aws:ViaAWSService" keys, and how you can use them to achieve least privilege.
https://ermetic.com/whats-new/blog/aws/aws-condition-context-keys-for-reducing-risk
#aws
Post taking a closer look at the "aws:CalledVia*" and "aws:ViaAWSService" keys, and how you can use them to achieve least privilege.
https://ermetic.com/whats-new/blog/aws/aws-condition-context-keys-for-reducing-risk
#aws
Tenable®
Secure cloud exposure with Tenable Cloud Security
Cloud security at Tenable starts with a unified CNAPP powerful enough to manage posture, secure workloads, govern identity & access management, and much more.
🔶 KONTRA's AWS Top 10
A series of free interactive security training modules that teach developers how to identify and mitigate security vulnerabilities in their AWS-hosted cloud applications.
https://application.security/free/kontra-aws-clould-top-10
#aws
A series of free interactive security training modules that teach developers how to identify and mitigate security vulnerabilities in their AWS-hosted cloud applications.
https://application.security/free/kontra-aws-clould-top-10
#aws
🔶 Inside Figma: securing internal web apps
A deep-dive into how Figma built a system for securing internal web applications that lets them require SSO authentication, enforce fine-grained authorization (via Okta groups), and support CLI tools, all using ALBs, AWS Cognito, and Okta.
https://www.figma.com/blog/inside-figma-securing-internal-web-apps/
#aws
A deep-dive into how Figma built a system for securing internal web applications that lets them require SSO authentication, enforce fine-grained authorization (via Okta groups), and support CLI tools, all using ALBs, AWS Cognito, and Okta.
https://www.figma.com/blog/inside-figma-securing-internal-web-apps/
#aws
Figma
Inside Figma: securing internal web apps | Figma Blog
A deep-dive into how we provide access to internal applications
🔷 Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent
How anyone with a local administrator access to AD FS server (or proxy), can create arbitrary sign-ins events to Azure AD sign-ins log.
https://o365blog.com/post/hybridhealthagent/
#azure
How anyone with a local administrator access to AD FS server (or proxy), can create arbitrary sign-ins events to Azure AD sign-ins log.
https://o365blog.com/post/hybridhealthagent/
#azure
O365Blog
Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent
Azure AD Connect Health is a feature that allows viewing the health of on-prem hybrid infrastructure components, including Azure AD Connect and AD FS servers.
Health information is gathered by agents installed on each on-prem hybrid server. Since March 2021…
Health information is gathered by agents installed on each on-prem hybrid server. Since March 2021…
🔶 Spice up Your Kubernetes Environment with AWS Lambda
How to securely integrate AWS Lambda with an existing Kubernetes environment without codes changes.
https://liavyona09.medium.com/spice-up-your-kubernetes-environment-with-aws-lambda-a07d81347607
#aws
How to securely integrate AWS Lambda with an existing Kubernetes environment without codes changes.
https://liavyona09.medium.com/spice-up-your-kubernetes-environment-with-aws-lambda-a07d81347607
#aws
Medium
Spice up Your Kubernetes Environment with AWS Lambda
Kubernetes is a powerful container orchestration platform for automating applications’ deployment, scaling and management. Kubernetes…
🔶 The last S3 security document that we’ll ever need, and how to use it
163 page Threat Model of S3 by TrustOnCloud’s Jonathan Rault covering:
1️⃣ Best practices (best security/effort ratio)
2️⃣ Reviewing the service depending on your application(s), and implementing the controls based on your risk tolerance
3️⃣ Onboarding for large enterprises/agencies
4️⃣ Compliance mapping to demonstrate a risk-based approach, gap analysis and formulating an action plan
https://trustoncloud.com/the-last-s3-security-document-that-well-ever-need/
#aws
163 page Threat Model of S3 by TrustOnCloud’s Jonathan Rault covering:
1️⃣ Best practices (best security/effort ratio)
2️⃣ Reviewing the service depending on your application(s), and implementing the controls based on your risk tolerance
3️⃣ Onboarding for large enterprises/agencies
4️⃣ Compliance mapping to demonstrate a risk-based approach, gap analysis and formulating an action plan
https://trustoncloud.com/the-last-s3-security-document-that-well-ever-need/
#aws
Twitter
Jonathan Rault (@jo_n_go) | Twitter
The latest Tweets from Jonathan Rault (@jo_n_go). Head of Cloud Sec at @trustoncloud. Singapore
Yandex Cloud Security Checklist
Dear friends, we have prepared for you the first checklist on the secure configuration of Yandex.Cloud. It is based on an aggregation of everything that is in the YC documentation on the topic of security, plus some experience revealed in the framework of audits. Globally, the checklist is split into network security and access control domains.
The main problem is that almost all the security mechanisms (security groups, audit trails), which are already few, are either in the preview stage or are connected on-demand. The rest of the mechanisms are connected through the marketplace from several of third-party commercial solutions.
UPD. By the way, if you want to pass some of the checks by automated means, then we recommend Cloud Advisor. There, in particular, there is still the opportunity to conduct a free scan.
#yandex
Dear friends, we have prepared for you the first checklist on the secure configuration of Yandex.Cloud. It is based on an aggregation of everything that is in the YC documentation on the topic of security, plus some experience revealed in the framework of audits. Globally, the checklist is split into network security and access control domains.
The main problem is that almost all the security mechanisms (security groups, audit trails), which are already few, are either in the preview stage or are connected on-demand. The rest of the mechanisms are connected through the marketplace from several of third-party commercial solutions.
UPD. By the way, if you want to pass some of the checks by automated means, then we recommend Cloud Advisor. There, in particular, there is still the opportunity to conduct a free scan.
#yandex
GitHub
GitHub - Vinum-Security/yandex-cloud-security: ⛅️🔐 Security Requirements for Yandex.Cloud configuration: IAM, network access, key…
⛅️🔐 Security Requirements for Yandex.Cloud configuration: IAM, network access, key management, Kubernetes, audit logs. - Vinum-Security/yandex-cloud-security
🔴 Using the new Google Cloud Config Controller to provision and manage cloud services via the Kubernetes Resource Model
How to manually configure a GKE cluster, and how to use the new Config Controller to provision and configure services via automation.
https://seroter.com/2021/08/18/using-the-new-google-cloud-config-controller-to-provision-and-manage-cloud-services-via-the-kubernetes-resource-model/
#gcp
How to manually configure a GKE cluster, and how to use the new Config Controller to provision and configure services via automation.
https://seroter.com/2021/08/18/using-the-new-google-cloud-config-controller-to-provision-and-manage-cloud-services-via-the-kubernetes-resource-model/
#gcp
Richard Seroter's Architecture Musings
Using the new Google Cloud Config Controller to provision and manage cloud services via the Kubernetes Resource Model
When it comes to building and managing cloud resources—VMs, clusters, user roles, databases—most people seem to use a combination of tools. The recent JetBrains developer ecosystem survey highlight…
🔶 AWS OIDC Authentication with SPIFFE
How to authenticate data center applications to AWS using automated SPIFFE credentials.
https://developer.squareup.com/blog/aws-oidc-authentication-with-spiffe/
#aws
How to authenticate data center applications to AWS using automated SPIFFE credentials.
https://developer.squareup.com/blog/aws-oidc-authentication-with-spiffe/
#aws
Square Corner Blog
AWS OIDC Authentication with SPIFFE
Easy authentication with automated AWS credentials
🔷 Illogical Apps - Exploring and Exploiting Azure Logic Apps
How to obtain sensitive information as an user with the Reader role, and how to identify/abuse API Connection hijack scenarios as a Contributor in Azure Logic Apps.
https://www.netspi.com/blog/technical/cloud-penetration-testing/illogical-apps-exploring-exploiting-azure-logic-apps/
#azure
How to obtain sensitive information as an user with the Reader role, and how to identify/abuse API Connection hijack scenarios as a Contributor in Azure Logic Apps.
https://www.netspi.com/blog/technical/cloud-penetration-testing/illogical-apps-exploring-exploiting-azure-logic-apps/
#azure
NetSPI
Illogical Apps – Exploring and Exploiting Azure Logic Apps
A walk through enumerating and exploiting Azure Logic Apps with varying permissions.
🔶 Security Implication of Root principal in AWS
An interesting way of abusing the AWS KMS for data exfiltration in restricted VPCs.
https://niebardzo.github.io/2021-08-23-root-principal-in-aws/
#aws
An interesting way of abusing the AWS KMS for data exfiltration in restricted VPCs.
https://niebardzo.github.io/2021-08-23-root-principal-in-aws/
#aws
niebardzo.github.io
Security Implication of Root principal in AWS
How simple mistake can ruin your security
🔷 ChaosDB: How we hacked thousands of Azure customers’ databases
Researchers were able to gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers. Also refer to the companion blog post to learn how to protect your environment from ChaosDB.
https://www.wiz.io/blog/chaosdb-how-we-hacked-thousands-of-azure-customers-databases
#azure
Researchers were able to gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers. Also refer to the companion blog post to learn how to protect your environment from ChaosDB.
https://www.wiz.io/blog/chaosdb-how-we-hacked-thousands-of-azure-customers-databases
#azure
wiz.io
ChaosDB: How to discover your vulnerable Azure Cosmos DBs and protect them | Wiz Blog
Wiz Research found an unprecedented critical vulnerability in Azure Cosmos DB. The vulnerability gives any Azure user full admin access (read, write, delete) to another customers Cosmos DB instances without authorization.
Threat_Hunting_in_the_Cloud_Defending_AWS,_Azure_and_Other_Cloud.pdf
29.1 MB
🔶🔷🔴 Threat Hunting in the Cloud: Defending AWS, Azure and Other Cloud Platforms Against Cyberattacks
In Threat Hunting in the Cloud: Defending AWS, Azure and Other Cloud Platforms Against Cyberattacks, celebrated cybersecurity professionals and authors Chris Peiris, Binil Pillai, and Abbas Kudrati leverage their decades of experience building large scale cyber fusion centers to deliver the ideal threat hunting resource for both business and technical audiences. You'll find insightful analyses of cloud platform security tools and, using the industry leading MITRE ATT&CK framework, discussions of the most common threat vectors.
#aws #azure #gcp
In Threat Hunting in the Cloud: Defending AWS, Azure and Other Cloud Platforms Against Cyberattacks, celebrated cybersecurity professionals and authors Chris Peiris, Binil Pillai, and Abbas Kudrati leverage their decades of experience building large scale cyber fusion centers to deliver the ideal threat hunting resource for both business and technical audiences. You'll find insightful analyses of cloud platform security tools and, using the industry leading MITRE ATT&CK framework, discussions of the most common threat vectors.
#aws #azure #gcp