🔸How to use resource-based policies in the AWS Secrets Manager console to securely access secrets across AWS accounts
AWS Secrets Manager now allows to create and manage resource-based policies using the Secrets Manager console. At the same time, Secrets Manager is now able to identify and prevent creation of resource policies that grant overly broad access to secrets across AWS accounts.
https://aws.amazon.com/ru/blogs/security/how-to-use-resource-based-policies-aws-secrets-manager-console-to-securely-access-secrets-aws-accounts/
#aws
AWS Secrets Manager now allows to create and manage resource-based policies using the Secrets Manager console. At the same time, Secrets Manager is now able to identify and prevent creation of resource policies that grant overly broad access to secrets across AWS accounts.
https://aws.amazon.com/ru/blogs/security/how-to-use-resource-based-policies-aws-secrets-manager-console-to-securely-access-secrets-aws-accounts/
#aws
🔸aws-recon
Recon helps build a comprehensive inventory of the security-related metadata in an AWS account. The output is standard JSON, so it can be used in automation pipelines or feed into other tools for further analysis.
https://github.com/darkbitio/aws-recon
#aws
Recon helps build a comprehensive inventory of the security-related metadata in an AWS account. The output is standard JSON, so it can be used in automation pipelines or feed into other tools for further analysis.
https://github.com/darkbitio/aws-recon
#aws
GitHub
GitHub - joshlarsen/aws-recon: Multi-threaded AWS inventory collection tool with a focus on security-relevant resources and metadata.
Multi-threaded AWS inventory collection tool with a focus on security-relevant resources and metadata. - GitHub - joshlarsen/aws-recon: Multi-threaded AWS inventory collection tool with a focus on ...
🔸AWS Exposable Resources
Repo maintaining a list of all AWS resources that can be publicly exposed, and eventually, those that can be shared with untrusted accounts.
https://github.com/SummitRoute/aws_exposable_resources
#aws
Repo maintaining a list of all AWS resources that can be publicly exposed, and eventually, those that can be shared with untrusted accounts.
https://github.com/SummitRoute/aws_exposable_resources
#aws
GitHub
GitHub - SummitRoute/aws_exposable_resources: Resource types that can be publicly exposed on AWS
Resource types that can be publicly exposed on AWS - SummitRoute/aws_exposable_resources
🔹Moving Windows Server to Microsoft Azure to Enable Compliance
Free e-book discussing how to manage compliance, privacy, and security when migrating Windows Server workloads to Azure.
https://azure.microsoft.com/en-us/resources/moving-windows-server-to-microsoft-azure-to-enable-compliance/
#azure
Free e-book discussing how to manage compliance, privacy, and security when migrating Windows Server workloads to Azure.
https://azure.microsoft.com/en-us/resources/moving-windows-server-to-microsoft-azure-to-enable-compliance/
#azure
⚪️ Preventing lateral movement in Google Compute Engine
To implement a defense in depth approach for Compute Engine there are a few things you should do, like isolate your production resources from the internet, disable the use of default service accounts, limit access to service account credentials, use OS Login to manage access to VMs, apply the principle of least-privilege, and collect logs and monitor your system.
https://cloud.google.com/blog/products/identity-security/preventing-lateral-movement-in-google-compute-engine
#gcp
To implement a defense in depth approach for Compute Engine there are a few things you should do, like isolate your production resources from the internet, disable the use of default service accounts, limit access to service account credentials, use OS Login to manage access to VMs, apply the principle of least-privilege, and collect logs and monitor your system.
https://cloud.google.com/blog/products/identity-security/preventing-lateral-movement-in-google-compute-engine
#gcp
Google Cloud Blog
Compute Engine: Prevent compromises and better defend against lateral movement | Google Cloud Blog
Best practices, including concrete “dos and don’ts,” that can help you prevent security misconfigurations on Google Compute Engine.
🔸Secure your AWS ECS Microservices with Consul Service Mesh
Blog looking at a Consul service mesh pattern for applications in ECS. This example is running on EC2 instances under an ECS managed cluster, but could be easily modified to run Fargate workloads as well.
https://medium.com/hashicorp-engineering/secure-your-aws-ecs-microservices-with-consul-service-mesh-23df69949754
#aws
Blog looking at a Consul service mesh pattern for applications in ECS. This example is running on EC2 instances under an ECS managed cluster, but could be easily modified to run Fargate workloads as well.
https://medium.com/hashicorp-engineering/secure-your-aws-ecs-microservices-with-consul-service-mesh-23df69949754
#aws
Five Best Practices for Cloud Security.pdf
780.7 KB
🔹 Five Best Practices for Cloud Security
Overview providing a snapshot of five best practices for cloud security: identity and access control, security posture management, apps and data security, threat protection, and network security.
#azure
Overview providing a snapshot of five best practices for cloud security: identity and access control, security posture management, apps and data security, threat protection, and network security.
#azure
🔸Using Amazon GuardDuty to Protect Your S3 Buckets
This expands GuardDuty threat detection coverage beyond workloads and AWS accounts to also help you protect your data stored in S3.
https://aws.amazon.com/ru/blogs/aws/new-using-amazon-guardduty-to-protect-your-s3-buckets/?sc_channel=sm&sc_campaign=AWSSecurity_Services&sc_publisher=TWITTER&sc_country=Security&sc_geo=GLOBAL&sc_outcome=adoption&trk=AWSSecurity_Services_TWITTER&linkId=95689196
#aws
This expands GuardDuty threat detection coverage beyond workloads and AWS accounts to also help you protect your data stored in S3.
https://aws.amazon.com/ru/blogs/aws/new-using-amazon-guardduty-to-protect-your-s3-buckets/?sc_channel=sm&sc_campaign=AWSSecurity_Services&sc_publisher=TWITTER&sc_country=Security&sc_geo=GLOBAL&sc_outcome=adoption&trk=AWSSecurity_Services_TWITTER&linkId=95689196
#aws
This media is not supported in your browser
VIEW IN TELEGRAM
⚪️ Introducing CAS: Securing applications with private CAs and certificates
Google announced Certificate Authority Service (CAS), a highly scalable and available service that simplifies and automates the management and deployment of private CAs.
https://cloud.google.com/blog/products/identity-security/introducing-cas-a-cloud-based-managed-ca-for-the-devops-and-iot-world
#gcp
Google announced Certificate Authority Service (CAS), a highly scalable and available service that simplifies and automates the management and deployment of private CAs.
https://cloud.google.com/blog/products/identity-security/introducing-cas-a-cloud-based-managed-ca-for-the-devops-and-iot-world
#gcp
🔸Best Practices for Securing Amazon EMR
This post walks you through some of the principles of Amazon EMR (a managed Hadoop framework) security, including encryption, authentication, and network access.
https://aws.amazon.com/blogs/big-data/best-practices-for-securing-amazon-emr/
#aws
This post walks you through some of the principles of Amazon EMR (a managed Hadoop framework) security, including encryption, authentication, and network access.
https://aws.amazon.com/blogs/big-data/best-practices-for-securing-amazon-emr/
#aws
Amazon
Big Data Platform - Amazon EMR - AWS
Amazon EMR is a cloud big data platform for running large-scale distributed data processing jobs, interactive SQL queries, and machine learning applications using open-source analytics frameworks such as Apache Spark, Apache Hive, and Presto.
🔸Analyzing IAM Policies at Scale with Parliament
The most efficient and repeatable method for finding misconfigurations in IAM policies and roles is to automate the detection process using existing libraries. This blog explores how the Parliament library can be run to detect if a policy is malformed, identify unknown permissions that do not exist within the platform, and callout resource mismatches when resources and permissions do not apply to each other.
https://blog.scalesec.com/analyzing-iam-policies-at-scale-with-parliament-69ae50d335e
#aws
The most efficient and repeatable method for finding misconfigurations in IAM policies and roles is to automate the detection process using existing libraries. This blog explores how the Parliament library can be run to detect if a policy is malformed, identify unknown permissions that do not exist within the platform, and callout resource mismatches when resources and permissions do not apply to each other.
https://blog.scalesec.com/analyzing-iam-policies-at-scale-with-parliament-69ae50d335e
#aws
Medium
Analyzing IAM Policies at Scale with Parliament
Automate the IAM Policy review process with Python
🔸cr0hn/festin
A tool by Daniel García for discovering open S3 Buckets starting from domains. Collects info via DNS, web pages (crawler), and S3 buckets themselves (like S3 redirections). “Watch mode” can listen for new domains in real time, and supports downloading bucket objects and putting them in Redis Search to enable full-text search of discovered contents.
https://github.com/cr0hn/festin
#aws
A tool by Daniel García for discovering open S3 Buckets starting from domains. Collects info via DNS, web pages (crawler), and S3 buckets themselves (like S3 redirections). “Watch mode” can listen for new domains in real time, and supports downloading bucket objects and putting them in Redis Search to enable full-text search of discovered contents.
https://github.com/cr0hn/festin
#aws
GitHub
GitHub - cr0hn/festin: FestIn - Open S3 Bucket Scanner
FestIn - Open S3 Bucket Scanner. Contribute to cr0hn/festin development by creating an account on GitHub.
🔸SmogCloud: Expose Yourself Without Insecurity - Cloud Breach Patterns
BlackHat Arsenal presentation by Bishop Fox’s Rob Ragan and Oscar Salazar on a new tool: Smogcloud, that can be used to find exposed AWS cloud assets that you may not have known you had.
- For example: Internet-facing FQDNs and IPs across one or hundreds of AWS accounts, assets that are no longer in use, services not currently monitored, shadow IT, etc.
- Currently supports about 13 different AWS services.
https://github.com/BishopFox/smogcloud
#aws
BlackHat Arsenal presentation by Bishop Fox’s Rob Ragan and Oscar Salazar on a new tool: Smogcloud, that can be used to find exposed AWS cloud assets that you may not have known you had.
- For example: Internet-facing FQDNs and IPs across one or hundreds of AWS accounts, assets that are no longer in use, services not currently monitored, shadow IT, etc.
- Currently supports about 13 different AWS services.
https://github.com/BishopFox/smogcloud
#aws
GitHub
GitHub - BishopFox/smogcloud: Find cloud assets that no one wants exposed 🔎 ☁️
Find cloud assets that no one wants exposed 🔎 ☁️. Contribute to BishopFox/smogcloud development by creating an account on GitHub.
⚪️Compromise any GCP Org Via Cloud API Lateral Movement and Privilege Escalation
Great BlackHat USA / DEF CON Safe Mode talk by Allison Donovan and Dylan Ayrey and tool release, gcploit, a “BFS search tool meant for defensive threat models, a mock org simulator, as well as stack driver queries that profile the gcploit tool.”
https://www.youtube.com/watch?v=Ml09R38jpok
#gcp
Great BlackHat USA / DEF CON Safe Mode talk by Allison Donovan and Dylan Ayrey and tool release, gcploit, a “BFS search tool meant for defensive threat models, a mock org simulator, as well as stack driver queries that profile the gcploit tool.”
https://www.youtube.com/watch?v=Ml09R38jpok
#gcp
GitHub
GitHub - dxa4481/gcploit: These are tools we released with our 2020 defcon/blackhat talk https://www.youtube.com/watch?v=Ml09R38jpok
These are tools we released with our 2020 defcon/blackhat talk https://www.youtube.com/watch?v=Ml09R38jpok - GitHub - dxa4481/gcploit: These are tools we released with our 2020 defcon/blackhat talk...
🔸How to Create Unlimited Rotating IP Addresses with AWS
Devin Stokes describes how to use proxycannon-ng to distribute your traffic over an endless supply of cloud-based IP addresses.
https://medium.com/@devinjaystokes/using-proxycannon-ng-to-create-unlimited-rotating-proxies-fccffa70a728
#aws
Devin Stokes describes how to use proxycannon-ng to distribute your traffic over an endless supply of cloud-based IP addresses.
https://medium.com/@devinjaystokes/using-proxycannon-ng-to-create-unlimited-rotating-proxies-fccffa70a728
#aws
🔸Abusing AWS Connection Tracking
How to abuse Connection Tracking in AWS to persist connections on a host, even when a more restrictive security group is put in place as a result of incident response.
https://frichetten.com/blog/abusing-aws-connection-tracking/
#aws
How to abuse Connection Tracking in AWS to persist connections on a host, even when a more restrictive security group is put in place as a result of incident response.
https://frichetten.com/blog/abusing-aws-connection-tracking/
#aws
🔸Using Splunk to Detect Abuse of AWS Permanent and Temporary Credentials
How to detect if an attacker is abusing temporary credentials in your AWS accounts using Splunk.
https://www.splunk.com/en_us/blog/security/using-splunk-to-detect-abuse-of-aws-permanent-and-temporary-credentials.html
#aws
How to detect if an attacker is abusing temporary credentials in your AWS accounts using Splunk.
https://www.splunk.com/en_us/blog/security/using-splunk-to-detect-abuse-of-aws-permanent-and-temporary-credentials.html
#aws
⚪️ Google Cloud security best practices center
Best practices providing specific, informed guidance on helping secure Google Cloud deployments and describing recommended configurations, architectures, suggested settings, and other operational advice.
https://cloud.google.com/security/best-practices
#gcp
Best practices providing specific, informed guidance on helping secure Google Cloud deployments and describing recommended configurations, architectures, suggested settings, and other operational advice.
https://cloud.google.com/security/best-practices
#gcp
Google Cloud
Cloud Security Best Practices Center | Google Cloud
Learn the best practices for securely deploying your workloads on Google Cloud with our privacy & security blueprints, guides, whitepapers, and more.
🔸AWS Auto Remediate
Open source application to instantly remediate common security issues through the use of AWS Config.
https://github.com/servian/aws-auto-remediate
#aws
Open source application to instantly remediate common security issues through the use of AWS Config.
https://github.com/servian/aws-auto-remediate
#aws
🔹GitHub Action for Azure Policy Compliance Scan
It is now possible to trigger on-demand Azure policy compliance evaluations from GitHub workflows.
https://github.com/marketplace/actions/azure-policy-compliance-scan
#azure
It is now possible to trigger on-demand Azure policy compliance evaluations from GitHub workflows.
https://github.com/marketplace/actions/azure-policy-compliance-scan
#azure
GitHub
Azure Policy Compliance Scan - GitHub Marketplace
Triggers compliance scan on Azure resources and passes/fails based on the compliance state of the resources
🔸Anatomy of AWS Lambda
Article taking a closer look on the anatomy of the AWS Lambda functions and the processes that are happening below the surface. If you are not super-familiar with Lambda, I highly recommend this post which provides a very well-thought introduction.
https://dev.to/sosnowski/anatomy-of-aws-lambda-1i1e
#aws
Article taking a closer look on the anatomy of the AWS Lambda functions and the processes that are happening below the surface. If you are not super-familiar with Lambda, I highly recommend this post which provides a very well-thought introduction.
https://dev.to/sosnowski/anatomy-of-aws-lambda-1i1e
#aws