🔴 Introducing Advanced Vulnerability Insights for GKE
Artifact Analysis in partnership with Google Kubernetes Engine has introduced a new vulnerability scanning offering called Advanced Vulnerability Insights.
https://cloud.google.com/blog/products/identity-security/introducing-advanced-vulnerability-insights-for-gke
#gcp
Artifact Analysis in partnership with Google Kubernetes Engine has introduced a new vulnerability scanning offering called Advanced Vulnerability Insights.
https://cloud.google.com/blog/products/identity-security/introducing-advanced-vulnerability-insights-for-gke
#gcp
👍4🔥1😱1
🔷 Mistaken Identity: Extracting Managed Identity Credentials from Azure Function Apps
The article discusses a security vulnerability in Azure Function Apps, where Linux containers use an encrypted startup context file that can be decrypted to expose sensitive data, including Managed Identity certificates.
https://www.netspi.com/blog/technical/cloud-penetration-testing/mistaken-identity-azure-function-apps
#azure
The article discusses a security vulnerability in Azure Function Apps, where Linux containers use an encrypted startup context file that can be decrypted to expose sensitive data, including Managed Identity certificates.
https://www.netspi.com/blog/technical/cloud-penetration-testing/mistaken-identity-azure-function-apps
#azure
👍3🔥1😱1
🔶🔷🔴 State of Cloud Security
Datadog analyzed data from thousands of organizations to understand the latest trends in cloud security posture.
https://www.datadoghq.com/state-of-cloud-security/
#aws #azure #gcp
Datadog analyzed data from thousands of organizations to understand the latest trends in cloud security posture.
https://www.datadoghq.com/state-of-cloud-security/
#aws #azure #gcp
👍5🔥2❤1
🔶 Lambda Extensions: Exploring Misuse Scenarios and Stratus Red Team Module Development
Post analyzing a well-known attack vector and then showing how to build a module for Stratus Red Team, a self-contained binary we can use to detonate offensive attack techniques against a live cloud environment easily.
https://awstip.com/lambda-extensions-exploring-misuse-scenarios-and-stratus-red-team-module-development-b63c5a73491a
(Use VPN to open from Russia)
#aws
Post analyzing a well-known attack vector and then showing how to build a module for Stratus Red Team, a self-contained binary we can use to detonate offensive attack techniques against a live cloud environment easily.
https://awstip.com/lambda-extensions-exploring-misuse-scenarios-and-stratus-red-team-module-development-b63c5a73491a
(Use VPN to open from Russia)
#aws
👍3❤1🔥1
🔷 Public preview: Confidential containers on Azure Kubernetes Service (AKS)
AKS now lets you run individual pods in their own trusted execution environment (TEE).
https://techcommunity.microsoft.com/t5/apps-on-azure-blog/public-preview-confidential-containers-on-aks/ba-p/3980871
#azure
AKS now lets you run individual pods in their own trusted execution environment (TEE).
https://techcommunity.microsoft.com/t5/apps-on-azure-blog/public-preview-confidential-containers-on-aks/ba-p/3980871
#azure
❤2👍2🔥2
🔶 Building sensitive data remediation workflows in multi-account AWS environments
A solution that provides you with visibility into sensitive data residing across a fleet of AWS accounts through a ChatOps-style notification mechanism using Microsoft Teams, which also provides contextual information needed to conduct security investigations.
https://aws.amazon.com/ru/blogs/security/building-sensitive-data-remediation-workflows-in-multi-account-aws-environments/
#aws
A solution that provides you with visibility into sensitive data residing across a fleet of AWS accounts through a ChatOps-style notification mechanism using Microsoft Teams, which also provides contextual information needed to conduct security investigations.
https://aws.amazon.com/ru/blogs/security/building-sensitive-data-remediation-workflows-in-multi-account-aws-environments/
#aws
👍3❤2🔥1
🔷 (Ab)using the Microsoft Identity Platform: Exploring Azure AD Token Caching
Presentation examining how JSON Web Token (JWT) caching works in corporate settings with Azure Active Directory (Azure AD) integration, including Azure AD Joined and Hybrid environments.
https://github.com/FuzzySecurity/SANS-HackFest-2023/blob/main/SANS_HackFest23-Abusing_The-Microsoft-Identity-Platform.pdf
#azure
Presentation examining how JSON Web Token (JWT) caching works in corporate settings with Azure Active Directory (Azure AD) integration, including Azure AD Joined and Hybrid environments.
https://github.com/FuzzySecurity/SANS-HackFest-2023/blob/main/SANS_HackFest23-Abusing_The-Microsoft-Identity-Platform.pdf
#azure
👍5❤1🔥1
🔶 Reversing AWS IAM unique IDs
How to identify the ARN of a user/role from AWS IAM unique IDs, often seen in CloudTrail logs.
https://awsteele.com/blog/2023/11/19/reversing-aws-iam-unique-ids.html
#aws
How to identify the ARN of a user/role from AWS IAM unique IDs, often seen in CloudTrail logs.
https://awsteele.com/blog/2023/11/19/reversing-aws-iam-unique-ids.html
#aws
👍5❤1🔥1
🔶 Establishing a data perimeter on AWS: Require services to be created only within expected networks
How to use preventative controls to help ensure that your resources are deployed within your VPC, so that you can effectively enforce the network perimeter controls.
https://aws.amazon.com/ru/blogs/security/establishing-a-data-perimeter-on-aws-require-services-to-be-created-only-within-expected-networks/
#aws
How to use preventative controls to help ensure that your resources are deployed within your VPC, so that you can effectively enforce the network perimeter controls.
https://aws.amazon.com/ru/blogs/security/establishing-a-data-perimeter-on-aws-require-services-to-be-created-only-within-expected-networks/
#aws
👍4🔥2❤1
🔴 Enhancing Cybersecurity with Security Command Center's Attack Path Simulations and Attack Exposure Scoring
Security Command Center (SCC) recently introduced two new features: Attack Path Simulation (APS) and Attack Exposure Scoring (AES).
https://medium.com/google-cloud/enhancing-cybersecurity-with-security-command-centers-attack-path-simulation-and-attack-path-46c527cd4927
(Use VPN to open from Russia)
#gcp
Security Command Center (SCC) recently introduced two new features: Attack Path Simulation (APS) and Attack Exposure Scoring (AES).
https://medium.com/google-cloud/enhancing-cybersecurity-with-security-command-centers-attack-path-simulation-and-attack-path-46c527cd4927
(Use VPN to open from Russia)
#gcp
👍5❤1🔥1
🔶 How to use multiple instances of AWS IAM Identity Center
You can now have two types of IAM Identity Center instances: organization instances and account instances.
https://aws.amazon.com/ru/blogs/security/how-to-use-multiple-instances-of-aws-iam-identity-center/
#aws
You can now have two types of IAM Identity Center instances: organization instances and account instances.
https://aws.amazon.com/ru/blogs/security/how-to-use-multiple-instances-of-aws-iam-identity-center/
#aws
👍4🔥2❤1
🔷 All the Small Things: Azure CLI Leakage and Problematic Usage Patterns
Post discussing the unintentional leakage of Azure Application Variables in GitHub build logs due to Azure CLI's default behavior.
https://www.paloaltonetworks.com/blog/prisma-cloud/secrets-leakage-user-error-azure-cli/
#azure
Post discussing the unintentional leakage of Azure Application Variables in GitHub build logs due to Azure CLI's default behavior.
https://www.paloaltonetworks.com/blog/prisma-cloud/secrets-leakage-user-error-azure-cli/
#azure
👍2🔥1😱1
🔶 Preventing Accidental Internet-Exposure of AWS Resources
Many AWS customers have suffered breaches due to exposing resources to the Internet by accident. This three-part series walks through different ways to mitigate that risk.
https://kevinhock.github.io/2023/11/26/preventing-accidental-internet-exposure-of-aws-resources-part-1-vpc.html
#aws
Many AWS customers have suffered breaches due to exposing resources to the Internet by accident. This three-part series walks through different ways to mitigate that risk.
https://kevinhock.github.io/2023/11/26/preventing-accidental-internet-exposure-of-aws-resources-part-1-vpc.html
#aws
👍4❤1🔥1
🔴 Pwning Cloud Contexts, The Endgame
Slides from a Black Hat MEA 2023 talk discussing how a GitHub token led to the compromise of an entire GCP organization.
https://docs.google.com/presentation/d/1sVZohEgGKDkgwgVNzquNzSzKdLDMOFgAiiR78kcgBAw/edit#slide=id.g29a3b4d3924_0_137
#gcp
Slides from a Black Hat MEA 2023 talk discussing how a GitHub token led to the compromise of an entire GCP organization.
https://docs.google.com/presentation/d/1sVZohEgGKDkgwgVNzquNzSzKdLDMOFgAiiR78kcgBAw/edit#slide=id.g29a3b4d3924_0_137
#gcp
👍2🔥2❤1
🔶 Deep dive into the new Amazon EKS Pod Identity feature
Earlier this week, AWS released a new feature, EKS Pod Identity, that aims to simplify granting AWS access to pods running in an EKS cluster. This post deep-dives into how this feature works, some elements that make it unique, and why you might consider using it.
https://securitylabs.datadoghq.com/articles/eks-pod-identity-deep-dive/
#aws
Earlier this week, AWS released a new feature, EKS Pod Identity, that aims to simplify granting AWS access to pods running in an EKS cluster. This post deep-dives into how this feature works, some elements that make it unique, and why you might consider using it.
https://securitylabs.datadoghq.com/articles/eks-pod-identity-deep-dive/
#aws
👍7🔥2😱1
🔶 How fast is CloudTrail today? Investigating CloudTrail delays using Athena
Investigating how long CloudTrail takes to deliver events in 2023.
https://tracebit.com/blog/2023/11/how-fast-is-cloudtrail-today-investigating-cloudtrail-delays-using-athena/
#aws
Investigating how long CloudTrail takes to deliver events in 2023.
https://tracebit.com/blog/2023/11/how-fast-is-cloudtrail-today-investigating-cloudtrail-delays-using-athena/
#aws
👍3🔥1😱1
🔶 Avoid accidental exposure of authenticated Amazon API Gateway resources
The article advises securing Amazon API Gateway by setting default authorizers and applying resource policies for IAM authentication, to prevent accidental exposure and enhance security through defense in depth.
https://www.wolfe.id.au/2023/11/12/avoid-accidental-exposure-of-authenticated-amazon-api-gateway-resources/
#aws
The article advises securing Amazon API Gateway by setting default authorizers and applying resource policies for IAM authentication, to prevent accidental exposure and enhance security through defense in depth.
https://www.wolfe.id.au/2023/11/12/avoid-accidental-exposure-of-authenticated-amazon-api-gateway-resources/
#aws
👍3❤1🔥1
🔴 Exploring a Critical Risk in Google Workspace's Domain-Wide Delegation Feature
A security risk discovered in the Google Cloud Platform domain-wide delegation feature allows a user to generate an access token to Google Workspace, granting unauthorized access to data and other key tools.
https://unit42.paloaltonetworks.com/critical-risk-in-google-workspace-delegation-feature/
#gcp
A security risk discovered in the Google Cloud Platform domain-wide delegation feature allows a user to generate an access token to Google Workspace, granting unauthorized access to data and other key tools.
https://unit42.paloaltonetworks.com/critical-risk-in-google-workspace-delegation-feature/
#gcp
👍3🔥1😱1
🔷 Microsoft Incident Response lessons on preventing cloud identity compromise
Different scenarios involving misconfigured hybrid identity setups that could lead to compromise of Microsoft Entra ID.
https://www.microsoft.com/en-us/security/blog/2023/12/05/microsoft-incident-response-lessons-on-preventing-cloud-identity-compromise/
#azure
Different scenarios involving misconfigured hybrid identity setups that could lead to compromise of Microsoft Entra ID.
https://www.microsoft.com/en-us/security/blog/2023/12/05/microsoft-incident-response-lessons-on-preventing-cloud-identity-compromise/
#azure
👍3❤1🔥1
🔴 DevSecOps and CI/CD using Google Cloud Built-in Services
How to build a secure CI/CD pipeline using Google Cloud's built-in services using Cloud Build, Cloud Deploy, Artifact Registry, Binary Authorization and GKE.
https://cloud.google.com/blog/products/devops-sre/devsecops-and-cicd-using-google-cloud-built-in-services
#gcp
How to build a secure CI/CD pipeline using Google Cloud's built-in services using Cloud Build, Cloud Deploy, Artifact Registry, Binary Authorization and GKE.
https://cloud.google.com/blog/products/devops-sre/devsecops-and-cicd-using-google-cloud-built-in-services
#gcp
🔥4❤2👍1
🔶 Zonal autoshift - Automatically shift your traffic away from Availability Zones when we detect potential issues
A new capability of Route 53 Application Recovery Controller that you can enable to automatically and safely shift your workload's traffic away from an Availability Zone when AWS identifies a potential failure affecting that Availability Zone and shift it back once the failure is resolved.
https://aws.amazon.com/ru/blogs/aws/zonal-autoshift-automatically-shift-your-traffic-away-from-availability-zones-when-we-detect-potential-issues/
#aws
A new capability of Route 53 Application Recovery Controller that you can enable to automatically and safely shift your workload's traffic away from an Availability Zone when AWS identifies a potential failure affecting that Availability Zone and shift it back once the failure is resolved.
https://aws.amazon.com/ru/blogs/aws/zonal-autoshift-automatically-shift-your-traffic-away-from-availability-zones-when-we-detect-potential-issues/
#aws
👍3❤1🔥1