🔶 Ultimate guide to secrets in Lambda
This post compares Systems Manager, Secrets Manager, Key Management Service, and environment variables for handling your secrets in Lambda.
https://aaronstuyvenberg.com/posts/ultimate-lambda-secrets-guide
#aws
This post compares Systems Manager, Secrets Manager, Key Management Service, and environment variables for handling your secrets in Lambda.
https://aaronstuyvenberg.com/posts/ultimate-lambda-secrets-guide
#aws
👍2❤1🔥1
🔶 Use Amazon Verified Permissions for fine-grained authorization at scale
How you can apply 2 techniques (bulk authorization and response caching) when listing authorized resources and actions and loading multiple components on webpages.
https://aws.amazon.com/ru/blogs/security/use-amazon-verified-permissions-for-fine-grained-authorization-at-scale/
#aws
How you can apply 2 techniques (bulk authorization and response caching) when listing authorized resources and actions and loading multiple components on webpages.
https://aws.amazon.com/ru/blogs/security/use-amazon-verified-permissions-for-fine-grained-authorization-at-scale/
#aws
👍3❤1🔥1
🔶 Set IMDSv2 as default for all new instance launches in your account
You can now set all new Amazon EC2 instance launches in your account to use Instance Metadata Service Version 2 (IMDSv2) by default.
https://aws.amazon.com/ru/about-aws/whats-new/2024/03/set-imdsv2-default-new-instance-launches/
#aws
You can now set all new Amazon EC2 instance launches in your account to use Instance Metadata Service Version 2 (IMDSv2) by default.
https://aws.amazon.com/ru/about-aws/whats-new/2024/03/set-imdsv2-default-new-instance-launches/
#aws
👍3❤1🔥1
Azure Container Apps now provides a free managed certificate for your custom domain.
https://azure.microsoft.com/en-us/updates/generally-available-free-managed-certificates-on-azure-container-apps/
#azure
Please open Telegram to view this post
VIEW IN TELEGRAM
❤1👍1🔥1
🔶🔴 Leveraging AWS SSO (aka Identity Center) with Google Workspaces
How to configure AWS Identity Center to use Google Workspace/Cloud Identity with SCIM Support.
https://www.primeharbor.com/blog/aws-identity-center-google/
#aws #gcp
How to configure AWS Identity Center to use Google Workspace/Cloud Identity with SCIM Support.
https://www.primeharbor.com/blog/aws-identity-center-google/
#aws #gcp
👍2❤1🔥1
🔶 When AWS invariants aren't [invariant]
Search CloudTrail for instances of AssumeRole with additionalEventData.explicitTrustGrant == false. These will yield results for role assumptions that aren't permitted by the trust policy and violate your invariants like role session names will always be an employee's email address.
https://awsteele.com/blog/2024/02/20/when-aws-invariants-are-not.html
#aws
Search CloudTrail for instances of AssumeRole with additionalEventData.explicitTrustGrant == false. These will yield results for role assumptions that aren't permitted by the trust policy and violate your invariants like role session names will always be an employee's email address.
https://awsteele.com/blog/2024/02/20/when-aws-invariants-are-not.html
#aws
👍3❤1🔥1
🔶 How to generate security findings to help your security team with incident response simulations
How to deploy a solution that provisions resources to generate simulated security findings for actual provisioned resources within your AWS account.
https://aws.amazon.com/ru/blogs/security/how-to-generate-security-findings-to-help-your-security-team-with-incident-response-simulations/
#aws
How to deploy a solution that provisions resources to generate simulated security findings for actual provisioned resources within your AWS account.
https://aws.amazon.com/ru/blogs/security/how-to-generate-security-findings-to-help-your-security-team-with-incident-response-simulations/
#aws
👍4❤1🔥1
🔶 Amazon GuardDuty EC2 Runtime Monitoring is now generally available
Amazon announced the general availability of Amazon GuardDuty EC2 Runtime Monitoring to expand threat detection coverage for EC2 instances at runtime and complement the anomaly detection that GuardDuty already provides by continuously monitoring VPC Flow Logs, DNS query logs, and AWS CloudTrail management events.
https://aws.amazon.com/ru/blogs/aws/amazon-guardduty-ec2-runtime-monitoring-is-now-generally-available/
#aws
Amazon announced the general availability of Amazon GuardDuty EC2 Runtime Monitoring to expand threat detection coverage for EC2 instances at runtime and complement the anomaly detection that GuardDuty already provides by continuously monitoring VPC Flow Logs, DNS query logs, and AWS CloudTrail management events.
https://aws.amazon.com/ru/blogs/aws/amazon-guardduty-ec2-runtime-monitoring-is-now-generally-available/
#aws
👍2❤1🔥1
🔶 Terraform CI/CD and testing on AWS with the new Terraform Test Framework
How to validate Terraform modules and how to automate the process using a CI/CD pipeline.
https://aws.amazon.com/ru/blogs/devops/terraform-ci-cd-and-testing-on-aws-with-the-new-terraform-test-framework/
#aws
How to validate Terraform modules and how to automate the process using a CI/CD pipeline.
https://aws.amazon.com/ru/blogs/devops/terraform-ci-cd-and-testing-on-aws-with-the-new-terraform-test-framework/
#aws
👍3🔥2❤1
🔶🔴 IAM Is The Worst
IAM started out as an easy idea that as more and more services were launched, started to become nightmarish to organize. It's too hard to do the right thing now and it's even harder to do the right thing in GCP compared to AWS.
https://matduggan.com/iam-is-the-worst/
#aws #gcp
IAM started out as an easy idea that as more and more services were launched, started to become nightmarish to organize. It's too hard to do the right thing now and it's even harder to do the right thing in GCP compared to AWS.
https://matduggan.com/iam-is-the-worst/
#aws #gcp
👍3❤1🔥1
🔴 Who Touched My GCP Project? Understanding the Principal Part in Cloud Audit Logs
Post which explains how to identify principles and understand the identities present in GCP logs, including impersonation and third-party identities.
https://www.mitiga.io/blog/who-touched-my-gcp-project-understanding-the-principal-part-in-cloud-audit-logs-part-1
#gcp
Post which explains how to identify principles and understand the identities present in GCP logs, including impersonation and third-party identities.
https://www.mitiga.io/blog/who-touched-my-gcp-project-understanding-the-principal-part-in-cloud-audit-logs-part-1
#gcp
👍3🔥1😱1
🔶 Muddled Libra's Evolution to the Cloud
Unit 42 researchers have discovered that the Muddled Libra group now actively targets software-as-a-service (SaaS) applications and cloud service provider (CSP) environments.
https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/
#aws
Unit 42 researchers have discovered that the Muddled Libra group now actively targets software-as-a-service (SaaS) applications and cloud service provider (CSP) environments.
https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/
#aws
👍5❤1🔥1
🔶 We discovered an AWS access vulnerability
The Stedi team discovered a vulnerability in STS that caused role trust policy statements to be evaluated incorrectly.
https://www.stedi.com/blog/stedi-discovered-an-aws-access-vulnerability
#aws
The Stedi team discovered a vulnerability in STS that caused role trust policy statements to be evaluated incorrectly.
https://www.stedi.com/blog/stedi-discovered-an-aws-access-vulnerability
#aws
👍3🔥1😱1
🔶 Detecting and remediating inactive user accounts with Amazon Cognito
A solution that uses serverless technologies to track and disable inactive user accounts.
https://aws.amazon.com/ru/blogs/security/detecting-and-remediating-inactive-user-accounts-with-amazon-cognito/
#aws
A solution that uses serverless technologies to track and disable inactive user accounts.
https://aws.amazon.com/ru/blogs/security/detecting-and-remediating-inactive-user-accounts-with-amazon-cognito/
#aws
👍5❤1🔥1
Permiso started a series of blog posts that will walk through some of MITRE's ATT&CK Matrix, diving deep into cloud-based techniques. The first post of this series covers Cloud Administration Command.
https://permiso.io/blog/an-adversary-adventure-with-cloud-administration-command
#azure
Please open Telegram to view this post
VIEW IN TELEGRAM
👍3🔥2❤1
🔶 Amazon AppFlow vulnerabilities: Undocumented API allowed reading partial secrets, SSRF in WooCommerce connector
This vulnerability allowed anyone to steal secrets managed by AppFlow in any AWS account.
https://ronin.ae/news/amazon-appflow-vulnerabilities/
#aws
This vulnerability allowed anyone to steal secrets managed by AppFlow in any AWS account.
https://ronin.ae/news/amazon-appflow-vulnerabilities/
#aws
👍3❤1🔥1
🔶 S3 Bucket Encryption Doesn't Work The Way You Think It Works
Let's try all the different S3 encryption options, see why it's more like access control than encryption, and why that matters.
https://blog.plerion.com/s3-bucket-encryption-doesnt-work-the-way-you-think-it-works/
#aws
Let's try all the different S3 encryption options, see why it's more like access control than encryption, and why that matters.
https://blog.plerion.com/s3-bucket-encryption-doesnt-work-the-way-you-think-it-works/
#aws
👍2🔥1😱1
A Zero Trust activity-level guidance for DoD Components and DIB partners implementing the DoD Zero Trust Strategy.
https://www.microsoft.com/en-us/security/blog/2024/04/16/new-microsoft-guidance-for-the-dod-zero-trust-strategy/
#azure
Please open Telegram to view this post
VIEW IN TELEGRAM
👍2❤1🔥1
🔶 Integrate Kubernetes policy-as-code solutions into Security Hub
A solution to send policy violations from PaC solutions using Kubernetes policy report format (for example, using Kyverno) or from Gatekeeper's constraints status directly to AWS Security Hub.
https://aws.amazon.com/ru/blogs/security/integrate-kubernetes-policy-as-code-solutions-into-security-hub/
(Use VPN to open from Russia)
#aws
A solution to send policy violations from PaC solutions using Kubernetes policy report format (for example, using Kyverno) or from Gatekeeper's constraints status directly to AWS Security Hub.
https://aws.amazon.com/ru/blogs/security/integrate-kubernetes-policy-as-code-solutions-into-security-hub/
(Use VPN to open from Russia)
#aws
👍3❤1🔥1
🔶 Our Journey Migrating to AWS IMDSv2
Slack moved their entire fleet and tools to IMDSv2. In this article, they discuss the pitfalls of using IMDSv1 and their journey towards fully migrating to IMDSv2.
https://slack.engineering/our-journey-migrating-to-aws-imdsv2/
#aws
Slack moved their entire fleet and tools to IMDSv2. In this article, they discuss the pitfalls of using IMDSv1 and their journey towards fully migrating to IMDSv2.
https://slack.engineering/our-journey-migrating-to-aws-imdsv2/
#aws
👍4❤1🔥1