CloudSec Wine – Telegram
All about cloud security

Contacts:
@AMark0f
@dvyakimov

About DevSecOps:
@sec_devops
🔶 Publicly Exposed AWS Document DB Snapshots

Post detailing the research around DocumentDB, and a deep dive on a public exposure impacting millions of customers of a publicly traded company.

https://ramimac.me/exposed-docdb

#aws
🔴 What's new for the Google Cloud global front end for web delivery and protection

A deeper look at how the global front end solution improves the performance, protection, and scalability of their internet-facing web services.

https://cloud.google.com/blog/products/networking/recent-enhancements-to-the-global-front-end-solution/

#gcp
🔶 How Parametric Built Audit Surveillance using AWS Data Lake Architecture

How Parametric implemented their Audit Surveillance Data Lake on AWS with purpose-built fully managed analytics services. With this solution, Parametric was able to respond to various audit requests within hours rather than days or weeks.

https://aws.amazon.com/ru/blogs/architecture/how-parametric-built-audit-surveillance-using-aws-data-lake-architecture/

#aws
🔶 Accelerate incident response with Amazon Security Lake

The first of a two-part series that will demonstrate the value of Amazon Security Lake and how you can use it and other resources to accelerate your incident response (IR) capabilities.

https://aws.amazon.com/ru/blogs/security/accelerate-incident-response-with-amazon-security-lake/

#aws
🔶 Things you wish you didn't need to know about S3

S3 is weirder than you think. Make sure you know all the quirks before they turn into vulnerabilities in your AWS infrastructure.

https://blog.plerion.com/things-you-wish-you-didnt-need-to-know-about-s3/

#aws
🔶 Amazon CloudWatch Logs announces Live Tail streaming CLI support

You can now view your logs interactively in real-time as they're ingested via AWS CLI or programmatically within your own custom dashboards inside or outside of AWS.

https://aws.amazon.com/ru/about-aws/whats-new/2024/06/amazon-cloudwatch-logs-announces-live-tail-streaming-cli-support/

#aws
🔶 sustainability-scanner

Validate AWS CloudFormation templates against AWS Well-Architected Sustainability Pillar best practices.

https://github.com/awslabs/sustainability-scanner

#aws
👩‍💻 Stormspotter

Azure Red Team tool for graphing Azure and Azure Active Directory objects.

https://github.com/Azure/Stormspotter

#azure
🔴 prel

An application that temporarily assigns Google Cloud IAM Roles and includes an approval process.

https://github.com/lirlia/prel

#gcp
🔶 How to securely transfer files with presigned URLs

Best practices for generating and distributing presigned URLs, security considerations, and recommendations for monitoring usage and access patterns.

https://aws.amazon.com/ru/blogs/security/how-to-securely-transfer-files-with-presigned-urls/

#aws
🔴 How you can build a FedRAMP High-compliant network with Assured Workloads

Several best practices for securely deploying a network architecture that aligns with FedRAMP High.

https://cloud.google.com/blog/products/identity-security/how-you-can-build-a-fedramp-high-compliant-network-with-assured-workloads/

#gcp
🔶 Simplify risk and compliance assessments with the new common control library in AWS Audit Manager

Audit Manager introduces a common control library that provides common controls with predefined and pre-mapped AWS data sources.

https://aws.amazon.com/ru/blogs/aws/simplify-risk-and-compliance-assessments-with-the-new-common-control-library-in-aws-audit-manager/

#aws
🔴 Introducing GKE Compliance: Maintain clusters and workloads against industry standards

Google announced built-in, fully managed GKE Compliance within GKE posture management.

https://cloud.google.com/blog/products/containers-kubernetes/gke-compliance-reports-on-cluster-and-workload-posture/

#gcp
🔶 Simplify AWS CloudTrail log analysis with natural language query generation in CloudTrail Lake

Streamline compliance and security analysis using natural language query generation. Ask questions like "What errors occurred last month?" and get ready-to-run SQL queries tailored to your needs - no technical expertise required.

https://aws.amazon.com/ru/blogs/aws/simplify-aws-cloudtrail-log-analysis-with-natural-language-query-generation-in-cloudtrail-lake-preview/

(Use VPN to open from Russia)

#aws
🔶 Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets

Post exploring a campaign targeting AWS Secrets Manager, AWS S3 and AWS S3 Glacier.

https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/

#aws
🔴 The Unauditable, Unmanageable HMAC Keys in Google Cloud

This blog outlines three vulnerabilities surfaced from how Google Cloud handles user-associated HMAC keys.

https://www.vectra.ai/blog/working-as-intended-the-unauditable-unmanageable-keys-in-google-cloud

#gcp
🔶 How to create a pipeline for hardening Amazon EKS nodes and automate updates

How to enhance the security of managed node groups using a CIS Amazon Linux benchmark for Amazon Linux 2 and Amazon Linux 2023.

https://aws.amazon.com/ru/blogs/security/how-to-create-a-pipeline-for-hardening-amazon-eks-nodes-and-automate-updates/

(Use VPN to open from Russia)

#aws
👩‍💻 Cloud security posture and contextualization across cloud boundaries from a single dashboard

How to prioritize the riskiest misconfigurations across your multicloud environment, all inside a single dashboard, by using Defender CSPM.

https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/cloud-security-posture-and-contextualization-across-cloud/ba-p/4161703

#azure
🔶 SaaS tenant isolation with ABAC using AWS STS support for tags in JWT

An alternative approach to implement tenant isolation with ABAC by using the AWS STS AssumeRoleWithWebIdentity API operation and https://aws.amazon.com/tags claim in a JSON Web Token (JWT).

https://aws.amazon.com/ru/blogs/security/saas-tenant-isolation-with-abac-using-aws-sts-support-for-tags-in-jwt/

(Use VPN to open from Russia)

#aws
🔶 AWS OIDC Provider Enumeration

A post expanding on Nick Frichette's discovery of enumerable OIDC providers in AWS using the known_aws_accounts dataset.

https://ramimac.me/oidc-provider-enum

#aws
🔶 Publicly Exposed AWS SSM Command Documents

An analysis of the thousands of public SSM Command documents, including identification of secret leakage.

https://ramimac.me/ssm-command-docs

#aws