CloudSec Wine – Telegram
All about cloud security

Contacts:
@AMark0f
@dvyakimov

About DevSecOps:
@sec_devops
🔴 How you can build a FedRAMP High-compliant network with Assured Workloads

Several best practices for securely deploying a network architecture that aligns with FedRAMP High.

https://cloud.google.com/blog/products/identity-security/how-you-can-build-a-fedramp-high-compliant-network-with-assured-workloads/

#gcp
🔶 Simplify risk and compliance assessments with the new common control library in AWS Audit Manager

Audit Manager introduces a common control library that provides common controls with predefined and pre-mapped AWS data sources.

https://aws.amazon.com/ru/blogs/aws/simplify-risk-and-compliance-assessments-with-the-new-common-control-library-in-aws-audit-manager/

#aws
🔴 Introducing GKE Compliance: Maintain clusters and workloads against industry standards

Google announced built-in, fully managed GKE Compliance within GKE posture management.

https://cloud.google.com/blog/products/containers-kubernetes/gke-compliance-reports-on-cluster-and-workload-posture/

#gcp
🔶 Simplify AWS CloudTrail log analysis with natural language query generation in CloudTrail Lake

Streamline compliance and security analysis using natural language query generation. Ask questions like "What errors occurred last month?" and get ready-to-run SQL queries tailored to your needs - no technical expertise required.

https://aws.amazon.com/ru/blogs/aws/simplify-aws-cloudtrail-log-analysis-with-natural-language-query-generation-in-cloudtrail-lake-preview/

(Use VPN to open from Russia)

#aws
🔶 Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets

A post exploring a campaign targeting AWS Secrets Manager, AWS S3 and AWS S3 Glacier.

https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/

#aws
🔴 The Unauditable, Unmanageable HMAC Keys in Google Cloud

This blog outlines three vulnerabilities surfaced from how Google Cloud handles user-associated HMAC keys.

https://www.vectra.ai/blog/working-as-intended-the-unauditable-unmanageable-keys-in-google-cloud

#gcp
🔶 How to create a pipeline for hardening Amazon EKS nodes and automate updates

How to enhance the security of managed node groups using a CIS Amazon Linux benchmark for Amazon Linux 2 and Amazon Linux 2023.

https://aws.amazon.com/ru/blogs/security/how-to-create-a-pipeline-for-hardening-amazon-eks-nodes-and-automate-updates/

(Use VPN to open from Russia)

#aws
👩‍💻 Cloud security posture and contextualization across cloud boundaries from a single dashboard

How to prioritize the riskiest misconfigurations across your multicloud environment from a single dashboard using Defender CSPM.

https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/cloud-security-posture-and-contextualization-across-cloud/ba-p/4161703

#azure
🔶 SaaS tenant isolation with ABAC using AWS STS support for tags in JWT

An alternative approach to implementing tenant isolation with ABAC by using the AWS STS AssumeRoleWithWebIdentity API operation and the https://aws.amazon.com/tags claim in a JSON Web Token (JWT).

https://aws.amazon.com/ru/blogs/security/saas-tenant-isolation-with-abac-using-aws-sts-support-for-tags-in-jwt/

(Use VPN to open from Russia)

#aws
🔶 AWS OIDC Provider Enumeration

A post expanding on Nick Frichette's discovery of enumerable OIDC providers in AWS using the known_aws_accounts dataset.

https://ramimac.me/oidc-provider-enum

#aws
🔶 Publicly Exposed AWS SSM Command Documents

An analysis of the thousands of public SSM Command documents, including identification of secret leakage.

https://ramimac.me/ssm-command-docs

#aws
🔶👩‍💻🔴 Attack Paths Into VMs in the Cloud

Virtual machines (VMs) are a significant attack target. Focusing on three major CSPs, this research summarizes the conditions for possible VM attack paths.

https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/

#aws #azure #gcp
🔴 New Cloud KMS Autokey can help encrypt your resources quickly and efficiently

Cloud KMS Autokey incorporates recommended practices that can significantly reduce the toil associated with managing your own encryption keys.

https://cloud.google.com/blog/products/identity-security/cloud-kms-autokey-can-help-you-encrypt-resources-quickly-and-efficiently/

#gcp
🔶 Use private key JWT authentication between Amazon Cognito user pools and an OIDC IdP

By redirecting the IdP token endpoint in the Cognito user pool's external OIDC IdP configuration to a route in an API Gateway, you can use Lambda functions to customize the request flow between Cognito and the IdP.

https://aws.amazon.com/ru/blogs/security/use-private-key-jwt-authentication-between-amazon-cognito-user-pools-and-an-oidc-idp/

(Use VPN to open from Russia)

#aws
👩‍💻 Who polices your policies? Azure policy abuse for privilege escalation and persistence

Azure Policy is a popular service to ensure compliance. But did you know attackers can also leverage it to backdoor cloud resources?

https://securitylabs.datadoghq.com/articles/azure-policy-privilege-escalation/

#azure
🔶 History of Amazon Web Services

A page collecting the history of AWS service announcements and releases.

https://www.awsgeek.com/AWS-History/

#aws
🔴 Announcing expanded Sensitive Data Protection for Cloud Storage

GCP's Sensitive Data Protection (SDP) discovery service now supports Cloud Storage, joining BigQuery, BigLake, and Cloud SQL.

https://cloud.google.com/blog/products/identity-security/announcing-expanded-sensitive-data-protection-for-cloud-storage

#gcp
🔶 Implement an early feedback loop with AWS developer tools to shift security left

How to use AWS CodeCommit to securely host Git repositories, AWS CodePipeline to automate continuous delivery pipelines, AWS CodeBuild to build and test code, and Amazon CodeGuru Reviewer to detect potential code defects.

https://aws.amazon.com/ru/blogs/security/implement-an-early-feedback-loop-with-aws-developer-tools-to-shift-security-left/

(Use VPN to open from Russia)

#aws
🔶 Access AWS services programmatically using trusted identity propagation

With the introduction of trusted identity propagation, applications can now propagate a user's workforce identity from their identity provider (IdP) to applications running in AWS and to storage services backing those applications, such as S3 or Glue.

https://aws.amazon.com/ru/blogs/security/access-aws-services-programmatically-using-trusted-identity-propagation/

(Use VPN to open from Russia)

#aws
🔶 Moving AWS Accounts and OUs Within An Organization - Not So Simple!

This post explores the potential implications of moving an AWS account or OU to another OU within the same Organization, including impacts to SCP policy inheritance, CloudFormation StackSet deployments, IAM policy conditions, RAM shares, and Control Tower enrollments.

https://blog.wut.dev/2024/07/05/moving-aws-accounts-within-organization.html

#aws
🔶 Delete unused AMIs using the new 'LastLaunchedTime' attribute

Reduce your AWS costs by (more) safely deleting unused AMIs.

https://st-g.de/2024/05/delete-unused-amis

#aws