🔶 Tales from the cloud trenches: Raiding for AWS vaults, buckets and secrets
Post exploring a campaign targeting AWS Secrets Manager, AWS S3 and AWS S3 Glacier.
https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-raiding-for-vaults-buckets-secrets/
#aws
🔴 The Unauditable, Unmanageable HMAC Keys in Google Cloud
This blog outlines three vulnerabilities surfaced from how Google Cloud handles user-associated HMAC keys.
https://www.vectra.ai/blog/working-as-intended-the-unauditable-unmanageable-keys-in-google-cloud
#gcp
🔶 How to create a pipeline for hardening Amazon EKS nodes and automate updates
How to enhance the security of managed node groups using a CIS Amazon Linux benchmark for Amazon Linux 2 and Amazon Linux 2023.
https://aws.amazon.com/ru/blogs/security/how-to-create-a-pipeline-for-hardening-amazon-eks-nodes-and-automate-updates/
(Use VPN to open from Russia)
#aws
How to prioritize riskiest misconfigurations across your multicloud environment, all inside of a single dashboard by using Defender CSPM.
https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/cloud-security-posture-and-contextualization-across-cloud/ba-p/4161703
#azure
🔶 SaaS tenant isolation with ABAC using AWS STS support for tags in JWT
An alternative approach to implementing tenant isolation with ABAC by using the AWS STS AssumeRoleWithWebIdentity API operation and the https://aws.amazon.com/tags claim in a JSON Web Token (JWT).
https://aws.amazon.com/ru/blogs/security/saas-tenant-isolation-with-abac-using-aws-sts-support-for-tags-in-jwt/
(Use VPN to open from Russia)
#aws
🔶 AWS OIDC Provider Enumeration
A post expanding on Nick Frichette's discovery of enumerable OIDC providers in AWS using the known_aws_accounts dataset.
https://ramimac.me/oidc-provider-enum
#aws
🔶 Publicly Exposed AWS SSM Command Documents
An analysis of the thousands of public SSM Command documents, including identification of secret leakage.
https://ramimac.me/ssm-command-docs
#aws
🔶👩💻 🔴 Attack Paths Into VMs in the Cloud
Virtual machines (VMs) are a significant attack target. Focusing on three major CSPs, this research summarizes the conditions for possible VM attack paths.
https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/
#aws #azure #gcp
🔴 New Cloud KMS Autokey can help encrypt your resources quickly and efficiently
Cloud KMS Autokey incorporates recommended practices that can significantly reduce the toil associated with managing your own encryption keys.
https://cloud.google.com/blog/products/identity-security/cloud-kms-autokey-can-help-you-encrypt-resources-quickly-and-efficiently/
#gcp
🔶 Use private key JWT authentication between Amazon Cognito user pools and an OIDC IdP
By redirecting the IdP token endpoint in the Cognito user pool's external OIDC IdP configuration to a route in an API Gateway, you can use Lambda functions to customize the request flow between Cognito and the IdP.
https://aws.amazon.com/ru/blogs/security/use-private-key-jwt-authentication-between-amazon-cognito-user-pools-and-an-oidc-idp/
(Use VPN to open from Russia)
#aws
Azure Policy is a popular service to ensure compliance. But did you know attackers can also leverage it to backdoor cloud resources?
https://securitylabs.datadoghq.com/articles/azure-policy-privilege-escalation/
#azure
🔶 History of Amazon Web Services
A page collecting the history of AWS service announcements and releases.
https://www.awsgeek.com/AWS-History/
#aws
🔴 Announcing expanded Sensitive Data Protection for Cloud Storage
GCP's Sensitive Data Protection (SDP) discovery service now supports Cloud Storage, joining BigQuery, BigLake, and Cloud SQL.
https://cloud.google.com/blog/products/identity-security/announcing-expanded-sensitive-data-protection-for-cloud-storage
#gcp
🔶 Implement an early feedback loop with AWS developer tools to shift security left
How to use AWS CodeCommit to securely host Git repositories, AWS CodePipeline to automate continuous delivery pipelines, AWS CodeBuild to build and test code, and Amazon CodeGuru Reviewer to detect potential code defects.
https://aws.amazon.com/ru/blogs/security/implement-an-early-feedback-loop-with-aws-developer-tools-to-shift-security-left/
(Use VPN to open from Russia)
#aws
🔶 Access AWS services programmatically using trusted identity propagation
With the introduction of trusted identity propagation, applications can now propagate a user's workforce identity from their identity provider (IdP) to applications running in AWS and to storage services backing those applications, such as S3 or Glue.
https://aws.amazon.com/ru/blogs/security/access-aws-services-programmatically-using-trusted-identity-propagation/
(Use VPN to open from Russia)
#aws
🔶 Moving AWS Accounts and OUs Within An Organization - Not So Simple!
This post explores the potential implications of moving an AWS account or OU to another OU within the same Organization, including impacts to SCP policy inheritance, CloudFormation StackSet deployments, IAM policy conditions, RAM shares, and Control Tower enrollments.
https://blog.wut.dev/2024/07/05/moving-aws-accounts-within-organization.html
#aws
🔶 Delete unused AMIs using the new 'LastLaunchedTime' attribute
Reduce your AWS costs by (more) safely deleting unused AMIs.
https://st-g.de/2024/05/delete-unused-amis
#aws
🔴 IAM so lost: A guide to identity in Google Cloud
An entry-level post demystifying two foundational IAM access control principles: the concepts of least privilege and separation of duties.
https://cloud.google.com/blog/products/identity-security/scaling-the-iam-mountain-an-in-depth-guide-to-identity-in-google-cloud/
#gcp
🔶 Strategies for achieving least privilege at scale - Part 1
This blog post walked through the first five (of nine) strategies for achieving least privilege at scale.
https://aws.amazon.com/ru/blogs/security/strategies-for-achieving-least-privilege-at-scale-part-1/
(Use VPN to open from Russia)
#aws
🔶 Strategies for achieving least privilege at scale - Part 2
This second post continues to look at the remaining four strategies and related mental models for scaling least privilege across your organization.
https://aws.amazon.com/ru/blogs/security/strategies-for-achieving-least-privilege-at-scale-part-2/
(Use VPN to open from Russia)
#aws
🔶 Building the foundations: A defender's guide to AWS Bedrock
This blog focuses on AWS Bedrock and its relevant telemetry streams: CloudTrail management and data events, model invocation telemetry and endpoint telemetry.
https://www.sumologic.com/blog/defenders-guide-to-aws-bedrock/
#aws