🔶 History of Amazon Web Services
A page collecting the history of AWS service announcements and releases.
https://www.awsgeek.com/AWS-History/
#aws
🔴 Announcing expanded Sensitive Data Protection for Cloud Storage
GCP's Sensitive Data Protection (SDP) discovery service now supports Cloud Storage, joining BigQuery, BigLake, and Cloud SQL.
https://cloud.google.com/blog/products/identity-security/announcing-expanded-sensitive-data-protection-for-cloud-storage
#gcp
🔶 Implement an early feedback loop with AWS developer tools to shift security left
How to use AWS CodeCommit to securely host Git repositories, AWS CodePipeline to automate continuous delivery pipelines, AWS CodeBuild to build and test code, and Amazon CodeGuru Reviewer to detect potential code defects.
https://aws.amazon.com/ru/blogs/security/implement-an-early-feedback-loop-with-aws-developer-tools-to-shift-security-left/
(Use VPN to open from Russia)
#aws
🔶 Access AWS services programmatically using trusted identity propagation
With the introduction of trusted identity propagation, applications can now propagate a user's workforce identity from their identity provider (IdP) to applications running in AWS and to storage services backing those applications, such as S3 or Glue.
https://aws.amazon.com/ru/blogs/security/access-aws-services-programmatically-using-trusted-identity-propagation/
(Use VPN to open from Russia)
#aws
🔶 Moving AWS Accounts and OUs Within An Organization - Not So Simple!
This post explores the potential implications of moving an AWS account or OU to another OU within the same Organization, including impacts to SCP policy inheritance, CloudFormation StackSet deployments, IAM policy conditions, RAM shares, and Control Tower enrollments.
https://blog.wut.dev/2024/07/05/moving-aws-accounts-within-organization.html
#aws
🔶 Delete unused AMIs using the new 'LastLaunchedTime' attribute
Reduce your AWS costs by (more) safely deleting unused AMIs.
https://st-g.de/2024/05/delete-unused-amis
#aws
🔴 IAM so lost: A guide to identity in Google Cloud
An entry-level post demystifying two foundational IAM access control principles: the concepts of least privilege and separation of duties.
https://cloud.google.com/blog/products/identity-security/scaling-the-iam-mountain-an-in-depth-guide-to-identity-in-google-cloud/
#gcp
🔶 Strategies for achieving least privilege at scale - Part 1
This blog post walked through the first five (of nine) strategies for achieving least privilege at scale.
https://aws.amazon.com/ru/blogs/security/strategies-for-achieving-least-privilege-at-scale-part-1/
(Use VPN to open from Russia)
#aws
🔶 Strategies for achieving least privilege at scale - Part 2
This second post continues to look at the remaining four strategies and related mental models for scaling least privilege across your organization.
https://aws.amazon.com/ru/blogs/security/strategies-for-achieving-least-privilege-at-scale-part-2/
(Use VPN to open from Russia)
#aws
🔶 Building the foundations: A defender's guide to AWS Bedrock
This blog focuses on AWS Bedrock and its relevant telemetry streams: CloudTrail management and data events, model invocation telemetry and endpoint telemetry.
https://www.sumologic.com/blog/defenders-guide-to-aws-bedrock/
#aws
🔶 Thwacking DDOS with AWS WAF
AWS WAF is definitely not the best DDOS prevention tech on the market. But if you're ever in the seat and it's the tool you have, here's your guide.
https://ramimac.me/waf-ddos
#aws
🔶 Poor mans MFA for AWS Client VPN
The AWS Client VPN service is a common way to seamlessly connect users into internal networks. This post describes a low-tech, low-cost solution to better authenticate users using a second factor.
https://onecloudplease.com/blog/poor-mans-mfa-for-aws-client-vpn
#aws
🔶 A hard look at GuardDuty shortcomings
Is GuardDuty all you need for AWS threat detection? This post offers some results of adversarial simulation, a review of detection latency, and an analysis of projected S3 ransomware timing.
https://tracebit.com/blog/a-hard-look-at-guardduty-shortcomings
#aws
🔶 Using S3 as a container registry
You can use S3 as a container registry. All it takes is to expose an S3 bucket through HTTP and to upload the image's files to specific paths.
https://ochagavia.nl/blog/using-s3-as-a-container-registry/
#aws
🔴 ConfusedFunction: A Privilege Escalation Vulnerability Impacting GCP Cloud Functions
Organizations that have used GCP's Cloud Functions could be impacted by a privilege escalation vulnerability discovered by Tenable and dubbed ConfusedFunction.
https://www.tenable.com/blog/confusedfunction-a-privilege-escalation-vulnerability-impacting-gcp-cloud-functions
(Use VPN to open from Russia)
#gcp
A forensic analysis of Azure Run Command activities, focusing on how to detect and investigate potential misuse.
https://www.cadosecurity.com/blog/azure-run-command-forensics
#azure
🔴 Zero Trust and BeyondCorp Google Cloud
Some sketchnotes on Zero Trust and BeyondCorp Google Cloud.
https://cloud.google.com/blog/topics/developers-practitioners/zero-trust-and-beyondcorp-google-cloud
#gcp
🔴 Announcing VPC Service Controls with private IPs to extend data exfiltration protection
VPC Service Controls (VPC-SC) creates isolation perimeters around cloud resources and networks in Google Cloud, helping you limit access to your sensitive data.
https://cloud.google.com/blog/products/identity-security/announcing-vpc-service-controls-with-private-ips-to-extend-data-exfiltration-protection
#gcp
🔶 How to use the AWS Secrets Manager Agent
The Secrets Manager Agent is a client-side agent that allows you to standardize consumption of secrets from Secrets Manager across your AWS compute environments.
https://aws.amazon.com/ru/blogs/security/how-to-use-the-aws-secrets-manager-agent/
(Use VPN to open from Russia)
#aws
Identity Protection, and the associated Risky reports, are a quick and easy starting point to check if Microsoft has flagged any risky sign-ins, workloads, or users.
https://www.invictus-ir.com/news/a-deep-dive-into-entra-id-identity-protection-for-incident-response
#azure
🔶 Poisoning the SSM Command Document Well
A post disclosing risks in using SSM Command Docs for software distribution.
https://ramimac.me/poisoning-ssm-command-docs
#aws