CloudSec Wine – Telegram
CloudSec Wine
All about cloud security

Contacts:
@AMark0f
@dvyakimov

About DevSecOps:
@sec_devops
🔶 Moving AWS Accounts and OUs Within An Organization - Not So Simple!

This post explores the potential implications of moving an AWS account or OU to another OU within the same Organization, including impacts to SCP policy inheritance, CloudFormation StackSet deployments, IAM policy conditions, RAM shares, and Control Tower enrollments.

https://blog.wut.dev/2024/07/05/moving-aws-accounts-within-organization.html

#aws
🔶 Delete unused AMIs using the new 'LastLaunchedTime' attribute

Reduce your AWS costs by (more) safely deleting unused AMIs.

https://st-g.de/2024/05/delete-unused-amis

#aws
🔴 IAM so lost: A guide to identity in Google Cloud

An entry-level post demystifying two foundational IAM access control principles: the concepts of least privilege and separation of duties.

https://cloud.google.com/blog/products/identity-security/scaling-the-iam-mountain-an-in-depth-guide-to-identity-in-google-cloud/

#gcp
🔶 Strategies for achieving least privilege at scale - Part 1

This blog post walks through the first five (of nine) strategies for achieving least privilege at scale.

https://aws.amazon.com/ru/blogs/security/strategies-for-achieving-least-privilege-at-scale-part-1/

(Use VPN to open from Russia)

#aws
🔶 Strategies for achieving least privilege at scale - Part 2

This second post continues to look at the remaining four strategies and related mental models for scaling least privilege across your organization.

https://aws.amazon.com/ru/blogs/security/strategies-for-achieving-least-privilege-at-scale-part-2/

(Use VPN to open from Russia)

#aws
🔶 Building the foundations: A defender's guide to AWS Bedrock

This blog focuses on AWS Bedrock and its relevant telemetry streams: CloudTrail management and data events, model invocation telemetry and endpoint telemetry.

https://www.sumologic.com/blog/defenders-guide-to-aws-bedrock/

#aws
🔶 Thwacking DDOS with AWS WAF

AWS WAF is definitely not the best DDOS prevention tech on the market. But if you're ever in the seat and it's the tool you have, here's your guide.

https://ramimac.me/waf-ddos

#aws
🔶 Poor man's MFA for AWS Client VPN

The AWS Client VPN service is a common way to seamlessly connect users into internal networks. This post describes a low-tech, low-cost solution to better authenticate users using a second factor.

https://onecloudplease.com/blog/poor-mans-mfa-for-aws-client-vpn

#aws
🔶 A hard look at GuardDuty shortcomings

Is GuardDuty all you need for AWS threat detection? This post offers some results of adversarial simulation, a review of detection latency, and an analysis of projected S3 ransomware timing.

https://tracebit.com/blog/a-hard-look-at-guardduty-shortcomings

#aws
🔶 Using S3 as a container registry

You can use S3 as a container registry. All it takes is to expose an S3 bucket through HTTP and to upload the image's files to specific paths.

https://ochagavia.nl/blog/using-s3-as-a-container-registry/

#aws
🔴 ConfusedFunction: A Privilege Escalation Vulnerability Impacting GCP Cloud Functions

Organizations that have used GCP's Cloud Functions could be impacted by a privilege escalation vulnerability discovered by Tenable and dubbed ConfusedFunction.

https://www.tenable.com/blog/confusedfunction-a-privilege-escalation-vulnerability-impacting-gcp-cloud-functions

(Use VPN to open from Russia)

#gcp
👩‍💻 Azure Run Command Forensics

A forensic analysis of Azure Run Command activities, focusing on how to detect and investigate potential misuse.

https://www.cadosecurity.com/blog/azure-run-command-forensics

#azure
🔴 Zero Trust and BeyondCorp Google Cloud

Some sketchnotes on Zero Trust and BeyondCorp Google Cloud.

https://cloud.google.com/blog/topics/developers-practitioners/zero-trust-and-beyondcorp-google-cloud

#gcp
🔴 Announcing VPC Service Controls with private IPs to extend data exfiltration protection

VPC Service Controls (VPC-SC) creates isolation perimeters around cloud resources and networks in Google Cloud, helping you limit access to your sensitive data.

https://cloud.google.com/blog/products/identity-security/announcing-vpc-service-controls-with-private-ips-to-extend-data-exfiltration-protection

#gcp
🔶 How to use the AWS Secrets Manager Agent

The Secrets Manager Agent is a client-side agent that allows you to standardize consumption of secrets from Secrets Manager across your AWS compute environments.

https://aws.amazon.com/ru/blogs/security/how-to-use-the-aws-secrets-manager-agent/

(Use VPN to open from Russia)

#aws
👩‍💻 A deep dive into Entra ID Identity Protection for Incident Response

Identity Protection, and the associated Risky reports, are a quick and easy starting point to check if Microsoft has flagged any risky sign-ins, workloads, or users.

https://www.invictus-ir.com/news/a-deep-dive-into-entra-id-identity-protection-for-incident-response

#azure
🔶 Poisoning the SSM Command Document Well

A post disclosing risks in using SSM Command Docs for software distribution.

https://ramimac.me/poisoning-ssm-command-docs

#aws
🔴 Escalating Privileges in Google Cloud via Open Groups

How an attacker can escalate their privileges in Google Cloud by leveraging weak group join settings for groups that have been granted roles in GCP.

https://www.netspi.com/blog/technical-blog/cloud-pentesting/escalating-privileges-in-google-cloud-via-open-groups/

#gcp
🔶 Revealing the Inner Structure of AWS Session Tokens

A post sharing code and tools to programmatically analyze and modify AWS Session Tokens.

https://medium.com/@TalBeerySec/revealing-the-inner-structure-of-aws-session-tokens-a6c76469cba7

(Use VPN to open from Russia)

#aws
🔶 Automate monitoring for your Amazon EKS cluster using CloudWatch Container Insights

How to implement Amazon EKS monitoring and alerting using a custom solution that automates EKS observability capabilities for dynamic performance metrics.

https://aws.amazon.com/ru/blogs/infrastructure-and-automation/automate-monitoring-for-your-amazon-eks-cluster-using-cloudwatch-container-insights/

(Use VPN to open from Russia)

#aws
👩‍💻 Identify and prevent abuse of Managed Identities with Federated Credentials from unauthorized entities

Options to identify, monitor and prevent persistent access to Managed Identity privileges gained by adding federated credentials to User-Assigned Managed Identities (UAMI) from malicious or unauthorized entities.

https://www.cloud-architekt.net/identify-prevent-abuse-uami-fedcreds/

#azure