1510
All about cloud security Contacts: @AMark0f @dvyakimov About DevSecOps: @sec_devops
AWS Security Reference Architecture (AWS SRA) — документ по комплексной настройке сервисов безопасности в мульти-аккаунтной среде:
https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/welcome.htmlAlthough we rely on a one-page diagram as our foundation, an architecture goes deeper than a single block diagram and must be built on a well-structured foundation of fundamentals and security principles. You can use this document in two ways: as a narrative or as a reference.
#security
🔸AWS Accounts as Security Boundaries - 97+Ways Data Can be Shared Across Accounts
Security teams cannot simply rely on the AWS account boundary to limit access between environments. Instead, they must carefully audit IAM policies, resource policies, Organization membership, RAM shares, service-level integrations, and sometimes combinations of one of more of these options, in order to properly evaluate how data from one account is being sent to others.
https://matthewdf10.medium.com/aws-accounts-as-security-boundaries-97-ways-data-can-be-shared-across-accounts-b933ce9c837e
#aws
🔸🔴Access Service: Temporary Access to the Cloud
How the Segment Security Engineering Team approaches access to AWS/GCP roles and SaaS apps, and how they implemented a time-based, peer-reviewed access.
https://segment.com/blog/access-service/
#aws #gcp
🔸AWS Visibility & Enforcement
A cheatsheet of a number of useful tools for getting visibility into your cloud environment and continuously enforcing security policies, by Marco Lancini.
https://cloudsecdocs.com/aws/devops/tooling/visibility/
#aws
🔸Top ten AWS identity health checks to improve security in the cloud
Ten recommended AWS identity health checks which can help you understand your IAM health, prioritize improvements to your IAM implementation, and operationalize effective access management processes.
https://k9security.io/docs/aws-identity-health-checks/
#aws
🔹The 10 Most Common Azure Configuration Challenge
#azure
CISO’s Guide to Cloud Security Transformation
New whitepaper by GCP covering: “prepare your company culture for cloud security, evolve how your company works, evolve key security roles and responsibilities, and design your security operating model.”
https://cloud.google.com/blog/products/identity-security/cisos-guide-to-cloud-security-transformation
🔸Building a secure CI/CD pipeline for Terraform Infrastructure as Code
How the OVO team created a model for delivering infrastructure changes with robust security practices, and used to it build a secure Terraform CI/CD solution for AWS.
https://tech.ovoenergy.com/building-a-secure-ci-cd-pipeline-for-terraform-infrastructure-as-code/
#aws
🔴New whitepaper: Designing and deploying a data security strategy with Google Cloud
New 23 page whitepaper from the GCP team: “we wanted to explore both the question of starting a data security program in a cloud-native way, as well as adjusting your existing daily security program when you start utilizing cloud computing.” It covers the 3 pillars of effective cloud security (Identity, Boundary and Access, Visibility), controls that enable the pillars, rethinking your data security strategy, and more.
https://cloud.google.com/blog/products/identity-security/start-a-data-security-program-in-a-cloud-native-way-on-google-cloud
#gcp
🔹How We Escaped Docker in Azure Functions
Vulnerability in Azure Functions which would allow an attacker to escalate privileges and escape the Azure Functions Docker container to the Docker host. Microsoft has determined that the vulnerability has no security impact on Function users as the Docker host itself is protected by a Hyper-V boundary.
https://www.intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
#azure
🔴GCP OAuth Token Hijacking in Google Cloud
If an attacker compromises an engineer's workstation, they can easily steal and abuse cached credentials, even if MFA is enabled (Part 1, Part 2).
https://www.netskope.com/blog/gcp-oauth-token-hijacking-in-google-cloud-part-1
🔴Google Kubernetes Engine IAM Roles
What separates the GKE IAM Roles "Kubernetes Engine Developer" from "Kubernetes Engine Admin"? In most cases, not that much.
https://darkbit.io/blog/kubernetes-engine-iam-roles
🔴Google Cloud IAM Custom Role and Permissions Debugging Tricks
An approach for creating and verifying least-privilege custom IAM Roles using the gcloud sdk Docker image, Data Access Logging, and the IAM Policy Troubleshooter.
https://darkbit.io/blog/google-cloud-custom-iam-role-debugging-tricks
#gcp
82% of companies unknowingly give 3rd parties access to all their cloud data
The Wiz team conducted a research of permissions provided to 3rd party vendors in cloud environments and the results should be a wake-up call. In the majority of cases these permissions are there for no reason: the vendor doesn't actually need them, and the customers aren't even aware that they gave them to the vendor.
https://wiz.io/blog/82-of-companies-unknowingly-give-3rd-parties-access-to-all-their-cloud-data/
#aws #gcp #azure
🔹🔴Abusing cloud services to fly under the radar
NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to data from the airline industry. In their intrusions they regularly abuse cloud services from Google and Microsoft to achieve their goals.
https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
#gcp #azure
🔸Auditing PassRole: A Problematic Privilege Escalation Permissioniam:PassRole is an AWS permission that enables critical privilege escalation; many supposedly low-privilege identities tend to have it. The PassRole permission requirement is ubiquitous. It extends to more than 300 actions in more than 90 services and, in some cases, is obscured by parameters that indirectly contain the role being passed. Comprehensively auditing it can be a handful but is absolutely worth it as not doing so means leaving relatively easy avenues for privilege escalation wide open.
https://ermetic.com/whats-new/blog/auditing-passrole-a-problematic-privilege-escalation-permission/
#aws
The Essential Guide to Cloud Security Posture Management
How CSPM automates security configuration across clouds
"Cloud Security Posture Management, or CSPM, is a relatively new cloud security
category designed to address configuration and compliance risks in your cloud infrastructure. The concept of CSPM is to enable organizations to automatically discover, assess, and remediate security configuration issues and gaps across multiple cloud providers and accounts. This approach ensures that at any given moment you have a consistent, secure, and compliant cloud infrastructure."
https://info.aquasec.com/cspm-essential-guide
#aws #gcp #azure
🔸Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion
Tenchi Security’s Alexandre Sieira and Leonardo Viveiros describe how wildcard expansion when specifying HTTP verbs and paths that are allowed can potentially expose things you did not intend. Man, sometimes AWS feels like Complexity/Footguns-as-a-Service. Like Intuit lobbying against making taxes easier because it’s not in their financial interests.
https://www.tenchisecurity.com/blog/thefaultinourstars
#aws
🔸Protecting Amazon S3 Data from Ransomware
Ransomware targeting S3 is more than likely to simply delete your data and claim that it's being held ransom than actually encrypting it
https://securingthe.cloud/aws/protecting-amazon-s3-data-from-ransomware/
#aws
🔸iam-service-account-controller
Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts.
https://github.com/ovotech/iam-service-account-controller
#aws
🔸Retrieving AWS security credentials from the AWS console
How to retrieve AWS security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) when authenticated in the AWS Console.
https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/
#aws
🔴Lateral Movement & Privilege Escalation in GCP; Compromise Organizations without Dropping an Implant
"In this talk, we'll demonstrate several techniques to perform identity compromise via the ActAs permission, privilege escalation, lateral movement, and widespread project compromise in Google Cloud. We will also release tools for exploitation."
https://youtu.be/kyqeBGNSEIc
#gcp
🔸Security Logging in Cloud Environments - AWS
Post by Marco Lancini describing how to design a multi-account security-related logging platform in AWS. He discusses various services (CloudTrail, CloudWatch, GuardDuty, Config), access logs, collecting logs, long-term storage and audit trail, and monitoring and alerting.
https://www.marcolancini.it/2021/blog-security-logging-cloud-environments-aws/
#aws
🔸AWS Service Control Policies (SCPs)
Nice overview page of SCPs by Marco Lancini covering what they are, what they can’t do, and example policies like denying API calls from root users, denying the ability to disrupt CloudTrail or GuardDuty, and more.
https://cloudsecdocs.com/aws/devops/resources/scps/
#aws
🔸Cloud Security Table Top Exercises
A great list of scenarios to think through by Matt Fuller, including:
- Malicious VPC peering request
- Compromised Lambda Layers
- Injected CloudFormation Templates
- Broken CloudTrail Logs
- and a bunch more
https://matthewdf10.medium.com/cloud-security-table-top-exercises-629d353c268e?
#aws
The CSA Cloud Controls Matrix (CCM) V4: Raising the cloud security bar to the next level
The Cloud Security Alliance released version 4 of the Cloud Controls Matrix (CCM). The upgrade from CCM v3.0.1 to v4 has been imperative considering the evolution of the cloud security landscape, both from the technical and legal and regulatory standpoint. There was also a need for organizations to make the implementation of security and privacy controls more efficient and streamline compliance.
https://cloudsecurityalliance.org/blog/2021/01/21/the-csa-cloud-controls-matrix-ccm-v4-raising-the-cloud-security-bar-to-the-next-level/
🔸Security Overview of AWS
Lambda
An In-Depth Look at AWS Lambda Security, February 2021
This whitepaper presents a deep dive into the AWS Lambda service through a security lens. It provides a well-rounded picture of the service, which is useful for new adopters, and deepens understanding of Lambda for current users. The intended audience for this whitepaper is Chief Information Security Officers (CISOs), information security groups, security engineers, enterprise architects, compliance teams, and any others interested in understanding the underpinnings of AWS Lambda.
#aws
🔸Compliance-as-code and auto-remediation with Cloud Custodian
AWS blog post about using Cloud Custodian + Lambdas to enforce compliance-as-code and auto-remediation. Cloud Custodian is an open source, stateless rules engine that offers policy-level execution against multiple kinds of event streams, including CloudWatch Events, CloudTrail events, and more.
https://aws.amazon.com/blogs/opensource/compliance-as-code-and-auto-remediation-with-cloud-custodian/
#aws
🔸Top Ten Security Updates from AWS re:Invent 2020
AWS re:Invent ran for three weeks last year. It is more important than ever to help everyone by summarizing AWS' biggest security announcements.
https://www.linkedin.com/pulse/top-ten-security-updates-from-aws-reinvent-2020-phil-rodrigues/
#aws
🔸AWS Security Maturity Roadmap 2021
The third annual release of Scott Piper’s excellent guide for securely running on AWS. Probably one of the best, concise, actionable guides on this I know of.
https://summitroute.com/blog/2021/01/12/2021_aws_security_maturity_roadmap_2021/
#aws
🔸AWS Lambda $LATEST is dangerous
You should always use function versioning. You should almost always use function aliases, which have a handful of benefits involving metrics in CloudWatch, IAM permissions, traffic-shifting, etc.
https://awsteele.com/blog/2020/12/24/aws-lambda-latest-is-dangerous.html
#aws
