1510
All about cloud security Contacts: @AMark0f @dvyakimov About DevSecOps: @sec_devops
🔴 Security Log Scoping Tool
Security Log Scoping Tool is an interactive form to help customers discover, evaluate and enable their security-relevant logs across Google Cloud.
https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics#evaluate_which_logs_to_export
#gcp
🔶 Top things to do when setting up a new Org
What you should do when setting up a new AWS Organization from scratch.
https://www.chrisfarris.com/post/aws-organizations-in-2021/
#aws
🔶 S3 backups and other strategies for ensuring data durability through ransomware attacks
This post will discuss options for ensuring the durability of data stored on S3, through protections in place and backup strategies. The AWS backup service on AWS unfortunately does not backup S3 buckets and a lot of discussions of backups and data durability on AWS do not describe the implementation in sufficient detail, which allows a number of potential dangers. This post will show you the two best options (s3 object locks and replication policies), explains how to use these, and what to watch out for.
https://summitroute.com/blog/2021/08/03/S3_backups_and_other_strategies_for_ensuring_data_durability_through_ransomware_attacks/
#aws
🔷 Cloud Guardrails
Tool by Lead Security Engineer of Salesforce, Kinnaird McQuade, that allows you to rapidly cherry-pick cloud security guardrails by generating Terraform files that create Azure Policy Initiatives (basically AWS SCPs but for Azure). Cherry-pick and bulk-select the security policies you want, enforce low-friction policies within minutes, and easily roll back policies that you don’t want. See Kinnaird’s great thread about it here.
https://github.com/salesforce/cloud-guardrails
#azure
🔶 Improving database security with AWS IAM database authentication and ConsoleMe
How to use Netflix's ConsoleMe to provide secure access to databases via IAM roles.
https://medium.com/followanalytics/improving-database-security-at-followanalytics-with-aws-iam-database-authentication-and-consoleme-d00ea8a6edef
#aws
🔶 Bye bye bastion hosts...Hello AWS IAM!
How Segment got rid of SSH bastion hosts, reducing cost, complexity, and maintenance of their infrastructure, as well as eliminating the need to distribute SSH Keys. Last but not least, they reduced their attack surface by not having any SSH port open to the world.
https://segment.com/blog/infrastructure-access/
#aws
🔹 Azure Flow Log Analysis
Azure flow logs don't have the same instance ID that AWS flow logs do. So how we can figure out which VM the logs came from?
https://catscrdl.io/blog/azureflowloganalysis/
#azure
🔹 What author have learned from doing a year of Cloud Forensics in Azure AD?
Post sharing experience, challenges, and a methodology on doing Cloud forensics in Azure AD.
https://m365internals.com/2021/07/13/what-ive-learned-from-doing-a-year-of-cloud-forensics-in-azure-ad/
#azure
🔹 MITRE ATT&CK mappings released for built-in Azure security controls
The Security Stack Mappings for Azure research project was recently published, introducing a library of mappings that link built-in Azure security controls to the MITRE ATT&CK techniques they mitigate against.
https://www.microsoft.com/security/blog/2021/06/29/mitre-attck-mappings-released-for-built-in-azure-security-controls/
#azure
🔶 Build an end-to-end attribute-based access control strategy with AWS SSO and Okta
"This blog post discusses the benefits of using an attribute-based access control (ABAC) strategy and how to use ABAC with AWS SSO when you’re using Okta as an identity provider. With ABAC, you can simplify your access control strategy by granting access to groups of resources, which are specified by tags, instead of managing long lists of individual resources."
https://aws.amazon.com/blogs/security/build-an-end-to-end-attribute-based-access-control-strategy-with-aws-sso-and-okta/
#aws
🔶 AWS Service Control Policy (SCP) Repository
A repository of AWS Service Control Policy templates and examples that can be deployed using CloudFormation custom resource or AWS CLI scripts.
Some great examples like: preventing users from disabling or altering the configuration of CloudTrail, AWS Config, and CloudWatch, preventing any VPC that doesn’t already have Internet access from getting it, and more.
https://asecure.cloud/l/scp/
#aws
🔶 The Gamer Guide to Playing Amazon Web Services (AWS)
In this article, the author shares a getting started guide for AWS, in a similar style to the getting started guides that many experienced MMORPG players write for new players. It is a lot easier to get into a game, understand what to do, where to go, and how to play optimally when you have tips from other players who have gone before you.
https://nathanpeck.com/gamers-guide-to-playing-aws/
#aws
🔸Automated Github Backups with ECS and S3
Architecture and implications of an automated process aiming to backup a Github account, relying on ECS Fargate and S3 Glacier. The author, Marco Lancini, explains in his blog the architecture and implications of the final setup he decided to go with.
https://www.marcolancini.it/2021/blog-github-backups-with-ecs/
#aws
🔶 Why AWS SSO is vulnerable by design to device code authentication phishing?
"In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing – just like any identity provider implementing OpenID Connect device code authentication. This technique was first demonstrated by Dr. Nestori Syynimaa for Azure AD. The feature provides a powerful phishing vector for attackers, rendering ineffective controls such as MFA (including Yubikeys) or IP allow-listing at the IdP level."
https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/
#aws
🔸AWS Security 2021
https://www.mindmeister.com/ru/1925015344/aws-security-2021?fullscreen=1
#aws
🔶 How to implement the principle of least privilege with CloudFormation StackSets
How to conform to the principle of least privilege while still allowing users to use CloudFormation to create the resources they need.
https://aws.amazon.com/ru/blogs/security/how-to-implement-the-principle-of-least-privilege-with-cloudformation-stacksets/
#aws
🔶 Cloud Malware: Resource Injection in CloudFormation Templates
Blog focusing on a new Pacu module on cloud malware using resource injection in CloudFormation templates.
https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/
#aws
🔶 So You Inherited an AWS Account. A 30-day security guide for engineers…
A guide to help you filter through the mess, isolate the changes you need to make, and start to tame your environment by Matt Fuller, founder of CloudSploit. He proposes: get stable access, stop using the root user, update billing info, enable CloudTrail logging and monitoring, clean up IAM entities, locate exposed services, lock down your domains, find expiring certificates, untangle the web of services, and monitor and migrate.
https://medium.com/swlh/so-you-inherited-an-aws-account-e5fe6550607d
#aws
🔷 Network Isolated AKS - Part 1: Controlling network traffic
First part of a series on AKS (Azure Kubernetes Service) network isolation, elaborating how to protect AKS from a networking perspective. You can also reference the companion repository.
https://itnext.io/network-isolated-aks-part-1-controlling-network-traffic-2cd0e045352d
#azure
🔶 Ansible over AWS Systems Manager Sessions – a perfect solution for high security environments
Ansible requires an SSH connection to the target host, which is not great for hosts where SSH is not allowed or when the host is on a VPC without external connectivity. Łukasz Tomaszkiewicz describes how to execute Ansible playbooks with AWS SSM Sessions.
https://luktom.net/en/e1693-ansible-over-aws-systems-manager-sessions-a-perfect-solution-for-high-security-environments
#aws
🔶🔷🔴 Mapping of On-Premises Security Controls Versus Services Offered by Major Cloud Providers
By the link below you can find the fifth version of a diagram that started in March 2017, with just AWS and Azure versus On-Premises. The diagram began as an effort to make a translation between the typical on-premises security controls that everybody, more or less, knows what they do and the various services advertised by major public cloud providers. As the cloud providers tend to assign catchy names to products that quite often transcend the initial functionality of the on-prem control, it becomes harder and harder to stay up-to-date on what service does what.
https://www.managedsentinel.com/mapping-of-on-premises-security-controls-versus-services-offered-by-major-cloud-providers/
#aws #azure #gcp
🔶 S3 Bucket Namesquatting - Abusing predictable S3 bucket names
Abuse of permissions in S3 buckets is one of the more common security issues companies face but this post addresses a different issue, S3 Bucket Namesquatting.
https://onecloudplease.com/blog/s3-bucket-namesquatting
#aws
🔶 AWS Incident Response Playbook Samples
A collection of playbooks covering several common scenarios faced by AWS customers. They outline steps based on the NIST Computer Security Incident Handling Guide, that can be used to gather evidence, contain and then eradicate the incident, recover from the incident, and conduct post-incident activities.
https://github.com/aws-samples/aws-incident-response-playbooks
#aws
🔶 How to defend against DNS exfiltration in AWS?
Key facts from the post:
1️⃣ VPCs by default use the Amazon-provided DNS which can be used to bypass some network-level protection mechanisms (e.g. NACLs or SGs) or monitoring (e.g. VPC Flow Logs).
2️⃣ Recently a new service has been released: the Route 53 Resolver DNS Firewall which allows for blocking and monitoring DNS queries to Amazon DNS.
3️⃣ GuardDuty can also detect malicious DNS traffic, but only in a limited manner.
https://towardsaws.com/how-to-defend-against-dns-exfiltration-in-aws-a65b9214d4e1
#aws
🔶Hardening AWS EKS security with RBAC, secure IMDS, and audit logging
First in a series of blog posts looking into the default settings used in AWS Elastic Kubernetes Service (EKS) deployments, and demonstrating how small misconfigurations or unwanted side-effects may put our clusters at risk.
https://snyk.io/blog/hardening-aws-eks-security-rbac-secure-imds-audit-logging/
#aws
🔶 Uncomplicate Security for developers using Reference Architectures
In this blog, Anunay Bhatt,
Cloud Security Architect, will walk through some of the salient features of a meaningful security reference architecture and the process required to develop one. The author will also look at the challenges that one might expect to face while launching a successful security reference architecture program.
https://ab-lumos.medium.com/embedding-security-into-sdlc-using-reference-architectures-for-developers-29403c00fb3d
#aws
🔶 Best practices for securing Identity and Access Management on Amazon Web Services
Post looking at different approaches to help keep IAM configuration tidy, auditable and right-sized.
https://bridgecrew.io/blog/best-practices-for-securing-identity-and-access-management-on-amazon-web-services/
#aws
🔸Building an end-to-end Kubernetes-based DevSecOps software factory on AWS
"DevSecOps software factory implementation can significantly vary depending on the application, infrastructure, architecture, and the services and tools used. In a previous post, I provided an end-to-end DevSecOps pipeline for a three-tier web application deployed with AWS Elastic Beanstalk. The pipeline used cloud-native services along with a few open-source security tools. This solution is similar, but instead uses a containers-based approach with additional security analysis stages. It defines a software factory using Kubernetes along with necessary AWS Cloud-native services and open-source third-party tools. Code is provided in the GitHub repo to build this DevSecOps software factory, including the integration code for third-party scanning tools."
https://aws.amazon.com/ru/blogs/devops/building-an-end-to-end-kubernetes-based-devsecops-software-factory-on-aws/
#aws
🔸CSO's Guide to AWS
https://www.mindmeister.com/ru/1678499467/cso-s-guide-to-aws?fullscreen=1
#aws
🔸How we prevented subdomain takeovers and saved $000s
Blog post describing new open source tool for protecting cloud infrastructure from subdomain takeover, using AWS Lambda functions integrated with Amazon Route53.
https://tech.ovoenergy.com/how-we-prevented-subdomain-takeovers-and-saved-000s/
#aws