1510
All about cloud security Contacts: @AMark0f @dvyakimov About DevSecOps: @sec_devops
🔶 AWS federation comes to GitHub Actions
GitHub Actions has a new functionality that can vend OpenID Connect credentials to jobs running on the platform. This is very exciting for AWS account administrators as it means that CI/CD jobs no longer need any long-term secrets to be stored in GitHub.
https://awsteele.com/blog/2021/09/15/aws-federation-comes-to-github-actions.html
#aws
🔷 Agent Exposes Azure Customers To Unauthorized Code Execution
Azure customers on Linux machines - which account for over half of all Azure instances according to Microsoft - are at risk if they use any of the services relying on OMI (Open Management Infrastructure), a Windows Management Infrastructure (WMI) for UNIX/Linux systems. The RCE is the simplest RCE you can ever imagine: simply remove the auth header and you are root. This Twitter thread is also useful to understand the impact of this flaw.
https://www.wiz.io/blog/secret-agent-exposes-azure-customers-to-unauthorized-code-execution
#azure
🔴 Bypassing GCP Org Policy with Custom Metadata
Google makes use of custom metadata to authorize access to AI Notebooks and their web UIs. Individuals granted access via custom metadata need not have any IAM permissions on the compute instance, on the service account running the Notebook or even be a member of the Organization. This kind of authorization bypasses a specific Organization Policy Constraint which restricts cross-domain resource sharing.
https://kattraxler.github.io/gcp/hacking/2021/09/10/gcp-org-policy-bypass-ai-notebooks.html
#gcp
🔴 Automate Your Security in GCP with Serverless Computing
Talk exploring serverless open source tools and other cloud-native options that allow you to automate your cloud security without the need for human interaction.
https://youtu.be/jCQTeglIfeI
#gcp
🔶 Inside Figma: getting out of the (secure) shell
Tips from the Figma security team to help other teams secure Systems Manager and protect their most sensitive data.
https://www.figma.com/blog/inside-figma-getting-out-of-the-secure-shell/
#aws
🔷 ChaosDB: How we hacked thousands of Azure customers’ databases
Researchers were able to gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers. Also refer to the companion blog post to learn how to protect your environment from ChaosDB.
https://www.wiz.io/blog/chaosdb-how-we-hacked-thousands-of-azure-customers-databases
#azure
🔷 Illogical Apps - Exploring and Exploiting Azure Logic Apps
How to obtain sensitive information as an user with the Reader role, and how to identify/abuse API Connection hijack scenarios as a Contributor in Azure Logic Apps.
https://www.netspi.com/blog/technical/cloud-penetration-testing/illogical-apps-exploring-exploiting-azure-logic-apps/
#azure
🔴 Using the new Google Cloud Config Controller to provision and manage cloud services via the Kubernetes Resource Model
How to manually configure a GKE cluster, and how to use the new Config Controller to provision and configure services via automation.
https://seroter.com/2021/08/18/using-the-new-google-cloud-config-controller-to-provision-and-manage-cloud-services-via-the-kubernetes-resource-model/
#gcp
🔶 The last S3 security document that we’ll ever need, and how to use it
163 page Threat Model of S3 by TrustOnCloud’s Jonathan Rault covering:
1️⃣ Best practices (best security/effort ratio)
2️⃣ Reviewing the service depending on your application(s), and implementing the controls based on your risk tolerance
3️⃣ Onboarding for large enterprises/agencies
4️⃣ Compliance mapping to demonstrate a risk-based approach, gap analysis and formulating an action plan
https://trustoncloud.com/the-last-s3-security-document-that-well-ever-need/
#aws
🔷 Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent
How anyone with a local administrator access to AD FS server (or proxy), can create arbitrary sign-ins events to Azure AD sign-ins log.
https://o365blog.com/post/hybridhealthagent/
#azure
🔶 KONTRA's AWS Top 10
A series of free interactive security training modules that teach developers how to identify and mitigate security vulnerabilities in their AWS-hosted cloud applications.
https://application.security/free/kontra-aws-clould-top-10
#aws
🔴 Leaving Bastion Hosts Behind
Post examining GCP services like OS Login and Identity-Aware Proxy (IAP), and showing how they can be used as an alternative to bastion hosts.
https://www.netskope.com/blog/leaving-bastion-hosts-behind-part-1-gcp
#gcp
🔶 How to create IAM roles for deploying your AWS Serverless app
An in-depth guide to creating production-ready, least privilege IAM roles for deploying your serverless application across multiple AWS accounts.
https://serverlessfirst.com/create-iam-deployer-roles-serverless-app/
#aws
🔶 Lightsail object storage concerns
Part one of a two part series that will discuss AWS’s new Lightsail object storage. The first part looks at the new Lightsail access key capability and its security issues.
https://summitroute.com/blog/2021/08/05/lightsail_object_storage_concerns-part_1/
#aws
🔶 Expanding Secrets Infrastructure to AWS Lambda
How Square extended their datacenter-based secrets infrastructure to enable a cloud migration supporting Lambda. They added SPIFFE compatibility to their secrets infrastructure and developed a Lambda secrets syncer that Square engineers can deploy via a Terraform module.
https://developer.squareup.com/blog/expanding-secrets-infrastructure-to-aws-lambda/
#aws
🔶 IAM Vulnerable - An AWS IAM Privilege Escalation Playground
The IAM Vulnerable tool helps you learn how to identify and then exploit intentionally vulnerable IAM configurations that allow for privilege escalation.
https://labs.bishopfox.com/tech-blog/iam-vulnerable-an-aws-iam-privilege-escalation-playground
#aws
🔶 AWS Authentication: Principals in AWS IAM
Newcomers to AWS can sometimes get confused by what it means to have AWS credentials. This article aims to explain the basics of AWS authentication, that is, the way you gain an identity that you can use to access AWS services.
https://ben11kehoe.medium.com/principals-in-aws-iam-38c4a3dc322a
#aws
🔷 Coordinated disclosure of vulnerability in Azure Container Instances Service
Microsoft recently mitigated a vulnerability reported by a security researcher in the Azure Container Instances (ACI) that could potentially allow a user to access other customers information in the ACI service. Microsoft's investigation surfaced no unauthorized access to customer data. You can also check the original post disclosing the vulnerability and another that explains What to do? to address it.
https://msrc-blog.microsoft.com/2021/09/08/coordinated-disclosure-of-vulnerability-in-azure-container-instances-service/
#azure
🔷 Azure-Pentest
A collection of resources and notes useful for pentest and red team engagements against Azure.
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md
#azure
🔶🔷🔴 Threat Hunting in the Cloud: Defending AWS, Azure and Other Cloud Platforms Against Cyberattacks
In Threat Hunting in the Cloud: Defending AWS, Azure and Other Cloud Platforms Against Cyberattacks, celebrated cybersecurity professionals and authors Chris Peiris, Binil Pillai, and Abbas Kudrati leverage their decades of experience building large scale cyber fusion centers to deliver the ideal threat hunting resource for both business and technical audiences. You'll find insightful analyses of cloud platform security tools and, using the industry leading MITRE ATT&CK framework, discussions of the most common threat vectors.
#aws #azure #gcp
🔶 Security Implication of Root principal in AWS
An interesting way of abusing the AWS KMS for data exfiltration in restricted VPCs.
https://niebardzo.github.io/2021-08-23-root-principal-in-aws/
#aws
🔶 AWS OIDC Authentication with SPIFFE
How to authenticate data center applications to AWS using automated SPIFFE credentials.
https://developer.squareup.com/blog/aws-oidc-authentication-with-spiffe/
#aws
Yandex Cloud Security Checklist
Dear friends, we have prepared for you the first checklist on the secure configuration of Yandex.Cloud. It is based on an aggregation of everything that is in the YC documentation on the topic of security, plus some experience revealed in the framework of audits. Globally, the checklist is split into network security and access control domains.
The main problem is that almost all the security mechanisms (security groups, audit trails), which are already few, are either in the preview stage or are connected on-demand. The rest of the mechanisms are connected through the marketplace from several of third-party commercial solutions.
UPD. By the way, if you want to pass some of the checks by automated means, then we recommend Cloud Advisor. There, in particular, there is still the opportunity to conduct a free scan.
#yandex
🔶 Spice up Your Kubernetes Environment with AWS Lambda
How to securely integrate AWS Lambda with an existing Kubernetes environment without codes changes.
https://liavyona09.medium.com/spice-up-your-kubernetes-environment-with-aws-lambda-a07d81347607
#aws
🔶 Inside Figma: securing internal web apps
A deep-dive into how Figma built a system for securing internal web applications that lets them require SSO authentication, enforce fine-grained authorization (via Okta groups), and support CLI tools, all using ALBs, AWS Cognito, and Okta.
https://www.figma.com/blog/inside-figma-securing-internal-web-apps/
#aws
🔶 AWS Condition Context Keys for Reducing Risk
Post taking a closer look at the "aws:CalledVia*" and "aws:ViaAWSService" keys, and how you can use them to achieve least privilege.
https://ermetic.com/whats-new/blog/aws/aws-condition-context-keys-for-reducing-risk
#aws
🔶 An Introduction to AWS Firewall Manager
What is AWS Firewall Manger and how can it help you secure your organization?
https://scalesec.com/blog/an-introduction-to-aws-firewall-manager/
#aws
🔶 Remediating AWS IMDSv1
An article on remediating IMDSv1 in AWS, a common server-side request forgery vector targeting lateral movement and persistence.
https://docs.google.com/document/d/1X737xoQviufdxZk_l33bnpp6noOmNIYvMilQCdhtwoY/edit?usp=drivesdk
#aws
🔶🔷🔴 Cloud Security Orienteering
A cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment.
https://engagement.cloudseclist.com/CL0/https:%2F%2Fspeakerdeck.com%2Framimac%2Fcloud-security-orienteering/1/0102017b49d91665-a615638b-8c75-4354-8b9e-7506b2f22c63-000000/rSHPkoLqfgzw0mml10F-sffbOTmikixij_N4osfUoN0=210
#aws #azure #gcp
🔶 Building an AWS Perimeter
Whitepaper by AWS covering perimeter objectives, identity, resource, and network boundaries, preventing access to internal credentials, and cross-region requests.
https://d1.awsstatic.com/whitepapers/building_an_aws_perimeter.pdf
#aws