CloudSec Wine


All about cloud security. Contacts: @AMark0f @dvyakimov. About DevSecOps: @sec_devops

2 227 subscribers
Post archive
🔶 staticwebsite-cli This CLI tool makes it easy to deploy a static website to AWS. It builds and hosts the website, sets up a CDN and DNS, and provisions an SSL certificate. https://github.com/awslabs/staticwebsite-cli #aws

🔶 AWS EC2 IMDS - What You Need to Know A technical review of IMDSv2. https://ermetic.com/blog/aws/aws-ec2-imds-what-you-need-to-know #aws

🔶🔴 Five Things You Need to Know About Malware on Storage Buckets An overview of malware in cloud storage buckets and mitigation best practices. https://orca.security/resources/blog/the-risks-of-malware-in-storage-buckets #aws #gcp

🔴 How Attackers Can Exploit GCP's Multicloud Workload Solution A deep dive into the inner workings of GCP Workload Identity Federation, taking a look at risks and how to avoid misconfigurations. https://ermetic.com/blog/gcp/how-attackers-can-exploit-gcps-multicloud-workload-solution #gcp

🔶 automated-ci-pipeline-creation Creation of Continuous Integration pipelines dynamically using an AWS Step Function based approach to create standardised pipelines for an organisation. https://github.com/aws-samples/automated-ci-pipeline-creation #aws

🔴 Securing Cloud Run Deployments with Least Privilege Access How to protect your Cloud Run deployments by implementing least privilege access for Cloud Run services and service consumers. https://cloud.google.com/blog/products/identity-security/securing-cloud-run-deployments-with-least-privilege-access #gcp

🔶 My CI/CD pipeline is my release captain How Amazon continuously releases changes to production by practicing trunk-based development, by using CI/CD pipelines to manage deployment artifacts and coordinate releases across multiple production environments, and by practicing proactive and automatic rollbacks. https://aws.amazon.com/ru/builders-library/cicd-pipeline #aws

🔶 A role for all your EC2 instances You can now pass an IAM role to every EC2 instance in your account + region. https://awsteele.com/blog/2023/02/20/a-role-for-all-your-ec2-instances.html #aws

🔷 Canarytokens welcomes Azure Login Certificate Token Canarytokens.org introduced the Azure Login Certificate Token (aka the Azure Token). You can sprinkle Azure tokens throughout your environment and receive high fidelity notifications whenever they're used. https://blog.thinkst.com/2023/02/canarytokens-org-welcomes-azure-login-certificate-token.html #azure

🔶 6 Keys to Securing User Uploads to Amazon S3 How to architect AWS applications to securely enable user uploaded content, using pre-signed post URLs. https://scalesec.com/blog/6-keys-to-securing-user-uploads-to-amazon-s3 #aws

🔷 Azure AD Kerberos Tickets: Pivoting to the Cloud If you've ever been doing an Internal Penetration test where you've reached Domain Admin status and you have a cloud presence, your entire Azure cloud can still be compromised. https://www.trustedsec.com/blog/azure-ad-kerberos-tickets-pivoting-to-the-cloud #azure

🔶 How Using Deprecated Policies Creates Overprivileged Permissions AmazonEC2RoleforSSM is a deprecated version of the now recommended AmazonSSMManagedInstanceCore. This post breaks down why AWS likely deprecated the original policy and how organizations leave themselves vulnerable by continuing to use these deprecated policies. https://permiso.io/blog/s/deprecated-aws-policy-amazonec2roleforSSM #aws

🔷 Azure B2C: Crypto Misuse and Account Compromise Microsoft's Azure Active Directory B2C service contained a cryptographic flaw which allowed an attacker to craft an OAuth refresh token with the contents for any user account. An attacker could redeem this refresh token for a session token, thereby gaining access to a victim account as if the attacker had logged in through a legitimate login flow. https://www.praetorian.com/blog/azure-b2c-crypto-misuse-and-account-compromise #azure

🔶 Updated ebook: Protecting your AWS environment from ransomware By AWS’s Megan O’Neil and Merritt Baer: The new ebook includes the top 10 best practices for ransomware protection and covers new services and features that have been released since the original published date in April 2020. https://aws.amazon.com/ru/blogs/security/updated-ebook-protecting-your-aws-environment-from-ransomware #aws

🔷 threatmodel-for-azure-storage A library of all the attack scenarios on Azure Storage, and how to mitigate them following a risk-based approach. https://github.com/trustoncloud/threatmodel-for-azure-storage #azure

🔷 Know Your App Services Before Your Enemy Does A look at Azure App Services, security advice, and how to use Azure Resource Graph Explorer and other tools to implement these recommendations. https://miraisecurity.com/blog/know-your-app-services-before-your-enemy-does #azure

🔶 Discovering a weakness leading to a partial bypass of the login rate limiting in the AWS Console Post discussing a weakness in the AWS Console authentication flow that allowed an attacker to partially bypass the login rate limit. https://securitylabs.datadoghq.com/articles/aws-console-rate-limit-bypass #aws

🔷 Privilege Escalation via storage accounts Post explaining the risk of storage accounts and how to abuse them for lateral movement. https://rogierdijkman.medium.com/privilege-escalation-via-storage-accounts-bca24373cc2e #azure

🔴 Sigstore’s cosign and policy-controller with GKE, Artifact Registry and KMS Use Sigstore to sign container images and then enforce that only signed containers can run in GKE. https://medium.com/google-cloud/sigstores-cosign-and-policy-controller-with-gke-and-kms-7bd5b12672ea #gcp

🔶 How Adversaries Can Persist with AWS User Federation CrowdStrike has identified a novel technique that can use the sts:GetFederationToken API to escape typical containment practices and persist in AWS environments. https://www.crowdstrike.com/blog/how-adversaries-persist-with-aws-user-federation (open with VPN from Russia) #aws