CloudSec Wine

🔶 Spice up Your Kubernetes Environment with AWS Lambda How to securely integrate AWS Lambda with an existing Kubernetes environment without codes changes. https://liavyona09.medium.com/spice-up-your-kubernetes-environment-with-aws-lambda-a07d81347607 #aws

🔷 Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent How anyone with a local administrator access to AD FS server (or proxy), can create arbitrary sign-ins events to Azure AD sign-ins log. https://o365blog.com/post/hybridhealthagent/ #azure

🔶 Inside Figma: securing internal web apps A deep-dive into how Figma built a system for securing internal web applications that lets them require SSO authentication, enforce fine-grained authorization (via Okta groups), and support CLI tools, all using ALBs, AWS Cognito, and Okta. https://www.figma.com/blog/inside-figma-securing-internal-web-apps/ #aws

🔶 KONTRA's AWS Top 10 A series of free interactive security training modules that teach developers how to identify and mitigate security vulnerabilities in their AWS-hosted cloud applications. https://application.security/free/kontra-aws-clould-top-10 #aws

🔶 AWS Condition Context Keys for Reducing Risk Post taking a closer look at the "aws:CalledVia*" and "aws:ViaAWSService" keys, and how you can use them to achieve least privilege. https://ermetic.com/whats-new/blog/aws/aws-condition-context-keys-for-reducing-risk #aws

🔴 Leaving Bastion Hosts Behind Post examining GCP services like OS Login and Identity-Aware Proxy (IAP), and showing how they can be used as an alternative to bastion hosts. https://www.netskope.com/blog/leaving-bastion-hosts-behind-part-1-gcp #gcp

🔶 An Introduction to AWS Firewall Manager What is AWS Firewall Manger and how can it help you secure your organization? https://scalesec.com/blog/an-introduction-to-aws-firewall-manager/ #aws

🔶 How to create IAM roles for deploying your AWS Serverless app An in-depth guide to creating production-ready, least privilege IAM roles for deploying your serverless application across multiple AWS accounts. https://serverlessfirst.com/create-iam-deployer-roles-serverless-app/ #aws

🔶 Remediating AWS IMDSv1 An article on remediating IMDSv1 in AWS, a common server-side request forgery vector targeting lateral movement and persistence. https://docs.google.com/document/d/1X737xoQviufdxZk_l33bnpp6noOmNIYvMilQCdhtwoY/edit?usp=drivesdk #aws

🔶 Lightsail object storage concerns Part one of a two part series that will discuss AWS’s new Lightsail object storage. The first part looks at the new Lightsail access key capability and its security issues. https://summitroute.com/blog/2021/08/05/lightsail_object_storage_concerns-part_1/ #aws

🔶🔷🔴 Cloud Security Orienteering A cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment. https://engagement.cloudseclist.com/CL0/https:%2F%2Fspeakerdeck.com%2Framimac%2Fcloud-security-orienteering/1/0102017b49d91665-a615638b-8c75-4354-8b9e-7506b2f22c63-000000/rSHPkoLqfgzw0mml10F-sffbOTmikixij_N4osfUoN0=210 #aws #azure #gcp

🔶 Expanding Secrets Infrastructure to AWS Lambda How Square extended their datacenter-based secrets infrastructure to enable a cloud migration supporting Lambda. They added SPIFFE compatibility to their secrets infrastructure and developed a Lambda secrets syncer that Square engineers can deploy via a Terraform module. https://developer.squareup.com/blog/expanding-secrets-infrastructure-to-aws-lambda/ #aws

🔶 Building an AWS Perimeter Whitepaper by AWS covering perimeter objectives, identity, resource, and network boundaries, preventing access to internal credentials, and cross-region requests. https://d1.awsstatic.com/whitepapers/building_an_aws_perimeter.pdf #aws

🔴 Security Log Scoping Tool Security Log Scoping Tool is an interactive form to help customers discover, evaluate and enable their security-relevant logs across Google Cloud. https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics#evaluate_which_logs_to_export #gcp

🔶 How to implement the principle of least privilege with CloudFormation StackSets How to conform to the principle of least privilege while still allowing users to use CloudFormation to create the resources they need. https://aws.amazon.com/ru/blogs/security/how-to-implement-the-principle-of-least-privilege-with-cloudformation-stacksets/ #aws

🔶 Top things to do when setting up a new Org What you should do when setting up a new AWS Organization from scratch. https://www.chrisfarris.com/post/aws-organizations-in-2021/ #aws

🔶 Cloud Malware: Resource Injection in CloudFormation Templates Blog focusing on a new Pacu module on cloud malware using resource injection in CloudFormation templates. https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/ #aws

🔶 S3 backups and other strategies for ensuring data durability through ransomware attacks This post will discuss options for ensuring the durability of data stored on S3, through protections in place and backup strategies. The AWS backup service on AWS unfortunately does not backup S3 buckets and a lot of discussions of backups and data durability on AWS do not describe the implementation in sufficient detail, which allows a number of potential dangers. This post will show you the two best options (s3 object locks and replication policies), explains how to use these, and what to watch out for. https://summitroute.com/blog/2021/08/03/S3_backups_and_other_strategies_for_ensuring_data_durability_through_ransomware_attacks/ #aws

🔶 So You Inherited an AWS Account. A 30-day security guide for engineers… A guide to help you filter through the mess, isolate the changes you need to make, and start to tame your environment by Matt Fuller, founder of CloudSploit. He proposes: get stable access, stop using the root user, update billing info, enable CloudTrail logging and monitoring, clean up IAM entities, locate exposed services, lock down your domains, find expiring certificates, untangle the web of services, and monitor and migrate. https://medium.com/swlh/so-you-inherited-an-aws-account-e5fe6550607d #aws

🔷 Cloud Guardrails Tool by Lead Security Engineer of Salesforce, Kinnaird McQuade, that allows you to rapidly cherry-pick cloud security guardrails by generating Terraform files that create Azure Policy Initiatives (basically AWS SCPs but for Azure). Cherry-pick and bulk-select the security policies you want, enforce low-friction policies within minutes, and easily roll back policies that you don’t want. See Kinnaird’s great thread about it here. https://github.com/salesforce/cloud-guardrails #azure