CloudSec Wine

All about cloud security Contacts: @AMark0f @dvyakimov About DevSecOps: @sec_devops

2 227 subscribers
Post archive
🔶 Poor man's MFA for AWS Client VPN The AWS Client VPN service is a common way to seamlessly connect users into internal networks. This post describes a low-tech, low-cost solution to better authenticate users using a second factor. https://onecloudplease.com/blog/poor-mans-mfa-for-aws-client-vpn #aws

🔶 Thwacking DDOS with AWS WAF AWS WAF is definitely not the best DDOS prevention tech on the market. But if you're ever in the seat and it's the tool you have, here's your guide. https://ramimac.me/waf-ddos #aws

🔶 Building the foundations: A defender's guide to AWS Bedrock This blog focuses on AWS Bedrock and its relevant telemetry streams: CloudTrail management and data events, model invocation telemetry and endpoint telemetry. https://www.sumologic.com/blog/defenders-guide-to-aws-bedrock/ #aws

🔶 Strategies for achieving least privilege at scale - Part 2 This second post continues to look at the remaining four strategies and related mental models for scaling least privilege across your organization. https://aws.amazon.com/ru/blogs/security/strategies-for-achieving-least-privilege-at-scale-part-2/ (Use VPN to open from Russia) #aws

🔶 Strategies for achieving least privilege at scale - Part 1 This blog post walked through the first five (of nine) strategies for achieving least privilege at scale. https://aws.amazon.com/ru/blogs/security/strategies-for-achieving-least-privilege-at-scale-part-1/ (Use VPN to open from Russia) #aws

🔴 IAM so lost: A guide to identity in Google Cloud An entry-level post demystifying two foundational IAM access control principles: the concepts of least privilege and separation of duties. https://cloud.google.com/blog/products/identity-security/scaling-the-iam-mountain-an-in-depth-guide-to-identity-in-google-cloud/ #gcp

🔶 Delete unused AMIs using the new 'LastLaunchedTime' attribute Reduce your AWS costs by (more) safely deleting unused AMIs. https://st-g.de/2024/05/delete-unused-amis #aws

🔶 Moving AWS Accounts and OUs Within An Organization - Not So Simple! This post explores the potential implications of moving an AWS account or OU to another OU within the same Organization, including impacts to SCP policy inheritance, CloudFormation StackSet deployments, IAM policy conditions, RAM shares, and Control Tower enrollments. https://blog.wut.dev/2024/07/05/moving-aws-accounts-within-organization.html #aws

🔶 Access AWS services programmatically using trusted identity propagation With the introduction of trusted identity propagation, applications can now propagate a user's workforce identity from their identity provider (IdP) to applications running in AWS and to storage services backing those applications, such as S3 or Glue. https://aws.amazon.com/ru/blogs/security/access-aws-services-programmatically-using-trusted-identity-propagation/ (Use VPN to open from Russia) #aws

🔶 Implement an early feedback loop with AWS developer tools to shift security left How to use AWS CodeCommit to securely host Git repositories, AWS CodePipeline to automate continuous delivery pipelines, AWS CodeBuild to build and test code, and Amazon CodeGuru Reviewer to detect potential code defects. https://aws.amazon.com/ru/blogs/security/implement-an-early-feedback-loop-with-aws-developer-tools-to-shift-security-left/ (Use VPN to open from Russia) #aws

🔴 Announcing expanded Sensitive Data Protection for Cloud Storage GCP's Sensitive Data Protection (SDP) discovery service now supports Cloud Storage, joining BigQuery, BigLake, and Cloud SQL. https://cloud.google.com/blog/products/identity-security/announcing-expanded-sensitive-data-protection-for-cloud-storage #gcp

🔶 History of Amazon Web Services A page collecting the history of AWS service announcements and releases. https://www.awsgeek.com/AWS-History/ #aws

👩‍💻 Who polices your policies? Azure policy abuse for privilege escalation and persistence Azure Policy is a popular service to ensure compliance. But did you know attackers can also leverage it to backdoor cloud resources? https://securitylabs.datadoghq.com/articles/azure-policy-privilege-escalation/ #azure

🔶 Use private key JWT authentication between Amazon Cognito user pools and an OIDC IdP By redirecting the IdP token endpoint in the Cognito user pool's external OIDC IdP configuration to a route in an API Gateway, you can use Lambda functions to customize the request flow between Cognito and the IdP. https://aws.amazon.com/ru/blogs/security/use-private-key-jwt-authentication-between-amazon-cognito-user-pools-and-an-oidc-idp/ #aws

🔴 New Cloud KMS Autokey can help encrypt your resources quickly and efficiently Cloud KMS Autokey incorporates recommended practices that can significantly reduce the toil associated with managing your own encryption keys. https://cloud.google.com/blog/products/identity-security/cloud-kms-autokey-can-help-you-encrypt-resources-quickly-and-efficiently/ #gcp

🔶👩‍💻🔴 Attack Paths Into VMs in the Cloud Virtual machines (VMs) are a significant attack target. Focusing on three major CSPs, this research summarizes the conditions for possible VM attack paths. https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/ #aws #azure #gcp

🔶 Publicly Exposed AWS SSM Command Documents An analysis of the thousands of public SSM Command documents, including identification of secret leakage. https://ramimac.me/ssm-command-docs #aws

🔶 AWS OIDC Provider Enumeration A post expanding on Nick Frichette's discovery of enumerable OIDC providers in AWS using the known_aws_accounts dataset. https://ramimac.me/oidc-provider-enum #aws

🔶 SaaS tenant isolation with ABAC using AWS STS support for tags in JWT An alternative approach to implementing tenant isolation with ABAC by using the AWS STS AssumeRoleWithWebIdentity API operation and the https://aws.amazon.com/tags claim in a JSON Web Token (JWT). https://aws.amazon.com/ru/blogs/security/saas-tenant-isolation-with-abac-using-aws-sts-support-for-tags-in-jwt/ (Use VPN to open from Russia) #aws

👩‍💻 Cloud security posture and contextualization across cloud boundaries from a single dashboard How to prioritize the riskiest misconfigurations across your multicloud environment, all inside a single dashboard, by using Defender CSPM. https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/cloud-security-posture-and-contextualization-across-cloud/ba-p/4161703 #azure

CloudSec Wine - Telegram channel statistics and analytics @cloud_sec