CloudSec Wine

All about cloud security. Contacts: @AMark0f @dvyakimov. About DevSecOps: @sec_devops

2 228 subscribers

Post archive
🔶 Secure root user access for member accounts in AWS Organizations
How you can centrally manage root credentials and perform tasks that previously required root credentials across member accounts in your organization.
https://aws.amazon.com/ru/blogs/security/secure-root-user-access-for-member-accounts-in-aws-organizations/ #aws

🔶 Hands-On Security Tips For Centralize Root Access In AWS
AWS has recently introduced a centralized root access management feature for AWS Organizations. This blog covers why this is important, how it changes root access management, and tips for how to handle this new feature.
https://medium.com/@oraspir/hands-on-security-tips-for-centralize-root-access-in-aws-assumeroot-5d315de423cd #aws

🔶 How to use AWS Resource Control Policies
Another article, this time from Wiz, looking at the newly introduced RCPs.
https://www.wiz.io/blog/how-to-use-aws-resource-control-policies #aws

🔶 Creating a Data Perimeter with Resource Control Policies (RCPs) and AWS KMS
Post which analyses Resource Control Policies, explains the benefits of RCPs vs SCPs, and gives 5 examples of how to use RCPs to build a multi-layered data perimeter to protect data.
https://www.fogsecurity.io/blog/data-perimeters-with-resource-control-policies-and-aws-kms #aws

🔶 Stop Using Predictable Bucket Names: A Failed Attempt at Hacking Satellites
This blog discusses the security risks of S3 bucket namesquatting in AWS, where attackers could potentially exploit predictable bucket naming patterns.
https://www.securityrunners.io/post/stop-using-predictable-bucket-names-a-failed-attempt-at-hacking-satellites #aws

🔴 Shift-left your cloud compliance auditing with Audit Manager
Google announced that their Audit Manager service, which can digitize and help streamline the compliance auditing process, is now generally available.
https://cloud.google.com/blog/products/identity-security/shift-left-your-cloud-compliance-auditing-with-audit-manager/ #gcp

🔶 Resource Control Policies: Closing the data perimeter gap
This post explores this new feature, how it helps, what its limits are, and what we might see in the future.
https://onecloudplease.com/blog/resource-control-policies-closing-the-data-perimeter-gap #aws

👩‍💻 Azure Detection Engineering: Log idiosyncrasies you should know about
Post sharing a few inconsistencies found in Azure logs which make detection engineering more challenging.
https://tracebit.com/blog/azure-detection-engineering-log-idiosyncrasies-you-should-know-about #azure

🔴 Sketchy Cheat Sheet - Story of a Cloud Architecture Diagramming Tool gone wrong
A series of vulnerabilities found in Google's Architecture Diagramming Tool, leading to its eventual decommissioning due to security concerns.
https://jdomeracki.github.io/2024/11/09/sketchy_cheat_sheet/ #gcp

🔶 Securing AWS Lambda - How Misconfigurations Can Lead to Lateral Movement
How several misconfigurations and user-defined code issues in AWS Lambda could lead to potential credential theft and lateral movement.
https://www.sentinelone.com/blog/lateral-movement-in-aws-lambda-environments/ #aws

🔴 A new flexible DNS-based approach for accessing the GKE control plane
A new DNS-based endpoint for GKE clusters provides enhanced flexibility when accessing the control plane and configuring security.
https://cloud.google.com/blog/products/containers-kubernetes/new-dns-based-endpoint-for-the-gke-control-plane/ (Use VPN to open from Russia) #gcp

🔶 Peek inside your AWS CloudFormation Deployments with timeline view
The new CloudFormation deployment timeline view provides visibility into the orchestration flow and dependencies involved when CloudFormation provisions resources defined in your infrastructure-as-code templates.
https://aws.amazon.com/ru/blogs/devops/peek-inside-your-aws-cloudformation-deployments-with-timeline-view/ (Use VPN to open from Russia) #aws

👩‍💻 Unlocking the future: Azure networking updates on security, reliability, and high availability | Microsoft Azure Blog
The general availability of the Bastion Developer SKU, virtual network encryption, and the public preview of DNSSEC support in Azure.
https://azure.microsoft.com/en-us/blog/unlocking-the-future-azure-networking-updates-on-security-reliability-and-high-availability/ #azure

👩‍💻 Abusing FIDO2 passkeys to take over Global Administrators in Entra ID
Microsoft has recently published a Graph API that allows administrators to pre-provision passkeys for users. From an offensive security point of view this raises the question whether this functionality can be abused to take over accounts.
https://www.secura.com/services/information-technology/vapt/what-can-be-pentested/cloud-pentesting/abusing-fido2-passkeys #azure

🔶 How AWS enforcement code logic evaluates requests to allow or deny access
AWS updated the IAM policy evaluation chart.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic_policy-eval-denyallow.html (Use VPN to open from Russia) #aws

🔶 Unauthorized tactic spotlight: Initial access through a third-party identity provider
Some of the recent techniques used by threat actors that leverage specific customer configurations or design to make unauthorized use of resources within an AWS account.
https://aws.amazon.com/ru/blogs/security/unauthorized-tactic-spotlight-initial-access-through-a-third-party-identity-provider/ (Use VPN to open from Russia) #aws

🔶 Implement effective data authorization mechanisms to secure your data used in generative AI applications
Post walking through the risks associated with using sensitive data as part of fine-tuning for FMs, retrieval augmented generation (RAG), AI agents, and tooling with generative AI workloads.
https://aws.amazon.com/ru/blogs/security/implement-effective-data-authorization-mechanisms-to-secure-your-data-used-in-generative-ai-applications/ (Use VPN to open from Russia) #aws

🔴 Filling up the DagBag: Privilege Escalation in Google Cloud Composer
An attacker that has write access to the Cloud Composer environment's dedicated bucket can gain command execution in the Composer environment.
https://www.netspi.com/blog/technical-blog/cloud-pentesting/privilege-escalation-google-cloud-composer/ #gcp

🔶 How Attackers Can Abuse IAM Roles Anywhere for Persistent AWS Access
The process involves using API actions like CreateTrustAnchor and CreateProfile to facilitate the exploitation.
https://medium.com/@adan.alvarez/how-attackers-can-abuse-iam-roles-anywhere-for-persistent-aws-access-b3ced6935dca (Use VPN to open from Russia) #aws

🔶 Building an AppRunner on EC2 with Cloudflare Zero Trust Access
How to automate the deployment of a private AppRunner instance on AWS that hosts multiple internal apps securely behind Cloudflare's zero-trust access controls.
https://blog.marcolancini.it/2024/blog-building-apprunner-ec2-cloudflare-zero-trust-access/ #aws