CloudSec Wine

🔶 Identity Federation for GitHub Actions on AWS An useful step-by-step example on how to configure your GitHub Actions build jobs to securely and seamlessly use IAM Roles in AWS. https://scalesec.com/blog/identity-federation-for-github-actions-on-aws/ #aws

🔷 CVE-2021-42306 CredManifest: App Registration Certificates Stored in Azure Active Directory Another security issue discovered in Azure: due to a misconfiguration, Automation Account "Run as" credentials (PFX certificates) were being stored in cleartext in Azure Active Directory (AAD). https://www.netspi.com/blog/technical/cloud-penetration-testing/azure-cloud-vulnerability-credmanifest/ #azure

🔶 Well, That Escalated Quickly AfterPay’s Dorien Koelemeijer describes Cloud Cover, a tool they built to enable developers to move quickly but also with least IAM privilege, using Okta, permissions defined in a git repo, and more. Neat approach. https://www.afterpaytechblog.com/well-that-escalated-quickly/ #aws

🔶 Do not use AWS CloudFormation Greg Swallow argues that CloudFormation is strictly worse than Terraform: it has extra indirection and is harder to debug, Terraform has a rich set of data sources and makes transforming data is a breeze, Terraform is much faster, CloudFormation’s async nature requires polling logic, Terraform is portable across providers, and more. https://gswallow.medium.com/do-not-use-aws-cloudformation-7cf61f58bd5f #aws

🔶 tenchi-security/camp A tool that automatically downloads and keeps a local copy of all AWS IAM Managed Policies, and runs Cloudsplaining on them. By Victor Grenu and Tenchi Security’s Alexandre Sieira. https://github.com/tenchi-security/camp #aws

🔷 Exploiting and defending anonymous access in Azure Most of Azure services require some form of authentication for access. However, there are a few exceptions that allows the configuration of unauthenticated and unauthorized access. The most common ones are the Azure Blob Container and the Azure Container registry. https://davidokeyode.medium.com/exploiting-and-defending-anonymous-access-in-azure-dcb00e032258 #azure

🔴 Everything you always wanted to know about VPC Peering (but were afraid to ask) An overview of Google Cloud VPC network peerings, their anatomy, major misconceptions, and some watchpoints, so that users can learn how to use them wisely, while designing their infrastructures. https://medium.com/google-cloud/everything-you-always-wanted-to-know-about-vpc-peering-but-were-afraid-to-ask-2b26267ba7d9 #gcp

🔷 ChaosDB Explained: Azure’s Cosmos DB Vulnerability Walkthrough Great walkthrough example of exploring attack surface, escalating privileges, and lateral movement by Wiz’s Nir Ohfeld and Sagi Tzadik. https://www.wiz.io/blog/chaosdb-explained-azures-cosmos-db-vulnerability-walkthrough #azure

🔶 Using New S3 Features to Give CloudTrail Logs Service-Side Enrichment Use the recent S3 Object Lambda functionality in AWS to enrich S3-based logs with valuable intelligence. https://www.paloaltonetworks.com/blog/security-operations/enrich-aws-cloudtrail-s3-object-lambda/ #aws

🔶 Automating cloud governance at scale Blog post from SkyScanner, introducing some recent improvements to CFRipper that have enabled them to detect issues more accurately, allow for increasing levels of customization, and facilitate dynamic stack exemptions for engineering squads. https://medium.com/@SkyscannerEng/automating-cloud-governance-at-scale-895695fe4a1f #aws

🔴 The 2 limits of Google Cloud IAM 2 use cases where the GCP IAM model is limited, requiring some trickery to get right. https://www.iampulse.com/t/the-2-limits-of-google-cloud-iam #gcp

🔶 Streamline Fifteen SOC 2 Controls with AWS Config and AWS Security Hub There are two services on AWS that can make SOC 2 easier for you and your company, AWS Config and AWS Security Hub. These two services have built-in rules (Config) and controls (Security Hub) that directly address SOC 2 criteria and controls. https://www.sans.org/blog/streamline-fifteen-soc-2-controls/ #aws

🔴 Accessing GKE private clusters through IAP How to connect to the control plane of a GKE private cluster, leveraging a proxy and an IAP tunnel. https://medium.com/google-cloud/accessing-gke-private-clusters-through-iap-14fedad694f8 #gcp

🔶 AWS temporary creds with SSO and a CDK workaround Step-by-step guide including helpful recommendations for replacing hard-coded credentials with temporary credentials using SSO. https://www.iampulse.com/t/aws-temporary-creds-with-sso-and-a-cdk-workaround #aws

🔴 Stop Downloading Google Cloud Service Account Keys! Generating and distributing service account keys poses severe security risks to your organization. You don't actually have to download these long-lived keys. There's a better way! https://jryancanty.medium.com/stop-downloading-google-cloud-service-account-keys-1811d44a97d9 #gcp

🔶 Continuous compliance on AWS A list of services and patterns that can be especially helpful in adopting a continuous compliance posture on AWS. https://8thlight.com/blog/connor-mendenhall/2021/04/27/continuous-compliance-on-AWS.html #aws

🔷 Enterprise-scale seamless onboarding and deployment of Azure Sentinel using Lighthouse for multi-tenant environments Behind the scenes view of some of the automated processes involved in setting up new environments and managing custom analytics for each customer, including details about our scripting and automated build and release pipelines, which are are deployed as infrastructure-as-code. https://research.nccgroup.com/2021/10/19/enterprise-scale-seamless-onboarding-and-deployment-of-azure-sentinel-using-lighthouse-for-multi-tenant-environments/amp/ #azure

🔶 te-papa/aws-key-disabler A small lambda script that will disable access keys older than a given amount of days. https://github.com/te-papa/aws-key-disabler #aws

🔶 Achieving least-privilege at FollowAnalytics with Repokid, Aardvark and ConsoleMe FollowAnalytics’s Guilherme Sena Zuza describes how they used these open source Netflix tools to remove static keys and overall get closer to least privilege IAM policies in AWS. https://medium.com/followanalytics/granting-least-privileges-at-followanalytics-with-repokid-aardvark-and-consoleme-895d8daf604a #aws

Do you want to know the best way to defend against cyberattacks? We are already waiting for you from November 16 to 18 at one of the most important events of this year in information security - the global online conference CLOUDSEC 2021 by Trend Micro. 72 hours of total immersion in the world experience of world security awaits you. We will discuss trends, development prospects, challenges, urgent problems and their solutions. And what else? 📍Thematic content; 📍Live performances; 📍Useful insights; 📍Networking; 📍Exhibition of solutions; 📍Place of resources; 📍Gaming environment. Registration has already started. Follow the link: https://bit.ly/3EgVxka #advertising