CloudSec Wine

🔶 How fast is CloudTrail today? Investigating CloudTrail delays using Athena Investigating how long CloudTrail takes to deliver events in 2023. https://tracebit.com/blog/2023/11/how-fast-is-cloudtrail-today-investigating-cloudtrail-delays-using-athena/ #aws

🔶 Deep dive into the new Amazon EKS Pod Identity feature Earlier this week, AWS released a new feature, EKS Pod Identity, that aims to simplify granting AWS access to pods running in an EKS cluster. This post deep-dives into how this feature works, some elements that make it unique, and why you might consider using it. https://securitylabs.datadoghq.com/articles/eks-pod-identity-deep-dive/ #aws

🔴 Pwning Cloud Contexts, The Endgame Slides from a Black Hat MEA 2023 talk discussing how a GitHub token led to the compromise of an entire GCP organization. https://docs.google.com/presentation/d/1sVZohEgGKDkgwgVNzquNzSzKdLDMOFgAiiR78kcgBAw/edit#slide=id.g29a3b4d3924_0_137 #gcp

🔶 Preventing Accidental Internet-Exposure of AWS Resources Many AWS customers have suffered breaches due to exposing resources to the Internet by accident. This three-part series walks through different ways to mitigate that risk. https://kevinhock.github.io/2023/11/26/preventing-accidental-internet-exposure-of-aws-resources-part-1-vpc.html #aws

🔷 All the Small Things: Azure CLI Leakage and Problematic Usage Patterns Post discussing the unintentional leakage of Azure Application Variables in GitHub build logs due to Azure CLI's default behavior. https://www.paloaltonetworks.com/blog/prisma-cloud/secrets-leakage-user-error-azure-cli/ #azure

🔶 How to use multiple instances of AWS IAM Identity Center You can now have two types of IAM Identity Center instances: organization instances and account instances. https://aws.amazon.com/ru/blogs/security/how-to-use-multiple-instances-of-aws-iam-identity-center/ #aws

🔴 Enhancing Cybersecurity with Security Command Center's Attack Path Simulations and Attack Exposure Scoring Security Command Center (SCC) recently introduced two new features: Attack Path Simulation (APS) and Attack Exposure Scoring (AES). https://medium.com/google-cloud/enhancing-cybersecurity-with-security-command-centers-attack-path-simulation-and-attack-path-46c527cd4927 (Use VPN to open from Russia) #gcp

🔶 Establishing a data perimeter on AWS: Require services to be created only within expected networks How to use preventative controls to help ensure that your resources are deployed within your VPC, so that you can effectively enforce the network perimeter controls. https://aws.amazon.com/ru/blogs/security/establishing-a-data-perimeter-on-aws-require-services-to-be-created-only-within-expected-networks/ #aws

🔶 Reversing AWS IAM unique IDs How to identify the ARN of a user/role from AWS IAM unique IDs, often seen in CloudTrail logs. https://awsteele.com/blog/2023/11/19/reversing-aws-iam-unique-ids.html #aws

🔷 (Ab)using the Microsoft Identity Platform: Exploring Azure AD Token Caching Presentation examining how JSON Web Token (JWT) caching works in corporate settings with Azure Active Directory (Azure AD) integration, including Azure AD Joined and Hybrid environments. https://github.com/FuzzySecurity/SANS-HackFest-2023/blob/main/SANS_HackFest23-Abusing_The-Microsoft-Identity-Platform.pdf #azure

🔶 Building sensitive data remediation workflows in multi-account AWS environments A solution that provides you with visibility into sensitive data residing across a fleet of AWS accounts through a ChatOps-style notification mechanism using Microsoft Teams, which also provides contextual information needed to conduct security investigations. https://aws.amazon.com/ru/blogs/security/building-sensitive-data-remediation-workflows-in-multi-account-aws-environments/?utm_source=cloudseclist.com&utm_medium=referral&utm_campaign=CloudSecList-issue-214 #aws

🔷 Public preview: Confidential containers on Azure Kubernetes Service (AKS) AKS now lets you run individual pods in their own trusted execution environment (TEE). https://techcommunity.microsoft.com/t5/apps-on-azure-blog/public-preview-confidential-containers-on-aks/ba-p/3980871 #azure

🔶 Lambda Extensions: Exploring Misuse Scenarios and Stratus Red Team Module Development Post analyzing a well-known attack vector and then showing how to build a module for Stratus Red Team, a self-contained binary we can use to detonate offensive attack techniques against a live cloud environment easily. https://awstip.com/lambda-extensions-exploring-misuse-scenarios-and-stratus-red-team-module-development-b63c5a73491a (Use VPN to open from Russia) #aws

🔶🔷🔴 State of Cloud Security Datadog analyzed data from thousands of organizations to understand the latest trends in cloud security posture. https://www.datadoghq.com/state-of-cloud-security/ #aws #azure #gcp

🔷 Mistaken Identity: Extracting Managed Identity Credentials from Azure Function Apps The article discusses a security vulnerability in Azure Function Apps, where Linux containers use an encrypted startup context file that can be decrypted to expose sensitive data, including Managed Identity certificates. https://www.netspi.com/blog/technical/cloud-penetration-testing/mistaken-identity-azure-function-apps #azure

🔴 Introducing Advanced Vulnerability Insights for GKE Artifact Analysis in partnership with Google Kubernetes Engine has introduced a new vulnerability scanning offering called Advanced Vulnerability Insights. https://cloud.google.com/blog/products/identity-security/introducing-advanced-vulnerability-insights-for-gke #gcp

🔶 How to create an AMI hardening pipeline and automate updates to your ECS instance fleet How to create a workflow to enhance Amazon ECS-optimized AMIs by using the CIS Docker Benchmark and automatically updating your EC2 instances in your ECS cluster with the newly created AMIs. https://aws.amazon.com/ru/blogs/security/how-to-create-an-ami-hardening-pipeline-and-automate-updates-to-your-ecs-instance-fleet/ #aws

🔷 The Triforce of Initial Access The article emphasizes that the success of Red Teaming often hinges on the quality of information (loot) gathered and the effectiveness of the tools used, such as Evilginx, ROADtools, and TeamFiltration, complemented by the Bobber script. https://trustedsec.com/blog/the-triforce-of-initial-access #azure

🔷 Spoofing Microsoft Entra ID Verified Publisher Status It was possible to manipulate the consenting process of a legitimate verified publisher application to implant malicious unverified applications within a Microsoft Entra ID tenant. https://www.secureworks.com/research/spoofing-microsoft-entra-id-verified-publisher-status #azure

🔷 Weather Forecast: Money Is Going to Rain from the Cloud SafeBreach researchers discovered and exploited a billing flaw in Azure Automation Service, enabling free, hidden, and unstoppable cryptocurrency mining using Python scripts and Runbooks. https://www.safebreach.com/blog/cryptocurrency-miner-microsoft-azure #azure