CloudSec Wine

All about cloud security. Contacts: @AMark0f, @dvyakimov. About DevSecOps: @sec_devops

2 227 subscribers
Post archive
The Yandex Cloud and Yandex Infrastructure recruiting team here. For two weeks we are switching on turbo mode and are ready to hire backend developers and SREs within 2-3 days. We have gathered all the information in a Telegram channel: https://t.me/cloud_track Solve the Yandex Contest tasks before 23 October 2022 and join us! Let's build and grow a powerful cloud together. #advertising

🔴 Security Logging in Cloud Environments - GCP Another update to my "Security Logging in Cloud Environments - GCP" post, this time adding the new Sensitive Actions Service to the SCC section. https://blog.marcolancini.it/2021/blog-security-logging-cloud-environments-gcp #gcp

🔷 Public Network Access to Azure Resources Is Too Easy to Configure For some types of Azure resources and subnets, it's extremely easy to configure what is essentially public network access. This post describes some examples and how to reduce such risks. https://ermetic.com/blog/azure/public-network-access-to-azure-resources-is-too-easy-to-configure #azure

🔶 pop3ret/AWSome-Pentesting A guide to help pentesters learn more about AWS misconfigurations and the ways they can be abused. A cheatsheet of useful commands for a variety of AWS services, covering enumeration, data exfiltration, privilege escalation, and more. https://github.com/pop3ret/AWSome-Pentesting/blob/main/AWSome-Pentesting-Cheatsheet.md #aws

🔶 AWS Permission Boundaries for Dummies Tl;dr: if you want someone to admin some IAM in an account but not all the IAM, then you might need one. https://www.firemon.com/aws-permission-boundaries-for-dummies #aws

🔶 Diving Deeply into IAM Policy Evaluation A post going through confounding conditions, double and triple negatives, and principals matched and unmatched to explain a more accurate model of how IAM evaluates permissions internally. https://ermetic.com/blog/aws/diving-deeply-into-iam-policy-evaluation-highlights-from-aws-reinforce-session-iam433 #aws

🔶 Unofficial list of free resources to learn AWS for absolute beginners An unofficial list of free resources to learn AWS for absolute beginners. This will be a living document. https://docs.google.com/document/d/1fDTumqm5oc_nLAQBUnW8c6hAGmGx95a8-BZ92GqlbUs/edit #aws

🔶 State of AWS Security in 2022: A Look Into Real-World AWS Environments Datadog analyzed trends in the implementation of security best practices and took a closer look at various types of misconfigurations that contribute to the most common causes of security breaches. https://www.datadoghq.com/state-of-aws-security #aws

🔶🔷🔴 Cloud Architecture Diagrams as Code Create diagrams for AWS, GCP, Azure, a data ETL pipeline and more. https://docs.tryeraser.com/docs/examples #aws #azure #gcp

🔶 AWS services, explained in Victorian English By GPT-3 and @thesephist. How all companies should describe their products. 1️⃣ S3 is a glorious bastion of uptime in the otherwise storm-tossed sea of the World Wide Web, a shining beacon of safety to which one may entrust one’s most valuable data, whether files, or precious objects, or even blobs of the most unique and ephemeral content. 2️⃣ Route 53, the fleet-footed messenger of the gods, delivers your DNS traffic across the Internet with the speed of a Thracian chariot, and at a fraction of the cost. https://victorianaws.com #aws

🔶 The Many Ways to Manage Access to an EC2 Instance By Sym’s Mathew Pregasen. Options: EC2 key pairs, SSH access via 3rd-party tools, SSH access via IAM policies, eliminate direct access via GitOps (SSM’s Run Command), and temporary or JIT access. https://blog.symops.com/2022/09/22/ec2-access #aws

🔶 Run a Tailscale VPN relay on ECS/Fargate A step-by-step tutorial on how to run Tailscale in ECS. https://platformers.dev/log/2022/tailscale-ecs #aws

🔶 Using Kyverno To Enforce AWS Load Balancer Annotations For Centralized Logging To S3 Post covering the steps to take in order to use Kyverno to automatically configure the annotations that enable access logs for an AWS Network Load Balancer (NLB) to be forwarded to an S3 bucket. https://silvr.medium.com/using-kyverno-to-enforce-aws-load-balancer-annotations-for-centralized-logging-to-s3-af5dc1f1f3e0 #aws

🔶 zoph-io/aws-security-survival-kit Victor Grenu helps you set up minimal alerting on typical suspicious activities on your AWS Account. Using this kit, you will deploy CloudWatch EventRules and CW alarms on: 1️⃣ Root User activities 2️⃣ CloudTrail changes 3️⃣ AWS Personal Health Events 4️⃣ IAM Users changes 5️⃣ MFA updates 6️⃣ Unauthorized Operations 7️⃣ Failed AWS Console login authentication https://github.com/zoph-io/aws-security-survival-kit #aws

🔶 How DoorDash Ensures Velocity and Reliability through Policy Automation How DoorDash leverages OPA to build policy-based guardrails with codified rules that ensure velocity and reliability for cloud infrastructure automated deployments. https://doordash.engineering/2022/09/20/how-doordash-ensures-velocity-and-reliability-through-policy-automation #aws

🔶 AWS IAM Identity Center Access Tokens are Stored in Clear Text and No, That's Not a Critical Vulnerability Assuming constant full compromise of all machines is probably going to lead to controls where users can't reasonably do work. https://itnext.io/aws-iam-identity-center-access-tokens-are-stored-in-clear-text-and-no-thats-not-a-critical-68a48c1e398 #aws

🔷 Azure Attack Paths Post shedding some light on known attack paths in an Azure environment. https://cloudbrothers.info/azure-attack-paths #azure

🔷 Azure Cloud Shell Command Injection: Stealing User's Access Tokens This post describes how a researcher took over an Azure Cloud Shell trusted domain and leveraged it to inject and execute commands in other users' terminals. https://blog.lightspin.io/azure-cloud-shell-command-injection-stealing-users-access-tokens #azure

🔶 thundra-io/merloc By Thundra: a live AWS Lambda function development and debugging tool. MerLoc lets you run AWS Lambda functions locally while they remain part of a flow in the remote AWS cloud. https://github.com/thundra-io/merloc #aws