ru
Feedback
CloudSec Wine

CloudSec Wine

Открыть в Telegram

All about cloud security Contacts: @AMark0f @dvyakimov About DevSecOps: @sec_devops

Больше
2 228
Подписчики
Нет данных24 часа
+27 дней
+430 день
Архив постов
Yandex Cloud Security Checklist Друзья, подготовили для Вас первый чеклист по безопасной конфигурации Яндекс.Облака. В основе лежит агрегация всего, что есть в документации YC на тему безопасности, плюс некоторый собственный опыт, выявленный в рамках аудитов. Глобально чеклист разбит на домены сетевой безопасности и контроля доступа. Основная проблема в том, что почти все механизмы безопасности (Security Groups, Audit Trails), которых и так немного, находятся либо на стадии Preview, либо подключаются по запросу. Остальные механизмы подключаются через маркетплейс из числа сторонних коммерческих решений. UPD. Кстати, если хотите часть проверок пройти автоматизированными средствами, то рекомендуем Cloud Advisor. Там, в частности, пока еще есть возможность провести бесплатное сканирование. #yandex

🔶 The last S3 security document that we’ll ever need, and how to use it 163 page Threat Model of S3 by TrustOnCloud’s Jonathan Rault covering: 1️⃣ Best practices (best security/effort ratio) 2️⃣ Reviewing the service depending on your application(s), and implementing the controls based on your risk tolerance 3️⃣ Onboarding for large enterprises/agencies 4️⃣ Compliance mapping to demonstrate a risk-based approach, gap analysis and formulating an action plan https://trustoncloud.com/the-last-s3-security-document-that-well-ever-need/ #aws

🔶 Spice up Your Kubernetes Environment with AWS Lambda How to securely integrate AWS Lambda with an existing Kubernetes environment without codes changes. https://liavyona09.medium.com/spice-up-your-kubernetes-environment-with-aws-lambda-a07d81347607 #aws

🔷 Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent How anyone with a local administrator access to AD FS server (or proxy), can create arbitrary sign-ins events to Azure AD sign-ins log. https://o365blog.com/post/hybridhealthagent/ #azure

🔶 Inside Figma: securing internal web apps A deep-dive into how Figma built a system for securing internal web applications that lets them require SSO authentication, enforce fine-grained authorization (via Okta groups), and support CLI tools, all using ALBs, AWS Cognito, and Okta. https://www.figma.com/blog/inside-figma-securing-internal-web-apps/ #aws

🔶 KONTRA's AWS Top 10 A series of free interactive security training modules that teach developers how to identify and mitigate security vulnerabilities in their AWS-hosted cloud applications. https://application.security/free/kontra-aws-clould-top-10 #aws

🔶 AWS Condition Context Keys for Reducing Risk Post taking a closer look at the "aws:CalledVia*" and "aws:ViaAWSService" keys, and how you can use them to achieve least privilege. https://ermetic.com/whats-new/blog/aws/aws-condition-context-keys-for-reducing-risk #aws

🔴 Leaving Bastion Hosts Behind Post examining GCP services like OS Login and Identity-Aware Proxy (IAP), and showing how they can be used as an alternative to bastion hosts. https://www.netskope.com/blog/leaving-bastion-hosts-behind-part-1-gcp #gcp

🔶 An Introduction to AWS Firewall Manager What is AWS Firewall Manger and how can it help you secure your organization? https://scalesec.com/blog/an-introduction-to-aws-firewall-manager/ #aws

🔶 How to create IAM roles for deploying your AWS Serverless app An in-depth guide to creating production-ready, least privilege IAM roles for deploying your serverless application across multiple AWS accounts. https://serverlessfirst.com/create-iam-deployer-roles-serverless-app/ #aws

🔶 Remediating AWS IMDSv1 An article on remediating IMDSv1 in AWS, a common server-side request forgery vector targeting lateral movement and persistence. https://docs.google.com/document/d/1X737xoQviufdxZk_l33bnpp6noOmNIYvMilQCdhtwoY/edit?usp=drivesdk #aws

🔶 Lightsail object storage concerns Part one of a two part series that will discuss AWS’s new Lightsail object storage. The first part looks at the new Lightsail access key capability and its security issues. https://summitroute.com/blog/2021/08/05/lightsail_object_storage_concerns-part_1/ #aws

🔶🔷🔴 Cloud Security Orienteering A cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment. https://engagement.cloudseclist.com/CL0/https:%2F%2Fspeakerdeck.com%2Framimac%2Fcloud-security-orienteering/1/0102017b49d91665-a615638b-8c75-4354-8b9e-7506b2f22c63-000000/rSHPkoLqfgzw0mml10F-sffbOTmikixij_N4osfUoN0=210 #aws #azure #gcp

🔶 Expanding Secrets Infrastructure to AWS Lambda How Square extended their datacenter-based secrets infrastructure to enable a cloud migration supporting Lambda. They added SPIFFE compatibility to their secrets infrastructure and developed a Lambda secrets syncer that Square engineers can deploy via a Terraform module. https://developer.squareup.com/blog/expanding-secrets-infrastructure-to-aws-lambda/ #aws

🔶 Building an AWS Perimeter Whitepaper by AWS covering perimeter objectives, identity, resource, and network boundaries, preventing access to internal credentials, and cross-region requests. https://d1.awsstatic.com/whitepapers/building_an_aws_perimeter.pdf #aws

🔴 Security Log Scoping Tool Security Log Scoping Tool is an interactive form to help customers discover, evaluate and enable their security-relevant logs across Google Cloud. https://cloud.google.com/architecture/exporting-stackdriver-logging-for-security-and-access-analytics#evaluate_which_logs_to_export #gcp

🔶 How to implement the principle of least privilege with CloudFormation StackSets How to conform to the principle of least privilege while still allowing users to use CloudFormation to create the resources they need. https://aws.amazon.com/ru/blogs/security/how-to-implement-the-principle-of-least-privilege-with-cloudformation-stacksets/ #aws

🔶 Top things to do when setting up a new Org What you should do when setting up a new AWS Organization from scratch. https://www.chrisfarris.com/post/aws-organizations-in-2021/ #aws

🔶 Cloud Malware: Resource Injection in CloudFormation Templates Blog focusing on a new Pacu module on cloud malware using resource injection in CloudFormation templates. https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/ #aws

🔶 S3 backups and other strategies for ensuring data durability through ransomware attacks This post will discuss options for ensuring the durability of data stored on S3, through protections in place and backup strategies. The AWS backup service on AWS unfortunately does not backup S3 buckets and a lot of discussions of backups and data durability on AWS do not describe the implementation in sufficient detail, which allows a number of potential dangers. This post will show you the two best options (s3 object locks and replication policies), explains how to use these, and what to watch out for. https://summitroute.com/blog/2021/08/03/S3_backups_and_other_strategies_for_ensuring_data_durability_through_ransomware_attacks/ #aws