uk
Feedback
CloudSec Wine

CloudSec Wine

Відкрити в Telegram

All about cloud security Contacts: @AMark0f @dvyakimov About DevSecOps: @sec_devops

Показати більше
2 235
Підписники
-124 години
Немає даних7 днів
+1030 день
Архів дописів
🔶 Build an end-to-end attribute-based access control strategy with AWS SSO and Okta "This blog post discusses the benefits of using an attribute-based access control (ABAC) strategy and how to use ABAC with AWS SSO when you’re using Okta as an identity provider. With ABAC, you can simplify your access control strategy by granting access to groups of resources, which are specified by tags, instead of managing long lists of individual resources." https://aws.amazon.com/blogs/security/build-an-end-to-end-attribute-based-access-control-strategy-with-aws-sso-and-okta/ #aws

🔶Hardening AWS EKS security with RBAC, secure IMDS, and audit logging First in a series of blog posts looking into the default settings used in AWS Elastic Kubernetes Service (EKS) deployments, and demonstrating how small misconfigurations or unwanted side-effects may put our clusters at risk. https://snyk.io/blog/hardening-aws-eks-security-rbac-secure-imds-audit-logging/ #aws

🔶 AWS Service Control Policy (SCP) Repository A repository of AWS Service Control Policy templates and examples that can be deployed using CloudFormation custom resource or AWS CLI scripts. Some great examples like: preventing users from disabling or altering the configuration of CloudTrail, AWS Config, and CloudWatch, preventing any VPC that doesn’t already have Internet access from getting it, and more. https://asecure.cloud/l/scp/ #aws

🔶 Uncomplicate Security for developers using Reference Architectures In this blog, Anunay Bhatt, Cloud Security Architect, w
🔶 Uncomplicate Security for developers using Reference Architectures In this blog, Anunay Bhatt, Cloud Security Architect, will walk through some of the salient features of a meaningful security reference architecture and the process required to develop one. The author will also look at the challenges that one might expect to face while launching a successful security reference architecture program. https://ab-lumos.medium.com/embedding-security-into-sdlc-using-reference-architectures-for-developers-29403c00fb3d #aws

🔶 The Gamer Guide to Playing Amazon Web Services (AWS) In this article, the author shares a getting started guide for AWS, in a similar style to the getting started guides that many experienced MMORPG players write for new players. It is a lot easier to get into a game, understand what to do, where to go, and how to play optimally when you have tips from other players who have gone before you. https://nathanpeck.com/gamers-guide-to-playing-aws/ #aws

🔶 Best practices for securing Identity and Access Management on Amazon Web Services Post looking at different approaches to help keep IAM configuration tidy, auditable and right-sized. https://bridgecrew.io/blog/best-practices-for-securing-identity-and-access-management-on-amazon-web-services/ #aws

🔸Automated Github Backups with ECS and S3 Architecture and implications of an automated process aiming to backup a Github ac
🔸Automated Github Backups with ECS and S3 Architecture and implications of an automated process aiming to backup a Github account, relying on ECS Fargate and S3 Glacier. The author, Marco Lancini, explains in his blog the architecture and implications of the final setup he decided to go with. https://www.marcolancini.it/2021/blog-github-backups-with-ecs/ #aws

🔸Building an end-to-end Kubernetes-based DevSecOps software factory on AWS "DevSecOps software factory implementation can si
🔸Building an end-to-end Kubernetes-based DevSecOps software factory on AWS "DevSecOps software factory implementation can significantly vary depending on the application, infrastructure, architecture, and the services and tools used. In a previous post, I provided an end-to-end DevSecOps pipeline for a three-tier web application deployed with AWS Elastic Beanstalk. The pipeline used cloud-native services along with a few open-source security tools. This solution is similar, but instead uses a containers-based approach with additional security analysis stages. It defines a software factory using Kubernetes along with necessary AWS Cloud-native services and open-source third-party tools. Code is provided in the GitHub repo to build this DevSecOps software factory, including the integration code for third-party scanning tools." https://aws.amazon.com/ru/blogs/devops/building-an-end-to-end-kubernetes-based-devsecops-software-factory-on-aws/ #aws

🔶 Why AWS SSO is vulnerable by design to device code authentication phishing? "In this post, we demonstrate that AWS SSO is vulnerable by design to device code authentication phishing – just like any identity provider implementing OpenID Connect device code authentication. This technique was first demonstrated by Dr. Nestori Syynimaa for Azure AD. The feature provides a powerful phishing vector for attackers, rendering ineffective controls such as MFA (including Yubikeys) or IP allow-listing at the IdP level." https://blog.christophetd.fr/phishing-for-aws-credentials-via-aws-sso-device-code-authentication/ #aws

🔸How we prevented subdomain takeovers and saved $000s Blog post describing new open source tool for protecting cloud infrastructure from subdomain takeover, using AWS Lambda functions integrated with Amazon Route53. https://tech.ovoenergy.com/how-we-prevented-subdomain-takeovers-and-saved-000s/ #aws

​​AWS Security Reference Architecture (AWS SRA) — документ по комплексной настройке сервисов безопасности в мульти-аккаунтной среде: https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/welcome.html Although we rely on a one-page diagram as our foundation, an architecture goes deeper than a single block diagram and must be built on a well-structured foundation of fundamentals and security principles. You can use this document in two ways: as a narrative or as a reference. #security

🔸Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion Tenchi Security’s Alexandre Sieira a
🔸Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion Tenchi Security’s Alexandre Sieira and Leonardo Viveiros describe how wildcard expansion when specifying HTTP verbs and paths that are allowed can potentially expose things you did not intend. Man, sometimes AWS feels like Complexity/Footguns-as-a-Service. Like Intuit lobbying against making taxes easier because it’s not in their financial interests. https://www.tenchisecurity.com/blog/thefaultinourstars #aws

🔸AWS Accounts as Security Boundaries - 97+Ways Data Can be Shared Across Accounts Security teams cannot simply rely on the AWS account boundary to limit access between environments. Instead, they must carefully audit IAM policies, resource policies, Organization membership, RAM shares, service-level integrations, and sometimes combinations of one of more of these options, in order to properly evaluate how data from one account is being sent to others. https://matthewdf10.medium.com/aws-accounts-as-security-boundaries-97-ways-data-can-be-shared-across-accounts-b933ce9c837e #aws

🔸Protecting Amazon S3 Data from Ransomware Ransomware targeting S3 is more than likely to simply delete your data and claim that it's being held ransom than actually encrypting it https://securingthe.cloud/aws/protecting-amazon-s3-data-from-ransomware/ #aws

🔸🔴Access Service: Temporary Access to the Cloud How the Segment Security Engineering Team approaches access to AWS/GCP roles and SaaS apps, and how they implemented a time-based, peer-reviewed access. https://segment.com/blog/access-service/ #aws #gcp

🔸iam-service-account-controller Kubernetes controller that automatically manages AWS IAM roles for ServiceAccounts. https://github.com/ovotech/iam-service-account-controller #aws

🔸AWS Visibility & Enforcement A cheatsheet of a number of useful tools for getting visibility into your cloud environment and continuously enforcing security policies, by Marco Lancini. https://cloudsecdocs.com/aws/devops/tooling/visibility/ #aws

🔸Retrieving AWS security credentials from the AWS console How to retrieve AWS security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) when authenticated in the AWS Console. https://blog.christophetd.fr/retrieving-aws-security-credentials-from-the-aws-console/ #aws