CloudSec Wine
All about cloud security. Contacts: @AMark0f, @dvyakimov. About DevSecOps: @sec_devops
🔶 Hacking AWS end-to-end - remastered
A remastering of one of the greatest cloud security talks ever given, Daniel Grzelak's Kiwicon 2016 presentation, in which he shows IAM principal enumeration via resource policies, abuse of confused-deputy weaknesses in vendor trust relationships, and more. Slides and code: https://github.com/dagrz/aws_pwn
https://youtu.be/8ZXRw4Ry3mQ
#aws
🔶🔷🔴 Multicloud failover is almost always a terrible idea
Multicloud failover is so complex and costly that it is almost always impractical, and it is not an especially effective way to address cloud resilience risks.
https://cloudpundit.com/2021/10/14/multicloud-failover-is-almost-always-a-terrible-idea/
#aws #azure #gcp
🔷 Understanding Azure Logs from a security perspective - Part 2 - NSG Flow Logs
This post is the second in a multi-part series covering the logs and telemetry available on the Azure platform, the security insights that can be obtained from them, and the blind spots that can save you a few headaches down the line.
https://davidokeyode.medium.com/understanding-azure-logs-from-a-security-perspective-part-2-nsg-flow-logs-3edc5c42f39a
#azure
🔶 Designing Least Privilege AWS IAM Policies for People
Got engineers with AdministratorAccess? Here's how to deploy reduced privilege IAM roles for people without breaking their workflows.
https://www.iampulse.com/t/designing-least-privilege-aws-iam-policies-for-people
#aws
🔴 VPC Service Controls in Plain English
GCP offers powerful security controls to mitigate API-based data exfiltration called VPC Service Controls. To execute a successful and secure cloud architecture with VPC Service Controls, it is important to understand exactly how they work.
https://scalesec.com/blog/vpc-service-controls-in-plain-english/
#gcp
🔷 Azure Privilege Escalation via Service Principal Abuse
Post explaining how to abuse Service Principals to escalate rights in Azure and how to protect yourself against it.
https://posts.specterops.io/azure-privilege-escalation-via-service-principal-abuse-210ae2be2a5
#azure
🔶 AWS WAF's Dangerous Defaults
AWS WAF's defaults make it trivial to bypass on POST requests, even with the AWS Managed Rules enabled.
https://osamaelnaggar.com/blog/aws_waf_dangerous_defaults/
#aws
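An added illustration (editor's example, not code from the linked post) of why body-inspection limits matter for POST requests. AWS WAF inspects only the first 8 KB of a request body for ALB, API Gateway and AppSync (a documented limit that the summary above does not spell out), so a payload placed past that offset is invisible to body-matching rules unless something also blocks oversized bodies. The toy matching rule, the form layout and the `block_oversize` flag are constructed here; the flag stands in for a size-restriction rule or for body oversize handling set to match.

```python
"""Model of a body-inspection limit and of the oversize-body bypass it allows."""

# Documented AWS WAF body-inspection limit for ALB / API Gateway / AppSync.
BODY_INSPECTION_LIMIT = 8 * 1024


def inspected_prefix(body: bytes, limit: int = BODY_INSPECTION_LIMIT) -> bytes:
    """What a body-inspecting rule actually gets to look at: the first `limit` bytes."""
    return body[:limit]


def naive_sqli_rule(seen: bytes) -> bool:
    """Toy stand-in for a body-matching rule (constructed here, not an AWS rule).
    A real rule would URL-decode first; this model keeps the body undecoded."""
    needles = [b"' or 1=1", b"union select", b"sleep("]
    low = seen.lower()
    return any(n in low for n in needles)


def craft_padded_form(payload: str, field: str = "comment",
                      limit: int = BODY_INSPECTION_LIMIT) -> bytes:
    """Build a form body whose interesting field begins after `limit` bytes.

    The leading 'pad=AAAA...&' parameter is harmless filler the application
    ignores; it spans exactly `limit` bytes, so everything the inspector sees
    is junk and the real field sits entirely past the inspected prefix.
    """
    filler_key = b"pad="
    filler = filler_key + b"A" * (limit - len(filler_key) - 1) + b"&"
    assert len(filler) == limit
    return filler + field.encode() + b"=" + payload.encode()


def waf_decision(body: bytes, block_oversize: bool,
                 limit: int = BODY_INSPECTION_LIMIT) -> str:
    """Return 'BLOCK' or 'ALLOW'.

    block_oversize=False models the permissive default: rules evaluate the
    inspected prefix and the remainder of the body is simply passed through.
    block_oversize=True models a size-restriction rule (or oversize handling
    set to match): any body larger than the inspectable limit is blocked.
    """
    if block_oversize and len(body) > limit:
        return "BLOCK"
    return "BLOCK" if naive_sqli_rule(inspected_prefix(body, limit)) else "ALLOW"


if __name__ == "__main__":
    small = b"comment=' OR 1=1--"
    padded = craft_padded_form("' OR 1=1--")
    print("small body, default:   ", waf_decision(small, block_oversize=False))
    print("padded body, default:  ", waf_decision(padded, block_oversize=False))
    print("padded body, size rule:", waf_decision(padded, block_oversize=True))
```

The point of the two modes: without a size restriction the same payload that is blocked in a small body sails through once it is pushed past the inspected prefix, so any web ACL that relies on body matching must either block oversized bodies or accept that everything past the limit is unfiltered.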
🔴 Scaling Kubernetes Tenant Management with Hierarchical Namespaces Controller
Post detailing Mercari's multitenant Kubernetes architecture and the issues they faced while migrating from on-premises deployments to containers on Google Kubernetes Engine (GKE).
https://engineering.mercari.com/blog/entry/20210930-scaling-kubernetes-tenant-management-with-hierarchical-namespaces-controller/
#gcp
🔷 Azure Service Authentication and Authorization table
A table for reviewing service authentication and authorization security in Azure, especially cross-service security.
https://github.com/jsa2/aad-auth-n-z
#azure
🔴 Org Policies by default
An opinionated list of common organization policies you should use in Google Cloud.
https://medium.com/google-cloud/org-policies-by-default-3adc0c8925b0
#gcp
🔶 Serverless Policy Enforcement: Connecting OPA and AWS Lambda
Recent updates to the project aim to better integrate OPA with serverless architectures and other infrastructure with intermittent compute.
https://blog.openpolicyagent.org/serverless-policy-enforcement-connecting-opa-and-aws-lambda-e624f7176a3
#aws
🔷 Azure Security Roadmap
What do you do when you're handed a pile of new-to-you Azure accounts to secure?
https://www.coffeehousecoders.org/blog/azure_security_roadmap.html
#azure
🔴 Improve your security posture with new Overly Permissive Firewall Rule Insights
Google introduced a new Firewall Insights module, "Overly Permissive Firewall Rule Insights", which automatically analyzes large volumes of firewall logs and produces easy-to-understand insights and recommendations for tightening firewall configurations and improving network security posture.
https://cloud.google.com/blog/products/gcp/use-firewall-insights-to-improve-security-posture
#gcp
🔶 Announcing Terraform AWS Cloud Control Provider Tech Preview
A new provider for Terraform, built around the AWS Cloud Control API, is designed to bring new services to Terraform faster.
https://www.hashicorp.com/blog/announcing-terraform-aws-cloud-control-provider-tech-preview
#aws
🔶 Securely Decoupling Kubernetes-based Applications on Amazon EKS using Kafka with SASL/SCRAM
Post exploring a Go-based application deployed to Kubernetes using Amazon EKS. The microservices that comprise the application communicate asynchronously by producing and consuming events from Amazon Managed Streaming for Apache Kafka (Amazon MSK).
https://itnext.io/securely-decoupling-applications-on-amazon-eks-using-kafka-with-sasl-scram-48c340e1ffe9
#aws
🔷 It's tough being an Azure fan
Even as a user and something of a fan of the Azure technology, the author finds it increasingly difficult to recommend.
https://alexhudson.com/2021/09/17/its-tough-being-an-azure-fan/
#azure
🔶 Control The Blast Radius Of Your Lambda Functions With An IAM Permissions Boundary
A great benefit of building Lambda-based applications is that the security best practice of least privilege can be applied at a very granular level, the individual Lambda function.
https://www.iampulse.com/t/control-the-blast-radius-of-your-lambda-functions-with-an-iam-permissions-boundary
#aws
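An added example (editor's illustration, not code from the linked post) of the pattern the summary describes: a permissions boundary acts as a ceiling on every Lambda execution role in one application, and the developers' own policy only lets them create roles that carry that boundary. The account ID, region, the `orders` app prefix and the boundary policy name are made up; the policy documents use only real IAM actions and condition keys (`iam:PermissionsBoundary`, `iam:PassedToService`). The small `boundary_allows` evaluator is a simplification (Allow statements only, no conditions) that exists to show what the ceiling lets through.

```python
"""Permissions boundary as a blast-radius ceiling for an app's Lambda roles,
plus the developer policy that makes the boundary mandatory."""
import fnmatch
import json


def boundary_arn(account_id: str, app: str) -> str:
    # Hypothetical policy name; any fixed, per-app name works.
    return f"arn:aws:iam::{account_id}:policy/{app}-lambda-boundary"


def lambda_permissions_boundary(account_id: str, region: str, app: str) -> dict:
    """Ceiling for every Lambda role in this app: its own log groups, tables
    and buckets, nothing else. A boundary grants nothing by itself; a role's
    effective permissions are the intersection of this and its own policies."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Logging",
                "Effect": "Allow",
                "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{app}-*",
            },
            {
                "Sid": "AppData",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query",
                           "s3:GetObject", "s3:PutObject"],
                "Resource": [
                    f"arn:aws:dynamodb:{region}:{account_id}:table/{app}-*",
                    f"arn:aws:s3:::{app}-*/*",
                ],
            },
        ],
    }


def developer_policy(account_id: str, app: str) -> dict:
    """Identity policy for the humans/CI deploying this app: they may create
    and wire up roles named {app}-*, but only with the boundary attached, may
    pass those roles only to Lambda, and cannot remove or weaken the boundary."""
    roles = f"arn:aws:iam::{account_id}:role/{app}-*"
    boundary = boundary_arn(account_id, app)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "CreateRolesOnlyWithBoundary",
                "Effect": "Allow",
                "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"],
                "Resource": roles,
                "Condition": {"StringEquals": {"iam:PermissionsBoundary": boundary}},
            },
            {
                "Sid": "PassRolesToLambdaOnly",
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": roles,
                "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}},
            },
            {
                "Sid": "NoBoundaryRemoval",
                "Effect": "Deny",
                "Action": "iam:DeleteRolePermissionsBoundary",
                "Resource": roles,
            },
            {
                "Sid": "BoundaryDocumentIsImmutable",
                "Effect": "Deny",
                "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                           "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
                "Resource": boundary,
            },
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def boundary_allows(boundary: dict, action: str, resource: str) -> bool:
    """Simplified evaluation of the boundary ceiling: Allow statements only,
    wildcard matching on action and resource, no conditions or Deny handling."""
    for stmt in boundary["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and \
           any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


if __name__ == "__main__":
    acct, region, app = "123456789012", "eu-west-1", "orders"
    # Feed these to `aws iam create-policy --policy-document file://...`
    print(json.dumps(lambda_permissions_boundary(acct, region, app), indent=2))
    print(json.dumps(developer_policy(acct, app), indent=2))
```

With this in place a compromised function can at most reach the `orders-*` tables and buckets, whatever overly broad identity policy a developer attaches to its role, and a developer who tries to create an unbounded role is refused by the `iam:PermissionsBoundary` condition.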
🔷 10 Common Security Issues when Migrating from On Premises to Azure
This article focuses on the security risks of a cloud migration and compiles common security anti-patterns and best practices for architects who are only familiar with traditional on-premises data centers.
https://www.praetorian.com/blog/migrating-to-azure/
#azure
🔶 Revisiting Lambda Persistence
To an attacker, serverless environments are a very different target from their traditional server-based counterparts. Even gaining remote code execution, which would normally start a race to escalate privileges, means something quite different.
https://frichetten.com/blog/revisiting_lambda_persistence/
#aws
🔷 Escalating Azure Privileges with the Log Analytics Contributor Role
A (now fixed) privilege escalation that allowed an Azure AD user to escalate from the Log Analytics Contributor role to a full Subscription Contributor role.
https://www.netspi.com/blog/technical/cloud-penetration-testing/escalating-azure-privileges-with-the-log-analystics-contributor-role/
#azure