Cloud Security

[Recap to security, identity, and compliance sessions at AWS re:Invent 2022 AWS Security Blog](https://aws.amazon.com/blogs/security/recap-to-security-identity-and-compliance-sessions-at-aws-reinvent-2022/)

Security state of the Azure DevOps Marketplace

AWS re:Invent 2022 - Context is everything: CNAPP revolution to secure AWS deployments (PRT254) - YouTube

[Three key security themes from AWS re:Invent 2022 AWS Security Blog](https://aws.amazon.com/blogs/security/three-key-security-themes-from-aws-reinvent-2022/)
[The anatomy of ransomware event targeting data residing in Amazon S3 AWS Security Blog](https://aws.amazon.com/blogs/security/anatomy-of-a-ransomware-event-targeting-data-in-amazon-s3/?ck_subscriber_id=1509582773)
[Updated whitepaper available: AWS Security Incident Response Guide AWS Security Blog](https://aws.amazon.com/blogs/security/updated-whitepaper-available-aws-security-incident-response-guide/?ck_subscriber_id=1509582773)

Cedar: A new policy language – One Cloud Please

Detecting Anomalous AWS Sessions From Temporary Credentials - 1 of 2

[Blog SES-pionage](https://permiso.io/blog/s/aws-ses-pionage-detecting-ses-abuse/)
[Responding to an attack in AWS. A case study — Part 1 by Invictus Incident Response Jan, 2023 AWS Tip](https://awstip.com/responding-to-an-attack-in-aws-9048a1a551ac)

PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources

[Recap of AWS re:Invent 2022: An Honest Review Resmo](https://www.resmo.com/blog/aws-reinvent-2022-recap)
[‘Go get your swag!’: Five days living large at a giant Vegas tech-fest The Spinoff](https://thespinoff.co.nz/business/10-12-2022/go-get-your-swag-five-days-living-large-at-a-giant-vegas-tech-fest)
[AWS CloudTrail vulnerability: Undocumented API allows CloudTrail bypass Datadog Security Labs](https://securitylabs.datadoghq.com/articles/iamadmin-cloudtrail-bypass/)

A Faster Horse – tecosystems

Penetrating the Cloud: Uncovering Unknown Vulns - YouTube

Elastic IP Hijacking — A New Attack Vector in AWS

[Blog Cloud Cred Harvesting Campaign - Grinch Edition](https://permiso.io/blog/s/christmas-cloud-cred-harvesting-campaign/)

Crimes against cloud: an investigation - by Forrest Brazeal

The Many Ways to Access RDS

[Microsoft Azure’s defense in depth approach to cloud vulnerabilities Azure Blog and Updates Microsoft Azure](https://azure.microsoft.com/en-us/blog/microsoft-azures-defense-in-depth-approach-to-cloud-vulnerabilities/?ck_subscriber_id=1509582773)
[A retrospective on public cloud breaches of 2022, with Rami McCarthy and Houston Hopkins Datadog Security Labs](https://securitylabs.datadoghq.com/articles/public-cloud-breaches-2022-mccarthy-hopkins/)

Compromised Cloud Compute Credentials: Case Studies From the Wild

[Considerations for security operations in the cloud AWS Security Blog](https://aws.amazon.com/blogs/security/considerations-for-security-operations-in-the-cloud/)
[Three recurring Security Hub usage patterns and how to deploy them AWS Security Blog](https://aws.amazon.com/blogs/security/three-recurring-security-hub-usage-patterns-and-how-to-deploy-them/)

Noovolari/awesome-cloudops: A curated list of tools and best practices for CloudOps

Abusing Misconfigured ECR Resource Policies - Hacking The Cloud

[Automated Cleanup of Unused Google Cloud Projects Google Cloud Blog](https://cloud.google.com/blog/topics/developers-practitioners/automated-cleanup-unused-google-cloud-projects/)
[Establishing a data perimeter on AWS: Allow only trusted identities to access company data AWS Security Blog](https://aws.amazon.com/blogs/security/establishing-a-data-perimeter-on-aws-allow-only-trusted-identities-to-access-company-data/)

[Cloud Security Table Top Exercises by Matt Fuller Level Up Coding](https://levelup.gitconnected.com/cloud-security-table-top-exercises-629d353c268e)
[pentesting.cloud part 1: “Open To The Public” CTF walkthrough by Pawel Rzepa Nov, 2022 InfoSec Write-ups](https://infosecwriteups.com/pentesting-cloud-part-1-open-to-the-public-ctf-walkthrough-aa4dae59ec4e)

https://medium.com/gsktech/from-zero-to-production-in-sixty-minutes-building-a-cloud-platform-for-product-development-1d7e9bcd995d

https://fivexl.io/blog/fivexl-reaction/

https://github.com/1debit/alternat/

STOP PLAYING WHAC-A-MOLE, START USING LEAST PRIVILEGE IAM POLICIES

Finding the “minimum permissions” for an IAM policy can feel like playing a game of Whac-A-Mole. Our latest blog post discusses best practices for defining least privilege IAM policies so you can avoid the back-and-forth.

[How to use trust policies with IAM roles AWS Security Blog](https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/)

Source & Binary / You should have lots of AWS accounts TODO

Guide to AWS Lambda Function URLs — Cloudash Blog

[Simplifying serverless permissions with AWS SAM Connectors AWS Compute Blog](https://aws.amazon.com/blogs/compute/simplifying-serverless-permissions-with-aws-sam-connectors/?ck_subscriber_id=1509582773)

AWS Secrets Manager and the principle of least-privilege

[AWS CloudTrail — The Good, the Bad, and the Ugly by Seshu Pasam Ariksa Medium](https://medium.com/@seshu/aws-cloudtrail-the-good-the-bad-and-the-ugly-b314c32138d9)

Seshu Pasam on Twitter: “Many #CSPM and #CIEM use-cases rely on #AWS #CloudTrail. Lets check how good it is! AWS CloudTrail — The Good, the Bad, and the Ugly: https://t.co/QwHpUUOCs5 #IAM” / Twitter

[The importance of a mentor in your cloud learning journey AWS Training and Certification Blog](https://aws.amazon.com/blogs/training-and-certification/the-importance-of-a-mentor-in-your-cloud-learning-journey/?ck_subscriber_id=1509582773)

aws/rolesanywhere-credential-helper

I like what AWS has done with its IAM Roles Anywhere release; as a refresher, it lets you get an IAM role anywhere you have a certificate signed by your designated certificate authority. That said, this stuff is finicky to get right, so AWS has launched its rolesanywhere-credential-helper, a reference implementation that’ll help you get your own implementation dialed in.

26 AWS Security Best Practices to Adopt in Production - DEV Community 👩‍💻👨‍💻

26 AWS Security Best Practices to Adopt in Production – Sysdig

Securely Using External ID for Accessing AWS Accounts Owned by Others

[Black Hat USA: Deliberately vulnerable AWS, Azure cloud infrastructure is a pen tester’s playground The Daily Swig](https://portswigger.net/daily-swig/black-hat-usa-deliberately-vulnerable-aws-azure-cloud-infrastructure-is-a-pen-testers-playground)

Aidan W Steele on Twitter: “I regret to inform that I am extremely back on my bullshit. I’ve been thinking about connectivity in unusual places. And I got to thinking: can I establish bidirectional connectivity over the Internet between two EC2 instances in private subnets without a third-party relay? https://t.co/kMKb3138L4” / Twitter

Comparison of AWS Compute Options in 2022 – keep moving

AWS Secrets Manager GitHub Action · Actions · GitHub Marketplace

Securing a new AWS account - Starting with Trusted Advisor - DEV Community 👩‍💻👨‍💻

[Protect Sensitive Data with Amazon CloudWatch Logs AWS News Blog](https://aws.amazon.com/blogs/aws/protect-sensitive-data-with-amazon-cloudwatch-logs/)

AWS Ramp-Up Guide: Security

iann0036/tree-view-cfn: Force CloudFormation to generate a tree view for any stack

[How to detect root hackers on AWS and prevent the launching of unauthorized EC2 instances by David Rampil Medium](https://medium.com/@Frozenashes/how-to-detect-management-console-root-hackers-on-amazon-web-services-c046ab9c3191)

Audit Considerations - CloudSecDocs

AWS IAM (Identity and Access Management) Cheat-sheet/Wrap-up
TODO

[How to let builders create IAM resources while improving security and agility for your organization AWS Security Blog](https://aws.amazon.com/blogs/security/how-to-let-builders-create-iam-resources-while-improving-security-and-agility-for-your-organization/)

The Complete Guide to AWS KMS

[Security Nuances of the AWS Metadata Service in Container Workloads by David Levitsky Simply CloudSec Medium](https://medium.com/simply-cloudsec/security-nuances-of-the-aws-metadata-service-in-container-workloads-680be43b63e)

Simple Route53/Cloudfront/S3 Subdomain Takeover - Hacking The Cloud

awslabs/terraform-iam-policy-validator: A command line tool that validates AWS IAM Policies in a Terraform template against AWS IAM best practices

[A comprehensive cloud security approach for state and local governments Google Cloud Blog](https://cloud.google.com/blog/topics/public-sector/comprehensive-cloud-security-approach-state-and-local-governments)

AWS IAM Interview Questions - k9 Security

[How to move towards continuous compliance while avoiding misconfigurations Google Cloud Blog](https://cloud.google.com/blog/products/identity-security/how-to-move-towards-continuous-compliance-while-avoiding-misconfigurations)
[Identity Guide – Preventive controls with AWS Identity – SCPs AWS Cloud Operations & Migrations Blog](https://aws.amazon.com/blogs/mt/identity-guide-preventive-controls-with-aws-identity-scps/)
[Insecure Deserialization in AWS Lambda What is the Vulnerability and How to Avoid It? Contrast Security - Security Boulevard](https://securityboulevard.com/2022/08/insecure-deserialization-in-aws-lambda-what-is-the-vulnerability-and-how-to-avoid-it-contrast-security/)

Identifying publicly accessible resources with Amazon VPC Network Access Analyzer
TODO

[Building security guardrails for developers with Google Cloud Google Cloud Blog](https://cloud.google.com/blog/topics/inside-google-cloud/building-security-guardrails-for-developers-with-google-cloud)
[Building AWS Lambda governance and guardrails AWS Compute Blog](https://aws.amazon.com/blogs/compute/building-aws-lambda-governance-and-guardrails/)

Guide to AWS Lambda Function URLs

Reusing Connections with Keep-Alive in Node.js - AWS SDK for JavaScript

Cost Optimisation In The Cloud – Practical Design Steps For Architects and Developers – Part 1 – Baldacchino Automation

https://automation.baldacchino.net/cost-optimising-your-architecture-on-azure-practical-design-steps-for-builders-to-cost-optimise-your-tech-stack-part-2/

[Introducing Virtual Machine Threat Detection to block critical threats Google Cloud Blog](https://cloud.google.com/blog/products/identity-security/introducing-virtual-machine-threat-detection-to-block-critical-threats)

Trivy: Enhanced with AWS scan integration

GuardDuty - the Good, the Bad and the Ugly - Chandrapal Badshah

[Update of AWS Security Reference Architecture is now available AWS Security Blog](https://aws.amazon.com/blogs/security/update-of-aws-security-reference-architecture-is-now-available/?ck_subscriber_id=1509582773)
[Get more out of service control policies in a multi-account environment AWS Security Blog](https://aws.amazon.com/blogs/security/get-more-out-of-service-control-policies-in-a-multi-account-environment/)

An Easy Misconfiguration to Make: Hidden Dangers in the Cloud Control Plane

A Review of the AWS Security Model - Nick Jones https://twitter.com/nojonesuk/status/1529182459799257089

[Securing AWS Lambda function URLs Wiz Blog](https://www.wiz.io/blog/securing-aws-lambda-function-urls)

AWS Account Setup and Root User :: AWS Well-Architected Labs

[Security Considerations For Hosting Domain Controllers In Cloud Personal notes on Cybersecurity and Cloud](https://blog.karims.cloud/2022/08/09/security-considerations-for-hosting-domain-controllers-in-cloud.html)

State of the Cloud 2022 · Bessemer Venture Partners

IAM Vulnerable - Assessing the AWS Assessment Tools | Bishop Fox TODO

Cloud Permissions

A quick overview of AWS principals, identity-based policies, and resource-based policies

Implement IAM Permission Boundaries with AWS SSO using Terraform
Chris McKinnel

AWS IAM Security Best Practices

Data Perimeter Workshop

[IAM policy types: How and when to use them AWS Security Blog](https://aws.amazon.com/blogs/security/iam-policy-types-how-and-when-to-use-them/?ck_subscriber_id=1509582773)

AWS account root user credentials and IAM user credentials - AWS General Reference


google/k8s-digester: Add digests to container and init container images in Kubernetes pod and pod template specs. Use either as a mutating admission webhook, or as a client-side KRM function with kpt or kustomize.

Deepfence ThreatMapper 1.4 Unveils Open Source Threat Graph to Visualize Cloud Native Threat Landscape | Business Wire

  • ThreatGraph, a powerful new feature that uses runtime context like network flows to prioritize threat scan results and enables organizations to narrow down attack path alerts from thousands to a handful of the most meaningful (and threatening)
  • Agentless cloud security posture management (CSPM) of cloud assets mapped to various compliance controls like CIS, HIPAA, GDPR, SOC 2, and more
  • YaraHunter, the industry’s first open source malware scanner for cloud native environments

Should AWS really be the default go-to option?

[Research Partnership explores Cloud Analytics by Ingrid Skoog MITRE-Engenuity Jul, 2022 Medium](https://medium.com/mitre-engenuity/research-partnership-explores-cloud-analytics-6dddebbac807)
[Announcing Cloud Analytics, Google’s latest partnership with MITRE Google Cloud Blog](https://cloud.google.com/blog/products/identity-security/announcing-cloud-analytics-googles-latest-partnership-with-mitre)

https://twitter.com/ArmanSameer95/status/1555002208948817920

https://twitter.com/levelsio/status/1555612453999886347 Also thinking about finding the right partner :)

[Protecting GCP Services with VPC Service Controls and Terraform by Ryan Canty ScaleSec](https://blog.scalesec.com/protecting-gcp-services-with-vpc-service-controls-and-terraform-858019d8b4ff)

Zack Kanter on Twitter: “Google Cloud will never be profitable. It is borderline impossible for a company whose core product is high margin to build cost discipline in a low-margin secondary product. AWS’s biggest advantage is being borne from (and run like) a low margin core business. https://t.co/AWPTcSZ91p” / Twitter

[Cloud Security Wiki Cloud Security Wiki](https://www.secwiki.cloud/?utm_medium=email)

Protect Your Data from Ransomware with S3 Object Lock TODO

https://www.linkedin.com/posts/shilpi-bhattacharjee_cloudsecurity-cloudsecuritypodcast-infosec2022-activity-6946709091809394688-cmaI?utm_source=linkedin_share&utm_medium=member_desktop_web Cloud Security interviews from BSidesSF

[Serverless is a State of Mind. The point is focus — that is the why of… by Ben Kehoe Medium](https://ben11kehoe.medium.com/serverless-is-a-state-of-mind-717ef2088b42)

Speeding Up AWS IAM Least Privileges with Cloudsplaining, Elastic Stack, & AWS Access Analyzer - YouTube

[How to think about threat detection in the cloud Google Cloud Blog](https://cloud.google.com/blog/products/identity-security/how-to-think-about-threat-detection-in-the-cloud)

Secure SSH on EC2: What are the real threats? – Sysdig

glassechidna/trackiam: A project to collate IAM actions, AWS APIs and managed policies from various public sources.

[Announcing MITRE ATT&CK mappings for Google Cloud security capabilities Google Cloud Blog](https://cloud.google.com/blog/products/identity-security/announcing-mitre-attck-mappings-released-for-google-cloud-security-capabilities)

CloudGoat Scenario: Avoiding AWS Security Detection and Response

Granted, Common Fate, and AWS Functionality with Chris Norman - Last Week in AWS Podcast

[Use templated answers to perform Well-Architected reviews at scale AWS Architecture Blog](https://aws.amazon.com/blogs/architecture/use-templated-answers-to-perform-well-architected-reviews-at-scale/)
[Google Cloud Security Overview Google Cloud Blog](https://cloud.google.com/blog/topics/developers-practitioners/google-cloud-security-overview)

Noovolari/leapp: Leapp is the DevTool to access your cloud https://twitter.com/a_cava94

I’m the maintainer of an open-source Desktop App and CLI that works in a similar way; it manages OKTA as identity provider in order to generate short-lived credentials and rotate them locally!

Threat Alert: New Attack Vector Targeting Your Cloud Environment
TODO

Attacker’s Tactics and Techniques in Unsecured Docker Daemons Revealed

Infrastructure-as-code templates are the source of many cloud infrastructure weaknesses

tektoncd / pipeline
A K8s-native Pipeline resource. https://tekton.dev

  • https://github.com/tektoncd/triggers
  • https://github.com/tektoncd/catalog - Catalog of shared Tasks and Pipelines.