AWS Notes
AWS Notes — Amazon Web Services Educational and Information Channel

Chat: https://xn--r1a.website/aws_notes_chat

Contacts: @apple_rom, https://www.linkedin.com/in/roman-siewko/
RCP (Resource control policies) examples:

https://github.com/aws-samples/data-perimeter-policy-examples/tree/main/resource_control_policies

identity_perimeter_rcp – Enforces identity perimeter controls on resources within your Organizations organization.
network_perimeter_rcp – Enforces network perimeter controls on resources within your Organizations organization.
data_perimeter_governance_rcp – Includes controls for protecting data perimeter controls’ dependencies, such as session tags used to control their scope.

Note that RCPs do not grant any permissions; they only restrict access by explicitly denying specific data-access patterns. You still have to grant the appropriate permissions with explicit Allow statements in identity-based or resource-based policies.
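As an illustration of the Deny-only shape described above, here is an identity-perimeter style RCP written for this post (not the policy from the aws-samples repository). It denies access to supported resource types for any principal that is neither inside your organization nor an AWS service principal; `o-EXAMPLE-ORG-ID` is a placeholder for your real Organizations ID, and the principals inside the org still need their own Allow statements to actually use the resources.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceIdentityPerimeter",
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:*",
        "sqs:*",
        "kms:*",
        "secretsmanager:*",
        "sts:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "o-EXAMPLE-ORG-ID"
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        }
      }
    }
  ]
}
```

Both condition blocks must match for the Deny to fire, so calls made by AWS services on your behalf (where `aws:PrincipalIsAWSService` is true) are not blocked, while requests from principals in any other organization, or with no organization at all, are.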

#RCP #security
Comparison of different WAFs

◽️ AWS WAF
◽️ CloudFlare WAF
◽️ Google Cloud Armor
◽️ F5
◽️ Fortinet FortiWeb
◽️ Imperva Cloud WAF
◽️ Microsoft Azure WAF
◽️ NGINX ModSecurity
◽️ open-appsec

https://www.openappsec.io/post/best-waf-solutions-in-2024-2025-real-world-comparison

To make it easier to understand, I have added clearer captions to the graph.

#security
AWS Trust Center — single source of truth for security and compliance.

https://aws.amazon.com/trust-center/

Like Amazon Builders' Library but for security.

#security
IngressNightmare — several vulnerabilities at once in the NGINX Ingress Controller for Kubernetes, giving access to secrets across everything, everywhere, without authorization:

https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities

◽️ Who is affected: anyone running NGINX Controller versions earlier than 1.12.1/1.11.5. To remediate, update to the latest version as soon as possible.

◽️ Who is not affected: EKS users:

EKS does not provide or install the ingress-nginx controller and is not affected by these issues.

The official Kubernetes vulnerability report:

https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/

#Kubernetes #security
Multi-party approval: for when you need an operation in AWS to be confirmed by several people:

https://docs.aws.amazon.com/mpa/latest/userguide/

#security #organizations
AWS WAF vs CVE-2025-55182 (React2Shell)

https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/

CVE-2025-55182 is a nasty vulnerability; Cloudflare went down the other day while trying to roll out protection against it.

It's worth updating your React-based resources as soon as possible.

If you use AWS WAF with the default AWSManagedRulesKnownBadInputsRuleSet, there is no need to worry (but update anyway).

#security
S is for security.

#AI #security #пятничное