πΆ Hacking Github AWS integrations again
Another post looking at the perils of unproperly scoping access provided by OIDC.
https://dagrz.com/writing/aws-security/hacking-github-aws-oidc
#aws
Another post looking at the perils of unproperly scoping access provided by OIDC.
https://dagrz.com/writing/aws-security/hacking-github-aws-oidc
#aws
π₯2β€1π1
πΆ AWS Security Monitoring in 2023: Untangle the chaos
This post provides recommendations for implementing an effective security monitoring strategy in AWS.
https://marbot.io/blog/2023-08-04-aws-security-monitoring-in-2023.html
#aws
This post provides recommendations for implementing an effective security monitoring strategy in AWS.
https://marbot.io/blog/2023-08-04-aws-security-monitoring-in-2023.html
#aws
π4π₯1π±1
πΆ SSRF Tricks - Thread
Some tricks Β«rhynoraterΒ» picked up over the past 5 years of web app testing.
https://x.com/rhynorater/status/1689400476452679682?s=52&t=J3j_Bp59pI4rfliKITPeZQ
(Use VPN to open from Russia)
#aws
Some tricks Β«rhynoraterΒ» picked up over the past 5 years of web app testing.
https://x.com/rhynorater/status/1689400476452679682?s=52&t=J3j_Bp59pI4rfliKITPeZQ
(Use VPN to open from Russia)
#aws
π4β€1π₯1π±1
π· An Azure Tale of VPN, Conditional Access and MFA Bypass
A walkthrough review of the implementation of an on-prem VPN server that used Azure AD as the idP and enforced MFA via conditional access policies.
https://simondotsh.com/infosec/2023/08/15/azure-tale-vpn-ca-mfa-bypass.html
#azure
A walkthrough review of the implementation of an on-prem VPN server that used Azure AD as the idP and enforced MFA via conditional access policies.
https://simondotsh.com/infosec/2023/08/15/azure-tale-vpn-ca-mfa-bypass.html
#azure
π3π₯1π1
πΆ When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability
Threat actors used SugarCRM's zero-day CVE-2023-22952 and cloud account misconfigurations to access credentials.
https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat
#aws
Threat actors used SugarCRM's zero-day CVE-2023-22952 and cloud account misconfigurations to access credentials.
https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat
#aws
π5β€1π₯1
πΆ Identifying & Reducing Permission Explosion in AWS
The slides of a BlackHat 2023 talk that discusses how to identify, fix, and prevent permission explosion in your AWS environment.
https://i.blackhat.com/BH-US-23/Presentations/US-23-Moolrajani-Reducing-AWS-Permission-Explosion.pdf
#aws
The slides of a BlackHat 2023 talk that discusses how to identify, fix, and prevent permission explosion in your AWS environment.
https://i.blackhat.com/BH-US-23/Presentations/US-23-Moolrajani-Reducing-AWS-Permission-Explosion.pdf
#aws
π4π₯2π1
πΆ How to setup geofencing and IP allow-list for Cognito user pool
AWS recently announced that is now possible to enable WAF protection for Cognito user pools. And one of the things you can do with this is to implement geo-fencing and IP allow/deny lists.
https://theburningmonk.com/2022/08/how-to-setup-geofencing-and-ip-allow-list-for-cognito-user-pool/
#aws
AWS recently announced that is now possible to enable WAF protection for Cognito user pools. And one of the things you can do with this is to implement geo-fencing and IP allow/deny lists.
https://theburningmonk.com/2022/08/how-to-setup-geofencing-and-ip-allow-list-for-cognito-user-pool/
#aws
π3π₯2π±1
πΆ Terraform best practices for reliability at any scale
At scale, many Terraform state files are better than one. But how do you draw the boundaries and decide which resources belong in which state files? What are the best practices for organizing Terraform state files to maximize reliability, minimize the blast-radius of changes, and align with the design of cloud providers?
https://substrate.tools/blog/terraform-best-practices-for-reliability-at-any-scale
#aws
At scale, many Terraform state files are better than one. But how do you draw the boundaries and decide which resources belong in which state files? What are the best practices for organizing Terraform state files to maximize reliability, minimize the blast-radius of changes, and align with the design of cloud providers?
https://substrate.tools/blog/terraform-best-practices-for-reliability-at-any-scale
#aws
π3π1π₯1π±1
πΆ Methods to Backdoor an AWS Account
Post exploring some methods that an adversary can use to create backdoors in your AWS account: access keys, AssumeRole, changing Security Groups, UserData scripts, and SSM Send-Command.
https://mystic0x1.github.io/posts/methods-to-backdoor-an-aws-account/
#aws
Post exploring some methods that an adversary can use to create backdoors in your AWS account: access keys, AssumeRole, changing Security Groups, UserData scripts, and SSM Send-Command.
https://mystic0x1.github.io/posts/methods-to-backdoor-an-aws-account/
#aws
π6π₯1π1
πΆ Pivoting Clouds in AWS Organizations: Examining AWS Security Features and Tools for Enumeration
The architecture and considerable number of enabled/delegated service possibilities in AWS Organizations presents a serious vector for lateral movement within corporate environments. This could easily turn a single AWS account takeover into a multiple account takeover.
https://www.netspi.com/blog/technical/cloud-penetration-testing/pivoting-clouds-aws-organizations-part-2/
#aws
The architecture and considerable number of enabled/delegated service possibilities in AWS Organizations presents a serious vector for lateral movement within corporate environments. This could easily turn a single AWS account takeover into a multiple account takeover.
https://www.netspi.com/blog/technical/cloud-penetration-testing/pivoting-clouds-aws-organizations-part-2/
#aws
π3π₯1π1
πΆ Risk in AWS SSM Port Forwarding
A surprising AWS Systems Manager Session Manager (SSM) default that can introduce risk, especially for customers using SSM's Port Forwarding features.
https://ramimac.me/ssm-iam
#aws
A surprising AWS Systems Manager Session Manager (SSM) default that can introduce risk, especially for customers using SSM's Port Forwarding features.
https://ramimac.me/ssm-iam
#aws
π4π₯1π1
πΆ Shipping RDS IAM Authentication (with a bastion host & SSM)
A basic guide to getting RDS IAM Authentication set up when you're using a Private Endpoint.
https://ramimac.me/rds-iam-auth
#aws
A basic guide to getting RDS IAM Authentication set up when you're using a Private Endpoint.
https://ramimac.me/rds-iam-auth
#aws
π3π₯1π±1
π· New zero trust and digital sovereignty controls in Workspace, powered by AI
Google announced new zero trust, digital sovereignty, and threat defense controls powered by Google AI to help organizations keep their data safe.
https://workspace.google.com/blog/identity-and-security/accelerating-zero-trust-and-digital-sovereignty-ai
#azure
Google announced new zero trust, digital sovereignty, and threat defense controls powered by Google AI to help organizations keep their data safe.
https://workspace.google.com/blog/identity-and-security/accelerating-zero-trust-and-digital-sovereignty-ai
#azure
π4π₯1π1
π· How to Detect When an Azure Guest User Account Is Being Exploited
In Azure environments, guest users are the go-to option when giving access to a user from a different tenant. However, this could prove to be a costly mistake.
https://orca.security/resources/blog/detect-guest-user-account-exploited
#azure
In Azure environments, guest users are the go-to option when giving access to a user from a different tenant. However, this could prove to be a costly mistake.
https://orca.security/resources/blog/detect-guest-user-account-exploited
#azure
π2β€1π₯1
π΄ Grafana security update: GPG signing key rotation
Grafana signing keys have been exposed. Be sure to update their trusted certificate if you are a Grafana user.
https://grafana.com/blog/2023/08/24/grafana-security-update-gpg-signing-key-rotation/
#gcp
Grafana signing keys have been exposed. Be sure to update their trusted certificate if you are a Grafana user.
https://grafana.com/blog/2023/08/24/grafana-security-update-gpg-signing-key-rotation/
#gcp
π3π₯1π±1
πΆ Authorizing cross-account KMS access with aliases
KMS aliases are a great way to make KMS keys more convenient. But permitting one account to use an KMS key in another account through a KMS alias can be difficult. This article explains why, and how to solve the problem correctly.
https://lucvandonkersgoed.com/2023/08/25/authorizing-cross-account-kms-access-with-aliases
#aws
KMS aliases are a great way to make KMS keys more convenient. But permitting one account to use an KMS key in another account through a KMS alias can be difficult. This article explains why, and how to solve the problem correctly.
https://lucvandonkersgoed.com/2023/08/25/authorizing-cross-account-kms-access-with-aliases
#aws
π3π₯1π±1
π· 5 Tips to prevent or limit the impact of an incident in Azure
Five low-cost and easy to implement measures with high-impact to prevent or limit the impact of an incident in Azure: setup budget quotas, restrict app registration, prevent subscriptions from entering your tenant, ingest audit logging, and limit external collaboration.
https://invictus-ir.medium.com/5-tips-to-prevent-or-limit-the-impact-of-an-incident-in-azure-e9f664fe0100
(Use VPN to open from Russia)
#azure
Five low-cost and easy to implement measures with high-impact to prevent or limit the impact of an incident in Azure: setup budget quotas, restrict app registration, prevent subscriptions from entering your tenant, ingest audit logging, and limit external collaboration.
https://invictus-ir.medium.com/5-tips-to-prevent-or-limit-the-impact-of-an-incident-in-azure-e9f664fe0100
(Use VPN to open from Russia)
#azure
π3β€1π₯1
πΆ Verifying images in a private Amazon ECR with Kyverno and IAM Roles for Service Accounts (IRSA)
Applications, such as Kyverno, running within a Pod's containers can utilize the AWS SDK to make API requests to AWS services by leveraging AWS Identity and Access Management (IAM) permissions.
https://www.cncf.io/blog/2023/08/29/verifying-images-in-a-private-amazon-ecr-with-kyverno-and-iam-roles-for-service-accounts-irsa/
#aws
Applications, such as Kyverno, running within a Pod's containers can utilize the AWS SDK to make API requests to AWS services by leveraging AWS Identity and Access Management (IAM) permissions.
https://www.cncf.io/blog/2023/08/29/verifying-images-in-a-private-amazon-ecr-with-kyverno-and-iam-roles-for-service-accounts-irsa/
#aws
π4π₯1π±1
πΆπ·π΄ New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services
Security Joes Incident Response team recently became aware of a set of relatively new CVEs that were released at the end of March 2023. Surprisingly, these vulnerabilities have received little to no media coverage regarding their ease of exploitation and the potential security implications they pose to any cluster running a non-native object storage.
https://www.securityjoes.com/post/new-attack-vector-in-the-cloud-attackers-caught-exploiting-object-storage-services
#aws #azure #gcp
Security Joes Incident Response team recently became aware of a set of relatively new CVEs that were released at the end of March 2023. Surprisingly, these vulnerabilities have received little to no media coverage regarding their ease of exploitation and the potential security implications they pose to any cluster running a non-native object storage.
https://www.securityjoes.com/post/new-attack-vector-in-the-cloud-attackers-caught-exploiting-object-storage-services
#aws #azure #gcp
π3π₯1π1
πΆ Cloud Detection and Response Needs To Break Down Boundaries
The attack patterns of the modern day threat actor are changing as they are able to traverse across multiple environments in the cloud. CDR needs to keep up.
https://permiso.io/blog/cloud-detection-and-response-needs-to-break-down-boundaries
#aws
The attack patterns of the modern day threat actor are changing as they are able to traverse across multiple environments in the cloud. CDR needs to keep up.
https://permiso.io/blog/cloud-detection-and-response-needs-to-break-down-boundaries
#aws
π4π₯1π1