πΆ Identifying & Reducing Permission Explosion in AWS
The slides of a BlackHat 2023 talk that discusses how to identify, fix, and prevent permission explosion in your AWS environment.
https://i.blackhat.com/BH-US-23/Presentations/US-23-Moolrajani-Reducing-AWS-Permission-Explosion.pdf
#aws
The slides of a BlackHat 2023 talk that discusses how to identify, fix, and prevent permission explosion in your AWS environment.
https://i.blackhat.com/BH-US-23/Presentations/US-23-Moolrajani-Reducing-AWS-Permission-Explosion.pdf
#aws
π4π₯2π1
πΆ How to setup geofencing and IP allow-list for Cognito user pool
AWS recently announced that is now possible to enable WAF protection for Cognito user pools. And one of the things you can do with this is to implement geo-fencing and IP allow/deny lists.
https://theburningmonk.com/2022/08/how-to-setup-geofencing-and-ip-allow-list-for-cognito-user-pool/
#aws
AWS recently announced that is now possible to enable WAF protection for Cognito user pools. And one of the things you can do with this is to implement geo-fencing and IP allow/deny lists.
https://theburningmonk.com/2022/08/how-to-setup-geofencing-and-ip-allow-list-for-cognito-user-pool/
#aws
π3π₯2π±1
πΆ Terraform best practices for reliability at any scale
At scale, many Terraform state files are better than one. But how do you draw the boundaries and decide which resources belong in which state files? What are the best practices for organizing Terraform state files to maximize reliability, minimize the blast-radius of changes, and align with the design of cloud providers?
https://substrate.tools/blog/terraform-best-practices-for-reliability-at-any-scale
#aws
At scale, many Terraform state files are better than one. But how do you draw the boundaries and decide which resources belong in which state files? What are the best practices for organizing Terraform state files to maximize reliability, minimize the blast-radius of changes, and align with the design of cloud providers?
https://substrate.tools/blog/terraform-best-practices-for-reliability-at-any-scale
#aws
π3π1π₯1π±1
πΆ Methods to Backdoor an AWS Account
Post exploring some methods that an adversary can use to create backdoors in your AWS account: access keys, AssumeRole, changing Security Groups, UserData scripts, and SSM Send-Command.
https://mystic0x1.github.io/posts/methods-to-backdoor-an-aws-account/
#aws
Post exploring some methods that an adversary can use to create backdoors in your AWS account: access keys, AssumeRole, changing Security Groups, UserData scripts, and SSM Send-Command.
https://mystic0x1.github.io/posts/methods-to-backdoor-an-aws-account/
#aws
π6π₯1π1
πΆ Pivoting Clouds in AWS Organizations: Examining AWS Security Features and Tools for Enumeration
The architecture and considerable number of enabled/delegated service possibilities in AWS Organizations presents a serious vector for lateral movement within corporate environments. This could easily turn a single AWS account takeover into a multiple account takeover.
https://www.netspi.com/blog/technical/cloud-penetration-testing/pivoting-clouds-aws-organizations-part-2/
#aws
The architecture and considerable number of enabled/delegated service possibilities in AWS Organizations presents a serious vector for lateral movement within corporate environments. This could easily turn a single AWS account takeover into a multiple account takeover.
https://www.netspi.com/blog/technical/cloud-penetration-testing/pivoting-clouds-aws-organizations-part-2/
#aws
π3π₯1π1
πΆ Risk in AWS SSM Port Forwarding
A surprising AWS Systems Manager Session Manager (SSM) default that can introduce risk, especially for customers using SSM's Port Forwarding features.
https://ramimac.me/ssm-iam
#aws
A surprising AWS Systems Manager Session Manager (SSM) default that can introduce risk, especially for customers using SSM's Port Forwarding features.
https://ramimac.me/ssm-iam
#aws
π4π₯1π1
πΆ Shipping RDS IAM Authentication (with a bastion host & SSM)
A basic guide to getting RDS IAM Authentication set up when you're using a Private Endpoint.
https://ramimac.me/rds-iam-auth
#aws
A basic guide to getting RDS IAM Authentication set up when you're using a Private Endpoint.
https://ramimac.me/rds-iam-auth
#aws
π3π₯1π±1
π· New zero trust and digital sovereignty controls in Workspace, powered by AI
Google announced new zero trust, digital sovereignty, and threat defense controls powered by Google AI to help organizations keep their data safe.
https://workspace.google.com/blog/identity-and-security/accelerating-zero-trust-and-digital-sovereignty-ai
#azure
Google announced new zero trust, digital sovereignty, and threat defense controls powered by Google AI to help organizations keep their data safe.
https://workspace.google.com/blog/identity-and-security/accelerating-zero-trust-and-digital-sovereignty-ai
#azure
π4π₯1π1
π· How to Detect When an Azure Guest User Account Is Being Exploited
In Azure environments, guest users are the go-to option when giving access to a user from a different tenant. However, this could prove to be a costly mistake.
https://orca.security/resources/blog/detect-guest-user-account-exploited
#azure
In Azure environments, guest users are the go-to option when giving access to a user from a different tenant. However, this could prove to be a costly mistake.
https://orca.security/resources/blog/detect-guest-user-account-exploited
#azure
π2β€1π₯1
π΄ Grafana security update: GPG signing key rotation
Grafana signing keys have been exposed. Be sure to update their trusted certificate if you are a Grafana user.
https://grafana.com/blog/2023/08/24/grafana-security-update-gpg-signing-key-rotation/
#gcp
Grafana signing keys have been exposed. Be sure to update their trusted certificate if you are a Grafana user.
https://grafana.com/blog/2023/08/24/grafana-security-update-gpg-signing-key-rotation/
#gcp
π3π₯1π±1
πΆ Authorizing cross-account KMS access with aliases
KMS aliases are a great way to make KMS keys more convenient. But permitting one account to use an KMS key in another account through a KMS alias can be difficult. This article explains why, and how to solve the problem correctly.
https://lucvandonkersgoed.com/2023/08/25/authorizing-cross-account-kms-access-with-aliases
#aws
KMS aliases are a great way to make KMS keys more convenient. But permitting one account to use an KMS key in another account through a KMS alias can be difficult. This article explains why, and how to solve the problem correctly.
https://lucvandonkersgoed.com/2023/08/25/authorizing-cross-account-kms-access-with-aliases
#aws
π3π₯1π±1
π· 5 Tips to prevent or limit the impact of an incident in Azure
Five low-cost and easy to implement measures with high-impact to prevent or limit the impact of an incident in Azure: setup budget quotas, restrict app registration, prevent subscriptions from entering your tenant, ingest audit logging, and limit external collaboration.
https://invictus-ir.medium.com/5-tips-to-prevent-or-limit-the-impact-of-an-incident-in-azure-e9f664fe0100
(Use VPN to open from Russia)
#azure
Five low-cost and easy to implement measures with high-impact to prevent or limit the impact of an incident in Azure: setup budget quotas, restrict app registration, prevent subscriptions from entering your tenant, ingest audit logging, and limit external collaboration.
https://invictus-ir.medium.com/5-tips-to-prevent-or-limit-the-impact-of-an-incident-in-azure-e9f664fe0100
(Use VPN to open from Russia)
#azure
π3β€1π₯1
πΆ Verifying images in a private Amazon ECR with Kyverno and IAM Roles for Service Accounts (IRSA)
Applications, such as Kyverno, running within a Pod's containers can utilize the AWS SDK to make API requests to AWS services by leveraging AWS Identity and Access Management (IAM) permissions.
https://www.cncf.io/blog/2023/08/29/verifying-images-in-a-private-amazon-ecr-with-kyverno-and-iam-roles-for-service-accounts-irsa/
#aws
Applications, such as Kyverno, running within a Pod's containers can utilize the AWS SDK to make API requests to AWS services by leveraging AWS Identity and Access Management (IAM) permissions.
https://www.cncf.io/blog/2023/08/29/verifying-images-in-a-private-amazon-ecr-with-kyverno-and-iam-roles-for-service-accounts-irsa/
#aws
π4π₯1π±1
πΆπ·π΄ New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services
Security Joes Incident Response team recently became aware of a set of relatively new CVEs that were released at the end of March 2023. Surprisingly, these vulnerabilities have received little to no media coverage regarding their ease of exploitation and the potential security implications they pose to any cluster running a non-native object storage.
https://www.securityjoes.com/post/new-attack-vector-in-the-cloud-attackers-caught-exploiting-object-storage-services
#aws #azure #gcp
Security Joes Incident Response team recently became aware of a set of relatively new CVEs that were released at the end of March 2023. Surprisingly, these vulnerabilities have received little to no media coverage regarding their ease of exploitation and the potential security implications they pose to any cluster running a non-native object storage.
https://www.securityjoes.com/post/new-attack-vector-in-the-cloud-attackers-caught-exploiting-object-storage-services
#aws #azure #gcp
π3π₯1π1
πΆ Cloud Detection and Response Needs To Break Down Boundaries
The attack patterns of the modern day threat actor are changing as they are able to traverse across multiple environments in the cloud. CDR needs to keep up.
https://permiso.io/blog/cloud-detection-and-response-needs-to-break-down-boundaries
#aws
The attack patterns of the modern day threat actor are changing as they are able to traverse across multiple environments in the cloud. CDR needs to keep up.
https://permiso.io/blog/cloud-detection-and-response-needs-to-break-down-boundaries
#aws
π4π₯1π1
πΆ Lessons from Recent Social Engineering Attacks on Okta Super Admin Accounts
Post exploring the latest Okta security incidents and explaining how to fortify your IAM system against social engineering attacks.
https://acsense.com/blog/okta-super-admin-breach-steps-for-iam-resilience
#aws
Post exploring the latest Okta security incidents and explaining how to fortify your IAM system against social engineering attacks.
https://acsense.com/blog/okta-super-admin-breach-steps-for-iam-resilience
#aws
π3π₯1π1
πΆ aws-list-resources
Uses the AWS Cloud Control API to list resources that are present in a given AWS account and region(s).
https://github.com/welldone-cloud/aws-list-resources
#aws
Uses the AWS Cloud Control API to list resources that are present in a given AWS account and region(s).
https://github.com/welldone-cloud/aws-list-resources
#aws
π2β€1π₯1π±1
π· Announcing Notation Azure Key Vault plugin v1.0 for signing container images
The Notary Project is being adopted by Azure Key Vault.
https://techcommunity.microsoft.com/t5/apps-on-azure-blog/announcing-notation-azure-key-vault-plugin-v1-0-for-signing/ba-p/3920895
#azure
The Notary Project is being adopted by Azure Key Vault.
https://techcommunity.microsoft.com/t5/apps-on-azure-blog/announcing-notation-azure-key-vault-plugin-v1-0-for-signing/ba-p/3920895
#azure
π3β€1π₯1
π· The Azure Metadata Protection You Didn't Know Was There
Some Azure services have an additional, not widely known, protection mechanism against session token exfiltration.
https://ermetic.com/blog/azure/the-azure-metadata-protection-you-didnt-know-was-there/
#azure
Some Azure services have an additional, not widely known, protection mechanism against session token exfiltration.
https://ermetic.com/blog/azure/the-azure-metadata-protection-you-didnt-know-was-there/
#azure
π4π₯1π1
πΆ AWS Console Session Traceability: How Attackers Obfuscate Identity Through the AWS Console
Attackers can take advantage of a quirk of the default AWS configuration (without SourceIdentity configured) to potentially make detecting and attributing their actions more difficult.
https://www.gem.security/post/aws-console-session-traceability-how-attackers-obfuscate-identity-through-the-aws-console
#aws
Attackers can take advantage of a quirk of the default AWS configuration (without SourceIdentity configured) to potentially make detecting and attributing their actions more difficult.
https://www.gem.security/post/aws-console-session-traceability-how-attackers-obfuscate-identity-through-the-aws-console
#aws
π4π₯1π1