#aws, #build

Square developed and open sourced an extension that pre-fetches secrets from AWS Secrets Manager. By prefetching it is possible to eliminate the overhead introduced by calls to Secrets Manager, thus making secrets available immediately for Lambda function invocations.

#aws, #vault, #build

HashiCorp announced the public preview of a HashiCorp Vault AWS Lambda extension, utilizing the newly announced AWS Lambda Extensions API (also in public preview) to securely retrieve secrets from HashiCorp Vault.

#gcp, #attack

Whitepaper digging deep into Firebase and its security flaws.

#aws, #gcp, #vault, #attack

Project Zero found two vulnerabilities in HashiCorp Vault and its integration with AWS and GCP, which can lead to an authentication bypass in configurations that use the aws and gcp auth methods. Both vulnerabilities (CVE-2020-16250/16251) were addressed by HashiCorp and are fixed in Vault versions 1.2.5, 1.3.8, 1.4.4 and 1.5.1 released in August.

#azure, #attack

Some techniques for how a red team can gain a foothold and then escalate their privileges and move laterally within an Azure environment by using the Azure RBAC module.

#aws, #attack

A security review of AWS CloudFormer (beta), a tool created by AWS that helps create CloudFormation templates of existing resources within an account.

#defend

Building a public cloud security program from scratch is a lot of work. There are a ton of things you need to do and figuring out what you need to do and the priority is critical.

#gcp, #defend

How to set up a pipeline to stream data from Google Operations (ex Stackdriver) to the Elastic Stack so to can analyze Google Cloud logs alongside other observability data.

#aws, #explain

Article explaining with visual examples the AWS Lambda permission model, focusing on cross-account access and the principle of least privilege.

#azure, #build

Online workshops teaching how to build end-to-end continuous integration (CI) and continuous deployment (CD) capabilities directly in GitHub repositories using GitHub Actions.

#azure, #vault, #build

How to integrate Vault with Azure Active Directory and managed identities, and also use this authentication method to access dynamic short-lived secrets for a MySQL database.

#istio, #defend

Implement a technical check that verifies implemented security measurements. In case of network policies, try to establish a blocked network connection. Keep the checks as simple as possible and propagate the results in the existing monitoring solution.

IAMCTL is a tool that you can use to extract the IAM roles and policies from two accounts, compare them, and report out the differences and statistics. You can also have a look at the companion blog post.

gcpviz is a visualization tool that takes input from Cloud Asset Inventory, creates relationships between assets and outputs to a format compatible with graphviz.

AWS introduced "Extensions" for Lambda, a new way for tools to more easily integrate deeply into the Lambda execution environment to control and participate in Lambda’s lifecycle. They use the Extensions API, a new HTTP interface, to register for lifecycle events and get greater control during function initialization, invocation, and shutdown. As of today, it is possible to use extensions for the following tools: AppDynamics, Check Point, Datadog, Dynatrace, Epsagon, HashiCorp, Lumigo, New Relic, Thundra, Splunk, AWS AppConfig, and CloudWatch Lambda Insights.

Post outlining a design that can be used or modified to fit Amazon Elastic Container Registry (Amazon ECR) to the requirements of your organization.

AWS Security Hub improved how it displays details for security standards, which are collections of automated security checks based on industry and regulatory frameworks like the Center for Internet Security's (CIS) AWS Foundational Benchmarks, the Payment Card Industry Data Security Standard (PCI DSS), and AWS' own Foundational Security Best Practices.

Using GitHub Actions to test and deploy Docker containers on Google Cloud Run.