Do AWS drinks their own champagne? 🍾

TL;DR: AWS Managed Policies are safe. Currently. 🔄 Previously in Policy Validation Before the AWS Access Analyzer (AA) Policy Validation release, a few open source initiatives were available to lint AWS IAM Policies, like Parliament from Duo Labs and CloudSplaining (Salesforce). The tricky part of these tools is that they are community-driven, from volunteer contributors, and most of the master data comes from web scraping of the AWS IAM docs. That is difficult to maintain over time, especially if the documentation format changes, or if the documentation is not in sync with the IAM reality. It would be easier for everyone if the one who provides the rules were also the one who creates the validation tool to run against those rules, wouldn’t it? ...

April 6, 2021 · 4 min · 750 words · zoph

Keep you posted on AWS Security

Since my last post, on how to deal with information overload and my reading pipeline, I’ve created a free digest newsletter about AWS Security. The goal of this curated AWS Security Digest is to condense what happened last week across the most relevant sources:
🔦 A highlight of the week
👮 Changes since last week to AWS Managed IAM Policies
💌 Curated cloud security newsletters
👀 AWS API changes
🔒 IAM permission changes
🆙 Most upvoted posts on r/AWS
🔗 Top shared links on Twitter (by cloudsec folks)
🐦 Most engaged tweets from the community
This is an ongoing side project, so more content will be added over time. ...

January 22, 2021 · 1 min · 161 words · zoph

Level-up your online privacy using PGP

TL;DR I’m now using PGP for archive file encryption. The trigger This summer, I read Permanent Record by Edward Snowden, “Ed” for those in the know. I was pretty impressed at how a government organization with a budget of billions of dollars can organize a mass surveillance program on a worldwide scale in only a few decades. “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.” ...

September 29, 2020 · 3 min · 584 words · zoph

[MAMIP] Monitor AWS Managed IAM Policies

This article was posted in September 2019 and updated in February 2020. Disclaimer Thanks to @0xdabbad00 from SummitRoute for the original idea and the jq parsing. Purpose When your production workloads rely on AWS IAM Managed Policies (don’t do this), you will need to be notified when changes occur behind the scenes. It’s also interesting to monitor new AWS service releases before they are announced, to get spoiled. This pet project automates the retrieval (every 4 hours) of new AWS Managed IAM Policies to make it easier to monitor them and get alerted when AWS changes them, using the “Watch” feature from GitHub, RSS or a dedicated Twitter account. ...

February 22, 2020 · 2 min · 304 words · zoph

AWS Security Toolbox (AST)

In my day-to-day job, I was wasting my time reinstalling, and dealing with the dependencies of, all my favorite tools for AWS security audits and assessments. So, lately, I’ve decided to start another pet project to solve this issue and provide a simple Docker container that contains all the security-related tooling for your AWS assessments. I decided to open-source it after some discussion with my peers: they were interested in this kind of thing, to avoid wasting hours installing a myriad of apps and Python dependencies on their own laptop or a customer machine. ...

December 16, 2019 · 1 min · 146 words · zoph