Security

As businesses continue to adopt cloud computing and move their operations to the cloud, it’s crucial to ensure the security of their cloud environment. Amazon Web Services (AWS) is the leading cloud platform, but with the ease of use comes the responsibility of securing the data, applications, and services deployed on the cloud. AWS provides a vast array of security services, but it can be challenging to keep track of all the activities and changes happening in your AWS account. That’s where the AWS Security Survival Kit (ASSK) comes in. This comprehensive and free open-source kit sets up basic proactive monitoring and alerting on common suspicious activities in your AWS account. ...

Update from: 2021-12-23 Official Security bulletin from AWS AWSSupportServiceRolePolicy Informational Update https://aws.amazon.com/security/security-bulletins/AWS-2021-007/ You will find below details about the security incident that led to this unattended access for millions of AWS customers. On 22nd December 2021, AWS deployed a new version (v20) of AWSSupportServiceRolePolicy, used by a mandatory role AWSServiceRoleForSupport for AWS Support access to all AWS Accounts. In this policy, they added the action s3:getObject, which gives AWS Support teams access to all customer Amazon S3 data. ...

TL;DR: AWS Managed Policies are safe. Currently. :arrows_counterclockwise: Previously in Policy Validation Before the AWS Access Analyzer (AA) Policy Validation release, a few open source initiatives were available to lint AWS IAM Policies, like Parliament from Duolabs and CloudSplaining (Salesforce). The tricky part of these tools is that they are community-driven, from volunteer contributors, and most of the master data comes from AWS IAM docs web scraping. It is difficult to maintain over time, especially if the documentation format is changing, or if the documentation is not in sync with the IAM reality. It will be easier for everyone if the one who is providing the rules is the one who creates the validation tool to run against these rules. Isn’t it? ...

Since my last post on how to deal with information overload and reading pipeline, I’ve created a free digest newsletter about AWS Security. The goal of this curated AWS Security Digest is to condense what happened last week, from the most relevant sources: 🔦 A highlight of the week 👮 Changes since last week on AWS Managed IAM Policies 💌 Curated cloud security newsletters 👀 AWS API changes 🔒 IAM permissions changes 🆙 Most upvoted posts on r/AWS 🔗 Top shared links on Twitter (by cloudsec folks) 🐦 Most engaged tweets from the community This is an ongoing side project, so more content will be added over time. ...

TL;DR I’m now using PGP for archive file encryption. The trigger This summer, I read Permanent Record from Edward Snowden, “Ed” for those in the know. I was pretty impressed at how a government organization with a multi-billion dollar budget can organize a mass surveillance program at a worldwide scale in only a few decades. “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.” ...