Want to learn how to build real AWS resources with Terraform? 🧐
Join us for a live Cybr workshop where Tyler Petty will walk us through step-by-step how to deploy a static S3 website using only Infrastructure as Code (IaC) -- no "ClickOps" or accessing the AWS console.
This is a vital skill to learn for anyone serious about learning how to manage cloud resources (even beyond a security perspective). If you don't already use an IaC tool like Terraform, you really need to attend this session as it will be one of the most important skills you build this year.
I know that's a big claim, but I'm being serious.
This workshop is totally free and free lab accounts will be provided if you'd rather not use your own AWS account. Grab your spot here: cybr.com/webinars/building-on-aws-with-terraform/
How can you tell if your threat detection measures are working in AWS? 🤔
Or that your security controls and incident response playbooks are effective? 🧐
One effective approach 👉 create chaos and simulate real-world attack techniques, and see if it detects them or works as expected!
Sounds awesome, but how do I do that? Won’t that take a bunch of work?
It sure would if you started from scratch, but turns out there are some awesome open source tools that do exactly that. Let’s take a look at a few, and I’ll include a link at the end with multiple other tools similar to these:
- Red Canary’s Atomic Red Team™
- DataDog’s Stratus Red Team
- Amazon’s GuardDuty tester
- and more (keep reading)
Let's take a closer look at each one 👇👇👇
🔴 Red Canary’s Atomic Red Team™
Atomic Red Team is -- in a word -- a beast. It’s an impressive library of tests that security teams can use to execute simulated adversarial attacks, which can help you identify whether your defenses are working as expected or not. It’s even mapped to MITRE ATT&CK®.
While this tool has multiple scenarios for cloud environments, it wasn’t specifically designed for the cloud. That’s where this next tool shines…
🔴 DataDog’s Stratus Red Team
Stratus Red Team *was* designed for the cloud and it includes tests for AWS, Azure, GCP, and Kubernetes.
For example, to retrieve a bunch of secrets stored in Amazon's Secrets Manager, you can detonate this module:
> stratus detonate aws.credential-access.secretsmanager-batch-retrieve-secrets
What’s most impressive about this tool (at least to me) is how it creates its own required changes to detonate a TTP, keeps track of state, and then cleans up the resources. This is a lot easier said than done and quite an impressive implementation.
🔴 Amazon’s GuardDuty tester
This one is a lot more specific because it’s really only focused on testing that you’ve successfully enabled Amazon GuardDuty in your environment(s) and it helps show examples of findings. Helpful, but limited and much more narrowly scoped than the prior two, and as compared to the rest of the list below.
Want to see more tools like this? Check them out on CloudSec.Cybr here: cloudsec.cybr.com/aws/threat-detection/simulate-at…
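A detonation is only half of the check: the other half is confirming that your detection fires on the CloudTrail events it produces. The Python below is an added example, not code from the post or from Stratus Red Team. It runs a simple threshold detection over constructed CloudTrail records (not real logs) shaped like what the Secrets Manager batch-retrieve module leaves behind: many distinct GetSecretValue reads by one principal in a short window, or any BatchGetSecretValue call. The principal ARNs, secret names, IP addresses and the secretIdList request parameter are assumptions.

```python
"""Detection check for a Secrets Manager bulk-retrieval detonation.

Added example, not part of the original post or of Stratus Red Team.
Constructed CloudTrail records are fed through a threshold detection:
many distinct secrets read by one principal inside a short window, or
any use of the BatchGetSecretValue API at all.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _event(time, arn, name, params, ip):
    """Minimal CloudTrail record using the real top-level field names
    (eventTime, eventSource, eventName, userIdentity, requestParameters,
    sourceIPAddress); the values are constructed."""
    return {"eventTime": time, "eventSource": "secretsmanager.amazonaws.com",
            "eventName": name, "userIdentity": {"arn": arn},
            "requestParameters": params, "sourceIPAddress": ip}


NOISY = "arn:aws:sts::111122223333:assumed-role/stratus-target/session"  # assumed
LEGIT = "arn:aws:sts::111122223333:assumed-role/app/i-0abc"               # assumed

SAMPLE_EVENTS = (
    # Detonation: eight different secrets in about 20 s, then one batch call.
    [_event(f"2024-03-01T10:00:{3 * i:02d}Z", NOISY, "GetSecretValue",
            {"secretId": f"stratus-red-team-secret-{i}"}, "198.51.100.23") for i in range(8)]
    + [_event("2024-03-01T10:00:25Z", NOISY, "BatchGetSecretValue",
              {"secretIdList": ["prod/db", "prod/api", "prod/smtp"]}, "198.51.100.23")]
    # Normal application behaviour: the same secret, minutes apart.
    + [_event("2024-03-01T09:59:00Z", LEGIT, "GetSecretValue", {"secretId": "prod/db"}, "10.0.1.4"),
       _event("2024-03-01T10:30:00Z", LEGIT, "GetSecretValue", {"secretId": "prod/db"}, "10.0.1.4")]
)


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_secret_dumps(events, window_seconds=60, threshold=5):
    """One alert per principal that read >= threshold distinct secrets within
    any window_seconds window, or that used BatchGetSecretValue at all."""
    reads = defaultdict(list)  # principal -> [(time, event name, {secret ids})]
    for ev in events:
        if ev.get("eventSource") != "secretsmanager.amazonaws.com":
            continue
        params = ev.get("requestParameters") or {}
        if ev["eventName"] == "GetSecretValue":
            secrets = {params.get("secretId")}
        elif ev["eventName"] == "BatchGetSecretValue":
            # ASSUMPTION: ids are logged as secretIdList; a filter-based batch
            # call may carry no ids, so the call itself still counts.
            secrets = set(params.get("secretIdList") or ["<filter-based batch>"])
        else:
            continue
        reads[ev["userIdentity"]["arn"]].append((_parse_time(ev["eventTime"]), ev["eventName"], secrets))

    alerts = []
    for principal, rows in reads.items():
        rows.sort(key=lambda r: r[0])
        best, start = 0, 0
        for end in range(len(rows)):  # sliding window over the principal's reads
            while rows[end][0] - rows[start][0] > timedelta(seconds=window_seconds):
                start += 1
            best = max(best, len(set().union(*(r[2] for r in rows[start:end + 1]))))
        used_batch = any(r[1] == "BatchGetSecretValue" for r in rows)
        if best >= threshold or used_batch:
            alerts.append({"principal": principal, "max_distinct_secrets_in_window": best,
                           "used_batch_api": used_batch, "tactic": "Credential Access",
                           "first_seen": rows[0][0].isoformat(), "last_seen": rows[-1][0].isoformat()})
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_secret_dumps(SAMPLE_EVENTS), indent=2))
```

To use this for real: run `stratus detonate`, wait for CloudTrail delivery (events take minutes to land), pull the events for that window, and run the same logic your SIEM applies. If the detonation's principal produces no alert, the gap is in your detection, not in the tool. Tune the threshold against your own baseline first, since a legitimate batch job can look exactly like the noisy principal above, and remember to run `stratus cleanup` afterwards.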
What are the biggest threats facing Kubernetes deployments? A great way to learn is to turn to resources from OWASP 👇👇👇
💡 If you're not already familiar with OWASP, they're a nonprofit driven by volunteers, and they've been putting out fantastic (free) resources for years. Their most well known project is the "OWASP Top 10" which lists out the top 10 web application security risks...
...but not as well known is that they *also* have an OWASP Top 10 for Kubernetes Risks (link below)
🐐 The open source tool that we demonstrated in one of our recent live presentations (link below) called Kubernetes Goat has learning scenarios that map directly to the top 10 list so that you can learn about the risks and impacts hands-on. You can even do this all for free, since you have the ability to run it locally instead of in the cloud if you want.
Four free resources to keep learning about this:
➡️ OWASP K8s Top 10: owasp.org/www-project-kubernetes-top-ten/
➡️ K8s Goat: github.com/madhuakula/kubernetes-goat
➡️ More cheat sheets like this: cybr.com/tag/cheat-sheets/
➡️ Webinars: cybr.com/webinars
♻️ If you know anyone running Kubernetes or learning about it, help share to make sure they see this! ♻️
#kubernetessecurity #cloudsecurity #cloudsecurityengineer
My AWS access keys were exposed and are being exploited by a threat actor. What do I do?!?! 😱
➡️ Did you know that AWS has multiple Incident Response playbooks you can access for free and has one exactly for this scenario? 🥳 Not only can this help you in an emergency situation, but these playbooks have important information that can help you study for the AWS Certified Security Specialty exam.
Let’s take a closer look at what I mean with the #IAM credential exposure playbook 👇👇👇
📚 This playbook tells you what to do step-by-step if you believe you have compromised credentials that were used by an actor to create resources, modify configurations, establish persistence, etc...
💡 At a high level, you want to figure out:
💥 Vulnerabilities exploited
💥 Exploits and tools observed
💥 Actor’s intent
💥 Actor’s attribution
💥 Damage inflicted to the environment and business
To ultimately achieve your recovery point: returning to the original and hardened configuration
You can get there by following response steps from NIST:
✅ Analysis
✅ Containment
✅ Eradication
✅ Recovery
✅ Post-incident activity
This isn't always a linear process. For example, once you've performed basic analysis and identified it's not a false positive, you may want to contain by disabling exposed credentials before moving on to performing further analysis.
In this playbook, #AWS recommends using Amazon #Athena for most of the analysis. Athena can perform advanced querying across multiple AWS sources like:
- ALB
- CloudFront
- #CloudTrail
- #GuardDuty
- and a lot more...
Directly from Amazon #S3 by using SQL.
While not mentioned in this playbook, you could even visualize query results in #QuickSight.
From this resource alone, you can learn:
📌 What AWS services might be involved in incident response
📌 Data pipelines for IR (ie: CloudTrail -> S3 -> Athena -> QuickSight)
📌 What Athena is used for and what it can do
📌 Different categories of containment and steps in AWS (depending on different factors and scenarios)
📌 What types of IAM roles you might use in this situation
These are all potential topics you can expect to see on your AWS Certified Security Specialty exam, and of course, they're important topics to know when working within AWS if you're part of a response team.
Sources and more info:
🔗 IAM credential exposure playbook: github.com/aws-samples/aws-incident-response-playb…
🔗 AWS Security Incident Response Guide: docs.aws.amazon.com/whitepapers/latest/aws-securit…
🔗 NIST 800-61: csrc.nist.gov/pubs/sp/800/61/r2/final
More AWS security cheat sheets: cybr.com/cheat-sheets
♻️ Found this helpful? Please leave a like and share! ♻️
#awscertification #cloudsecurity
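The analysis step in the playbook boils down to a handful of SQL questions asked of CloudTrail: what did the key do, from where, what did it try and fail, and did it establish persistence. The Python below is an added example, not the playbook's own code. Because Athena needs live AWS access, the same questions are asked of constructed CloudTrail records (not real logs) loaded into an in-memory SQLite table whose columns mirror the Athena CloudTrail table (eventtime, eventsource, eventname, sourceipaddress, useragent, errorcode, with useridentity.accesskeyid flattened to accesskeyid). The table name cloudtrail_logs, the account, users, IPs and events are assumptions; the key ids are AWS's documented placeholders.

```python
"""Scoping what an exposed access key did, SQL-style, offline.

Added example, not the AWS playbook's code. SQLite stands in for Athena;
column names follow the Athena CloudTrail table so the queries carry over.
"""
import sqlite3

EXPOSED_KEY = "AKIAIOSFODNN7EXAMPLE"                  # AWS's documented placeholder
DEV = "arn:aws:iam::111122223333:user/dev-laptop"     # owner of the exposed key (assumed)
OTHER = "arn:aws:iam::111122223333:user/alice"        # unrelated principal (assumed)

# Event names worth calling out during triage (not exhaustive).
PERSISTENCE = {"CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
               "AttachUserPolicy", "PutUserPolicy", "CreateRole", "AttachRolePolicy",
               "UpdateAssumeRolePolicy"}
RECON = {"GetCallerIdentity", "ListUsers", "ListRoles", "ListBuckets", "DescribeInstances",
         "GetAccountSummary", "ListAttachedUserPolicies"}
RESOURCE_CREATION = {"RunInstances", "CreateBucket", "CreateFunction20150331", "CreateDBInstance"}

# Constructed records, not real logs:
# (eventtime, eventsource, eventname, accesskeyid, arn, sourceipaddress, useragent, errorcode)
SAMPLE_RECORDS = [
    ("2024-02-29T17:00:00Z", "s3.amazonaws.com", "GetObject", EXPOSED_KEY, DEV, "203.0.113.10", "aws-sdk-go/1.44.0", None),
    ("2024-03-01T08:15:00Z", "sts.amazonaws.com", "GetCallerIdentity", EXPOSED_KEY, DEV, "198.51.100.23", "aws-cli/2.15.0", None),
    ("2024-03-01T08:15:20Z", "iam.amazonaws.com", "ListUsers", EXPOSED_KEY, DEV, "198.51.100.23", "aws-cli/2.15.0", None),
    ("2024-03-01T08:15:45Z", "iam.amazonaws.com", "CreateUser", EXPOSED_KEY, DEV, "198.51.100.23", "aws-cli/2.15.0", None),
    ("2024-03-01T08:16:02Z", "iam.amazonaws.com", "CreateAccessKey", EXPOSED_KEY, DEV, "198.51.100.23", "aws-cli/2.15.0", None),
    ("2024-03-01T08:16:30Z", "iam.amazonaws.com", "AttachUserPolicy", EXPOSED_KEY, DEV, "198.51.100.23", "aws-cli/2.15.0", "AccessDenied"),
    ("2024-03-01T08:17:10Z", "ec2.amazonaws.com", "RunInstances", EXPOSED_KEY, DEV, "198.51.100.23", "aws-cli/2.15.0", None),
    ("2024-03-01T08:18:00Z", "s3.amazonaws.com", "ListBuckets", EXPOSED_KEY, DEV, "198.51.100.23", "aws-cli/2.15.0", None),
    ("2024-03-01T08:16:00Z", "iam.amazonaws.com", "ListRoles", "AKIAI44QH8DHBEXAMPLE", OTHER, "203.0.113.10", "console.amazonaws.com", None),
]

# The equivalent Athena query; only the nested column path differs.
ATHENA_TIMELINE_QUERY = """
SELECT eventtime, eventsource, eventname, sourceipaddress, errorcode
FROM cloudtrail_logs                     -- assumed table name
WHERE useridentity.accesskeyid = 'AKIAIOSFODNN7EXAMPLE'
ORDER BY eventtime
"""


def load(records):
    """Load records into an in-memory table shaped like the Athena CloudTrail table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE cloudtrail_logs (eventtime TEXT, eventsource TEXT, eventname TEXT,
                    accesskeyid TEXT, arn TEXT, sourceipaddress TEXT, useragent TEXT, errorcode TEXT)""")
    conn.executemany("INSERT INTO cloudtrail_logs VALUES (?,?,?,?,?,?,?,?)", records)
    return conn


def _succeeded(conn, key, names):
    """Successful calls by this key whose event name is in `names`, in time order."""
    marks = ",".join("?" * len(names))
    rows = conn.execute(f"SELECT eventname FROM cloudtrail_logs WHERE accesskeyid = ? "
                        f"AND eventname IN ({marks}) AND errorcode IS NULL ORDER BY eventtime",
                        (key, *sorted(names)))
    return [r[0] for r in rows]


def triage(conn, key):
    """Answer the playbook's analysis questions for one access key."""
    timeline = conn.execute("SELECT eventtime, eventsource, eventname, sourceipaddress, errorcode "
                            "FROM cloudtrail_logs WHERE accesskeyid = ? ORDER BY eventtime", (key,)).fetchall()
    ips = conn.execute("SELECT sourceipaddress, COUNT(*), MIN(eventtime), MAX(eventtime) FROM cloudtrail_logs "
                       "WHERE accesskeyid = ? GROUP BY sourceipaddress ORDER BY COUNT(*) DESC", (key,)).fetchall()
    denied = conn.execute("SELECT eventname FROM cloudtrail_logs WHERE accesskeyid = ? "
                          "AND errorcode IS NOT NULL ORDER BY eventtime", (key,)).fetchall()
    return {"calls": len(timeline), "timeline": timeline,
            "source_ips": [{"ip": ip, "calls": n, "first": first, "last": last} for ip, n, first, last in ips],
            "recon": _succeeded(conn, key, RECON),
            "persistence": _succeeded(conn, key, PERSISTENCE),
            "resources_created": _succeeded(conn, key, RESOURCE_CREATION),
            "denied": [r[0] for r in denied]}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(load(SAMPLE_RECORDS), EXPOSED_KEY), indent=2))
```

Two things the output makes obvious that the playbook stresses: the new IP that appears alongside the developer's usual one is your pivot for scoping, and every successful persistence event (here the created user and its access key) is a separate item for eradication, not something that disabling the original key resolves. Containment for an IAM user's key is `aws iam update-access-key --user-name <name> --access-key-id <id> --status Inactive`; as the post says, do that before finishing the analysis once you are sure it is not a false positive.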
This is what least privilege looks like in AWS for Amazon S3 bucket policies.
🗺️ Scenario:
You’re tasked with locking down access to a ‘sensitive-app-data’ bucket so that only these principals have access:
👩‍💼 Administrators: admin (role), ci (user) – to administer the bucket
📱 Application: app (role) – read & write data to/from bucket
🛠️ Support: cust-service (role) – to read data
Here’s how you should go about granting least privilege permissions to this bucket (in order):
1️⃣ Deny access to the bucket and its objects to everyone who is not one of the intended principals
2️⃣ Grant the administrators privileges to administer the bucket
3️⃣ Allow the application and customer support roles to read data from the bucket
4️⃣ Allow the application to write data into the bucket
5️⃣ Add any other policy enforcements, like requiring encryption in transit and at rest
💡 Pro tips:
✅ Organize your statements by capabilities granted to principals so you can track who has those capabilities over time
(I didn’t use to do this and my statements were an absolute mess before I heard this advice)
✅ For you to only grant access to intended principals and resources, two things should be included in your security policies:
➡️ Identity policies attached to principals should scope resource access to implement the least privilege for the principal
➡️ Resource policies should allow intended principals and explicit deny everyone else to implement the least privilege for the resources
💾 Download a higher resolution version of the cheat sheet here: cybr.com/cloud-security/create-a-least-privilege-s…
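The five steps above, written out as a bucket policy, with a small evaluator to confirm each principal gets exactly what the scenario intends. This is an added example, not the cheat sheet's policy. The account id 111122223333 and the principal names are assumptions, and the evaluator models only the bucket policy (an explicit deny wins, otherwise some Allow statement must match), not the identity policies that AWS evaluates alongside it.

```python
"""Least-privilege bucket policy for sensitive-app-data, plus a small
evaluator to prove it behaves as the five steps describe.

Added example, not the cheat sheet's own policy. Account id and principal
names are assumptions; the evaluator models the bucket policy alone.
"""
import json
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"
BUCKET_ARN = "arn:aws:s3:::sensitive-app-data"
OBJECTS_ARN = BUCKET_ARN + "/*"
ADMINS = [f"arn:aws:iam::{ACCOUNT}:role/admin", f"arn:aws:iam::{ACCOUNT}:user/ci"]
APP = [f"arn:aws:iam::{ACCOUNT}:role/app"]
SUPPORT = [f"arn:aws:iam::{ACCOUNT}:role/cust-service"]
INTENDED = ADMINS + APP + SUPPORT

POLICY = {"Version": "2012-10-17", "Statement": [
    # 1. Everyone who is not an intended principal is explicitly denied.
    #    aws:PrincipalArn carries the role ARN for role sessions, so the
    #    role ARNs cover every session of those roles.
    {"Sid": "DenyEveryoneElse", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET_ARN, OBJECTS_ARN],
     "Condition": {"ArnNotLike": {"aws:PrincipalArn": INTENDED}}},
    # 2. Administrators manage the bucket but get no object data.
    {"Sid": "AdminsAdministerBucket", "Effect": "Allow", "Principal": {"AWS": ADMINS},
     "Action": ["s3:GetBucket*", "s3:PutBucket*", "s3:DeleteBucketPolicy", "s3:ListBucket",
                "s3:GetEncryptionConfiguration", "s3:PutEncryptionConfiguration",
                "s3:GetLifecycleConfiguration", "s3:PutLifecycleConfiguration"],
     "Resource": BUCKET_ARN},
    # 3. Application and support read objects (ListBucket is a bucket-level action).
    {"Sid": "AppAndSupportRead", "Effect": "Allow", "Principal": {"AWS": APP + SUPPORT},
     "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
     "Resource": [BUCKET_ARN, OBJECTS_ARN]},
    # 4. Only the application writes.
    {"Sid": "AppWrite", "Effect": "Allow", "Principal": {"AWS": APP},
     "Action": ["s3:PutObject", "s3:DeleteObject"], "Resource": OBJECTS_ARN},
    # 5. Enforcements: TLS only, and uploads must ask for SSE-KMS.
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET_ARN, OBJECTS_ARN],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
     "Resource": OBJECTS_ARN,
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(condition, ctx):
    """The subset of IAM condition operators this policy uses."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if operator == "ArnNotLike":          # missing key: "not like" is true
                ok = actual is None or not any(fnmatchcase(actual, e) for e in expected)
            elif operator == "StringNotEquals":   # missing key: "not equal" is true
                ok = actual not in expected
            elif operator == "Bool":              # missing key: false
                ok = actual is not None and str(actual).lower() == expected[0].lower()
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def evaluate(policy, principal_arn, action, resource, ctx=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    ctx = {"aws:PrincipalArn": principal_arn, **(ctx or {})}
    decision = "ImplicitDeny"
    for s in policy["Statement"]:
        principal = s["Principal"]
        if principal != "*" and not any(fnmatchcase(principal_arn, p) for p in _as_list(principal["AWS"])):
            continue
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(s["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(s["Resource"])):
            continue
        if not _condition_holds(s.get("Condition", {}), ctx):
            continue
        if s["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit deny beats any allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
```

Two caveats before deploying a policy with a Principal "*" deny like statement 1: test it against every intended principal first, because the deny also applies to the account's own administrators unless they are listed (the bucket owner's root user can still call DeleteBucketPolicy, which is the documented escape hatch), and keep the allowed principal list in the identity policies as tight as the one here, since a resource policy denying outsiders says nothing about what the listed roles can do elsewhere.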
Cheat sheet for some of the most useful CloudTrail CLI commands including:
📌 General/operational commands
📌 Event History & Insights Events commands
📌 Commands to work with trails (finding specific events in log files for example)
📌 Working with CloudTrail Lake
📌 Enabling and retrieving insights from Insights Events
💾 Download a higher res version here: cybr.com/cloudtrail-cli
I wanted to try a different way of uploading courses to YouTube to see how it would do, and so that's what I did last month when I uploaded my AWS CloudTrail course as individual lessons. The feedback and data are pretty clear -- you all prefer one large upload instead of individual lesson uploads! This latest course video I just uploaded on CloudTrail is the same content as the videos I had recently uploaded and just removed, so if you already went through all of those, this is nothing new. If you hadn't watched those videos, though, well then check it out because it's an important course if you're building on AWS :)
Just wanted to drop a quick mention in case you were confused!
Happy AWSing
- Christophe
What are you studying or learning this month? 🎓 I’ll start:
1️⃣ Professionally - I’m studying up on some #awssecurity services that I haven’t used as much because I haven’t needed them for my workloads in the past, but that I still need to know about for more well-rounded knowledge 🙌 For example, taking a look at Verified Access which was recently released, and then some on-prem access related services/features
2️⃣ Personally - I’m learning how to make beer. I made my first Witbier just in time for Halloween, and while it wasn’t the flavors I usually go for (a little light), it turned out really good! A couple of weekends ago, I helped my neighbor (who is teaching me) make a Chocolate Hazelnut Porter which will be ready in time for the Holidays. An early taste test was very promising though 😄
What about you? Any end-of-year learning goals? Let me know in the comments 👇
Are you keeping your data stored in AWS safe? Amazon S3 has multiple controls you can use to protect your data. Let's take a look:
📀 Data access 📀
✅ #S3 Block Public Access — a default deny model for an entire account that is enabled for new buckets, and that orgs can turn on to prohibit any S3 bucket from being made publicly accessible
✅ #IAM policies — User, group, and role-based access control to storage buckets through IAM policies
✅ Bucket policies — Policies applied to a specific S3 bucket (this enables multiple layers of security for your data since you could have both a bucket policy and IAM policies. ie: if you allow access in a user policy but block access in a bucket policy, access will be denied)
✅ ACLs — Can grant basic read and write permissions to buckets and objects, to other #AWS accounts. This feature should no longer be used unless required for a one-off use case
✅ Query string auth (aka Presigned URLs) — REST-based access key strings that can be passed to AWS for access control
✅ CORS — can be enabled and configured to allow certain web apps in different domains to access/interact with your resources using specific HTTP methods
✅ MFA delete — prevent changing Bucket Versioning settings and deleting object versions without MFA
🔒 Encryption 🔑
➡️ Server-side encryption — using SSE-S3, SSE-KMS, or DSSE-KMS (for 2 separate layers of encryption). Amazon S3 now applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in S3. All new object uploads to Amazon S3 are automatically encrypted at no additional cost and with no impact on performance.
➡️ Client-side encryption — This part happens outside of S3. You encrypt your data client-side and upload the encrypted data to S3. You manage the encryption process, encryption keys, and related tools.
🗂️ Object protection 🛡️
✅ Object versioning — keeps multiple versions of an object to track changes and recover from unintended or malicious user actions. Also makes it possible to turn on Object Lock
✅ S3 Object Lock — turns an S3 bucket into a write-once-read-many (WORM) model. This is useful for legal retention and evidence in chain-of-custody cases, for example.
🔎 #Logging, #Monitoring, Analysis 🕵️‍♀️
➡️ AWS #CloudTrail data events — enables CloudTrail data events to log S3 object-level API operations in the CloudTrail console
➡️ Server access logs — provides a detailed record of all requests made to an S3 bucket to a separate bucket for collection and analysis. (Tip: CloudTrail logs provide a detailed view of API activity for S3 bucket-level and object-level operations; Server access logs provide visibility into object-level operations on your data stored in S3)
➡️ Pair with Amazon Macie — for monitoring and reporting on sensitive data and access
👍 If you found this helpful, please drop me a like :)
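Of the data access controls above, query string authentication is the one whose security properties are easiest to misjudge, so here it is from first principles. The Python below is an added example, not code from the post: it implements the SigV4 query-parameter signing steps with the standard library, so that the shape of a presigned URL, its expiry, and its tamper resistance can be inspected offline. In practice you would call the SDK's generate_presigned_url. The key pair is AWS's documented placeholder, and the bucket, object key and region are assumptions.

```python
"""Query-string authentication (presigned URLs) from first principles.

Added example, not code from the post. SigV4 query-parameter signing with
the standard library; the SDK's generate_presigned_url is what you would
use in production. Credentials are AWS's documented placeholder pair.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, unquote, urlsplit

ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
MAX_EXPIRY = 604800  # SigV4 presigned URLs are capped at seven days


def _q(s):
    """RFC 3986 encoding for query names and values ('/' is encoded)."""
    return quote(s, safe="-_.~")


def _signature(method, host, path, query, amz_date, scope, secret):
    """Signature over the canonical request; `query` excludes X-Amz-Signature."""
    canonical_query = "&".join(f"{_q(k)}={_q(v)}" for k, v in sorted(query.items()))
    canonical_request = "\n".join([method, quote(path, safe="/-_.~"), canonical_query,
                                   f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in scope.split("/"):  # date, region, service, "aws4_request"
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, expires_in, now, access_key=ACCESS_KEY, secret=SECRET_KEY):
    """Return a GET URL for s3://bucket/key that is valid for expires_in seconds from `now`."""
    if not 1 <= expires_in <= MAX_EXPIRY:
        raise ValueError("expiry must be between 1 s and 7 days")
    host, path = f"{bucket}.s3.{REGION}.amazonaws.com", "/" + key
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{REGION}/s3/aws4_request"
    query = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256", "X-Amz-Credential": f"{access_key}/{scope}",
             "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires_in), "X-Amz-SignedHeaders": "host"}
    query["X-Amz-Signature"] = _signature("GET", host, path, query, amz_date, scope, secret)
    return (f"https://{host}{quote(path, safe='/-_.~')}?"
            + "&".join(f"{_q(k)}={_q(v)}" for k, v in query.items()))


def verify_presigned(url, secret, now):
    """What the service checks when the URL is presented: expiry, then the signature."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = query.pop("X-Amz-Signature", "")
    try:
        issued = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires = int(query["X-Amz-Expires"])
        scope = query["X-Amz-Credential"].split("/", 1)[1]
    except (KeyError, ValueError, IndexError):
        return False, "malformed"
    if not 1 <= expires <= MAX_EXPIRY or now > issued + timedelta(seconds=expires):
        return False, "expired"
    expected = _signature("GET", parts.netloc, unquote(parts.path), query, query["X-Amz-Date"], scope, secret)
    if not hmac.compare_digest(expected, presented):
        return False, "signature mismatch"  # any edited parameter or path lands here
    return True, "ok"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    url = presign_get("sensitive-app-data", "reports/q1 summary.csv", 900, now)
    print(url)
    print(verify_presigned(url, SECRET_KEY, now))
```

The properties worth remembering follow directly from the code: the URL is a bearer credential (whoever holds it can fetch the object until X-Amz-Expires elapses, so treat it like a secret in logs and referrers), its expiry cannot be extended without the signing secret because X-Amz-Expires is inside the signed canonical query, and it carries the permissions of the signing principal, so a presigning role should itself be least privilege. Bucket policy denies still apply to requests made with the URL.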
Whether you’re actively trying to secure your AWS environments, you’re studying for the Certified Security Specialty exam, or you’re just curious and want to learn more about AWS & #cloud security, you’ll find that AWS offers quite a few security-focused services and features. This can be daunting when you’re first getting started, but it doesn’t have to be! 🌟💡
Each of these services can be categorized under core security pillars. Let’s see where each service fits in: 👇👇👇
🔐 Identity & Access Management:
🔵 IAM: Your cornerstone for securely managing access to AWS services and resources
🔵 IAM Access Analyzer: Fine-tune access with granular permissions (Tip: use this to give least privilege permissions!)
🔵 AWS Organizations: Manage and govern multiple AWS accounts
🔵 IAM Identity Center: Simplify workforce access across AWS accounts/services/apps
🛡️ Data Protection:
🟪 Amazon Macie: Discover and shield sensitive data at scale
🟪 AWS KMS: Your locksmith, managing cryptographic keys with finesse
🟪 AWS Secrets Manager: A secure vault, safeguarding and rotating your secrets (Tip: Use to get rid of hard-coded and plaintext secrets)
🟪 AWS Certificate Manager: Provision and deploy SSL/TLS certs
🌐 Edge & Network Protection:
🟧 AWS WAF: Block web threats like SQL injection and XSS
🟧 AWS Shield: Guard against DDoS attacks
🟧 AWS Firewall Manager: Manage firewall rules, SGs, and Shield, across your AWS Organization
🟧 AWS Network #Firewall: Fortify network security across Amazon VPCs by filtering traffic
🔍 Threat Detection & Response:
🔴 Amazon #GuardDuty: A relentless threat detection service, continuously monitoring for malicious activities (Tip: pair with EventBridge for action/notifications)
🔴 Amazon Detective: Dive deep into security data and visualize threats
🔴 Amazon Inspector: Discover workloads and scan them for software vulnerabilities
🔴 AWS CloudTrail: A meticulous recorder, logging user activity and API usage (Tip: push to CloudWatch Logs for tracking & to generate metrics and alerts)
🔴 AWS Config: A detailed observer, recording and evaluating configurations of AWS resources (Tip: use with SSM and Lambda for automated remediation)
🔴 AWS #Security Hub: Unified security command center, providing a comprehensive view of alerts and posture
📜 Compliance:
🟩 AWS Audit Manager: Continuously auditing AWS usage against prebuilt and custom frameworks
🟩 AWS Artifact: Your gateway to compliance reports from AWS and ISVs
🟩 AWS Control Tower: Account deployment and governance
🚨 Remember that you do not need to be using all of these services. It depends on your use case/workload/business requirements. You may also find third-party solutions that offer a better approach.
➡️ That’s also why I’m here! Get started with our Introduction to #AWS Security course (now with Hands-On Labs!): cybr.com/courses/introduction-to-aws-security/