AWS


The Security Benefits of Infrastructure as Code

We have developed and delivered new ways to provision infrastructure quickly and without these misconfigurations. Prevention is the only cure; we'll talk about how you can implement this today.


OIDC for GitHub Actions

At Cloud Security Partners, we perform a lot of code reviews and Cloud Security Assessments. During these engagements, we see many different CI/CD patterns that cause us to raise our eyebrows. One situation in particular that we encounter relatively often is the unsafe use of AWS credentials. The CIS Benchmark for AWS indicates that Access Keys must be rotated every 90 days. More generally, IAM users should be avoided; roles should be used instead. OpenID Connect is an authentication standard


Our Support For Cloudsplaining

We're proud to announce that Cloud Security Partners will be forking and maintaining Cloudsplaining, the popular cloud IAM tool. Open source and giving back to the community are very important to us and something we try to do often via contributions and free training! The cloud security community has built some amazing tools, from Prowler to Parliament and, of course, Cloudsplaining. Cloudsplaining plays an important role in that it gives security teams insight into their IAM policies and possible


Gen AI Security: An Introduction and Resource Guide

As in many other industries, Artificial Intelligence has taken the security industry by storm. Security practitioners now face the challenge of understanding new classes of threats and new attack techniques. Threat actors are using AI to improve their attacks while also exploiting AI services themselves. AI and Generative AI build on many new technologies to deliver services that improve efficiency and offer new solutions to old problems. Of course, along with t


LASCON Recap - Infrastructure as Code

Recently, we had the privilege of participating in and sponsoring the Lonestar Application Security Conference (LASCON). Our CEO, Michael McCabe, and Ken Toler delivered a training session and a talk on exploiting Terraform for remote code execution; both received a fantastic turnout. In between operating our booth, we had the opportunity to attend some insightful talks. During the event, one presentation that stood out was delivered by Bug Bounty and focused on how to manage a bug bounty progr


RDS Revealed? Time to Give It Some Shade!

By: John Poulin

At Cloud Security Partners, we have audited thousands of customer AWS accounts as part of our security reviews. Across our customers, roughly 5% of the AWS Relational Database Service (RDS) instances we analyze are publicly accessible. A general rule of thumb across the security industry is that resources generally should not be directly accessible on the Internet, especially databases. More often than not, resources can be deployed behind controls, such as Load Balancers, Priva


Exploring Amazon Athena in Incident Response: A Practical Approach

Recently, our team was pulled into an incident response engagement. As part of the breach investigation, we needed to review months of extensive nginx log files stored on Amazon S3 to determine the application issue causing data leakage. Complicating matters, we had no access to our traditional SIEM tools, prompting us to explore alternative solutions. We explored leveraging Amazon Athena to directly query the logs stored in S3. This post will showcase Amazon Athena's relevance in Incident Respon


Finding Strings Everywhere with Roles Anywhere

While scrolling Twitter, I came across this tweet talking about the new AWS feature Roles Anywhere. I was messing around with the aws_signing_helper and got this panic. The trace path doesn't make me feel super confident about the security of their build process. Not that I was happy about the "download this from a random S3 bucket" distribution method either. pic.twitter.com/B58g8fOk49 — David Adams (@daveadams) July 13, 2022 Roles Anywhere is a new way to use IAM roles on systems that aren


The Hidden Dangers of Using Terraform's Remote-Exec Provisioner

Terraform is a powerful infrastructure as code tool that can support multi-cloud deployments. Terraform provides consistent and reliable deployments for cloud infrastructure. But as with every tool, there are built-in hidden dangers we need to check for! The remote-exec provisioner in Terraform can be a valuable tool, providing the ability to execute scripts and commands on remote resources. However, without proper control and awareness it can pose significant security risks to your infrastructure


Infrastructure as Code Security

I was excited to have the opportunity to speak recently at Kernelcon and BSidesNYC about one of my favorite topics, infrastructure as code (IAC). Having helped multiple companies build IAC security programs, talking about what we've learned is always enjoyable. Companies moving to centralized and well-managed infrastructure as code pipelines with built-in security controls is a massive security win. However, utilizing these tools comes with certain risks that we must manage. As I outlined in m
