
17 posts tagged with "security"


· 5 min read

The Log4shell (log4j) vulnerability (CVE-2021-44228) emphasized more than ever the importance of setting network controls & policies not only on inbound traffic but also on outbound traffic.

In this blog we will go through:

  • What are the requirements for log4j exploitability?
  • What are the possible ways different AWS resources end up exposed to the internet via outbound access?
  • How to find resources with unrestricted outbound access using the CloudQuery open-source cloud asset inventory. This will help both to prioritize patching in the current situation and to apply network best practices in general.
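The check the third bullet describes, as an added example (this is not the post's own query). It is written for CloudQuery's PostgreSQL output and assumes the AWS plugin stores the AWS API shape: `aws_ec2_security_groups.ip_permissions_egress` as a JSONB array of rules with `IpProtocol`, `FromPort`, `ToPort`, `IpRanges[].CidrIp` and `Ipv6Ranges[].CidrIpv6`, and `aws_ec2_instances.security_groups` as a JSONB array of `{GroupId, GroupName}`; confirm the column names against your own schema (`\d aws_ec2_security_groups` in psql) before relying on it. It deliberately does not filter on port: the JNDI callback in a Log4Shell payload goes to an attacker-controlled host and port, so any TCP egress to `0.0.0.0/0` or `::/0` is enough, and the default "all traffic" egress rule (`IpProtocol = '-1'`) is the common case.

```sql
-- Added example, not from the original post. Assumed CloudQuery schema:
--   aws_ec2_security_groups(account_id, region, group_id, group_name,
--                           ip_permissions_egress jsonb)
--   aws_ec2_instances(account_id, region, instance_id, security_groups jsonb)
-- Flatten every egress rule into (group, protocol, port range, cidr) rows,
-- once for IPv4 ranges and once for IPv6 ranges.
WITH egress_rules AS (
  SELECT sg.account_id, sg.region, sg.group_id, sg.group_name,
         rule->>'IpProtocol' AS ip_protocol,
         rule->>'FromPort'   AS from_port,
         rule->>'ToPort'     AS to_port,
         r->>'CidrIp'        AS cidr
  FROM aws_ec2_security_groups sg
  CROSS JOIN LATERAL jsonb_array_elements(sg.ip_permissions_egress) AS rule
  CROSS JOIN LATERAL jsonb_array_elements(COALESCE(rule->'IpRanges', '[]'::jsonb)) AS r
  UNION ALL
  SELECT sg.account_id, sg.region, sg.group_id, sg.group_name,
         rule->>'IpProtocol',
         rule->>'FromPort',
         rule->>'ToPort',
         r->>'CidrIpv6'
  FROM aws_ec2_security_groups sg
  CROSS JOIN LATERAL jsonb_array_elements(sg.ip_permissions_egress) AS rule
  CROSS JOIN LATERAL jsonb_array_elements(COALESCE(rule->'Ipv6Ranges', '[]'::jsonb)) AS r
),
-- Any rule that lets the resource reach the whole internet. The attacker
-- picks the callback host and port, so no port filter is applied;
-- IpProtocol '-1' (all traffic) is the AWS default egress rule.
open_egress AS (
  SELECT * FROM egress_rules WHERE cidr IN ('0.0.0.0/0', '::/0')
)
-- Join back to the instances that actually use those groups, so the result
-- is a patch-priority list rather than a list of unused security groups.
SELECT DISTINCT
       i.account_id, i.region, i.instance_id,
       o.group_id, o.group_name, o.ip_protocol, o.from_port, o.to_port, o.cidr
FROM aws_ec2_instances i
CROSS JOIN LATERAL jsonb_array_elements(i.security_groups) AS isg
JOIN open_egress o
  ON  o.group_id   = isg->>'GroupId'
  AND o.account_id = i.account_id
  AND o.region     = i.region
ORDER BY 1, 2, 3;
```

A matching security-group rule is necessary but not sufficient for a callback to succeed: an instance in a private subnet with no route to an internet or NAT gateway, or behind a deny NACL, cannot reach the attacker even with open egress. Treat the result as the set to prioritize, then confirm exposure against route tables and NACLs (which CloudQuery also syncs) before ranking it as reachable.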

· 4 min read

In this blog post you will learn how to build an open-source cloud asset inventory with CloudQuery and Grafana.

General architecture:

  • CloudQuery will take care of extracting, transforming and loading all your assets, across cloud providers and SaaS apps, into PostgreSQL.
  • Grafana will be used to query, visualize, monitor and alert on that data.

This is what you will get:

  • All your asset configuration across cloud providers and SaaS apps in one database
  • Vanilla PostgreSQL, so any SQL client or BI tool can query it
  • Reuse your current visualization, monitoring and alerting workflows (assuming you already use Grafana): send reports and alerts via email or Slack
  • Three out-of-the-box, filterable Grafana asset inventory dashboards for AWS and GCP, including security and compliance dashboards

· 3 min read

In Google Cloud Platform (GCP) it is common to have multiple projects for different environments (like dev, staging, prod, prod-team1, etc.). It is also a common use-case to have one set of credentials (a service account) that can access multiple projects. For example:

  • Auditing: one service account with read-only access to all projects
  • Multi-project access/communication: a service in one project might need to access or communicate with services in other projects.

In this tutorial we will show you how to create one service account in GCP that can access multiple projects, either under the same organization or in entirely separate accounts (for AWS users, this is GCP's equivalent of cross-account assume-role).

· 8 min read

AWS SSO and AWS Organizations were released around 2017 and are probably the best way to manage AWS access at scale.

"AWS Single Sign-On (SSO) is a cloud SSO service that makes it easy to centrally manage SSO access to multiple AWS accounts and business applications. It enables users to sign in to an AWS IAM user with their existing corporate credentials and access all of their assigned accounts and applications from one place." (Quote from the AWS SSO page.)

This is a huge security and operational win. Some highlights:

  • No separate IAM user passwords to create and rotate
  • MFA is already enforced and managed at your IdP (Google Workspace (G Suite)/Okta/AzureAD) level
  • When a user leaves the organization, their AWS access is revoked automatically
  • Easy to automate provisioning of AWS access when a user joins an organization or department

In this article we will go through a step-by-step guide to setting up AWS SSO with Google Workspace (previously G Suite) as the IdP. If you use Google Workspace as your central directory, this is the guide for you.

· 4 min read

AWS SSO is one of the best and most popular ways to centrally manage access of users/developers to AWS Accounts, especially when combined with AWS Organizations for multi-account access and management.

AWS SSO usually integrates with an IdP (like Okta, G Suite or AzureAD). This approach has many benefits: only users in your Okta, G Suite or AzureAD directory can access the AWS accounts; authentication and MFA are managed centrally at the IdP level; and any user who leaves the organization automatically has their AWS access revoked as well.