

Lior Zatlavi

Exfiltrated, Signed, Delivered – What Can Go Wrong When an Amazon Elastic Compute Cloud (EC2) Instance is Exposed to SSRF 

New CNAPPgoat scenario makes experimentation easy by triggering calls to AWS services from an EC2 instance exposed to SSRF

By Lior Zatlavi Oct 04, 2023

What’s New with CNAPPgoat? 

Read about the newest, expanded features in the Ermetic [now Tenable Cloud Security] open source vulnerable-by-design tool for enhancing your security skills

By Lior Zatlavi Sep 14, 2023

The Azure Metadata Protection You Didn’t Know Was There

Some Azure services have an additional, not widely known, protection mechanism against session token exfiltration

By Lior Zatlavi Sep 11, 2023

The Next Step in the IMDSv1 Redemption Journey 

Learn about AWS’s new open source library for enforcing IMDSv2 and Tenable Cloud Security’s new lab for trying it out

By Lior Zatlavi Aug 17, 2023

CNAPPgoat: The Multicloud Open-Source Tool for Deploying Vulnerable-by-Design Cloud Resources

All about CNAPPgoat, our open-source project designed to modularly provision vulnerable-by-design components in cloud environments.

By Lior Zatlavi Aug 02, 2023

The Default Toxic Combination of GCP Compute Engine Instances

By default, compute instances in GCP are prone to a toxic combination that you should be aware of, and that you can avoid and fix

By Lior Zatlavi Jun 29, 2023

Terraform Lab: Taking the New VPC Endpoint Condition Keys Out for a Spin

Our new open source Terraform project offers hands-on experience with VPC endpoints and demos AWS's new condition keys for securing EC2 instances

By Lior Zatlavi Apr 03, 2023

Federating Kubernetes Workloads with Cloud Identities

Your K8s workloads legitimately need access to sensitive cloud resources – federated identities let you grant it easily and securely

By Lior Zatlavi Mar 27, 2023

A New Incentive for Using AWS VPC Endpoints

If you haven’t been using VPC endpoints until now, AWS's two new condition keys should make you consider doing so

By Lior Zatlavi Mar 09, 2023

Secure Your AWS EC2 Instance Metadata Service (IMDS)

Read this review of IMDS, an important AWS EC2 service component, to understand its two versions and improve your AWS security

By Lior Zatlavi Feb 27, 2023

A Caveat for Azure VM Public IP Configuration

If you’re not familiar enough with the SKU attribute of the Azure public IP address, you may think you’re configuring VMs as public to the internet... but aren’t.

By Lior Zatlavi Jan 16, 2023

How to Minimize Unintended Access and Achieve Least Privilege with Ermetic and AWS

Lior Zatlavi explains how to set up the platform in your environment and get maximum value

By Lior Zatlavi Jan 11, 2023

IAM Role Trust Update – What You Need to Know

When it comes to assuming roles, AWS is changing an aspect of how role trust policies are evaluated; here is a quick digest of what this change may mean to you.

By Lior Zatlavi Oct 19, 2022

Public Network Access to Azure Resources Is Too Easy to Configure

For some types of Microsoft Azure resources and subnets, it’s extremely easy to configure what is essentially public network access. We describe here some examples and how to reduce such risks.

By Lior Zatlavi Oct 06, 2022

Five Lessons Every Cybersecurity Team Can Learn from the Uber Incident

Upon hearing of a cyber security incident, alleged or factual, the most productive thing to do is learn what you can from its main lessons

By Lior Zatlavi Sep 22, 2022

Taking Notice of AWS IAM Roles Anywhere

IAM Roles Anywhere may be a pivotal moment for security — the new service lets you enrich the arsenal of tools at your disposal to improve your AWS security posture.

By Lior Zatlavi Aug 30, 2022

3 Ways to Reduce the Risk from Misused AWS IAM User Access Keys

Used incorrectly, AWS IAM User Access Keys can pose high risk; the good news is that great alternatives, explored here, exist

By Lior Zatlavi Aug 10, 2022

The Advanced Risk of Basic Roles In GCP IAM

Basic roles in GCP allow data-level actions, even though at first glance it might seem like they don’t. Avoid using basic roles, and if you must use them, make a special effort to protect any sensitive data you store in your GCP projects.

By Lior Zatlavi May 17, 2022

Identity Access Management in Google Cloud Platform (GCP IAM)

An introduction for anyone getting started with GCP or even experienced professionals who are looking for a structured overview.

By Lior Zatlavi May 17, 2022

Hidden Risk in the Default Roles of Google-Managed Service Accounts

Some Google-managed service accounts are bound by default to a role granting access to storage.objects.read. This hidden risk is (yet another) great reason to use customer-managed KMS keys to encrypt your sensitive data stored in buckets.

By Lior Zatlavi May 17, 2022

Keep Your S3 Safe from CloudTrail Auditors

AWSCloudTrailReadOnlyAccess currently allows s3:GetObject for “*” and s3:ListAllMyBuckets – and reading CloudTrail logs may also give access to bucket object keys. BE CAREFUL!

By Lior Zatlavi Feb 03, 2022

Tracking Adversaries in AWS using Anomaly Detection, Part 2

Going through the cyber “kill chain” with Pacu and using automated analysis to detect anomalous behavior

By Lior Zatlavi Jan 11, 2022

Tracking Adversaries in AWS using Anomaly Detection, Part 1

Minimizing the impact of a breach by identifying malicious actors’ anomalous behavior and taking action.

By Lior Zatlavi Jan 11, 2022

SEGA’s Saga of Nearly Compromised Credentials

A look at VPNO’s recent findings of publicly accessible S3 buckets on SEGA’s infrastructure and what we can learn from it.

By Lior Zatlavi Jan 06, 2022

Protect Your AWS Environment Beyond Patching Log4j

The crucial strategic lessons overlooked by enterprises dealing with the recently reported Log4j vulnerability.

By Lior Zatlavi Dec 29, 2021

Not Just Buckets: Are You Aware of ALL Your Public Resources?

A misconfiguration of resource-based policies can inadvertently make resources public. Do you have such misconfigured policies present in your environment?

By Lior Zatlavi Nov 23, 2021
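The two teasers above, the CloudTrail auditor policy that grants s3:GetObject on "*" and resource-based policies that quietly make resources public, both come down to reading a policy document statement by statement. As an added example (not code from either post, nor from Ermetic/Tenable), here is a small offline checker in Python. The policy documents in it are constructed for illustration and are not copies of the real AWSCloudTrailReadOnlyAccess managed policy or of any real bucket policy; the account ID and VPC endpoint ID are placeholders.

```python
"""Added example: offline checks over IAM policy documents.
find_wildcard_grants   - identity-policy Allow statements granting an action
                         such as s3:GetObject on Resource "*".
find_public_statements - resource-based Allow statements whose Principal is
                         "*" (public if unconditioned, needs review otherwise).
Sample policies are constructed, not real managed or bucket policies."""
import fnmatch


def _as_list(value):
    """IAM allows Action/Resource/Principal fields to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    """Yield (sid, statement) for every Allow statement in a policy."""
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") == "Allow":
            yield st.get("Sid", f"statement[{i}]"), st


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and may use '*' (e.g. 's3:Get*')."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_wildcard_grants(policy, action="s3:GetObject"):
    """Sids of Allow statements granting `action` on Resource "*".
    NotAction/NotResource statements are deliberately not modelled here."""
    hits = []
    for sid, st in _allow_statements(policy):
        granted = any(_action_matches(p, action) for p in _as_list(st.get("Action")))
        if granted and "*" in _as_list(st.get("Resource")):
            hits.append(sid)
    return hits


def _principal_is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} opens a resource policy to any caller."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def find_public_statements(resource_policy):
    """Anonymous-principal Allow statements: with no Condition they are public;
    with a Condition (e.g. aws:SourceVpce) they still warrant manual review,
    because not every condition actually restricts who can call."""
    result = {"public": [], "review": []}
    for sid, st in _allow_statements(resource_policy):
        if _principal_is_anonymous(st.get("Principal")):
            result["review" if st.get("Condition") else "public"].append(sid)
    return result


# Constructed identity policy shaped like a read-only "auditor" role.
AUDITOR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CloudTrailRead", "Effect": "Allow", "Resource": "*",
     "Action": ["cloudtrail:Get*", "cloudtrail:Describe*", "cloudtrail:List*"]},
    {"Sid": "S3Read", "Effect": "Allow", "Resource": "*",
     "Action": ["s3:GetObject", "s3:ListAllMyBuckets"]},
    {"Sid": "ScopedLogs", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-trail-logs/*"},
]}

# Constructed bucket policy: one public, one endpoint-scoped, one account-scoped.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    {"Sid": "AccountOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-data"},
]}


if __name__ == "__main__":
    print("s3:GetObject on '*':", find_wildcard_grants(AUDITOR_POLICY))
    print("s3:ListAllMyBuckets on '*':",
          find_wildcard_grants(AUDITOR_POLICY, "s3:ListAllMyBuckets"))
    print("bucket policy exposure:", find_public_statements(BUCKET_POLICY))
```

Running it flags the S3Read statement for both s3:GetObject and s3:ListAllMyBuckets (the scoped log-bucket statement is left alone), and classifies the bucket policy as one public statement plus one that is gated by a condition and should be reviewed rather than assumed safe. The real test of a managed policy is the document AWS publishes for it at the time you check, so pull it with the IAM API or console rather than relying on this constructed sample.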

How Smart Secrets Storage Can Help You Avoid Cloud Security Risks

The not-so-sensitive locations that may tempt you when storing sensitive information -- why to avoid them and how

By Lior Zatlavi Nov 03, 2021

The Urgent Threat of Ransomware to S3 Buckets Due to Misconfigurations

Misconfigurations that can lead to S3 ransomware exposure and the mitigation tools you can leverage to prevent it

By Lior Zatlavi Oct 07, 2021

Five Strategies for Mitigating Your S3 Misconfiguration Ransomware Threat

Detailed steps for better ransomware protection of your AWS environment

By Lior Zatlavi Oct 07, 2021

Access Keys: An Unintended Backdoor-by-Design to Azure Storage Accounts Data

The importance of understanding the assignments of Azure resource roles when giving permissions.

By Lior Zatlavi Aug 10, 2021

TeamTNT Strikes Again: A Wake-Up Call to Start Securing Cloud Entitlements

Examining the news that TeamTNT is targeting 16 more applications, including Google Cloud.

By Lior Zatlavi Jun 14, 2021

AWS Condition Context Keys for Reducing Risk

A cheat sheet on using AWS global condition context keys to achieve least privilege.

By Lior Zatlavi May 25, 2021

Least Privilege Policy: Automated Analysis Trumps Native AWS Tools

AWS methods for granting & controlling access, plus native tools for detecting & repairing excessive permissions.

By Lior Zatlavi May 18, 2021

The ABCs of Azure Identity Governance Tools

The main Azure mechanisms for governing identities and providing access permissions.

By Lior Zatlavi Apr 12, 2021

AWS’s Access Analyzer Preview Access is Great — But Is It Enough?

Learn the ins and outs of the preview access capability in Access Analyzer.

By Lior Zatlavi Mar 16, 2021

Deconstructing Azure Access Management using RBAC

The basics of Azure RBAC -- the main mechanism in Azure for granting permissions to resources.

By Lior Zatlavi Mar 10, 2021