AWS

IAM Role Trust Update – What You Need to Know

When it comes to assuming roles, AWS is changing an aspect of how trust policy is evaluated; here is a quick digest of what this change may mean to you.

Lior Zatlavi By Lior Zatlavi

Diving Deeply into IAM Policy Evaluation – Highlights from AWS re:Inforce IAM433

One of the most talked-about sessions at AWS re:Inforce, and my favorite, was IAM433, on AWS IAM’s internal evaluation mechanisms

Noam Dahan By Noam Dahan

Why It’s Important to Take Notice of AWS IAM Roles Anywhere 

IAM Roles Anywhere may be a pivotal moment for security — the new service lets you enrich the arsenal of tools at your disposal to improve your AWS security posture.

Lior Zatlavi By Lior Zatlavi

3 Ways to Reduce the Risk from Misused AWS IAM User Access Keys

Used incorrectly, AWS IAM User Access Keys can pose high risk; the good news is that great alternatives, explored here, exist

Lior Zatlavi By Lior Zatlavi

6 Tips for Successfully Securing Your AWS Environment

Top six actions and practices you can take to protect your AWS environment today.

Ermetic Team By Ermetic Team

Access Undenied on AWS

Ermetic is launching a new open-source tool: Access Undenied on AWS. The tool parses AWS AccessDenied CloudTrail events, explains the reasons for them and offers actionable fixes.

Noam Dahan By Noam Dahan

Keep Your S3 Safe from CloudTrail Auditors

AWSCloudTrailReadOnlyAccess currently allows s3:GetObject for “*” and s3:ListAllMyBuckets – and reading CloudTrail logs may also give access to bucket object keys. BE CAREFUL!

Lior Zatlavi By Lior Zatlavi

Testing the Waters: First Impressions of CloudTrail Lake

Our first impressions of AWS's new managed audit and security lake that allows you to aggregate, immutably store, and query activity logs.

Noam Dahan By Noam Dahan

Tracking Adversaries in AWS using Anomaly Detection, Part 2

Going through the cyber “kill chain” with Pacu and using automated analysis to detect anomalous behavior

Lior Zatlavi By Lior Zatlavi

Tracking Adversaries in AWS using Anomaly Detection, Part 1

Minimizing the impact of a breach by identifying malicious actors’ anomalous behavior and taking action.

Lior Zatlavi By Lior Zatlavi
SEGA’s Saga of Nearly Compromised Credentials

SEGA’s Saga of Nearly Compromised Credentials

A look at VPNO’s recent findings of publicly accessible S3 buckets on SEGA’s infrastructure and what we can learn from it.

Lior Zatlavi By Lior Zatlavi
Protect Your AWS Environment Beyond Patching Log4j

Protect Your AWS Environment Beyond Patching Log4j

The crucial strategic lessons overlooked by enterprises dealing with the recently reported Log4j vulnerability.

Lior Zatlavi By Lior Zatlavi

Not Just Buckets: Are You Aware of ALL Your Public Resources?

A misconfiguration of resource based policies can inadvertently make resources public. Do you have such misconfigured policies present in your environment?

Lior Zatlavi By Lior Zatlavi

Don’t Hide Your Secrets in Plain Sight

The not-so-sensitive locations that may tempt you when storing sensitive information -- why to avoid them and how

Lior Zatlavi By Lior Zatlavi

The Urgent Threat of Ransomware to S3 Buckets Due to Misconfigurations

Misconfigurations that can lead to S3 ransomware exposure and the mitigation tools you can leverage to prevent it

Lior Zatlavi By Lior Zatlavi
Five Strategies For Mitigating The S3 Ransomware Threat

Five Strategies for Mitigating Your S3 Misconfiguration Ransomware Threat

Detailed steps for better ransomware protection of your AWS environment

Lior Zatlavi By Lior Zatlavi

The AWS Shared Responsibility Model: Everything You Need to Know

What the Shared Responsibility model means, its many challenges & how to protect your cloud infrastructure.

Ermetic Team By Ermetic Team

AWS Resource Provisioning with Attribute Based Access Control (ABAC) – What You Need To Know

What to pay attention to when using ABAC in order to avoid unnecessary security gaps.

Lior Zatlavi By Ermetic Team

AWS Condition Context Keys for Reducing Risk

A Least Privilege cheat sheet on using AWS global condition context keys to achieve least privilege.

Lior Zatlavi By Lior Zatlavi

Least Privilege Policy: Automated Analysis Trumps Native AWS Tools

AWS methods for granting & controlling access, plus native tools for detecting & repairing excessive permissions.

Lior Zatlavi By Lior Zatlavi

AWS’s Access Analyzer Preview Access is Great — But Is It Enough?

Learn the ins and outs of the preview access capability in Access Analyzer.

Lior Zatlavi By Lior Zatlavi

Keep Your IAM Users Close, Keep Your Third Parties Even Closer – Part 1

Part 1 on third-party access configuration and control, and how it can go sideways with IAM permissions.

Ermetic Team By Ermetic Team

Keep Your IAM Users Close, Keep Your Third Parties Even Closer – Part 2

Part 2 explores best practices against third-party access risk and how automated analysis can help.

Ermetic Team By Ermetic Team

Auditing IAM PassRole: A Problematic Privilege Escalation Permission

How to determine which identities need iam:PassRole to help enforce “use it or lose it” least-privilege.

Noam Dahan By Noam Dahan

The AWS Managed Policies Trap

The “AWS Managed Policies Trap” and how to escape using automated analysis of environment configuration and activity logs.

Ermetic Team By Ermetic Team

Who Holds the Keys to the Kingdom? (Part 2 of 2)

Part 2 takes a look at sensitive AWS Resources – secret strings and keys used in AWS.

Ermetic Team By Ermetic Team

Who Holds the Keys to the Kingdom? (Part 1 of 2)

Part 1 of a series takes a look at sensitive AWS Resources - secret strings and keys used in AWS.

Ermetic Team By Ermetic Team

AWS Identity Federation and Least Privilege – Friends or Foes?

How to address the challenges in basic and advanced implementations of AWS federation.

Ermetic Team By Ermetic Team