The Next Step in the IMDSv1 Redemption Journey
Learn about AWS’s new open source library for enforcing IMDSv2 and Ermetic’s new lab for trying it out
Sometimes What Sounds Benign Can Bite You: An Unexpected Implication of Lambda Privileges
Learn how an AWS service usage and permissions combination discovered by Ermetic may increase risk upon a certain non-compliance
Terraform Lab: Taking the New VPC Endpoint Condition Keys Out for a Spin
Our new open source Terraform project offers hands-on experience with VPC endpoints and demos AWS's new condition keys for securing EC2 instances
A New Incentive for Using AWS VPC Endpoints
If you haven’t been using VPC endpoints until now, AWS's two new condition keys should make you consider doing so
Secure Your AWS EC2 Instance Metadata Service (IMDS)
Read this review of IMDS, an important AWS EC2 service component, to understand its two versions and improve your AWS security
How to Minimize Unintended Access and Achieve Least Privilege with Ermetic and AWS
Lior Zatlavi explains how to set up the platform in your environment and get maximum value
IAM Role Trust Update – What You Need to Know
When it comes to assuming roles, AWS is changing an aspect of how trust policy is evaluated; here is a quick digest of what this change may mean to you.
Diving Deeply into IAM Policy Evaluation – Highlights from AWS re:Inforce IAM433
One of the most talked-about sessions at AWS re:Inforce, and my favorite, was IAM433, on AWS IAM’s internal evaluation mechanisms
Taking Notice of AWS IAM Roles Anywhere
IAM Roles Anywhere may be a pivotal moment for security — the new service lets you enrich the arsenal of tools at your disposal to improve your AWS security posture.
3 Ways to Reduce the Risk from Misused AWS IAM User Access Keys
Used incorrectly, AWS IAM User Access Keys can pose high risk; the good news is that great alternatives, explored here, exist
6 Tips for Successfully Securing Your AWS Environment
Top six actions and practices you can take to protect your AWS environment today.
Access Undenied on AWS
Ermetic is launching a new open-source tool: Access Undenied on AWS. The tool parses AWS AccessDenied CloudTrail events, explains the reasons for them and offers actionable fixes.
Keep Your S3 Safe from CloudTrail Auditors
AWSCloudTrailReadOnlyAccess currently allows s3:GetObject for “*” and s3:ListAllMyBuckets – and reading CloudTrail logs may also give access to bucket object keys. BE CAREFUL!
Testing the Waters: First Impressions of CloudTrail Lake
Our first impressions of AWS's new managed audit and security lake that allows you to aggregate, immutably store, and query activity logs.
Tracking Adversaries in AWS using Anomaly Detection, Part 2
Going through the cyber “kill chain” with Pacu and using automated analysis to detect anomalous behavior
Tracking Adversaries in AWS using Anomaly Detection, Part 1
Minimizing the impact of a breach by identifying malicious actors’ anomalous behavior and taking action.
SEGA’s Saga of Nearly Compromised Credentials
A look at VPNO’s recent findings of publicly accessible S3 buckets on SEGA’s infrastructure and what we can learn from it.
Protect Your AWS Environment Beyond Patching Log4j
The crucial strategic lessons overlooked by enterprises dealing with the recently reported Log4j vulnerability.
Not Just Buckets: Are You Aware of ALL Your Public Resources?
A misconfiguration of resource based policies can inadvertently make resources public. Do you have such misconfigured policies present in your environment?
How Smart Secrets Storage Can Help You Avoid Cloud Security Risks
The not-so-sensitive locations that may tempt you when storing sensitive information -- why to avoid them and how
The Urgent Threat of Ransomware to S3 Buckets Due to Misconfigurations
Misconfigurations that can lead to S3 ransomware exposure and the mitigation tools you can leverage to prevent it
Five Strategies for Mitigating Your S3 Misconfiguration Ransomware Threat
Detailed steps for better ransomware protection of your AWS environment
The AWS Shared Responsibility Model: Everything You Need to Know
What the Shared Responsibility model means, its many challenges & how to protect your cloud infrastructure.
AWS Resource Provisioning with Attribute Based Access Control (ABAC) – What You Need To Know
What to pay attention to when using ABAC in order to avoid unnecessary security gaps.
AWS Condition Context Keys for Reducing Risk
A Least Privilege cheat sheet on using AWS global condition context keys to achieve least privilege.
Least Privilege Policy: Automated Analysis Trumps Native AWS Tools
AWS methods for granting & controlling access, plus native tools for detecting & repairing excessive permissions.
AWS’s Access Analyzer Preview Access is Great — But Is It Enough?
Learn the ins and outs of the preview access capability in Access Analyzer.
Keep Your IAM Users Close, Keep Your Third Parties Even Closer
An in-depth review on third-party access configuration and control with IAM permissions
Auditing IAM PassRole: A Problematic Privilege Escalation Permission
How to determine which identities need iam:PassRole to help enforce “use it or lose it” least-privilege.
The AWS Managed Policies Trap
The “AWS Managed Policies Trap” and how to escape using automated analysis of environment configuration and activity logs.
Who Holds the Keys to the Kingdom? (Part 2 of 2)
Part 2 takes a look at sensitive AWS Resources – secret strings and keys used in AWS.
Who Holds the Keys to the Kingdom? (Part 1 of 2)
Part 1 of a series takes a look at sensitive AWS Resources - secret strings and keys used in AWS.
AWS Identity Federation and Least Privilege – Friends or Foes?
How to address the challenges in basic and advanced implementations of AWS federation.