IAM Pulse Check #16 - Happenings

Researchers breaking the cloud like gangbusters

Read Issue on Revue
IAM Pulse Check #16 - Happenings

Hey folks,

Well, it sure has been a week in cloud security land… which is becoming quite the evergreen statement. Research teams keep finding major vulnerabilities across the major providers, sparking all sorts of grandiose claims and spirited debates online. What is happening?! I have nothing to posture other than acknowledging that cloud environments are getting increasingly more complex, and the surface area too deep and wide to reason with.

Every major cloud provider is a builder, seller, and consumer of their services. The scope of the offering has been far too complex for your average outsider to fully grasp, but it’s increasingly far too complex for even insiders. With a near infinite possible combination of configurations, things are bound to go wrong. Teams are getting better at handling these complexities, but so are the researchers. More importantly, so are the attackers.When there’s no customer impact, and newly found zero days get address quickly and effectively, you can sigh a bit of relief knowing that red & blue teams working in concert with providers are a net-positive for the strength and stability of the cloud offerings themselves. When there is customer impact, there’s a reasonable collective freakout. Either way, there’s always the lingering thought of, “well, what’s next?” You can safely assume there will be a next, but at who’s hands and at what measure?

Keeps things interesting, that’s for sure!

Cheers,

Ivan

IAM reading from the community...

AWS IAM: The challenge | IAM Pulse

Community member Bhupender Singh from Opstree kicks off a blog series introducing the fundamentals of AWS IAM, pointing out a few of the reasons why it’s such a hard domain to tackle. I look forward to his follow up articles with Terraform examples.

Terraform Dynamic IAM Policy Construction | IAM Pulse

Revisiting this excellent article contributed by Kyler Middleton, who joined our team last week as our Cloud IAM Advocate. As a top notch community contributor, we’re excited and honored to have her on our team!

IAM checking these out...

10 real-world stories of how we’ve compromised CI/CD pipelines – NCC Group Research

CI/CD pipelines are one of the most difficult and often overlooked implementations of IAM to get right. On one hand, the intention is for automated services to be able to perform actions in your environments. On the other hand, the level of privilege and entrypoints for escalation are vast. Here’s a great deep dive article from the team at NCC Group, covering 10 scenarios.

AWS IAM explained for Red and Blue teams | by Security Shenanigans | InfoSec Write-ups

This article is from last year, but I just discovered it and it felt timely given the intro, so worth sharing again. Starting as an introductory piece, the focus quickly gets into exploitation paths and tools. If you’re inspired to run your own pentests, this is a great place to start.

Configure AWS SSO ABAC for EC2 instances and Systems Manager Session Manager | Amazon Web Services

Great technical guide from the AWS Security blog on defining ABAC permissions for federated users via AWS SSO. You can create more fine-grained permissions using directory attributes to control access to services like EC2 and Session Manager.

IAM listening to this...

Bobby Hutcherson – Happenings (1967, Vinyl) - Discogs

I’ve often thought that if I were to pick up an instrument later in life, it would be the vibraphone… assuming I have enough room in my house to fit one. The instrument has such a beautiful sound that always puts me in a trance. Top 5 vibes players in my book, and most people’s book is Bobby Hutcherson, who had a storied career on Blue Note. This one from 1967 boasts one of the coolest cover designs of the era to match the sounds. Includes an excellent cover of the Herbie Hancock classic, Maiden Voyage.

Get the IAM Pulse Check Newsletter

We send out a periodic newsletter full of tips & tricks, contributions from the community, commentary on the industry, relevant social posts, and more.

Checkout past issues for a sampling of the goods.