The state of ABAC on AWS (in 2024)
Scott Piper checked in on “The state of ABAC on AWS” back in 2020. Things are only a little better.
The inimitable Daniel Grzelak (dagrz) over at Plerion shared “15 ideas for cloud security research”
This is a short guide on how to use Steampipe to operationalize AWS Access Advisor.
Service Control Policies
On Sequoia Capital’s Crucible Moments podcast, PayPal co-founder Max Levchin recounted the company’s early struggle to combat fraud. Their breakthrough came ...
I previously shared four different AWS specific phishing attacks: Credential Phishing Device Authentication Phishing CloudFormation Stack Phishing A...
I recently stumbled on a surprising AWS Systems Manager Session Manager (SSM) default that can introduce risk, especially for customers using SSM’s Port Forwa...
I tried out RDS IAM Authentication. The environment follows common patterns, containing: An RDS Instance, deployed in a VPC, with Public Access disabled ...
Your company is rushing to build product features that use AI, how do you do that securely? A deep dive guide to securely building on top of AI APIs.
12/13/23: This post has been updated with details on leveraging Date Partitioning. 11/20/23: AWS has launched Date Partitioning for S3 Access Logs. I strongly...
AWS currently has somewhere between two- and three-hundred unique services, thirty-going-on-thirty-five regions and almost thirteen thousand unique APIs.
Every couple years I find myself needing to brush up on the risks and threat model of AWS Lambda.
In AWS Phishing: Four ways, I mentioned the potential for AWS SSO Device Authentication Phishing.
10/20/23: I’ve published a fifth phishing threat - AWS SES Phishing
A retrospective on 2022 in public cloud breaches, featuring thoughts from a conversation with Houston Hopkins and me.
The collected stories of Staff+ Security Engineers.
A client’s guide to buying and getting value from security services.
A meta-database collecting resources that compile lists of (security) incidents
Sometimes, things make their way into a Github repository that cannot be stored in that context. The common examples include credentials, secrets, and privat...
On June 4th, 2022 - I gave the talk “Buying Security: A Client’s Guide” at BSidesSF. I simultaneously released a guide on the same topic over on tldrsec. Bot...
On May 15th, 2022 I spoke on the OWASP DevSlop livestream, discussing the public catalog of AWS Customer Security Incidents I maintain, covering over twenty ...
On February 3rd, 2022 I published a blog post for Cedar, breaking down our security team values, and the process we ran to define them.
On August 23rd, 2021, I published a version of my Cloud Security Orienteering DEFCON Cloud Village talk with my friend Clint Gibler over at tl;dr sec. For po...
On August 8th, 2021, I gave a 40-minute talk at DEF CON Cloud Village. The details are recorded here for posterity.
On November 14th, 2020, I gave a 30-minute talk at BSidesCT. The details are recorded here for posterity.
On September 26th, 2020, I gave a 50-minute talk at BSides Boston. The details are recorded here for posterity.
Identity and Access Management (IAM) is a cornerstone of security. AWS IAM is the cloud provider’s native service for securely managing access to AWS resourc...
For posterity and discoverability, I’m syndicating all of my public work for NCC Group to this personal blog.
The CCSK is the Cloud Security Alliance’s Certificate of Cloud Security Knowledge. It is one of the top two cloud-agnostic security certifications, along wit...
I graduated from Northeastern University in 2018 with a Bachelor’s Degree in Computer Science, and a concentration in Cyber Operations. Only a year later, I ...
$ git blame
On November 9th, 2019, I gave a 50-minute talk at BSidesCT. The details are recorded here for posterity.
On October 19th, 2019, I gave a 4-hour workshop at Boston Application Security Conference (BASC), with my coworker Josh Dow (@0xJDow). The details are record...