| Follow @lancinimarco

Continuous Visibility into Ephemeral Cloud Environments

A collection of resources and tutorials for providing continuous visibility into ephemeral cloud environments.

This is the high-level outline of the different sections:

What cloud resources are needed, and how to define them in a manner that safely allows a tool to perform a security audit across a fleet of AWS accounts/GCP projects.

    • AWS Setup
      1. Resource Definition
        1. Setup Role role-security-audit in every account
        2. Setup Role role-security-assume in Hub account
        3. Setup User user-security-audit in Hub account
      2. Setup Tooling for Cross-Account Auditing
        1. Setup ~/.aws/credentials
        2. Setup ~/.aws/config
    • GCP Setup
      1. Resource Definition
      2. Setup Tooling for Cross-Account Auditing

How to leverage Cartography to detect, identify, categorize, and visualize all the assets being deployed in your estate.

    • The Challenges Posed by Ephemeral Environments
    • Enter Cartography
      1. Cartography's Value Proposition
    • Real World Setup
      1. Multi-Cloud Auditing
        1. Access Configuration: AWS IAM
        2. Access Configuration: GCP IAM
      2. Deployment on Kubernetes
        1. Neo4j Deployment
        2. Cartography Deployment
    • Data Consumption
      1. The Basics: Neo4j Browser
      2. The Automation: Programmatic Analysis
        1. Custom Query Format
        2. Creation of New Queries
        3. Query Manager
      3. Repeatability: Jupyter Notebooks
        1. Code Structure
        2. Run Notebooks
        3. Upgrade to Dashboards

How to leverage Cartography and Elasticsearch to continuously monitor all cloud assets in your estate and alert on any instance of drift.

    • Multi-Cloud Auditing with Cartography
    • Elasticsearch Integration
      1. High Level Setup
      2. Deployment on Kubernetes
        1. Ingestor Deployment
        2. Elasticsearch Deployment
      3. Data Consumption: Kibana
    • Drift Detection
      1. Drift Detection with Elasticsearch
      2. Elastalert Alerts (Slack and Jira)

How to setup Domain-Wide Delegation of Authority in GSuite.

    • The Need for Domain-Wide Delegation of Authority
    • Process
      1. 1️⃣️ Create an Account in GSuite
      2. 2️⃣️ Create a Service Account in GCP

How to design a state of the art multi-account security logging platform in AWS.

    • Problem Statement
    • Which Services Can We Leverage?
      1. CloudTrail
      2. CloudWatch
      3. GuardDuty
      4. Config
      5. Access Logs
    • State of the Art Security Logging Platform in AWS
      1. Collection
      2. Delivery
      3. Long-Term Storage and Audit Trail
      4. Monitoring and Alerting

About

Hi, I'm Marco Lancini. I'm a Security Engineer, mainly interested in cloud native technologies and security...  [read more] 

Buy me a coffeeBuy me a coffee

Sponsor

CloudSec* Projects

 CloudSecList  CloudSecDocs

Collections

Continuous Visibility into Ephemeral Cloud Environments
Kubernetes Primer for Security Professionals
Offensive Infrastructure with Modern Technologies

Must Read

Security Logging in Cloud Environments - AWS
Tracking Moving Clouds: How to continuously track cloud assets with Cartography
So I Heard You Want to Learn Kafka
The Current State of Kubernetes Threat Modelling
Mapping Moving Clouds: How to stay on top of your ephemeral environments with Cartography
Cross Account Auditing in AWS and GCP
Red Teaming Mind Map from The Hacker Playbook 3
So I Heard You Want to Learn Kubernetes
Offensive ELK: Elasticsearch for Offensive Security

Recent Articles

A Quick Look at GKE Autopilot (in 15 minutes)
Security Logging in Cloud Environments - AWS
Semgrep for Cloud Security
Introducing CloudSecDocs.com
Domain-Wide Delegation of Authority in GSuite

Tags

Twitter Feed