Skip to content

pfilourenco/cloud-security-goodies

Folders and files

NameName
Last commit message
Last commit date

Latest commit

ย 

History

15 Commits
ย 
ย 
ย 
ย 
ย 
ย 

Repository files navigation

๐Ÿ›ก๏ธ Cloud Security Goodies ๐Ÿ›ก๏ธ

Dive into this stash of cool stuff all about keeping your cloud stuff safe! From hacks to protect your AWS secrets to making Azure less grumpy, we've got your back. Whether you're a cloud wizard or just getting started, find tips, tools, and laughs to level up your cloud security game. Join the party, share your tricks, and let's keep the cloud vibes secure and chill!

Table of contents:

Reading Resources ๐Ÿ“–

Link Description
Cloud Sec Docs CloudSecDocs is a website collecting and sharing technical notes and knowledge on cloud-native technologies, security, technical leadership, and engineering culture.
Cloud Security Roadmap Template Micro-website contains the full list of controls (95 as of today) that can be rolled out to establish a cloud security program aimed at protecting a cloud native, service provider agnostic, container-based, offering.
Infrastructure Review Micro-website contains the list of questions that can be asked while reviewing the security architecture of a multi-cloud SaaS company and finding its most critical components.
Cloud Hacktricks Wiki where you will find each hacking trick/technique/whatever.
Cloud Sec Wiki Cloud Security Wiki is an initiative to provide all Cloud security related resources to Security Researchers and developers at one place.
Hacking The Cloud Hacking the cloud is an encyclopedia of the attacks/tactics/techniques that offensive security professionals can use on their next cloud exploitation adventure.
Book Hacktricks Page where you will find each hacking trick/technique/whatever related to CI/CD & Cloud.

AWS ๐Ÿงก

Link Description
AWS Security Incident Response Guide This guide presents an overview of the fundamentals of responding to security incidents within a customerโ€™s Amazon Web Services (AWS) Cloud environment.
AWS Security Maturity Model This model will help you prioritize recommended actions to strengthen your security posture at every stage of your journey to the cloud.
AWS Security Maturity Roadmap 2021 To give companies a series or actionable steps to improve the security of their AWS environments.
AWS Security Mind Map AWS Security Mind Map.
AWS Security Reference Architecture The AWS Security Reference Architecture.
AWS Security Survival Kit Elevate your AWS Security with basic alerting.
Effective IAM for AWS Effective IAM for Amazon Web Services is for Cloud engineers who design, develop, and review AWS IAM security policies in their daily work.

GCP ๐Ÿ’›

Link Description
GCP Enterprise Foundations Blueprint This document describes the best practices that let you deploy a foundational set of resources in Google Cloud.
GCP Incident Response Poster GCP Forensics Poster.
GCP Security Foundations Blueprint An enterprise solution that includes Google Cloud recommended products and security capabilities to help organizations achieve a strong security posture and protections for their Google Cloud environment.
GCP Security Overview This document describes GCP approach to security, privacy, and compliance.

Azure ๐Ÿ’™

Link Description
Azure Security Architect Mind Map High-level view and quick insights about what is available and how to choose between the different services according to some functional needs.
Azure Security Benchmark Foundation Provides a set of baseline infrastructure patterns to help you build a secure and compliant Azure environment.
Azure Attack Paths Show how different services and permissions can lead to a vulnerable environment.

Newsletters ๐Ÿ“ข

Link Description
CloudSecList CloudSecList is the best way to stay on top of the cloud security landscape without being overwhelmed by all the noise.
Security Pills The Security Pills Newsletter is a hand curated list that brings you the news, latest research, tips, and vulnerabilities focused to the appsec and smart contract landscape.
tl;dr sec The best way to keep up with cybersecurity research.

Blogs ๐ŸŽž

Link Description
AWS Security Official AWS Security blog.
Azure Security Official Azure Security blog.
Darkreading Cloud Security Official Darkreading Cloud Secuirty blog.
DATADOG Official DATADOG blog.
GCP Security Official GCP Security blog.
Marco Lancini Marco Lancini blog.
ORCA Official ORCA blog.
RHINO Secuirty Labs Official RHINO Secuirty Labs blog.
WIZ Official WIZ blog.

Conferences โœˆ

Link Description
CloudNativeSecurityCon CloudNativeSecurityCon is a two-day event designed to foster collaboration, discussion and knowledge sharing of cloud native security projects and how to best use these to address security challenges and opportunities.
fwd:cloudsec fwd:cloudsec is a non-profit conference on cloud security.

Podcasts ๐ŸŽง

Link Description
WIZ - crying-out-cloud Podcast & newsletter by cloud security pros, for cloud security pros.
Cloud Security Podcast by Google The Cloud Security Podcast from Google is a weekly news and interview show with insights from the cloud security community.
Cloud Security Podcast A Top 10 Award Winning Media Company with the largest Cloud Security Leaders and Practitioners audience around the globe.
Expert Insights Podcast The Experts Insights Podcast brings you insights and knowledge from cybersecurity and technology experts. Each episode, we conduct in-depth interviews with top cybersecurity leaders from leading vendors, practitioners and security teams.
Azure DevOps Podcast
Security Now
The Hacker Mind The Hacker Mind is an original podcast from the makers of Mayhem Security. Itโ€™s the stories from the individuals behind the hacks youโ€™ve read about.

Databases ๐Ÿ”ฅ

Link Description
Cloud Threat Landscape A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques. Powered by Wiz Research.

Tools ๐Ÿ› 

Link Description
Amazon GuardDuty Tester This repository contains scripts and guidance that can be used as a proof-of-concept to generate Amazon GuardDuty findings related to real AWS resources.
Atomic Red Team Atomic Red Teamโ„ข is a library of tests mapped to the MITRE ATT&CKยฎ framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments.
AWSealion AWSealion is a CLI tool designed to work as a plugin for the AWS CLI to be used by pentesters and security enthusiasts in both professional and CTF settings.
AzureHound The BloodHound data collector for Microsoft Azure
ccat Cloud Container Attack Tool.
Cloud Enum Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud.
CloudBrute A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode). The outcome is useful for bug bounty hunters, red teamers, and penetration testers alike.
cloudfox CloudFox helps you gain situational awareness in unfamiliar cloud environments. Itโ€™s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure.
cloudlist Cloudlist is a multi-cloud tool for getting Assets from Cloud Providers.
Gato Github Attack TOolkit
Leonidas A framework for executing attacker actions in the cloud.
MicroBurst MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping.
pacu Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments.
ScoutSuite Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
Status Red Team Stratus Red Team is "Atomic Red Teamโ„ข" for the cloud, allowing to emulate offensive attack techniques in a granular and self-contained manner.
The DeRF DeRF (Detection Replay Framework) is an "Attacks As A Service" framework, allowing the emulation of offensive techniques and generation of repeatable detection samples from a UI - without the need for End Users to install software, use the CLI or possess credentials in the target environment.

GOATs ๐Ÿ

Link Description
Azure Goat A Damn Vulnerable Azure Infrastructure.
CloudFoxable An intentionally vulnerable Amazon Web Services (AWS) environment.
CloudGoat A vulnerable by design Amazon Web Services (AWS) deployment tool.
CloudSec Tidbits Infrastructure as Code (IaC) laboratory reproducing interesting pentest findings by DoyenSec.
CNAPPGoat CNAPPgoat is a multi-cloud, vulnerable-by-design environment deployment tool โ€“ specifically engineered to facilitate practice arenas for defenders and pentesters.
CONVEX An open-source CTF platform that lets you spin up CTF events in your Microsoft Azure environment.
Damn Vulnerable Cloud Application an intentionally vulnerable cloud application to teach privilege escalation on Amazon Web Services (AWS).
EKS Cluster Games A hosted Wiz-sponsored AWS EKS based CTF.
FLAWS A CTF site based on common mistakes and gotchas when using Amazon Web Services (AWS).
FLAWS2 The sequel to the flAWS.cloud CTF site with both an Attacker and Defender track using Amazon Web Services (AWS).
GCP Goat An intentionally vulnerable GCP environment to learn and practice GCP security.
IAM Vulnerable Use Terraform to deploy IAM resources to learn how to identify and exploit vulnerable IAM configurations.
Lambhack A vulnerable serverless Amazon Web Services (AWS) lambda application.
S3 CTF Challenges A series of challenges focusing on Amazon Web Services (AWS) S3 misconfigurations.
Sadcloud Tool for spinning up insecure AWS infrastructure with Terraform.
ServerlessGoat An Amazon Web Services (AWS) serverless application that demonstrates common serverless security flaws.
TerraGoat Bridgecrew's "Vulnerable by Design" Terraform repository.
The Big IAM Challenge by Wiz A hosted Identity and Access Management (IAM) based CTF.
Thunder CTF A CTF site based on attacking vulnerable cloud projects on Google Cloud Platform (GCP).
WrongSecrets A vulnerable app which demonstrates how to not use secrets. With AWS/Azure/GCP support.

Awesome Lists ๐Ÿš€

Link
https://github.com/4ndersonLin/awesome-cloud-security
https://github.com/CyberSecurityUP/Awesome-Cloud-PenTest
https://github.com/donnemartin/awesome-aws
https://github.com/Funkmyster/awesome-cloud-security
https://github.com/houey/awesome-service-control-policies
https://github.com/hysnsec/awesome-policy-as-code
https://github.com/iknowjason/Awesome-CloudSec-Labs
https://github.com/infralicious/awesome-service-control-policies
https://github.com/jassics/awesome-aws-security
https://github.com/kdeldycke/awesome-iam
https://github.com/kmcquade/awesome-azure-security
https://github.com/ksoclabs/awesome-kubernetes-security
https://github.com/Kyuu-Ji/Awesome-Azure-Pentest
https://github.com/magnologan/awesome-k8s-security
https://github.com/meirwah/awesome-incident-response
https://github.com/Metarget/awesome-cloud-native-security
https://github.com/NextSecurity/Awesome-Cloud-Security
https://github.com/paralax/awesome-honeypots
https://github.com/puresec/awesome-serverless-security
https://github.com/RyanJarv/awesome-cloud-sec
https://github.com/sottlmarek/DevSecOps
https://github.com/TaptuIT/awesome-devsecops

Certifications ๐Ÿ“š

Cloud Service Providers

Link
AWS Certified Security Specialty
Azure Security Engineer Associate
Google Professional Cloud Security Engineer

ISC2 - International Information System Security Certification Consortium

Link
CCSP - Certified Cloud Security Professional

CSA - Cloud Security Alliance

Link
CCSK - Certificate of Cloud Security Knowledge
CCAK - Certificate of Cloud Auditing Knowledge

Comptia

Link
CompTIA Cloud+

Kubernetes

Link
Certified Kubernetes Security Specialist (CKS)