@MelloIocus
Forked from chanj/AWS Security Resources
Created July 31, 2017 04:49
AWS Security Resources
INTRO
I get asked regularly for good resources on AWS security. This gist collects some of these resources (docs, blogs, talks, open source tools, etc.). Feel free to suggest and contribute.
Short Link: http://tiny.cc/awssecurity
Official AWS Security Resources
* Security Blog - http://blogs.aws.amazon.com/security/
* Security Advisories - http://aws.amazon.com/security/security-bulletins/
* Security Whitepaper (AWS Security Processes/Practices) - http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
* Security Best Practices Whitepaper - http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
* Risk and Compliance Whitepaper - http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf
* Security Center - http://aws.amazon.com/security/
* Compliance Center - http://aws.amazon.com/compliance/
* Policy Generator (auto build S3, IAM, etc. policies) - http://awspolicygen.s3.amazonaws.com/policygen.html
* IAM Policy Simulator - http://docs.aws.amazon.com/IAM/latest/UsingPolicySimulatorGuide/iam-policy-simulator-guide.html
* IAM Best Practices - http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html
* EC2 Resource-Level Permissions - http://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-Resource-Level-Permissions
Other Relevant Official AWS Resources
* YouTube Channel (re:Invent talks, etc.) - https://www.youtube.com/channel/UCd6MoB9NC6uYN2grvUNT-Zg
* AWS Blog - http://aws.amazon.com/blogs/aws/
* AWS Documentation - https://aws.amazon.com/documentation/
* Discussion Forums - https://forums.aws.amazon.com/index.jspa
Some of my Talks and Slides on AWS and Cloud Security
* AppSecUSA 2012 Real World Cloud Security - http://vimeo.com/54157394
* LASCON 2013 Alternate Approaches to Product Security - http://vimeo.com/79778836
* SAINTCON 2014 AWS Security Training - http://www.slideshare.net/jason_chan/amazon-web-services-security
* Slideshare page (lots of AWS and cloud security talks) - http://www.slideshare.net/jason_chan
Other Relevant AWS and Cloud Security Talks
* Kevin Glisson (Netflix) AppSecUSA 2014 Monterey (inventory/testing system on AWS) - https://www.youtube.com/watch?v=BKJL0s8Ocqs
* Ben Hagen (Netflix) AppSecUSA 2014 Cloud Security - https://www.youtube.com/watch?v=Q1wnjQ9Khdo
* Erik Peterson (Veracode) AppSecUSA 2014 Attacking Amazon - https://www.youtube.com/watch?v=y8nftRzbiXk
* Jay Zarfoss (Netflix) Cloud Security @ Netflix - http://www.slideshare.net/zarfide/cloud-security-at-netflix-october-2013
* Alex Stamos (Yahoo!) Building Cloud Security from Scratch re:Invent 2012 - https://www.youtube.com/watch?v=U4hdPpDpsMw
* Jonathan Chittenden (iSEC Partners) AppSec 2012 AWS Scout - https://www.youtube.com/watch?v=GCnlFlq1-nw
AWS Security Tools
* Security Monkey (Netflix OSS tool for monitoring AWS security configuration) - https://github.com/Netflix/security_monkey
* Reddalert (Prezi OSS tool for monitoring/alerting on top of Edda) - https://github.com/prezi/reddalert
* Nimbostratus (tools for fingerprinting/exploiting AWS infrastructures) - http://andresriancho.github.io/nimbostratus/
* Edda (Netflix OSS tool for tracking AWS changes) - https://github.com/Netflix/edda
* Securosis' Security Squirrel (POC cloud/secops automation suite) - https://github.com/Securosis/SecuritySquirrel
* iSEC Partners' AWS Scout and Scout2 (IAM, EC2, S3 auditing) - https://github.com/iSECPartners/scout, https://github.com/iSECPartners/Scout2
* CloudSploit (AWS security auditing and evaluation) - https://github.com/cloudsploit/scans
Other Resources
* Nag Medida's (Netflix) collection of AWS hacks - https://github.com/nagwww
* Nag Medida's (Netflix) blog - 25 tips for securing AWS - http://palakonda.org/2014/06/24/aws-security-25-tips-for-securing-aws/
* Reddit's AWS subreddit - https://www.reddit.com/r/aws
Useful/Interesting Individual Posts and Articles
* Instagram Engineering's Post #1 on EC2->VPC->FB Migration - http://instagram-engineering.tumblr.com/post/89992572022/migrating-aws-fb
* Instagram Engineering's Post #2 on EC2->VPC->FB Migration (Neti OSS release) - http://instagram-engineering.tumblr.com/post/100758229719/migrating-from-aws-to-aws