AWS Security Resources
INTRO

I get asked regularly for good resources on AWS security. This gist collects some of these resources (docs, blogs, talks, open source tools, etc.). Feel free to suggest and contribute.

Short Link: http://tiny.cc/awssecurity

Official AWS Security Resources

* Security Blog - http://blogs.aws.amazon.com/security/
* Security Advisories - http://aws.amazon.com/security/security-bulletins/
* Security Whitepaper (AWS Security Processes/Practices) - http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
* Security Best Practices Whitepaper - http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
* Risk and Compliance Whitepaper - http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf
* Security Center - http://aws.amazon.com/security/
* Compliance Center - http://aws.amazon.com/compliance/
* Policy Generator (auto build S3, IAM, etc. policies) - http://awspolicygen.s3.amazonaws.com/policygen.html
* IAM Policy Simulator - http://docs.aws.amazon.com/IAM/latest/UsingPolicySimulatorGuide/iam-policy-simulator-guide.html
* IAM Best Practices - http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html
* EC2 Resource-Level Permissions - http://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-Resource-Level-Permissions

Other Relevant Official AWS Resources

* YouTube Channel (RE:Invent talks, etc.) - https://www.youtube.com/channel/UCd6MoB9NC6uYN2grvUNT-Zg
* AWS Blog - http://aws.amazon.com/blogs/aws/
* AWS Documentation - https://aws.amazon.com/documentation/
* Discussion Forums - https://forums.aws.amazon.com/index.jspa

Some of my Talks and Slides on AWS and Cloud Security

* AppSecUSA 2012 Real World Cloud Security - http://vimeo.com/54157394
* LASCON 2013 Alternate Approaches to Product Security - http://vimeo.com/79778836
* SAINTCON 2014 AWS Security Training - http://www.slideshare.net/jason_chan/amazon-web-services-security
* Slideshare page (lots of AWS and cloud security talks) - http://www.slideshare.net/jason_chan

Other Relevant AWS and Cloud Security Talks

* Kevin Glisson (Netflix) AppSecUSA 2014 Monterey (inventory/testing system on AWS) - https://www.youtube.com/watch?v=BKJL0s8Ocqs
* Ben Hagen (Netflix) AppSecUSA 2014 Cloud Security - https://www.youtube.com/watch?v=Q1wnjQ9Khdo
* Erik Peterson (Veracode) AppSecUSA 2014 Attacking Amazon - https://www.youtube.com/watch?v=y8nftRzbiXk
* Jay Zarfoss (Netflix) Cloud Security @ Netflix - http://www.slideshare.net/zarfide/cloud-security-at-netflix-october-2013
* Alex Stamos (Yahoo!) Building Cloud Security from Scratch RE:Invent 2012 - https://www.youtube.com/watch?v=U4hdPpDpsMw
* Jonathan Chittenden (iSEC Partners) AppSec 2012 AWS Scout - https://www.youtube.com/watch?v=GCnlFlq1-nw

AWS Security Tools

* Security Monkey (Netflix OSS tool for monitoring AWS security configuration) - https://github.com/Netflix/security_monkey
* Reddalert (Prezi OSS tool for monitoring/alerting on top of Edda) - https://github.com/prezi/reddalert
* Nimbostratus (tools for fingerprinting/exploiting AWS infrastructures) - http://andresriancho.github.io/nimbostratus/
* Edda (Netflix OSS tool for tracking AWS changes) - https://github.com/Netflix/edda
* Securosis' Security Squirrel (POC cloud/secops automation suite) - https://github.com/Securosis/SecuritySquirrel
* iSEC Partners' AWS Scout and Scout2 (IAM, EC2, S3 auditing) - https://github.com/iSECPartners/scout, https://github.com/iSECPartners/Scout2
* CloudSploit (AWS security auditing and evaluation) - https://github.com/cloudsploit/scans

Other Resources

* Nag Medida's (Netflix) collection of AWS hacks - https://github.com/nagwww
* Nag Medida's (Netflix) blog - 25 tips for securing AWS - http://palakonda.org/2014/06/24/aws-security-25-tips-for-securing-aws/
* Reddit's AWS subreddit - https://www.reddit.com/r/aws

Useful/Interesting Individual Posts and Articles

* Instagram Engineering's Post #1 on EC2->VPC->FB Migration - http://instagram-engineering.tumblr.com/post/89992572022/migrating-aws-fb
* Instagram Engineering's Post #2 on EC2->VPC->FB Migration (Neti OSS release) - http://instagram-engineering.tumblr.com/post/100758229719/migrating-from-aws-to-aws