Dive into this stash of cool stuff all about keeping your cloud stuff safe! From hacks to protect your AWS secrets to making Azure less grumpy, we've got your back. Whether you're a cloud wizard or just getting started, find tips, tools, and laughs to level up your cloud security game. Join the party, share your tricks, and let's keep the cloud vibes secure and chill!
Table of contents:
- Cloud Security Goodies 🛡️
- Reading Resources 📖
- Newsletters 📢
- Blogs 🎞
- Conferences ✈
- Podcasts 🎧
- Databases 🔥
- Tools 🛠
- Awesome Lists 🚀
- Certifications 📚

## Cloud Security Goodies 🛡️

Link | Description |
---|---|
Cloud Sec Docs | CloudSecDocs is a website collecting and sharing technical notes and knowledge on cloud-native technologies, security, technical leadership, and engineering culture. |
Cloud Security Roadmap Template | Micro-website contains the full list of controls (95 as of today) that can be rolled out to establish a cloud security program aimed at protecting a cloud native, service provider agnostic, container-based, offering. |
Infrastructure Review | Micro-website contains the list of questions that can be asked while reviewing the security architecture of a multi-cloud SaaS company and finding its most critical components. |
Cloud Hacktricks | Wiki where you will find each hacking trick/technique/whatever. |
Cloud Sec Wiki | Cloud Security Wiki is an initiative to provide all Cloud security related resources to Security Researchers and developers at one place. |
Hacking The Cloud | Hacking the cloud is an encyclopedia of the attacks/tactics/techniques that offensive security professionals can use on their next cloud exploitation adventure. |
Book Hacktricks | Page where you will find each hacking trick/technique/whatever related to CI/CD & Cloud. |

## Reading Resources 📖

### AWS

Link | Description |
---|---|
AWS Security Incident Response Guide | This guide presents an overview of the fundamentals of responding to security incidents within a customer’s Amazon Web Services (AWS) Cloud environment. |
AWS Security Maturity Model | This model will help you prioritize recommended actions to strengthen your security posture at every stage of your journey to the cloud. |
AWS Security Maturity Roadmap 2021 | Gives companies a series of actionable steps to improve the security of their AWS environments. |
AWS Security Mind Map | AWS Security Mind Map. |
AWS Security Reference Architecture | The AWS Security Reference Architecture. |
AWS Security Survival Kit | Elevate your AWS Security with basic alerting. |
Effective IAM for AWS | Effective IAM for Amazon Web Services is for Cloud engineers who design, develop, and review AWS IAM security policies in their daily work. |

### GCP

Link | Description |
---|---|
GCP Enterprise Foundations Blueprint | This document describes the best practices that let you deploy a foundational set of resources in Google Cloud. |
GCP Incident Response Poster | GCP Forensics Poster. |
GCP Security Foundations Blueprint | An enterprise solution that includes Google Cloud recommended products and security capabilities to help organizations achieve a strong security posture and protections for their Google Cloud environment. |
GCP Security Overview | This document describes Google Cloud's approach to security, privacy, and compliance. |

### Azure

Link | Description |
---|---|
Azure Security Architect Mind Map | High-level view and quick insights about what is available and how to choose between the different services according to some functional needs. |
Azure Security Benchmark Foundation | Provides a set of baseline infrastructure patterns to help you build a secure and compliant Azure environment. |
Azure Attack Paths | Shows how different services and permissions can lead to a vulnerable environment. |

## Newsletters 📢

Link | Description |
---|---|
CloudSecList | CloudSecList is the best way to stay on top of the cloud security landscape without being overwhelmed by all the noise. |
Security Pills | The Security Pills Newsletter is a hand-curated list that brings you the news, latest research, tips, and vulnerabilities focused on the appsec and smart contract landscape. |
tl;dr sec | The best way to keep up with cybersecurity research. |

## Blogs 🎞

Link | Description |
---|---|
AWS Security | Official AWS Security blog. |
Azure Security | Official Azure Security blog. |
Darkreading Cloud Security | Official Darkreading Cloud Security blog. |
DATADOG | Official DATADOG blog. |
GCP Security | Official GCP Security blog. |
Marco Lancini | Marco Lancini blog. |
ORCA | Official ORCA blog. |
RHINO Security Labs | Official RHINO Security Labs blog. |
WIZ | Official WIZ blog. |

## Conferences ✈

Link | Description |
---|---|
CloudNativeSecurityCon | CloudNativeSecurityCon is a two-day event designed to foster collaboration, discussion and knowledge sharing of cloud native security projects and how to best use these to address security challenges and opportunities. |
fwd:cloudsec | fwd:cloudsec is a non-profit conference on cloud security. |

## Podcasts 🎧

Link | Description |
---|---|
WIZ - crying-out-cloud | Podcast & newsletter by cloud security pros, for cloud security pros. |
Cloud Security Podcast by Google | The Cloud Security Podcast from Google is a weekly news and interview show with insights from the cloud security community. |
Cloud Security Podcast | A Top 10 Award Winning Media Company with the largest Cloud Security Leaders and Practitioners audience around the globe. |
Expert Insights Podcast | The Experts Insights Podcast brings you insights and knowledge from cybersecurity and technology experts. Each episode, we conduct in-depth interviews with top cybersecurity leaders from leading vendors, practitioners and security teams. |
Azure DevOps Podcast | |
Security Now | |
The Hacker Mind | The Hacker Mind is an original podcast from the makers of Mayhem Security. It’s the stories from the individuals behind the hacks you’ve read about. |

## Databases 🔥

Link | Description |
---|---|
Cloud Threat Landscape | A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques. Powered by Wiz Research. |

## Tools 🛠

Link | Description |
---|---|
Amazon GuardDuty Tester | This repository contains scripts and guidance that can be used as a proof-of-concept to generate Amazon GuardDuty findings related to real AWS resources. |
Atomic Red Team | Atomic Red Team™ is a library of tests mapped to the MITRE ATT&CK® framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments. |
AWSealion | AWSealion is a CLI tool designed to work as a plugin for the AWS CLI to be used by pentesters and security enthusiasts in both professional and CTF settings. |
AzureHound | The BloodHound data collector for Microsoft Azure |
ccat | Cloud Container Attack Tool. |
Cloud Enum | Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud. |
CloudBrute | A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode). The outcome is useful for bug bounty hunters, red teamers, and penetration testers alike. |
cloudfox | CloudFox helps you gain situational awareness in unfamiliar cloud environments. It’s an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure. |
cloudlist | Cloudlist is a multi-cloud tool for getting Assets from Cloud Providers. |
Gato | Github Attack TOolkit |
Leonidas | A framework for executing attacker actions in the cloud. |
MicroBurst | MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping. |
pacu | Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments. |
ScoutSuite | Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. |
Stratus Red Team | Stratus Red Team is "Atomic Red Team™" for the cloud, allowing you to emulate offensive attack techniques in a granular and self-contained manner. |
The DeRF | DeRF (Detection Replay Framework) is an "Attacks As A Service" framework, allowing the emulation of offensive techniques and the generation of repeatable detection samples from a UI, without the need for end users to install software, use the CLI, or possess credentials in the target environment. |

### Vulnerable-by-design environments and CTFs

Link | Description |
---|---|
Azure Goat | A Damn Vulnerable Azure Infrastructure. |
CloudFoxable | An intentionally vulnerable Amazon Web Services (AWS) environment. |
CloudGoat | A vulnerable by design Amazon Web Services (AWS) deployment tool. |
CloudSec Tidbits | Infrastructure as Code (IaC) laboratory reproducing interesting pentest findings by DoyenSec. |
CNAPPGoat | CNAPPgoat is a multi-cloud, vulnerable-by-design environment deployment tool – specifically engineered to facilitate practice arenas for defenders and pentesters. |
CONVEX | An open-source CTF platform that lets you spin up CTF events in your Microsoft Azure environment. |
Damn Vulnerable Cloud Application | An intentionally vulnerable cloud application to teach privilege escalation on Amazon Web Services (AWS). |
EKS Cluster Games | A hosted Wiz-sponsored AWS EKS based CTF. |
FLAWS | A CTF site based on common mistakes and gotchas when using Amazon Web Services (AWS). |
FLAWS2 | The sequel to the flAWS.cloud CTF site with both an Attacker and Defender track using Amazon Web Services (AWS). |
GCP Goat | An intentionally vulnerable GCP environment to learn and practice GCP security. |
IAM Vulnerable | Use Terraform to deploy IAM resources to learn how to identify and exploit vulnerable IAM configurations. |
Lambhack | A vulnerable serverless Amazon Web Services (AWS) lambda application. |
S3 CTF Challenges | A series of challenges focusing on Amazon Web Services (AWS) S3 misconfigurations. |
Sadcloud | Tool for spinning up insecure AWS infrastructure with Terraform. |
ServerlessGoat | An Amazon Web Services (AWS) serverless application that demonstrates common serverless security flaws. |
TerraGoat | Bridgecrew's "Vulnerable by Design" Terraform repository. |
The Big IAM Challenge by Wiz | A hosted Identity and Access Management (IAM) based CTF. |
Thunder CTF | A CTF site based on attacking vulnerable cloud projects on Google Cloud Platform (GCP). |
WrongSecrets | A vulnerable app which demonstrates how to not use secrets. With AWS/Azure/GCP support. |

## Certifications 📚

Link |
---|
AWS Certified Security Specialty |
Azure Security Engineer Associate |
Google Professional Cloud Security Engineer |

Link |
---|
CCSP - Certified Cloud Security Professional |

Link |
---|
CCSK - Certificate of Cloud Security Knowledge |
CCAK - Certificate of Cloud Auditing Knowledge |

Link |
---|
CompTIA Cloud+ |

Link |
---|
Certified Kubernetes Security Specialist (CKS) |