8 Principles for a Secure Cloud Environment
Metadata
- Author: omerxx@gmail.com
- Full Title: 8 Principles for a Secure Cloud Environment
- Category: #articles
- URL: https://omnivore.app/aleidk/8-principles-for-a-secure-cloud-environment-18f1fa5c54d
- Archive: https://web-archive.alecodes.page/bookmarks?bf=1&search=&title=8%20Principles%20for%20a%20Secure%20Cloud%20Environment
[!tldr] On July 15th, 2019, I messed up bad. Real bad. I wanted to finish a project quickly, and show a quick POC to a customer I was working with. To make a long story short, I pushed a container, to a public repo, containing admin credentials to an AWS account.
Highlights
CISO BS.
Note
In "8 Principles For a Secure Cloud Environment," the term "CISO" refers to the Chief Information Security Officer, a role responsible for overseeing and ensuring the security of an organization's information and systems. The author implies that some principles may be perceived as excessive or overly cautious, often dismissed as "CISO BS," yet emphasizes their importance based on personal experiences with security incidents. Ultimately, the mention of CISO highlights the necessity of adopting robust security practices to mitigate risks in cloud environments, regardless of differing opinions on their complexity.
Key resources should only be placed in private subnets, effectively isolating them from direct internet access and reducing vulnerability.
The sharing of SSH keys is a common security pitfall.
Utilize a dedicated secret manager to securely store and handle access to these sensitive elements, ensuring they’re encrypted and accessible only to those who truly need them.
Implement a routine where every merge commit is scanned for secret leaks and vulnerabilities using tools like gitleaks. Establish strict policies to halt deployments if issues are found in the codebase or in the container images during CI. Don’t have a CI in place yet? 1. Do it! 2. Run these locally before EVERY push.
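The gate this highlight describes, as an added example (not code from the original article or from gitleaks): scan only the lines a merge commit adds, fail the step when a credential pattern or a high-entropy blob is found, and let CI (or a local pre-push hook) stop on a non-zero exit. The three rules, the 4.0 bits/char entropy threshold and the `merge_commit_diff` helper are assumptions chosen for illustration; the sample diffs are constructed, and the credential values in them are the placeholder examples AWS uses in its own documentation.

```python
import math
import re
import subprocess

# Simplified versions of the kinds of rules gitleaks ships; assumption: these three
# plus an entropy check are enough to illustrate the gate, not a complete rule set.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
TOKEN = re.compile(r"[A-Za-z0-9/+=_-]{32,}")   # candidate blobs for the entropy check
ENTROPY_THRESHOLD = 4.0                        # bits/char; base64-like keys sit above this


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_diff(diff_text):
    """Scan only the lines a diff ADDS ('+' lines, excluding the '+++' file header),
    so a merge is judged on what it introduces. Returns one finding per match:
    {'rule', 'line', 'match'} with 'line' counted within the diff text."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        covered = []   # spans already reported by a named rule
        for rule, pattern in RULES.items():
            for m in pattern.finditer(content):
                findings.append({"rule": rule, "line": lineno, "match": m.group(0)})
                covered.append(m.span())
        for m in TOKEN.finditer(content):
            overlaps = any(s <= m.start() < e or s < m.end() <= e for s, e in covered)
            if not overlaps and shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append({"rule": "high_entropy", "line": lineno, "match": m.group(0)})
    return findings


def gate(diff_text):
    """True when the diff is clean; the CI step exits non-zero (halting the deploy) otherwise."""
    return not scan_diff(diff_text)


def merge_commit_diff(ref="HEAD"):
    """Patch introduced by one commit; `--format=` drops the commit header so only the
    diff is scanned. Assumption: git is installed and this runs inside the repository."""
    out = subprocess.run(["git", "show", "--format=", "-p", ref],
                         check=True, capture_output=True, text=True)
    return out.stdout


# Constructed sample diffs. The credential values are the placeholder examples AWS uses
# in its own documentation, not live keys.
LEAKY_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,4 @@
 import boto3
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 session = boto3.Session()
"""

CLEAN_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,3 @@
 import boto3
+# credentials come from the instance role / secret manager, never from source
 session = boto3.Session()
"""

if __name__ == "__main__":
    import sys
    # `python scan.py <commit>` scans a real commit; with no argument the constructed leaky diff is used
    diff = merge_commit_diff(sys.argv[1]) if len(sys.argv) > 1 else LEAKY_DIFF
    for f in scan_diff(diff):
        print(f"line {f['line']}: {f['rule']}: {f['match']}")
    sys.exit(0 if gate(diff) else 1)
```

Scanning only added lines keeps the gate fast and focused on the merge under review; a full-history scan (what gitleaks does by default) is still worth running once, because a secret committed and later deleted remains in the repository's objects until it is rotated.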
Move away from traditional firewall-based security for accessing internal systems remotely. Instead, adopt a VPN or, ideally, a Zero Trust framework.
Regularly reviewing your cloud bills can help you identify unused or forgotten resources and even expose potential security threats.
Deploying a WAF can provide a critical defense layer against numerous web-based threats. The default set of rules can cover 80% of randomly sent malicious query attempts which you can then tweak over time to block additional potentially harmful requests.
Consider deploying containers that lack any form of shell environment. Building your containers with containers starting with FROM: scratch ensures that only the essential application binaries are running, thereby hardening your containers against simple intrusion attempts.
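A CI policy check that enforces the "no shell in the image" principle, as an added example (not code from the original article; the Dockerfile instruction it assumes is `FROM scratch`). It reads the tarball `docker save` writes (a `manifest.json` listing layer tars in order), replays the layers while honouring whiteout entries, and reports any shell binary still present in the final filesystem. The `SHELL_PATHS` list is an assumption to extend for your base images, and the three sample images are constructed in memory so the check runs offline.

```python
import io
import json
import tarfile

# Paths a shell usually lives at inside an image; assumption for this check, extend
# for your base images (a FROM scratch image contains none of these).
SHELL_PATHS = {
    "bin/sh", "bin/bash", "bin/ash", "bin/dash", "bin/zsh", "bin/busybox",
    "usr/bin/sh", "usr/bin/bash", "usr/bin/dash", "usr/bin/zsh", "usr/bin/busybox",
}


def _normalize(name):
    """Layer tars may store entries as './bin/sh', '/bin/sh' or 'bin/sh'."""
    while name.startswith("./"):
        name = name[2:]
    return name.strip("/")


def image_files(image_bytes):
    """Replay the layers of a `docker save` tarball in manifest order and return the
    set of paths in the final filesystem. Whiteouts are honoured: '.wh.<name>'
    deletes one entry (and anything below it), '.wh..wh..opq' empties a directory."""
    present = set()
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            layer_bytes = image.extractfile(layer_name).read()
            # default mode 'r' transparently handles plain, gzip, bz2 and xz layer tars
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                for member in layer.getmembers():
                    path = _normalize(member.name)
                    parent, _, base = path.rpartition("/")
                    prefix = parent + "/" if parent else ""
                    if base == ".wh..wh..opq":
                        present = {p for p in present if not p.startswith(prefix)}
                    elif base.startswith(".wh."):
                        target = prefix + base[len(".wh."):]
                        present = {p for p in present
                                   if p != target and not p.startswith(target + "/")}
                    else:
                        present.add(path)
    return present


def find_shells(image_bytes):
    """Shell binaries reachable in the image, sorted; an empty list passes the policy."""
    return sorted(p for p in image_files(image_bytes) if p in SHELL_PATHS)


def _tar_of(entries):
    """Constructed helper: build an in-memory tar from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, data in entries.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_image(layers):
    """Constructed helper: wrap layer tars in a minimal `docker save`-style tarball."""
    names = [f"layer{i}/layer.tar" for i in range(len(layers))]
    entries = dict(zip(names, layers))
    manifest = [{"Config": "config.json", "RepoTags": ["demo:latest"], "Layers": names}]
    entries["manifest.json"] = json.dumps(manifest).encode()
    return _tar_of(entries)


# Constructed sample images (not real base images):
DEBIAN_STYLE = build_image([_tar_of({"bin/sh": b"ELF...", "usr/bin/app": b"ELF..."})])
SCRATCH_STYLE = build_image([_tar_of({"app": b"ELF..."})])        # FROM scratch + one binary
SHELL_REMOVED = build_image([_tar_of({"bin/sh": b"ELF..."}),      # base layer ships a shell
                             _tar_of({"bin/.wh.sh": b""})])       # later layer deletes it

if __name__ == "__main__":
    import sys
    # `python no_shell_check.py image.tar` checks a real `docker save` output
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            shells = find_shells(f.read())
    else:
        shells = find_shells(DEBIAN_STYLE)
    print(f"FAIL: shell found: {shells}" if shells else "PASS: no shell in image")
    sys.exit(1 if shells else 0)
```

Replaying whiteouts matters: a `RUN rm /bin/sh` in a later layer removes the shell from the final filesystem, so a naive scan of every layer tar would wrongly fail that image, while a scan of only the last layer would wrongly pass an image whose base layer still ships one.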
