@chanj
Last active June 21, 2021 09:49
AWS Security Resources
INTRO
I get asked regularly for good resources on AWS security. This gist collects some of these resources (docs, blogs, talks, open source tools, etc.). Feel free to suggest and contribute.
Short Link: http://tiny.cc/awssecurity
Official AWS Security Resources
* Security Blog - http://blogs.aws.amazon.com/security/
* Security Advisories - http://aws.amazon.com/security/security-bulletins/
* Security Whitepaper (AWS Security Processes/Practices) - http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
* Security Best Practices Whitepaper - http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
* Risk and Compliance Whitepaper - http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf
* Security Center - http://aws.amazon.com/security/
* Compliance Center - http://aws.amazon.com/compliance/
* Policy Generator (auto build S3, IAM, etc. policies) - http://awspolicygen.s3.amazonaws.com/policygen.html
* IAM Policy Simulator - http://docs.aws.amazon.com/IAM/latest/UsingPolicySimulatorGuide/iam-policy-simulator-guide.html
* IAM Best Practices - http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html
* EC2 Resource-Level Permissions - http://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-Resource-Level-Permissions
Other Relevant Official AWS Resources
* YouTube Channel (RE:Invent talks, etc.) - https://www.youtube.com/channel/UCd6MoB9NC6uYN2grvUNT-Zg
* AWS Blog - http://aws.amazon.com/blogs/aws/
* AWS Documentation - https://aws.amazon.com/documentation/
* Discussion Forums - https://forums.aws.amazon.com/index.jspa
Some of my Talks and Slides on AWS and Cloud Security
* AppSecUSA 2012 Real World Cloud Security - http://vimeo.com/54157394
* LASCON 2013 Alternate Approaches to Product Security - http://vimeo.com/79778836
* SAINTCON 2014 AWS Security Training - http://www.slideshare.net/jason_chan/amazon-web-services-security
* Slideshare page (lots of AWS and cloud security talks) - http://www.slideshare.net/jason_chan
Other Relevant AWS and Cloud Security Talks
* Kevin Glisson (Netflix) AppSecUSA 2014 Monterey (inventory/testing system on AWS) - https://www.youtube.com/watch?v=BKJL0s8Ocqs
* Ben Hagen (Netflix) AppSecUSA 2014 Cloud Security - https://www.youtube.com/watch?v=Q1wnjQ9Khdo
* Erik Peterson (Veracode) AppSecUSA 2014 Attacking Amazon - https://www.youtube.com/watch?v=y8nftRzbiXk
* Jay Zarfoss (Netflix) Cloud Security @ Netflix - http://www.slideshare.net/zarfide/cloud-security-at-netflix-october-2013
* Alex Stamos (Yahoo!) Building Cloud Security from Scratch RE:Invent 2012 - https://www.youtube.com/watch?v=U4hdPpDpsMw
* Jonathan Chittenden (iSEC Partners) AppSec 2012 AWS Scout - https://www.youtube.com/watch?v=GCnlFlq1-nw
AWS Security Tools
* Security Monkey (Netflix OSS tool for monitoring AWS security configuration) - https://github.com/Netflix/security_monkey
* Reddalert (Prezi OSS tool for monitoring/alerting on top of Edda) - https://github.com/prezi/reddalert
* Nimbostratus (tools for fingerprinting/exploiting AWS infrastructures) - http://andresriancho.github.io/nimbostratus/
* Edda (Netflix OSS tool for tracking AWS changes) - https://github.com/Netflix/edda
* Securosis' Security Squirrel (POC cloud/secops automation suite) - https://github.com/Securosis/SecuritySquirrel
* iSEC Partners' AWS Scout and Scout2 (IAM, EC2, S3 auditing) - https://github.com/iSECPartners/scout, https://github.com/iSECPartners/Scout2
* CloudSploit (AWS security auditing and evaluation) - https://github.com/cloudsploit/scans
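The auditing tools listed above (Scout2, CloudSploit, Security Monkey) all boil down to pulling IAM, EC2 and S3 configuration and running rules over it. As an added example that is not code from this gist or from any of those projects, the script below shows the shape of such a rule set for one IAM policy document: it flags full-admin statements, service-wide wildcards, `Allow` + `NotAction`, and unconditioned `iam:PassRole` on any role. The policy it runs on is constructed inline for the example, and `audit_policy` is a hypothetical name, not an API of any listed tool.

```python
import json

# Constructed sample policy for this example (not from the gist or any listed tool):
# a mix of over-broad and properly scoped statements.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Admin",   "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "S3All",   "Effect": "Allow", "Action": ["s3:*"],
     "Resource": "arn:aws:s3:::logs-bucket/*"},
    {"Sid": "PassAny", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Sid": "NotAct",  "Effect": "Allow", "NotAction": ["iam:*", "organizations:*"],
     "Resource": "*"},
    {"Sid": "Scoped",  "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    {"Sid": "DenyAll", "Effect": "Deny",  "Action": "*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _statements(policy):
    """Statement may be a single object or a list; normalise to a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def audit_policy(policy):
    """Return (sid, finding) tuples for over-broad Allow statements in one policy."""
    findings = []
    for i, stmt in enumerate(_statements(policy)):
        sid = stmt.get("Sid", f"Statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        any_resource = "*" in resources
        has_condition = bool(stmt.get("Condition"))

        # Allow + NotAction grants everything except the listed actions.
        if "NotAction" in stmt:
            findings.append((sid, "Allow with NotAction grants every action not listed"))
        # Action * on Resource * is full administrative access.
        if "*" in actions and any_resource:
            findings.append((sid, "full administrative access (Action * on Resource *)"))
        # service:* grants every current and future action of that service.
        for action in actions:
            if action != "*" and action.endswith(":*"):
                scope = "all resources" if any_resource else "scoped resources"
                findings.append((sid, f"service-wide wildcard {action} on {scope}"))
        # Unconditioned iam:PassRole on any role lets the principal hand a more
        # privileged role to a service it controls (action names are case-insensitive).
        if (any(a.lower() == "iam:passrole" for a in actions)
                and any_resource and not has_condition):
            findings.append((sid, "iam:PassRole on any role without a Condition "
                                  "(privilege escalation path)"))
    return findings


if __name__ == "__main__":
    for sid, finding in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

Feed it the output of `aws iam get-policy-version` (the `Document` field) to run it against a real managed policy; the rules deliberately ignore `Deny` statements and `Condition` blocks beyond their presence, which is the same blind spot a real audit tool must handle with the IAM Policy Simulator rather than static matching.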
Other Resources
* Nag Medida's (Netflix) collection of AWS hacks - https://github.com/nagwww
* Nag Medida's (Netflix) blog - 25 tips for securing AWS - http://palakonda.org/2014/06/24/aws-security-25-tips-for-securing-aws/
* Reddit's AWS subreddit - https://www.reddit.com/r/aws
Useful/Interesting Individual Posts and Articles
* Instagram Engineering's Post #1 on EC2->VPC->FB Migration - http://instagram-engineering.tumblr.com/post/89992572022/migrating-aws-fb
* Instagram Engineering's Post #2 on EC2->VPC->FB Migration (Neti OSS release) - http://instagram-engineering.tumblr.com/post/100758229719/migrating-from-aws-to-aws
schosterbarak commented Dec 18, 2019

Great list!
Another AWS Security tool:
Checkov (Bridgecrew tool for static analysis of Terraform & CloudFormation code) - https://github.com/bridgecrewio/checkov
