It's unfortunately extremely common for customers and enterprises operating in AWS to have chosen a workload/storage-bearing account (more than likely, the main production account) as the Organization Management Account (formerly known as the Organization "Master" account, before AWS adopted better naming).
Many customers and companies operating in AWS made this decision in 2018 or so, and it's unfortunately not something that can be easily changed as of today (2024). Many customers have asked AWS for a supported path to rehome the Org Management account, but last I heard it is still not prioritized. Thus we as customers are left to go through the nerve-wracking, if not dangerous, process of migrating to a new AWS Organization in order to align with modern best practices and reduce common privilege escalation and account-to-account lateral movement concerns (made worse if you happen to have enabled things like CloudFormation StackSets, Control Tower, or other powerful services in the s
@echo off
setlocal EnableDelayedExpansion
REM Get list of SCPs in the organization
for /f "tokens=*" %%i in ('aws organizations list-policies --filter SERVICE_CONTROL_POLICY ^| jq -r ".Policies[].Id"') do (
    set scp_id=%%i
    REM Get SCP content and save it to <policy-id>.json. A second for /f over the
    REM command output would keep only the last line of the multi-line JSON.
    aws organizations describe-policy --policy-id !scp_id! > !scp_id!.json
)
endlocal
#!/bin/bash
# Get list of SCPs in the organization
scps=$(aws organizations list-policies --filter SERVICE_CONTROL_POLICY | jq -r '.Policies[].Id')
# Loop through each SCP and save its content into a JSON file
for scp_id in $scps; do
  # Get SCP content (policy summary plus the policy document, which is returned as a JSON string in .Policy.Content)
  scp_content=$(aws organizations describe-policy --policy-id "$scp_id")
  # Write the full response to <policy-id>.json
  echo "$scp_content" > "${scp_id}.json"
done
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "NotAction": [
        "dax:*",
        "es:ESHttp*"
      ],
      "Resource": "*",
      "Effect": "Deny"
    }
  ]
}
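The SCP above is an allow-list: a Deny with NotAction blocks every action except DAX and the OpenSearch HTTP calls, and it only lets anything through because the default FullAWSAccess SCP still grants an Allow alongside it. The following is an added example (not part of any of the gists above) that shows both halves of that logic: it unpacks the describe-policy output the export scripts write to disk, where the policy document is a JSON string nested inside the JSON response, and then evaluates actions against a set of SCPs the way the service does at one level of the OU tree, namely at least one Allow must match and no Deny may match. The describe-policy response, its policy ID and the action names are constructed for the example; Resource and Condition elements are ignored.

```python
import json
import re

# Constructed sample: the shape returned by `aws organizations describe-policy`.
# Content is a JSON *string* inside the JSON response, so it is parsed twice.
DESCRIBE_POLICY_RESPONSE = json.dumps({
    "Policy": {
        "PolicySummary": {
            "Id": "p-examplescp1",  # hypothetical policy ID
            "Name": "AllowOnlyDaxAndEsHttp",
            "Type": "SERVICE_CONTROL_POLICY",
        },
        "Content": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "NotAction": ["dax:*", "es:ESHttp*"],
                "Resource": "*",
                "Effect": "Deny",
            }],
        }),
    }
})

# The AWS-managed default SCP attached to every new organization root.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def policy_document(describe_policy_json):
    """Return the SCP document embedded in a describe-policy response."""
    return json.loads(json.loads(describe_policy_json)["Policy"]["Content"])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' matches any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def statement_applies(statement, action):
    """True if the statement's Action / NotAction element covers the action."""
    if "Action" in statement:
        return any(action_matches(p, action) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(action_matches(p, action) for p in _as_list(statement["NotAction"]))
    return False


def scp_allows(policies, action):
    """Evaluate an action against all SCPs attached at one level of the OU tree:
    an explicit Deny wins, otherwise at least one Allow must match."""
    allowed = False
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if not statement_applies(statement, action):
                continue
            if statement["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    scps = [FULL_AWS_ACCESS, policy_document(DESCRIBE_POLICY_RESPONSE)]
    for act in ["dax:DescribeClusters", "es:ESHttpGet", "es:CreateDomain", "s3:GetObject"]:
        print(f"{act}: {'allowed' if scp_allows(scps, act) else 'denied'}")
```

Two practical consequences fall out of running it: detaching FullAWSAccess from the same level turns the allow-list into a deny-everything policy, because nothing grants an Allow any more, and an action from a service added after the SCP was written (anything that is not `dax:*` or `es:ESHttp*`) is denied by default. A real evaluation repeats this check at every level from the root down to the account, and SCPs never apply to the management account itself.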
#!/bin/bash
# usage: deleteallapis.sh us-east-1  (deletes EVERY API Gateway v2 HTTP/WebSocket API in the region; v1 REST APIs are not touched)
region="${1:?usage: $0 <region>}"
for api_id in $(aws apigatewayv2 get-apis --region "$region" --query 'Items[*].ApiId' --output text); do aws apigatewayv2 delete-api --region "$region" --api-id "$api_id"; done
# An external data source runs the program at plan time; it must print a JSON
# object whose values are all strings. The commit SHA is then available as
# data.external.git_commit.result.sha
data "external" "git_commit" {
  program = ["git", "log", "--pretty=format:{ \"sha\": \"%H\" }", "-1", "HEAD"]
}

# Same idea for the first remote URL, exposed as data.external.git_remote_url.result.url
data "external" "git_remote_url" {
  program = ["sh", "-c", "git remote -v | head -n 1 | awk '{print \"{\\\"url\\\" :\\\"\" $2 \"\\\"}\"}'"]
}

provider "aws" {
  # provider settings (region, default_tags, ...) continue here
}
AWSTemplateFormatVersion: 2010-09-09
Description: Enable AWS Config with central logging and notification, with enhanced cost consciousness, using two lines for opt-in usage with large numbers of ResourceTypes
Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Recorder Configuration
        Parameters:
          - AllSupported
Talks and blog posts that all newcomers should check out when interested in Cloud Security
Bringing a machete to the amazon (Peterson)
https://youtu.be/y8nftRzbiXk
Flying a false flag (Landers)
https://youtu.be/2BEwqbCbQuM
Another day another billion packets (Brandwine)
https://youtu.be/3qln2u1Vr2E
## IPv6 Tests
http://[::ffff:169.254.169.254]
http://[0:0:0:0:0:ffff:169.254.169.254]
## AWS
# Amazon Web Services (No Header Required for IMDSv1; IMDSv2 needs a session token obtained with a PUT to /latest/api/token and sent in the X-aws-ec2-metadata-token header, which a plain GET-based SSRF usually cannot do)
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/meta-data/iam/security-credentials/   (lists the name of the attached instance role)
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
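The IPv6 entries in the list above work because `::ffff:169.254.169.254` is an IPv4-mapped IPv6 address: the request still reaches 169.254.169.254, but a filter that compares the host string against `169.254.169.254` never sees it. The function below is an added example (not part of the payload list) of the check a defender should make instead: parse the host as an address, unwrap the IPv4-mapped form, and test the result against the link-local range. It goes a step beyond the list by also unwrapping the bare decimal and hex integer spellings of an IPv4 address, and by covering the IPv6 IMDS address `fd00:ec2::254` and the whole 169.254.0.0/16 range, which also holds the ECS task metadata endpoint. The URLs it is run against are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# 169.254.0.0/16 covers EC2 IMDS (169.254.169.254) and the ECS task metadata
# endpoint (169.254.170.2); fd00:ec2::254 is the IPv6 address of EC2 IMDS.
LINK_LOCAL_V4 = ipaddress.ip_network("169.254.0.0/16")
METADATA_V6 = {ipaddress.ip_address("fd00:ec2::254")}


def parse_host_ip(host):
    """Turn a URL host into an IP address, unwrapping the encodings an SSRF payload
    uses to dodge a naive string comparison. Returns None for DNS hostnames."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Bare decimal (2852039166) or hex (0xa9fea9fe) integer forms of an IPv4 address
        try:
            ip = ipaddress.ip_address(int(host, 0))
        except ValueError:
            return None
    # ::ffff:169.254.169.254 is IPv4-mapped IPv6; compare the embedded IPv4 address
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def is_metadata_target(url):
    """True if the URL's host is a literal IP that lands on an instance metadata service."""
    host = urlsplit(url).hostname  # strips the [] around IPv6 literals
    if host is None:
        return False
    ip = parse_host_ip(host)
    if ip is None:
        return False
    if isinstance(ip, ipaddress.IPv4Address):
        return ip in LINK_LOCAL_V4
    return ip in METADATA_V6


if __name__ == "__main__":
    for u in ["http://[::ffff:169.254.169.254]/latest/meta-data/",
              "http://2852039166/latest/meta-data/",
              "http://example.com/"]:
        print(u, "->", "metadata" if is_metadata_target(u) else "other")
```

Two gaps to keep in mind when using this: a DNS hostname returns False here, so a real check has to resolve the name and run the resolved addresses through `parse_host_ip` (and connect to that same address to avoid rebinding), and `ipaddress` rejects dotted-octal spellings such as `0251.0376.0251.0376`, so anything that looks numeric but fails to parse should be refused rather than allowed through.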
import certstream
keywords = ['paypal', 'paypol']
def extract_domains(domains):
    # Return the domains that contain any watched keyword (each domain at most once)
    res = []
    for domain in domains:
        for keyword in keywords:
            if keyword in domain:
                res.append(domain)
                break
    return res
def print_callback(message, context):
    # certstream delivers one message per CT log entry; only certificate updates carry domains
    if message['message_type'] == 'certificate_update':
        hits = extract_domains(message['data']['leaf_cert']['all_domains'])
        if hits:
            print(hits)
certstream.listen_for_events(print_callback, url='wss://certstream.calidog.io/')