I get asked regularly for good resources on AWS security. This gist collects some of these resources (docs, blogs, talks, open source tools, etc.). Feel free to suggest and contribute.
Short Link: http://tiny.cc/awssecurity
- Security Blog - http://blogs.aws.amazon.com/security/
- Security Advisories - http://aws.amazon.com/security/security-bulletins/
- Security Whitepaper (AWS Security Processes/Practices) - http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
- Security Best Practices Whitepaper - http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf
- Risk and Compliance Whitepaper - http://media.amazonwebservices.com/AWS_Risk_and_Compliance_Whitepaper.pdf
- Security Center - http://aws.amazon.com/security/
- Compliance Center - http://aws.amazon.com/compliance/
- Policy Generator (auto build S3, IAM, etc. policies) - http://awspolicygen.s3.amazonaws.com/policygen.html
- IAM Policy Simulator - http://docs.aws.amazon.com/IAM/latest/UsingPolicySimulatorGuide/iam-policy-simulator-guide.html
- IAM Best Practices - http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html
- EC2 Resource-Level Permissions - http://blogs.aws.amazon.com/security/post/Tx2KPWZJJ4S26H6/Demystifying-EC2-Resource-Level-Permissions
- YouTube Channel (re:Invent talks, etc.) - https://www.youtube.com/channel/UCd6MoB9NC6uYN2grvUNT-Zg
- AWS Blog - http://aws.amazon.com/blogs/aws/
- AWS Documentation - https://aws.amazon.com/documentation/
- Discussion Forums - https://forums.aws.amazon.com/index.jspa
- AppSecUSA 2012 Real World Cloud Security - http://vimeo.com/54157394
- LASCON 2013 Alternate Approaches to Product Security - http://vimeo.com/79778836
- SAINTCON 2014 AWS Security Training - http://www.slideshare.net/jason_chan/amazon-web-services-security
- Slideshare page (lots of AWS and cloud security talks) - http://www.slideshare.net/jason_chan
- Kevin Glisson (Netflix) AppSecUSA 2014 Monterey (inventory/testing system on AWS) - https://www.youtube.com/watch?v=BKJL0s8Ocqs
- Ben Hagen (Netflix) AppSecUSA 2014 Cloud Security - https://www.youtube.com/watch?v=Q1wnjQ9Khdo
- Erik Peterson (Veracode) AppSecUSA 2014 Attacking Amazon - https://www.youtube.com/watch?v=y8nftRzbiXk
- Jay Zarfoss (Netflix) Cloud Security @ Netflix - http://www.slideshare.net/zarfide/cloud-security-at-netflix-october-2013
- Alex Stamos (Yahoo!) Building Cloud Security from Scratch re:Invent 2012 - https://www.youtube.com/watch?v=U4hdPpDpsMw
- Jonathan Chittenden (iSEC Partners) AppSec 2012 AWS Scout - https://www.youtube.com/watch?v=GCnlFlq1-nw
- Security Monkey (Netflix OSS tool for monitoring AWS security configuration) - https://github.com/Netflix/security_monkey
- Reddalert (Prezi OSS tool for monitoring/alerting on top of Edda) - https://github.com/prezi/reddalert
- Nimbostratus (tools for fingerprinting/exploiting AWS infrastructures) - http://andresriancho.github.io/nimbostratus/
- Edda (Netflix OSS tool for tracking AWS changes) - https://github.com/Netflix/edda
- Securosis' Security Squirrel (POC cloud/secops automation suite) - https://github.com/Securosis/SecuritySquirrel
- iSEC Partners' AWS Scout and Scout2 (IAM, EC2, S3 auditing) - https://github.com/iSECPartners/scout, https://github.com/iSECPartners/Scout2
- CloudSploit (AWS security auditing and evaluation) - https://github.com/cloudsploit/scans
- Nag Medida's (Netflix) collection of AWS hacks - https://github.com/nagwww
- Nag Medida's (Netflix) blog - 25 tips for securing AWS - http://palakonda.org/2014/06/24/aws-security-25-tips-for-securing-aws/
- Reddit's AWS subreddit - https://www.reddit.com/r/aws
- Instagram Engineering's Post #1 on EC2->VPC->FB Migration - http://instagram-engineering.tumblr.com/post/89992572022/migrating-aws-fb
- Instagram Engineering's Post #2 on EC2->VPC->FB Migration (Neti OSS release) - http://instagram-engineering.tumblr.com/post/100758229719/migrating-from-aws-to-aws