This blog post was updated on December 15, 2021, to reflect version 2.20 of the AWS CDK. You may already know that Regula, Fugue's open-source policy engine that uses Open Policy Agent (OPA) for checking infrastructure as code (IaC), can evaluate Terraform and AWS CloudFormation templates for security issues. But did you know that you can use Regula to secure your AWS Cloud Development Kit (CDK) apps, too?
Cloud security has long been focused squarely on the cloud runtime environment to keep infrastructure free of misconfiguration vulnerabilities that can open the door to hackers and lead to data leaks and breaches. That focus is reasonable, considering that most (if not all) cloud-based security incidents result from customer mistakes in the form of cloud resource misconfiguration. Gartner calls this Cloud Security Posture Management, or CSPM.
Today we announced that Fugue now supports Google Cloud, in addition to Amazon Web Services (AWS) and Microsoft Azure. Google Cloud support is key to providing our customers with a unified view of—and control over—the security posture of their cloud environment across cloud platforms. It was a top customer request, and considering the number of Google Cloud Projects we’ve seen onboarded to Fugue over the past few days, it’s clear that Google Cloud is experiencing significant growth.
Azure offers two similar but distinct services to allow virtual network (VNet) resources to privately connect to other Azure services. Azure VNet Service Endpoints and Azure Private Endpoints (powered by Azure Private Link) both promote network security by allowing VNet traffic to communicate with service resources without going over the internet, but there are some differences. This three-part blog series goes into detail about both services.
This is a companion post to our Cloud Security Masterclass on the subject. Our objective is to examine some real-world, published cloud exploits, along with the motivations and techniques of the hackers responsible for them, so that you can understand who you are up against, how and why they act, and how to better protect your cloud infrastructure.
Much has been said about Amazon S3 security on Amazon Web Services (AWS) in the press and technical publications, and much of it is oversimplified and of limited practical use. Amazon S3 is an incredibly simple cloud service to use, but adequately securing your S3 resources is anything but simple, as too many organizations have discovered.
We’re excited to announce the Cloud Security Masterclass program to help increase awareness of advanced cloud misconfiguration risks and how malicious actors exploit them. We held the first free live Cloud Security Masterclass last month, a deep-dive session into the complex layers of Amazon S3 security, which has been at the center of a number of recent high-profile data breaches.
The COVID-19 crisis has had a profound impact on just about every business, and for cloud engineering and security teams, the rapid and near-universal transition to 100% work-from-home has created significant new cloud security risks. Our State of Cloud Security Report, based on our industry survey conducted in late March, showed that 84% of IT professionals are worried about new cloud security vulnerabilities created during the pandemic.
When there’s a data breach involving Amazon Web Services (AWS), more often than not it involves the Amazon S3 object storage service. The service is incredibly popular. Introduced way back in 2006 when few knew what the cloud was, S3 is highly scalable, reliable, and easy to use. But getting the security of S3 right—and making sure it stays that way—continues to confound many AWS customers.