Blog Posts

Check out our research and insights!

Subscribe to stay up to date on cloud data security and our work.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Securing Your Cloud Data: Unencrypted Resources in AWS

We look at what data can be unencrypted in Amazon Web Services, specifically which cloud services have resources that can be unencrypted. While most services offer encryption by default, certain resources can be unencrypted by default or also offer unencrypted options. This post covers observations, those AWS services, and recommendations to improve data security.

Introducing Finders Keypers: A Open Source Tool to Discover Usage and Blast Radius of Encryption Keys in AWS

Introduction of a new open-source tool, Finders Keypers that helps determine usage of KMS encryption keys to encrypt resources in Amazon Web Services (AWS). This tool helps with data perimeters, security and audit, determining blast radius, and helping understand usage and relationships of KMS keys.

Creating a Data Perimeter with Resource Control Policies (RCPs) and AWS KMS

AWS recently released resource control policies as a new type of Organizational policies. These policies can control maximum permissions to resources within an organization. We look at the security impact and how to use these RCPs to craft data perimeters as well as when to use them compared to service control policies.

Protecting Data and Preventing Ransomware: The IAM Guide to Managing and Updating Encryption for AWS Resources

A guide to IAM actions, nuances, and categorization of how to manage and update encryption for AWS resources with KMS. This helps with encryption management such as encryption key rotation, updating, and preventing against cloud data ransomware attacks where data is held hostage by removing access to encryption keys.

The Complexity of AWS Data Access with KMS Encryption: KMS Key Grants and all the possible combinations

Access to KMS and data access in Amazon Web Services can be complex. We look at a potential hidden access source and all the combinations of access that can be granted via KMS Key Grants. We take a different approach to look at evaluation with resource-based policies, IAM, and KMS Key Grants to see effective privilege and best practices for least privilege, encryption management, and data access

Are my AWS Resources Encrypted or Unencrypted by Default?

This research focuses on an aspect of security by default by looking at AWS Resources and their encryption state by default when created. We look into encryption types including AWS Owned and AWS Managed default encryption by KMS, history of encryption by default settings, and additional settings and guardrails to help with cloud data security.

AWS Managed KMS Keys and their Key Policies: Security Implications and Coverage for AWS Services

Deep Dive on AWS Support for AWS Managed Keys. We found 39 AWS Services that Support AWS Managed Keys and created documentation around service support, details and interesting details about AWS Managed Keys and their key policies, and created a tool to help you check support and access for AWS Managed Keys.

The State of AWS's Block Public Access: Is It Secure By Default?

A look at Amazon Web Services's Block Public Access feature across AWS services such as EC2, S3, EMR, DynamoDB and how secure by default principles apply to account configuration to add additional layers of security as well as best practices for configuration.

Amazon S3 Block Public Access Bypass

A scenario with Amazon S3 where S3's Block Public Access Check can be circumvented to make a S3 Bucket public.

The Misleading Encryption State of Amazon Quantum Ledger Database (QLDB)

Research on AWS's Quantum Ledger Database and the misleading reporting of at-rest data encryption. Misleading reporting from encryption status may result in false positives for security and compliance of the QLDB and cause issues for security and application teams.

want to talk Cloud data security?

Info@FOGSECURITY.IO