Wiz Profile picture
Mar 10 5 tweets 3 min read
3 cloud-to-K8s best practices to mitigate the risk of a lateral movement attack 🛡

1️⃣ Avoid storing long-term #cloud keys in workloads
2️⃣ Remove kubeconfig files from publicly exposed workloads
3️⃣ Restrict access to container registries

Details in thread 🧵👇 #kubernetes
1️⃣ Avoid storing long-term #cloud keys in workloads

✅ Attach IAM roles/service accounts/managed identities to workloads and define minimum permissions.

✅ Generate and rotate temporary credentials using the IMDS for improved #cloudsecurity.

🧵 2/5
2️⃣ Remove kubeconfig files from publicly exposed workloads

✅ Remove kubeconfig files from exposed workloads, configure #K8s API server endpoint as private.

✅ Restrict access to specific IP addresses using a strictly configured #security group.

🧵 3/5
3️⃣ Restrict access to container registries

✅ Restrict access by applying strict policies, limiting network access and refraining from enabling public access.

✅ Enable “Tag immutability” and block public access using storage.publicAccessPrevention policy.

🧵 4/5
Want to learn more?

Check out our series on Lateral movement risks in the #cloud and how to prevent them 👇

wiz.io/blog/lateral-m…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Wiz

Wiz Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @wiz_io

Feb 19
State of the #Cloud 2023: An in-depth report on the latest trends and risks ⛈

#cloudsecurity #CNAPP #CISO #Engineer

Report highlights in thread 🧵 or download the full report for free here 👇
wiz.io/blog/the-top-c…
☁️ The responsibility of #security professionals to stay up-to-date on the state of the #cloud has never been greater.

🛡 With cloud adoption continuing to grow, it is crucial to proactively address potential threats and ensure secure deployment of solutions.

🧵2/6
☁️ The number of API calls increased by 15% in #AWS, 20% in #Azure, and 45% in #GCP, leading to expanded attack surfaces.

👨‍🏫 57% of companies use more than one #cloud platform, requiring greater knowledge from #cloudsecurity teams.

🧵3/6
Read 6 tweets
Feb 17
Are you taking advantage of Rego's policy language for your #cloudsecurity needs?

If you're not, you need to check out these amazing resources to help get you started 🧵👇

#CSPM #Coding #CNAPP #CISO #DevSecOps
Gettting started with Open Policy Agent (OPA) to improve your #cloudsecurity!

💙 What is OPA and why should you use Rego
💙 How to write your first OPA policy

#CSPM #Coding #CNAPP #CISO #DevSecOps

🧵2/5
wiz.io/blog/getting-s…
Step 2: Learn the basics of Rego Wiz 👇

#CSPM #Coding #CNAPP #CISO #DevSecOps

🧵3/5

datocms-assets.com/75231/16745778…
Read 5 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(