Welcome to Fog Security, where we're working to bring clarity to cloud encryption and build better data perimeters.
Check out our resources:
- Fog Security: https://www.fogsecurity.io
- Fog Security Technical Blog: https://www.fogsecurity.io/blog/
- Contact: [email protected]
We've created the following resources to help with understanding encryption and improving cloud security by building data perimeters.
This repository tracks default encryption settings across AWS resources. In our research of 50+ resources across 40+ AWS services, resources were found to be either unencrypted, default encrypted with AWS owned keys, or default encrypted with AWS managed keys.
Read more in our blog post here: https://www.fogsecurity.io/blog/are-my-aws-resources-encrypted-or-unencrypted-by-default
Repository: https://github.com/FogSecurity/aws-default-encryption-tracker
This open source Python CLI tool helps determine the blast radius and usage of AWS KMS keys. Currently this is difficult to do and requires custom tooling or incomplete searches through CloudTrail and through IAM references in KMS key policies and KMS key grants. Finders Keypers checks service resources via boto3 API calls to better understand the current usage of KMS keys for encryption.
Read more in our blog post here: https://www.fogsecurity.io/blog/introducing-finders-keypers-a-tool-to-discover-usage-and-blast-radius-of-encryption-keys-in-aws
Repository: https://github.com/FogSecurity/finders-keypers
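As an added illustration of the two ideas above (the default-encryption taxonomy from the tracker and the key blast radius that Finders Keypers computes), the following example is not code from either repository: it works on constructed, boto3-shaped describe output so it runs offline, and the function names and sample ARNs are assumptions.

```python
from collections import defaultdict

# Constructed sample of kms.describe_key()["KeyMetadata"]; KeyManager is "AWS" for
# AWS managed keys (alias aws/<service>) and "CUSTOMER" for customer managed keys.
KEY_ARN_A = "arn:aws:kms:us-east-1:111111111111:key/aaaaaaaa-0000-4000-8000-000000000001"
KEY_ARN_B = "arn:aws:kms:us-east-1:111111111111:key/bbbbbbbb-0000-4000-8000-000000000002"
KEY_METADATA = {
    KEY_ARN_A: {"KeyManager": "AWS", "Description": "Default key for EBS"},
    KEY_ARN_B: {"KeyManager": "CUSTOMER", "Description": "app-data key"},
}

# Constructed resources shaped like describe_volumes, get_bucket_encryption and
# describe_db_instances responses (only the encryption-relevant fields are kept).
RESOURCES = [
    {"service": "ebs", "id": "vol-0a1", "Encrypted": True, "KmsKeyId": KEY_ARN_A},
    {"service": "ebs", "id": "vol-0a2", "Encrypted": False},
    {"service": "s3", "id": "app-bucket", "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN_B},
    {"service": "s3", "id": "logs-bucket", "SSEAlgorithm": "AES256"},
    {"service": "rds", "id": "app-db", "StorageEncrypted": True, "KmsKeyId": KEY_ARN_B},
    {"service": "rds", "id": "cross-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:222222222222:key/cccccccc-0000-4000-8000-000000000003"},
]


def kms_key_of(resource):
    """Return the KMS key a resource is encrypted with, or None (assumed helper)."""
    if resource["service"] == "s3":
        # Note: SSE-KMS with no KMSMasterKeyID means S3 uses its aws/s3 managed key.
        return resource.get("KMSMasterKeyID") if resource.get("SSEAlgorithm") == "aws:kms" else None
    encrypted = resource.get("Encrypted") or resource.get("StorageEncrypted")
    return resource.get("KmsKeyId") if encrypted else None


def classify(resource, key_metadata):
    """Bucket a resource as unencrypted, aws-owned, aws-managed, customer-managed or external-key."""
    key = kms_key_of(resource)
    if key is None:
        # SSE-S3 (AES256) uses keys the service owns; anything else with no key is unencrypted.
        return "aws-owned" if resource.get("SSEAlgorithm") == "AES256" else "unencrypted"
    meta = key_metadata.get(key)
    if meta is None:
        return "external-key"  # not describable here, e.g. a key in another account
    return "aws-managed" if meta["KeyManager"] == "AWS" else "customer-managed"


def blast_radius(resources, key_metadata):
    """Map each KMS key to the resources that depend on it (what becomes unreadable if the key is lost)."""
    usage = defaultdict(list)
    for r in resources:
        key = kms_key_of(r)
        if key:
            usage[key].append(f"{r['service']}:{r['id']}")
    return {k: sorted(v) for k, v in usage.items()}
```

A real run would populate KEY_METADATA from kms.describe_key for every key seen, and the "external-key" bucket is the one to review first, since a key outside your account is the classic data-hostage position.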
This repository contains multiple IAM references including:
These reference policies help with creating data perimeters and improving cloud security within your AWS Organization at scale. The policies protect resources and can also limit the actions IAM principals may take within your AWS Organization and the AWS accounts within it.
This helps defend against ransomware, since one cloud ransomware technique is to hold data hostage by changing the encryption keys on resources. It also aids teams who need to update or manage encryption for existing AWS resources: the repository details the IAM actions required to update encryption for cloud resources that support updating it in place, and lists which cloud resources do not support in-place updates and therefore need to be recreated.
Read more in our blog posts here:
- https://www.fogsecurity.io/blog/updating-encryption-aws-resources-ransonware
- https://www.fogsecurity.io/blog/data-perimeters-with-resource-control-policies-and-aws-kms
Repository: https://github.com/FogSecurity/aws-data-perimeter-iam
This tool checks which AWS services support AWS managed keys, a type of KMS encryption key that is managed by AWS but exists only within the customer's AWS account. Additionally, the tool pulls the AWS managed key policies and uploads them to a repository for reference.
Read more in our blog post here: https://www.fogsecurity.io/blog/encryption-aws-managed-kms-keys
Repository: https://github.com/FogSecurity/aws-managed-kms-keys