Mastering AWS Security: Preventing Untagged Resource Creation in AWS

Ever wondered how to enforce tagging compliance across your AWS environment? Let's talk about a game-changer for cloud governance: blocking untagged resources at creation.

The Solution
Combine IAM Policies (for account-level control) and Service Control Policies (SCPs) (for organization-wide enforcement) to ensure every resource is tagged before deployment.

Example IAM Policy Snippet:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Environment": "true"
        }
      }
    }
  ]
}

This denies resource creation if the "Environment" tag is missing. Pair this with SCPs for org-wide guardrails!

Key Takeaways
- IAM Policies: Manage permissions within an account.
- SCPs: Enforce organization-wide compliance (e.g., mandatory tags).
- Tagging: Drives cost allocation, security, and automation.

Why It Matters
- Cost Control: Track and optimize spending with accurate tagging.
- Security: Identify untagged resources (a common audit red flag!).
- Compliance: Meet regulatory requirements effortlessly.

Let's Discuss! How are you tackling tagging in your cloud environment? Share your tips or challenges below!

#AWS #CloudSecurity #DevOps #FinOps #CloudCompliance #IAM #SCP
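An added example, not part of the post above and not AWS code: a small Python model of how an explicit Deny with a Null condition on aws:RequestTag is evaluated. It models wildcard action matching and the Null condition key only (no Resource matching, no Allow statements, no SCP layering), and compares the statement as posted with a version scoped to the tag-on-create actions ec2:RunInstances and ec2:CreateVolume and the instance and volume ARNs they create, which is the shape AWS's own tag-on-launch policy examples use. The request list is constructed for the demo.

```python
"""Small model of an IAM explicit Deny using a Null condition on aws:RequestTag.

Added example, not AWS code and not from the post: it models wildcard action
matching and the Null condition key only (no Resource matching, no Allow
statements, no SCP layering). Requests are constructed for the demo.
"""
from fnmatch import fnmatchcase

# Statement as posted: applies to every action.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"Null": {"aws:RequestTag/Environment": "true"}},
    }],
}

# Same intent, limited to tag-on-create actions and the ARNs they create.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["ec2:RunInstances", "ec2:CreateVolume"],
        "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
        "Condition": {"Null": {"aws:RequestTag/Environment": "true"}},
    }],
}

REQUEST_TAG_PREFIX = "aws:RequestTag/"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(patterns, action):
    """IAM matches action names case-insensitively, with * and ? wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def null_condition_holds(condition, request_tags):
    """Null/"true" holds when the tag key is absent from the request,
    Null/"false" when it is present. Other operators are not modelled."""
    for operator in condition:
        if operator != "Null":
            raise NotImplementedError(f"operator {operator} not modelled")
    for key, want_absent in condition.get("Null", {}).items():
        if not key.startswith(REQUEST_TAG_PREFIX):
            raise NotImplementedError(f"key {key} not modelled")
        present = key[len(REQUEST_TAG_PREFIX):] in request_tags
        if (want_absent == "true") == present:
            return False
    return True


def is_denied(policy, action, request_tags):
    """True when any Deny statement matches the action and its condition holds."""
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        if not action_matches(statement["Action"], action):
            continue
        if null_condition_holds(statement.get("Condition", {}), request_tags):
            return True
    return False


# Constructed requests: (action, tags sent on the request).
SAMPLE_REQUESTS = [
    ("ec2:DescribeInstances", {}),                  # read-only, never carries tags
    ("sts:GetCallerIdentity", {}),                  # read-only, never carries tags
    ("ec2:RunInstances", {}),                       # create without the tag
    ("ec2:RunInstances", {"Environment": "prod"}),  # create with the tag
]


def compare(requests=SAMPLE_REQUESTS):
    """Map each request to (denied_by_posted, denied_by_scoped)."""
    return {
        (action, tuple(sorted(tags))): (
            is_denied(POSTED_POLICY, action, tags),
            is_denied(SCOPED_POLICY, action, tags),
        )
        for action, tags in requests
    }


if __name__ == "__main__":
    for (action, tags), (posted, scoped) in compare().items():
        print(f"{action:<24} tags={list(tags)!s:<18} posted={posted!s:<6} scoped={scoped}")
```

Running it shows the caveat a practitioner wants before attaching the posted statement: with Action "*", every call that carries no aws:RequestTag/Environment, including ec2:DescribeInstances and sts:GetCallerIdentity, matches the Deny, so the account's read-only traffic is blocked along with untagged creates. Scoping Action to the create calls that accept tags keeps the guardrail on resource creation, which is what the post intends. Resource is scoped to the instance and volume ARNs because RunInstances is evaluated against every ARN in the call, and the subnet, image and security group ARNs carry no request tags. Run the real statement through the IAM policy simulator before attaching it as an SCP.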
Security Tagging Solutions
Summary
Security tagging solutions are tools and practices that use tags (labels or metadata) to organize, manage, and enforce security policies for devices, resources, or network rules across cloud, endpoint, and on-premises environments. They help organizations maintain compliance, improve visibility, and streamline security management by tagging assets, automatically or manually, according to business or regulatory requirements.
- Set tagging rules: Use automated policies to require security tags during resource creation, ensuring every device or asset is categorized for audit and compliance purposes.
- Control tag access: Limit who can assign or modify security tags by defining specific administrator roles, reducing the risk of mismanagement or unauthorized changes.
- Automate and audit: Implement dynamic tagging and regular tag audits to keep security group rules and device ranks up-to-date, making it easier to track ownership and changes over time.
For quite some time, MDE Management (Endpoint security settings management) has been available for Defender for Endpoint on Windows, Windows Server, macOS, and Linux. Microsoft has silently added some new, long-awaited features to MDE Management.

It was always a challenge to manage "unmanaged" endpoints and servers from a centralized approach. Without Intune or GPO, you end up with custom scripts via Azure DSC, PowerShell and more, all of which make it hard to get full visibility and control over the configured settings from one central portal.

What is new?

It is now possible to use dynamic asset rules to define the MDE-Management tag. Previously, the options were "all devices" or "tagged devices". Tagged devices work great, but were not really flexible: sometimes new devices were not tagged or someone forgot to tag them, and dynamic asset rules were not supported. "All devices" was a bit tricky in large environments, since it is an all-or-nothing switch.

From now on, you can create a dynamic asset rule and define the MDE-Management tag via the rule. This means you can automatically apply the tag to all devices matching the filter and use the tagged option in MDE Management. This makes deployment in large environments much more scalable and flexible.

Still using GPO, local scripting or PowerShell? Evaluate MDE Management and make the switch to control and manage settings centrally with good reporting.

Blog: https://lnkd.in/ehbS-fTy

#MDE #MicrosoftSecurity
[MDE Tags] MDE allows local tags to be applied via a registry key and OMA-URI. This means that any local admin or #intune administrator could apply a tag.

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging, Value: Group, Key Data: name of the tag

Okay, so what? If your MDE Device Ranks are based on tags, this may allow a user to "shift" into a different device group, potentially allowing for lighter controls: perhaps a certain group is allowed to access certain sites by Web Content Filtering, has other scoped allows, or has lighter remediation levels. This may also push the device outside of an investigating user's device RBAC, potentially slowing down incident response (for example, a #SOC analyst not allowed to investigate devices in a different geo).

Also, when scoping indicator blocks, preferably scope all devices, so that a user who does not have access to all device groups cannot tamper with the block; additionally, any new device groups will automatically be scoped into the block. Adding new device groups can be painful when you have many blocks scoped to device groups and you need to add the new group to scope them in.

What to do?
- Limit local admin (I called out in an earlier post that local admin can effectively nuke MDE as the EDR, so you had warning already).
- Limit Security Administrator, as they have access to the device ranking (and any other URBAC role that can manage security settings).
- Limit Intune Administrator and apply RBAC roles instead (isn't that right Jannik Reinhard? Custom roles will likely be required to fully cover RBAC).
- Control device rank order rules; order matters. Preferably, more restricted tags take a higher rank to prevent a shift into a lower protection state by a local admin.
- Look at AppLocker to deny cmd, powershell, reg.exe, Windows Terminal and regedit for standard users, to stop standard users querying the registry (upcoming post on this!).
- Try to apply MDE indicator blocks to All Devices where possible.
- Audit registry events if you can; #KQL available from me on KQL Search.
- Remember Live Response script execution can also set registry keys and hide behind SYSTEM, so limit RBAC for Live Response and monitor for unsigned script execution being turned on (Bert-Jan Pals has a detection for this).
- If you need to remove a tag that was added using the above registry key, clear the contents of the registry key data instead of removing the 'Group' key.

Same story, different day. #MDE #Defender #MrBlockEverything
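An added example, not from the post above: the "audit registry events" advice as detection logic in Python, run over constructed Sysmon registry events (Event ID 13 value set, Event ID 12 key/value add or delete) in the JSON-lines shape a log forwarder typically emits after parsing the event XML. It flags any process that sets, clears or deletes the DeviceTagging\Group value named in the post. The baseline of legitimate writers (here the MDM client omadmclient.exe, applying an OMA-URI) and Sysmon's "(Empty)" rendering of an empty string value are assumptions marked in the code; the records themselves are constructed.

```python
"""Flag writes to the local MDE device-tag registry value in Sysmon events.

Added example, not from the post. Input is constructed Sysmon registry
events (ID 12 key/value add/delete, ID 13 value set) as JSON lines, the shape
a log forwarder typically emits after parsing the event XML.
"""
import json
import re

# The value the post describes:
# HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging, value "Group".
# Sysmon renders the hive as HKLM; accept both spellings, and the parent key
# itself so that deleting the whole key is caught too.
DEVICE_TAG_RE = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Policies\\Microsoft\\"
    r"Windows Advanced Threat Protection\\DeviceTagging(?:\\Group)?$",
    re.IGNORECASE,
)

# ASSUMED baseline of processes allowed to set the tag (the MDM client that
# applies OMA-URI policy). Build this from your own environment. Do not
# baseline on User == SYSTEM: Live Response scripts run as SYSTEM as well.
EXPECTED_WRITERS = {r"c:\windows\system32\omadmclient.exe"}

# ASSUMED: Sysmon shows an empty REG_SZ as "(Empty)" in Details.
EMPTY_MARKERS = {"", "(Empty)"}

# Constructed sample records (raw string so the JSON backslash escapes survive).
SAMPLE_EVENTS = r"""
{"EventID": 13, "EventType": "SetValue", "UtcTime": "2024-05-02 09:14:03.120", "Image": "C:\\Windows\\System32\\omadmclient.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Advanced Threat Protection\\DeviceTagging\\Group", "Details": "Finance-Workstations"}
{"EventID": 13, "EventType": "SetValue", "UtcTime": "2024-05-02 11:02:47.551", "Image": "C:\\Windows\\System32\\reg.exe", "User": "CORP\\jdoe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Advanced Threat Protection\\DeviceTagging\\Group", "Details": "Kiosk-LowRisk"}
{"EventID": 13, "EventType": "SetValue", "UtcTime": "2024-05-02 11:40:10.003", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Advanced Threat Protection\\DeviceTagging\\Group", "Details": "(Empty)"}
{"EventID": 12, "EventType": "DeleteKey", "UtcTime": "2024-05-02 12:15:31.777", "Image": "C:\\Windows\\regedit.exe", "User": "CORP\\jdoe", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Advanced Threat Protection\\DeviceTagging", "Details": ""}
{"EventID": 13, "EventType": "SetValue", "UtcTime": "2024-05-02 12:16:02.000", "Image": "C:\\Windows\\System32\\svchost.exe", "User": "NT AUTHORITY\\SYSTEM", "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU\\NoAutoUpdate", "Details": "DWORD (0x00000000)"}
"""


def classify(event):
    """Return a finding for an event touching the tag value, else None."""
    if not DEVICE_TAG_RE.match(event.get("TargetObject", "")):
        return None
    event_type = event.get("EventType", "")
    details = event.get("Details", "")
    if event.get("EventID") == 13:
        change = "tag cleared" if details in EMPTY_MARKERS else "tag set"
    elif event_type == "DeleteKey":
        # The post advises clearing the value, not removing the key, so a key
        # deletion is abnormal however it was done.
        change = "tag key deleted"
    else:
        change = f"registry {event_type}"
    image = event.get("Image", "")
    return {
        "time": event.get("UtcTime"),
        "user": event.get("User"),
        "image": image,
        "change": change,
        "value": None if details in EMPTY_MARKERS else details,
        "expected_writer": image.lower() in EXPECTED_WRITERS,
    }


def detect(jsonl, only_unexpected=False):
    """Parse JSON-lines Sysmon events and return findings, optionally
    dropping writes made by a baselined process."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        finding = classify(json.loads(line))
        if finding and not (only_unexpected and finding["expected_writer"]):
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, only_unexpected=True):
        print(f"{f['time']}  {f['change']:<16} value={f['value']!s:<22} "
              f"user={f['user']}  image={f['image']}")
```

The three findings the sample produces are exactly the cases the post worries about: a local admin re-tagging the device into a group with lighter controls via reg.exe, a SYSTEM-context PowerShell clearing the tag (which a Live Response script could also do), and the key being deleted outright. In production, feed the same logic from Sysmon or from Windows Security event 4657 with object auditing enabled on that key, and keep the expected-writer list short and reviewed.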
Most folks don't know you can tag individual Security Group rules. I don't mean the groups themselves, I mean the individual rules. This helps you achieve compliance.

The problem: you have 200+ security groups. Which rules are temporary? Which are approved exceptions? Which team owns that 0/0 rule? Error-prone. Cumbersome. Painful at scale.

Security groups have had unique IDs and tags for a long time. Rules now have the same:
- unique IDs (like sgr-abcdefghi01234561)
- and you can TAG them

You can tag rules with metadata on creation, or modify them at a later date. Most orgs are still managing this in spreadsheets or alike. Don't be most orgs.

#aws #resourcetags
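An added example, not from the post above: a Python audit of security group rules by their own tags. It runs offline against a constructed response in the shape boto3's ec2.describe_security_group_rules() returns (rule and group IDs are made up), and reports rules missing the required tags, rules open to 0.0.0.0/0 or ::/0, and approved exceptions whose Expires date has passed. The tag standard (Owner, Ticket, optional Expires) and the audit date are assumptions.

```python
"""Audit EC2 security group rules for required tags and stale exceptions.

Added example, not from the post. It runs offline against a constructed
response shaped like boto3's ec2.describe_security_group_rules(); swap
SAMPLE_RESPONSE for the live call to use it. The tag standard is assumed.
"""
import ipaddress
from datetime import date

REQUIRED_TAGS = ("Owner", "Ticket")   # assumed tagging standard
EXPIRY_TAG = "Expires"                # assumed: ISO date YYYY-MM-DD
SAMPLE_TODAY = date(2024, 5, 2)       # fixed so the constructed sample is reproducible

# Constructed sample; IDs are made up.
SAMPLE_RESPONSE = {"SecurityGroupRules": [
    {"SecurityGroupRuleId": "sgr-0a1b2c3d4e5f60001", "GroupId": "sg-0123456789abcdef0",
     "IsEgress": False, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "CidrIpv4": "0.0.0.0/0", "Description": "temp ssh", "Tags": []},
    {"SecurityGroupRuleId": "sgr-0a1b2c3d4e5f60002", "GroupId": "sg-0123456789abcdef0",
     "IsEgress": False, "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "CidrIpv4": "10.0.0.0/8", "Description": "internal https",
     "Tags": [{"Key": "Owner", "Value": "platform-team"}, {"Key": "Ticket", "Value": "SEC-1234"}]},
    {"SecurityGroupRuleId": "sgr-0a1b2c3d4e5f60003", "GroupId": "sg-0123456789abcdef0",
     "IsEgress": True, "IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
     "CidrIpv4": "0.0.0.0/0", "Description": "default egress",
     "Tags": [{"Key": "Owner", "Value": "platform-team"}]},
    {"SecurityGroupRuleId": "sgr-0a1b2c3d4e5f60004", "GroupId": "sg-0123456789abcdef0",
     "IsEgress": False, "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "CidrIpv4": "203.0.113.0/24", "Description": "vendor rdp",
     "Tags": [{"Key": "Owner", "Value": "vendor-mgmt"}, {"Key": "Ticket", "Value": "CHG-0042"},
              {"Key": "Expires", "Value": "2024-01-31"}]},
]}


def tags_of(rule):
    """Flatten the Tags list into a dict."""
    return {t["Key"]: t["Value"] for t in rule.get("Tags", [])}


def is_world_open(rule):
    """True for a 0.0.0.0/0 or ::/0 source/destination (prefix length 0).
    Rules referencing another security group carry no CIDR and return False."""
    for key in ("CidrIpv4", "CidrIpv6"):
        cidr = rule.get(key)
        if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            return True
    return False


def audit(response, today=SAMPLE_TODAY, required=REQUIRED_TAGS):
    """Return one finding per rule that is missing a required tag or has expired."""
    findings = []
    for rule in response["SecurityGroupRules"]:
        tags = tags_of(rule)
        missing = [k for k in required if k not in tags]
        expired = EXPIRY_TAG in tags and date.fromisoformat(tags[EXPIRY_TAG]) < today
        if not missing and not expired:
            continue
        findings.append({
            "rule_id": rule["SecurityGroupRuleId"],
            "group_id": rule["GroupId"],
            "direction": "egress" if rule.get("IsEgress") else "ingress",
            "protocol": rule.get("IpProtocol"),
            "ports": (rule.get("FromPort"), rule.get("ToPort")),
            "cidr": rule.get("CidrIpv4") or rule.get("CidrIpv6"),
            "world_open": is_world_open(rule),
            "missing_tags": missing,
            "expired": expired,
            "owner": tags.get("Owner"),
        })
    # Surface world-open rules first; they are the ones nobody wants to own.
    findings.sort(key=lambda f: (not f["world_open"], f["rule_id"]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSE):
        print(f"{f['rule_id']} {f['direction']:<7} {f['protocol']:<4} {f['ports']} "
              f"{f['cidr']:<16} world_open={f['world_open']!s:<5} "
              f"missing={f['missing_tags']} expired={f['expired']} owner={f['owner']}")
```

Against a live account, replace SAMPLE_RESPONSE with ec2.describe_security_group_rules() (paging on NextToken) and fix findings with ec2.create_tags(Resources=[rule_id], Tags=[...]); new rules can be tagged at creation by passing TagSpecifications with ResourceType "security-group-rule" to authorize_security_group_ingress or authorize_security_group_egress, so the spreadsheet never has to exist.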