Release Date: 03/11/2019 | Issue: 10
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to keep receiving it, you are welcome to subscribe.

This week's articles


Thinking Outside the Box: Or, how I learned to stop worrying and love the cloud
These are the slides from Dino's keynote at H2HC. It starts with the mentality shift from thinking about the security of a single machine (the 'box') to the security of many machines at once: security applied at fleet-wide scale is incredibly powerful and turns some hard problems into simple ones. Another main take-away is that in the cloud there are many somewhat overlapping, but mutually inconsistent, security models (network, OS, container, orchestrator, application). Among them, the cloud provider's IAM (like AWS IAM) is the only security model that really matters: whoever holds the IAM permissions can reach the data and the control plane regardless of the other layers, so everything else is 'defence in depth' at best.


Exploring container security: Use your own keys to protect your data on GKE
This week, Google released two features to help protect and control GKE environments and support regulatory requirements: the general availability of GKE application-layer Secrets encryption, so you can protect your Kubernetes Secrets with envelope encryption; and customer-managed encryption keys (CMEK) for GKE persistent disks in beta, giving you more control over encryption of persistent disks.


Multi-cluster security with Falco and AWS Firelens on EKS & ECS
Ever wondered how to aggregate all Kubernetes security events across AWS container services? Using AWS FireLens, you can route Falco events from several clusters into AWS CloudWatch, centralizing all security events in one view.


App Identity and Access Adapter with Istio
A blog post describing how to use Istio to secure multi-cloud Kubernetes applications, with zero code changes or redeployments, by leveraging the App Identity and Access Adapter.


AWSume: AWS Assume Made Awesome!
A nice utility for managing session tokens and assuming AWS IAM roles from the command line, so you no longer have to juggle STS credentials by hand.


Sadcloud
NCC released a tool for standing up (and tearing down!) purposefully insecure cloud infrastructure with Terraform. Sadcloud was created to easily allow security researchers to misconfigure AWS for training purposes, or to assess AWS-related security tools.


Native Container Image Scanning in Amazon ECR
AWS playing catch up with GCP, this time by adding native image scanning to ECR, built on CoreOS Clair, to carry out static analysis of known vulnerabilities in image layers. The ECR API, the AWS CLI and the SDKs have been extended with image-scanning operations (starting a scan, reading its status and findings), and scan-on-push can be enabled per repository, which makes the service usable as a gate in a CI pipeline. AWS also put together a sample available on GitHub that shows how you can use the new image-scanning ECR APIs to perform scheduled re-scans of container images.
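The gating step is the part the announcement leaves to the reader. The following is an added example (not code from the AWS sample repository or from ECR itself) of a CI gate that reads an ECR scan result and fails the job when any finding reaches a chosen severity. The response layout mirrors the ECR DescribeImageScanFindings API; the sample response embedded at the bottom is constructed for this demo and names no real CVEs. The `fetch_scan_findings` helper calls the real boto3 operations (`start_image_scan`, the `image_scan_complete` waiter and `describe_image_scan_findings`) and needs AWS credentials, so it is defined but not invoked.

```python
"""Gate a CI job on the result of an Amazon ECR image scan.

Added example, not code from AWS's sample repository or from ECR itself.
The response layout mirrors the ECR DescribeImageScanFindings API; the sample
response at the bottom is constructed for this demo and names no real CVEs.
"""
from typing import Dict, List, Tuple

# Severity levels as ECR reports them, least to most severe. UNDEFINED means the
# scanner could not assign a score, so it is handled separately below.
SEVERITY_RANK = {"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def scan_complete(response: Dict) -> bool:
    """True only when the scan finished; FAILED or IN_PROGRESS must not pass the gate."""
    return response.get("imageScanStatus", {}).get("status") == "COMPLETE"


def findings_at_or_above(response: Dict, threshold: str, fail_on_undefined: bool = True) -> List[Dict]:
    """Return findings whose severity meets the threshold.

    UNDEFINED findings carry no score; treating them as blocking (the default)
    is the conservative choice for a CI gate.
    """
    floor = SEVERITY_RANK[threshold]
    selected = []
    for finding in response.get("imageScanFindings", {}).get("findings", []):
        severity = finding.get("severity", "UNDEFINED")
        if severity not in SEVERITY_RANK:
            if fail_on_undefined:
                selected.append(finding)
            continue
        if SEVERITY_RANK[severity] >= floor:
            selected.append(finding)
    return selected


def gate(response: Dict, threshold: str = "HIGH", fail_on_undefined: bool = True) -> Tuple[bool, str]:
    """Decide pass/fail and produce a one-line summary for the CI log."""
    if not scan_complete(response):
        status = response.get("imageScanStatus", {}).get("status", "UNKNOWN")
        return False, f"scan status is {status}, refusing to pass the gate"
    blocking = findings_at_or_above(response, threshold, fail_on_undefined)
    if blocking:
        names = ", ".join(f"{f['name']} ({f.get('severity', 'UNDEFINED')})" for f in blocking)
        return False, f"{len(blocking)} finding(s) at or above {threshold}: {names}"
    counts = response.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    return True, f"no findings at or above {threshold}; counts seen: {counts}"


def fetch_scan_findings(repository: str, tag: str, region: str = "us-east-1") -> Dict:
    """Trigger a scan and collect every findings page via boto3 (needs AWS credentials; not run here).

    Note: ECR allows one on-demand scan per image per day, so StartImageScan raises
    LimitExceededException on a second call; catch it if you re-run the gate on the same tag.
    """
    import boto3  # imported here so the gate logic above runs without boto3 installed

    ecr = boto3.client("ecr", region_name=region)
    image_id = {"imageTag": tag}
    ecr.start_image_scan(repositoryName=repository, imageId=image_id)
    ecr.get_waiter("image_scan_complete").wait(repositoryName=repository, imageId=image_id)

    merged: Dict = {}
    token = None
    while True:  # findings are paginated; merge all pages before gating
        kwargs = {"repositoryName": repository, "imageId": image_id}
        if token:
            kwargs["nextToken"] = token
        page = ecr.describe_image_scan_findings(**kwargs)
        if not merged:
            merged = page
        else:
            merged["imageScanFindings"].setdefault("findings", []).extend(
                page.get("imageScanFindings", {}).get("findings", []))
        token = page.get("nextToken")
        if not token:
            return merged


# Constructed sample response, shaped like DescribeImageScanFindings output (placeholder CVE names).
SAMPLE_RESPONSE = {
    "repositoryName": "demo/app",
    "imageId": {"imageTag": "1.0.0"},
    "imageScanStatus": {"status": "COMPLETE", "description": "The scan was completed successfully."},
    "imageScanFindings": {
        "findings": [
            {"name": "CVE-EXAMPLE-0001", "severity": "HIGH",
             "attributes": [{"key": "package_name", "value": "libexample"}]},
            {"name": "CVE-EXAMPLE-0002", "severity": "LOW",
             "attributes": [{"key": "package_name", "value": "libother"}]},
            {"name": "CVE-EXAMPLE-0003", "severity": "UNDEFINED",
             "attributes": [{"key": "package_name", "value": "libunscored"}]},
        ],
        "findingSeverityCounts": {"HIGH": 1, "LOW": 1, "UNDEFINED": 1},
    },
}

if __name__ == "__main__":
    ok, summary = gate(SAMPLE_RESPONSE, threshold="HIGH")
    print(("PASS" if ok else "FAIL") + ": " + summary)
    raise SystemExit(0 if ok else 1)
```

Two design choices worth copying: an incomplete or failed scan is a failure, never a silent pass, and unscored (UNDEFINED) findings block by default, since a CI gate that ignores what the scanner could not rate will quietly wave through exactly the packages nobody has looked at.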


Do you want to deal with Kubernetes updates less frequently?
Many Kubernetes users want an LTS-style release channel that receives fewer feature updates but is still patched actively. GKE now offers release channels for exactly this, selected at cluster creation with --release-channel=[stable|regular|rapid], where stable gets the fewest (but still security-patched) updates and rapid gets new versions first.


imgcrypt: OCI Image Encryption Package
The imgcrypt library provides API extensions for containerd to support encrypted container images.


Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present, CloudSecList by Marco Lancini.