Release Date: 15/08/2021 | Issue: 100
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
🎉 CloudSecList reaches the 100th issue! 🎉
This week CloudSecList reaches an important milestone, the 100th issue. It has definitely come a long way since issue #1 (go check it out!), and for this I have to thank you, readers and sponsors.
As always, I'm happy to receive feedback: just reply to this email or let me know on Twitter @lancinimarco!
Sponsor

Is your startup SOC 2 compliant? 🦙
Vanta restores trust in internet businesses by giving startups an easy-to-use platform to improve and prove their security. Over 1500 fast-growing companies rely on Vanta to automate their SOC 2, ISO 27001, or HIPAA compliance certifications in weeks instead of months.
Check Vanta out!

This week's articles


Cloud Security Orienteering
A cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment.   #aws   #azure   #defend   #gcp   #strategy


So You Inherited an AWS Account. A 30-day security guide for engineers…
Many engineers have found themselves in the unenviable position of being handed the keys to an AWS environment with absolutely no explanation of its contents, documentation, or training.   #aws   #defend


Expanding Secrets Infrastructure to AWS Lambda
How Square extended their datacenter-based secrets infrastructure to enable a cloud migration supporting Lambda. They added SPIFFE compatibility to their secrets infrastructure and developed a Lambda secrets syncer that Square engineers can deploy via a Terraform module.   #aws   #build   #terraform


Hacking G Suite: The Power of Dark Apps Script Magic
You’ve seen plenty of talks on exploiting, escalating, and exfiltrating the magical world of Google Cloud (GCP), but what about its buttoned-down sibling? This talk delves into the dark art of utilizing Apps Script to exploit G Suite (AKA Google Workspace).   #attack   #gcp   #gsuite


Hiding in Plaintext Sight: Abusing The Lack of Kubernetes Auditing Policies
How to enable Kubernetes logging in cloud environments, and how to detect logging evasion.   #attack   #kubernetes   #monitor


Lightsail object storage concerns
Part one of a two-part series that will discuss AWS’s new Lightsail object storage. The first part looks at the new access key capability and its security issues.   #attack   #aws


Remediating AWS IMDSv1
An article on remediating IMDSv1 in AWS, a common server-side request forgery vector used for lateral movement and persistence.   #aws   #defend


How to create IAM roles for deploying your AWS Serverless app
An in-depth guide to creating production-ready, least privilege IAM roles for deploying your serverless application across multiple AWS accounts.   #aws   #build   #iam


Encrypt your Kubernetes Secrets with Mozilla SOPS
How to encrypt and decrypt your secrets with Mozilla SOPS and Azure Key Vault.   #azure   #build   #kubernetes


Introducing the Allstar GitHub App
The Open Source Security Foundation announced Allstar, a GitHub app that provides automated continuous enforcement of security best practices for GitHub projects. With Allstar, owners can check for security policy adherence, set desired enforcement actions, and continuously enact those enforcements when triggered by a setting or file change in the organization or project repository.   #announcement   #ci/cd   #defend   #github


Kubernetes 1.22: Reaching New Peaks
Kubernetes 1.22 has been released, and it contains breaking changes! Go check the CHANGELOG to avoid surprises at upgrade time.   #announcement   #kubernetes

Tools


whoc
A container image that extracts the underlying container runtime and sends it to a remote server. Poke at the underlying container runtime of your favorite CSP container platform.


KUR8
A visual overview of Kubernetes architecture and Prometheus metrics.


service-ca-operator
Controller to mint and manage serving certificates for Kubernetes services.


docker-credential-magic
A magic shim for Docker credential helpers. You can also refer to the companion blog post.


amazon-eks-pod-identity-webhook
Amazon EKS Pod Identity Webhook: this webhook is for mutating pods that will require AWS IAM access.

From the cloud providers


#AWS   Announcing Amazon CloudWatch cross account alarms
Amazon CloudWatch announces cross account alarms, a new feature that enables customers to set alerts and take actions based on changes to metrics in other AWS accounts.


#AWS   AWS Config Adds 3 New Config Rules for Amazon Secrets Manager
AWS Config now supports three new AWS Config managed rules to help you verify that your secrets in AWS Secrets Manager are configured in accordance with your organization’s security and compliance requirements.


#AWS   How to scale your authorization needs by using attribute-based access control with S3
How to scale an S3 authorization strategy as an alternative to path-based authorization, by combining attribute-based access control (ABAC) in IAM with a standard Active Directory Federation Services (AD FS) deployment connected to Microsoft AD.


#AWS   Using multiple segments in Amazon API Gateway base path mapping
Multi-level base path mapping enables segmented paths, with each segment able to route to a different endpoint. This pattern allows developers to use RESTful URLs to identify the application paths in easy-to-understand patterns.


#GCP   Integrating Service Directory with GKE: one registry for all your services
You can now register Google Kubernetes Engine (GKE) services in Service Directory, Google Cloud’s managed service registry.


#GCP   Introducing Unattended Project Recommender
Save money and improve security by automating the discovery, management and reclamation of old projects with Unattended Project Recommender.


#GCP   OWASP Top 10 mitigation options on Google Cloud
This document helps you identify Google Cloud products and mitigation strategies that can help you defend against common application-level attacks that are outlined in the OWASP Top 10.


#AZURE   Azure Sentinel SQL Solution Query Deep-Dive
Post covering each of the Detection and Hunting queries included in the Azure Sentinel SQL solution.


#AZURE   What's new: Incident advanced search is now public
By default, incident searches run across the Incident ID, Title, Tags, Owner, and Product name values only. Now, with the new Advanced search pane, you can scroll down the list to select one or more other parameters to search on.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini