Release Date: 29/08/2021 | Issue: 102
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Watch Expel MDR in action
See what it's like to work with Expel MDR to protect your org from security threats. Expel offers 24x7 security monitoring and response for cloud, hybrid and on-premises environments using the security signals customers already own so organizations can get more value from their existing security investments. We report on confirmed problems and provide step-by-step instructions on what to do next. No registration required.
View Demo

This week's articles


Top Open Source Kubernetes Security Tools of 2021
The top eight most popular open source Kubernetes security tools identified by a Red Hat survey: OPA, KubeLinter, Kube-bench, Kube-hunter, Terrascan, Falco, Clair, and Checkov.   #build   #defend   #kubernetes


A Security Review of Docker Official Images: Which Do You Trust?
This research demonstrates the importance of keeping track of the images that you use, and not assuming that even official images from Docker Hub will be maintained in perpetuity.   #attack   #defend   #docker


Cloud Security Orienteering
How to orienteer in a cloud environment, dig in to identify the risks that matter, and put together actionable plans that address short, medium, and long term goals. You can also refer to the companion checklist.   #defend   #strategy


Hands on with Kubernetes Pod Security Admission
Kubernetes v1.22 provides an alpha release of the successor to Pod Security Policy (PSP), called Pod Security Admission (PSA). This post takes an initial look at PSA and covers what you need to know about how it works, and how you can start playing with it.   #explain   #kubernetes


New Terraform Planning Options
Terraform introduced new planning options: "-refresh=false", "-refresh-only", and "-replace".   #announcement   #explain   #terraform


Spoofing Azure AD sign-ins logs by imitating AD FS Hybrid Health Agent
How anyone with local administrator access to an AD FS server (or proxy) can create arbitrary sign-in events in the Azure AD sign-ins log.   #attack   #azure


Using the new Google Cloud Config Controller to provision and manage cloud services via the Kubernetes Resource Model
How to manually configure a GKE cluster, and how to use the new Config Controller to provision and configure services via automation.   #build   #gcp   #kubernetes


Mutating Kubernetes resources with Gatekeeper
Gatekeeper has recently introduced the ability to mutate resources. Mutation means that policy can change Kubernetes resources based on different criteria.   #explain   #kubernetes   #opa


A Deep Dive Into Kubernetes Schema Validation
How do you ensure the stability of your Kubernetes clusters? How do you know that your manifests are syntactically valid? Are you sure you don't have any invalid data types? Are any mandatory fields missing?   #build   #kubernetes


Spice up Your Kubernetes Environment with AWS Lambda
How to securely integrate AWS Lambda with an existing Kubernetes environment without code changes.   #aws   #build   #kubernetes


Detect Malicious Behaviour on Kubernetes API Server through gathering Audit Logs by using FluentBit
How FluentBit can be used to gather Kubernetes audit logs and forward them to an HTTP endpoint.   #build   #kubernetes   #monitor

Tools


gatekeeper-policy-manager
A simple-to-use web-based Gatekeeper policy manager. You can also refer to the companion blog post.


kubeview
KubeView displays what is happening inside a Kubernetes cluster (or a single namespace): it maps out the API objects and how they are interconnected.


n8n
n8n is an extendable workflow automation tool.

From the cloud providers


#AWS   Introducing AWS Backup Audit Manager
AWS Backup announces AWS Backup Audit Manager, a new feature that allows you to audit and report on the compliance of your data protection policies to help you meet your business and regulatory needs.


#AWS   How to automate forensic disk collection in AWS
A hands-on solution you can use for automated disk collection across multiple AWS accounts. This solution helps your incident response team set up an automation workflow to capture the disk evidence they need to analyze in order to determine the scope and impact of potential security incidents.


#AWS   Visualizing AWS Config data using Amazon Athena and Amazon QuickSight
By default, AWS Config stores data in an S3 bucket. Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. When configuration snapshots and configuration history data are aggregated in Amazon S3, you can use Athena to query the JSON data directly using SQL statements. You can then visualize your Athena SQL views and queries in Amazon QuickSight, which lets you easily create and publish interactive BI dashboards by creating data sets.


#AWS   Accreditation Models for Secure Cloud Adoption
This whitepaper provides cloud accreditation best practices to help you capitalize on the security benefits of commercial cloud computing while maximizing efficiency, scalability, and cost reduction.


#AWS   IAM Access Analyzer helps you generate IAM policies based on access activity found in your organization trail
IAM Access Analyzer has extended policy generation, allowing you to generate policies based on access activity stored in a designated account.


#AWS   Access token security for microservice APIs on Amazon EKS
How to implement service-to-service authorization using OAuth 2.0 access tokens for microservice APIs hosted on Amazon EKS.


#GCP   What's the key to a more secure Cloud Function? It's a secret!
The Google Secret Manager native integration with Cloud Functions makes it easier to access secrets for authenticating to upstream APIs and services.


#GCP   Shift security left with on-demand vulnerability scanning
Google Cloud recently launched On-Demand Scanning to general availability. This new feature checks for vulnerabilities both in locally stored container images and images stored within GCP registries.


#GCP   Artifact Registry: the next generation of Container Registry
Compared with Container Registry, Artifact Registry lets you store non-container artifacts, and provides better security and more flexibility.


#GCP   Introducing security configuration for gRPC apps with Traffic Director
gRPC-based services can now be configured via the Traffic Director control plane to use TLS and mutual TLS to establish secure communications.


#GCP   Manage data exfiltration risks in Cloud Run with VPC Service Controls
The scalability and ease of use of fully managed compute now comes with enterprise-grade guardrails at the network level.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues!

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini