Release Date: 19/09/2021 | Issue: 105
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Is your startup SOC 2 compliant? 🦙
Vanta restores trust in internet businesses by giving startups an easy-to-use platform to improve and prove their security. Over 1500 fast-growing companies rely on Vanta to automate their SOC 2, ISO 27001, or HIPAA compliance in weeks instead of months.
Check Vanta out!

This week's articles


Agent Exposes Azure Customers To Unauthorized Code Execution
Azure customers running Linux machines (which, according to Microsoft, account for over half of all Azure instances) are at risk if they use any service that relies on OMI (Open Management Infrastructure), the UNIX/Linux counterpart of Windows Management Infrastructure (WMI). The RCE is about as simple as it gets: send the request without the authentication header and the command runs as root. This Twitter thread is also useful to understand the impact of this flaw.   #attack   #azure


Bypassing GCP Org Policy with Custom Metadata
Google makes use of custom metadata to authorize access to AI Notebooks and their web UIs. Individuals granted access via custom metadata need not have any IAM permissions on the compute instance, on the service account running the Notebook or even be a member of the Organization. This kind of authorization bypasses a specific Organization Policy Constraint which restricts cross-domain resource sharing.   #attack   #gcp


Security Bulletin - Announcements - Travis CI Community
Between the 3rd and 10th of September, secure environment variables of all public repositories hosted on Travis were injected into PR builds. This Twitter thread can help put some perspective on this.   #attack   #ci/cd


NSA & CISA Kubernetes Security Guidance - A Critical Review
Last month, NSA and CISA released a report detailing the security hardening they recommend for Kubernetes clusters. The guidance it contains is generally reasonable, but several points are either incorrect or do not provide enough context for administrators to make good security-focused decisions.   #explain   #kubernetes


Permissions Reference for AWS IAM
A website built in order to provide an alternate, community-driven source of truth for AWS identity.   #aws   #iam


IAM Vulnerable - An AWS IAM Privilege Escalation Playground
The IAM Vulnerable tool helps you learn how to identify and then exploit intentionally vulnerable IAM configurations that allow for privilege escalation.   #aws   #explain   #iam


AWS Authentication: Principals in AWS IAM
Newcomers to AWS can sometimes get confused by what it means to have AWS credentials. This article aims to explain the basics of AWS authentication, that is, the way you gain an identity that you can use to access AWS services.   #aws   #explain   #iam


AWS federation comes to GitHub Actions
GitHub Actions can now issue OpenID Connect (OIDC) tokens to jobs running on the platform. This is very exciting for AWS account administrators, as it means CI/CD jobs no longer need long-term AWS secrets stored in GitHub.   #aws   #ci/cd   #github   #iam
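
The caveat a practitioner wants before switching to this: the IAM role's trust policy must pin both the token audience and the `sub` claim to your repository, otherwise any workflow in any GitHub repository can assume the role. The following is an added example (not code from the linked post, GitHub or AWS) that builds a weak and a hardened trust policy, audits them, and simulates which tokens each would accept. The account ID 123456789012 and the example-org/example-app repository are hypothetical.

```python
"""Audit an IAM role trust policy for the GitHub Actions OIDC provider.
Added example for this issue (not code from the article, GitHub or AWS); the
account ID, organisation and repository names are hypothetical."""
import re

GITHUB_OIDC = "token.actions.githubusercontent.com"
AUD_KEY = GITHUB_OIDC + ":aud"
SUB_KEY = GITHUB_OIDC + ":sub"
ASSUME = "sts:AssumeRoleWithWebIdentity"
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC  # hypothetical account


def trust_policy(condition):
    """Build a role trust policy that lets the GitHub OIDC provider assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": ASSUME,
        "Condition": condition,
    }]}


# Constructed policies. The weak one pins only the audience: every repository on
# github.com can mint a token with aud=sts.amazonaws.com, so a workflow anywhere
# can assume the role. The hardened one also pins `sub` to one repo and branch.
WEAK_TRUST_POLICY = trust_policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"}})
HARDENED_TRUST_POLICY = trust_policy({
    "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
    "StringLike": {SUB_KEY: "repo:example-org/example-app:ref:refs/heads/main"},
})


def as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iam_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def github_statements(policy):
    """Yield the Allow statements that let the GitHub OIDC provider assume the role."""
    for stmt in as_list(policy.get("Statement")):
        federated = as_list(stmt.get("Principal", {}).get("Federated"))
        if stmt.get("Effect") != "Allow" or not any(p.endswith(":oidc-provider/" + GITHUB_OIDC) for p in federated):
            continue
        if any(iam_like(a, ASSUME) for a in as_list(stmt.get("Action"))):
            yield stmt


def condition_values(stmt, key):
    """Collect every value bound to one condition key, across all operators."""
    return [v for pairs in stmt.get("Condition", {}).values() for v in as_list(pairs.get(key))]


def audit_github_oidc_trust(policy):
    """Return a list of findings; an empty list means trust is pinned to one repository."""
    findings = []
    for stmt in github_statements(policy):
        if not condition_values(stmt, AUD_KEY):
            findings.append("aud not pinned: tokens minted for another audience are accepted")
        subs = condition_values(stmt, SUB_KEY)
        if not subs:
            findings.append("sub not restricted: any GitHub repository can assume this role")
        for pattern in subs:
            # sub is repo:OWNER/REPO:ref:refs/heads/BRANCH (or :environment:NAME, :pull_request);
            # a wildcard in OWNER or REPO widens trust past one repository.
            m = re.match(r"repo:([^/]+)/([^:]+):", pattern)
            if m is None or re.search(r"[*?]", m.group(1)):
                findings.append(f"sub pattern {pattern!r} does not pin the repository owner")
            elif re.search(r"[*?]", m.group(2)):
                findings.append(f"sub pattern {pattern!r} trusts every repository under {m.group(1)}")
    return findings


def would_accept(policy, sub, aud="sts.amazonaws.com"):
    """Simulate the trust decision for a GitHub token carrying the given sub and aud claims."""
    claims = {AUD_KEY: aud, SUB_KEY: sub}
    for stmt in github_statements(policy):
        ok = True
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, expected in pairs.items():
                values = as_list(expected)
                if key not in claims or operator not in ("StringEquals", "StringLike"):
                    ok = False  # a key or operator this simulator does not model: deny
                elif operator == "StringEquals":
                    ok = ok and claims[key] in values
                else:
                    ok = ok and any(iam_like(v, claims[key]) for v in values)
        if ok:
            return True
    return False
```

Run audit_github_oidc_trust() over the trust policies in your account (or over Terraform plan output) and treat any non-empty result as a failure. would_accept() shows the difference concretely: the weak policy accepts a token whose sub is repo:attacker/anything:ref:refs/heads/main, the hardened one only accepts tokens from the pinned repository and branch.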


Threat Detection Maturity Framework
How do you measure the success or maturity of a Threat Detection program? What should a Threat Detection team roadmap look like? What is the north star for Threat Detection?   #defend   #monitor   #strategy


Keyless API - Launching GCP workloads from AWS
How to call Google Cloud APIs from AWS or Azure by impersonating a GCP service account through workload identity federation, without managing any service account keys.   #aws   #azure   #build   #gcp   #iam


Terraform Cloud Run Tasks Beta Now Available
HashiCorp Terraform Cloud run tasks allow you to integrate third-party tools into the pre-apply stage of a Terraform Cloud run.   #announcement   #ci/cd   #terraform

Sponsor CloudSecList

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

Tools


ttl.sh
An anonymous & ephemeral (and free) Docker image registry.


approver-policy
approver-policy is a cert-manager approver that allows users to define policies that restrict what certificates can be requested.


ClusterSecret
ClusterSecret operator makes sure all the matching namespaces have the secret available. New namespaces, if they match the pattern, will also have the secret. Any change on the ClusterSecret will update all related secrets.


aws-requests-auth
This package lets you authenticate to AWS using Amazon's Signature Version 4 (SigV4) signing process with the Python requests library.
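
To make the signing process concrete, here is an added example (not code from aws-requests-auth) that signs a request with SigV4 using only the Python standard library: canonical request, string to sign, derived signing key and Authorization header. The access key pair is the placeholder from the AWS documentation, not a live credential; the IAM ListUsers request and the timestamp are constructed.

```python
"""Sign an HTTP request with AWS Signature Version 4 using only the standard library.
Added example for this issue (not code from aws-requests-auth). The access key pair
is the AWS documentation placeholder, not a live credential; the request, region
and timestamp are constructed."""
import datetime
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
EXAMPLE_TIME = datetime.datetime(2012, 2, 15, 12, 0, 0, tzinfo=datetime.timezone.utc)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp, region, service):
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k_date = hmac_sha256(("AWS4" + secret_key).encode(), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def sigv4_headers(method, url, region, service, access_key, secret_key,
                  body=b"", headers=None, now=None):
    """Return the request headers with host, x-amz-date, x-amz-content-sha256 and
    authorization added, following the SigV4 canonicalisation rules."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    parts = urlsplit(url)

    # Headers to sign: lower-case names, trimmed and space-collapsed values, sorted by name.
    hdrs = {k.lower(): " ".join(v.split()) for k, v in (headers or {}).items()}
    hdrs["host"] = parts.netloc
    hdrs["x-amz-date"] = amz_date
    hdrs["x-amz-content-sha256"] = sha256_hex(body)
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))

    # Canonical URI and query: RFC 3986 encoding, query sorted by name then value.
    # (Most services expect each path segment encoded twice; S3 expects it once, as here.)
    canonical_uri = quote(parts.path or "/", safe="/~")
    query = sorted((quote(k, safe="-_.~"), quote(v, safe="-_.~"))
                   for k, v in parse_qsl(parts.query, keep_blank_values=True))
    canonical_query = "&".join(f"{k}={v}" for k, v in query)

    canonical_request = "\n".join([method.upper(), canonical_uri, canonical_query,
                                   canonical_headers, signed_headers, hdrs["x-amz-content-sha256"]])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(canonical_request.encode())])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={signature}")
    return hdrs


def example_signed_request(secret_key=EXAMPLE_SECRET_KEY):
    """Sign a constructed IAM ListUsers request at a fixed time (deterministic output)."""
    return sigv4_headers("GET", "https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08",
                         "us-east-1", "iam", EXAMPLE_ACCESS_KEY, secret_key, now=EXAMPLE_TIME)
```

The returned dictionary can be passed straight to requests.get(url, headers=...). The security property worth noticing is that the secret key never leaves the client: only the derived signature travels, and it is bound to the date, region, service, signed headers and payload hash, so a captured request cannot be replayed against a different endpoint or with a different body.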

CloudSecDocs


Technical Leadership
I've spent some time overhauling and reorganising the "Culture & Engineering" section on CloudSecDocs, now with more resources on topics like engineering decisions, personal development, technical leadership, and management.

From the cloud providers


#AWS   Protect your remote workforce by using a managed DNS firewall and network firewall
Amazon Route 53 Resolver DNS Firewall and AWS Network Firewall help you protect your VPC workloads by inspecting network traffic and applying deep packet inspection rules to block unwanted traffic.


#AWS   IAM Access Analyzer Update - Policy Validation
Use the CLI (aws accessanalyzer validate-policy) or the API (ValidatePolicy) in IAM Access Analyzer to perform programmatic validation as part of your CI/CD workflows, helping you construct correct & secure IAM policies & SCPs.
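
An added example of wiring ValidatePolicy into a CI gate (not code from the AWS post): the API call itself needs AWS credentials, so the blocking logic is kept separate and exercised against a constructed sample of findings in the shape the API returns. The sample policy, issue codes and finding wording are illustrative, not captured output.

```python
"""Gate a CI job on IAM Access Analyzer ValidatePolicy findings.
Added example for this issue, not code from the AWS post. validate_policy_document()
makes the real API call (what `aws accessanalyzer validate-policy` does) and needs AWS
credentials; SAMPLE_FINDINGS is constructed so that gate() can be run offline."""
import json

# ValidatePolicy findingType values are ERROR, SECURITY_WARNING, WARNING and SUGGESTION.
BLOCKING = {"ERROR", "SECURITY_WARNING"}  # fail the build on these; report the rest

# A constructed policy that the policy checks would flag: iam:PassRole on "*" lets the
# caller hand any role in the account to a service.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "", "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"}],
}

# Constructed findings in the shape ValidatePolicy returns (wording is illustrative).
SAMPLE_FINDINGS = [
    {"findingType": "SECURITY_WARNING", "issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
     "findingDetails": "Using iam:PassRole with a wildcard resource can be overly permissive."},
    {"findingType": "SUGGESTION", "issueCode": "EMPTY_SID_VALUE",
     "findingDetails": "Add a value to the empty string in the Sid element."},
]


def validate_policy_document(policy, policy_type="IDENTITY_POLICY", region="us-east-1"):
    """Call ValidatePolicy and collect every page of findings. policy_type is one of
    IDENTITY_POLICY, RESOURCE_POLICY or SERVICE_CONTROL_POLICY."""
    import boto3  # imported here so gate() has no AWS dependency
    client = boto3.client("accessanalyzer", region_name=region)
    kwargs = {"policyDocument": json.dumps(policy), "policyType": policy_type}
    findings = []
    while True:
        resp = client.validate_policy(**kwargs)
        findings.extend(resp.get("findings", []))
        if not resp.get("nextToken"):
            return findings
        kwargs["nextToken"] = resp["nextToken"]


def gate(findings, block_on=BLOCKING):
    """Return (passed, report_lines); passed is False if any finding type is in block_on."""
    report = [f"{f['findingType']:<16} {f['issueCode']}: {f['findingDetails']}" for f in findings]
    passed = not any(f["findingType"] in block_on for f in findings)
    return passed, report


if __name__ == "__main__":
    import sys
    # In a pipeline: findings = validate_policy_document(json.load(open(sys.argv[1])))
    ok, lines = gate(SAMPLE_FINDINGS)
    print("\n".join(lines))
    sys.exit(0 if ok else 1)
```

Exiting non-zero on ERROR and SECURITY_WARNING is a sensible default; teams that want to ratchet up over time can add WARNING to block_on once the existing backlog is clean.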


#AWS   Navigating Compliance with EU Data Transfer Requirements
How customers can continue to use AWS services in compliance with the evolving EU data protection landscape following the Schrems II ruling and recent EDPB recommendations.


#AWS   Aligning IAM policies to user personas for AWS Security Hub
How to deploy sample IAM policies for three personas: sysadmins, security analysts, and DevOps engineers or application builders.


#AWS   The three most important AWS WAF rate-based rules
What the three most important AWS WAF rate-based rules are for proactively protecting web applications against common HTTP flood events, and how to implement these rules.


#GCP   Leveraging Network Telemetry for Forensics in Google Cloud
A network forensics and telemetry solution to enable threat hunting, bringing together Packet Mirroring, open-source tooling, and your choice of SIEM.


#GCP   New Detectors for Event Threat Detection
Event Threat Detection has launched new detectors in public preview: "Credential Access: Privileged Group Joinability Risk", "Persistence: IAM Anomalous Group Grant", "Credential Access: External Member In Privileged Group".


#GCP   Unattended project recommender
The unattended project recommender analyzes usage activity on projects in your organization and provides recommendations that help you discover, reclaim or remove unattended projects.


#AZURE   Boost your network security with new updates to Azure Firewall
Microsoft announced new Azure Firewall capabilities as well as updates for August 2021 including new Azure Firewall supported regions, auto-generated self-signed certificates for Azure Firewall Premium SKU, and more.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini