This week's articles
Revisiting Lambda Persistence
#attack, #aws
From an attacker's perspective, serverless environments are a very different target from their traditional server-based counterparts. Even gaining remote code execution, which would normally spur a race to escalate privileges, has a very different connotation.
IAM::PassRole Explained
#aws, #explain, #iam
Understanding the iam:PassRole permission is key to not only getting your applications working in AWS, but also doing it securely.
Group-based auth with AppSync Lambda authoriser
#aws, #build, #iam
How to implement group-based authorization with AppSync Lambda authoriser, which makes it easier to integrate with 3rd party identity services when you're building a multi-tenant system.
Distroless Builds Are Now SLSA 2
#build, #defend, #docker
Distroless builds have achieved SLSA 2. SLSA is a security framework for increasing supply chain security, and Level 2 ensures that the build service is tamper resistant.
Tools
kube-mgmt
Sidecar for managing OPA on top of Kubernetes.
gitoops
GitOops is a tool to help attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls.
google-github-actions/auth
GitHub Action for authenticating to Google Cloud with GitHub Actions OIDC tokens and Workload Identity Federation.
CloudSecDocs
DevOps
I've completely overhauled the DevOps section of CloudSecDocs, among other little tweaks in other sections. Go check it out!
Sponsor CloudSecList
If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at [email protected]
From the cloud providers
Customizing User Pool Workflows with Lambda Triggers
You can create an AWS Lambda function and then trigger that function during user pool operations such as user sign-up, confirmation, and sign-in (authentication) with a Lambda trigger. You can add authentication challenges, migrate users, and customize verification messages.
To serve and protect: New storage features help ensure data is never lost
Google added extensions to Cloud Storage and introduced two new services, Filestore Enterprise and Backup for Google Kubernetes Engine (GKE). Together, these new capabilities will make it easier for you to protect your data out of the box, across a wide variety of applications and use cases.
Announcing Backup for GKE: the easiest way to protect GKE workloads
Google announced the Preview for Backup for GKE, a simple, cloud-native way for you to protect, manage, and restore your containerized applications and data. With Backup for GKE, you can more easily meet your service-level objectives, automate common backup and recovery tasks, and show reporting for compliance and audit purposes.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! If you have questions, comments, or feedback, let me know on Twitter ( @lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco