Release Date: 17/10/2021 | Issue: 109
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Expel is a Leader in The Forrester Wave™: Managed Detection And Response, Q1 2021
Expel receives the highest possible score in 14 criteria.
Learn what makes Expel different.

This week's articles


Bypassing required reviews using GitHub Actions
A newly discovered flaw in GitHub allows GitHub Actions to be leveraged to bypass the required-reviews branch protection and push unreviewed code to a protected branch, potentially letting malicious code be picked up by other users or flow down the pipeline to production.   #attack   #ci/cd


AWS WAF's Dangerous Defaults
AWS WAF's defaults make bypassing trivial in POST requests, even when you enable the AWS Managed Rules: by default only the first 8 KB of a request body is inspected, so a payload pushed past that limit is never seen by the rules unless you add a size constraint on the body yourself.   #attack   #aws
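To make the failure mode concrete, here is a small model of the inspection window, written for this issue rather than taken from the linked post or from AWS. It assumes the documented default of 8 KB of inspected body (the limit at the time of writing) and a simple SQLi-style pattern standing in for the managed rules; the padded POST body and the rule shapes are constructed for the example.

```python
"""Model of the AWS WAF request-body inspection window (added example).

Two behaviours are modelled: by default the managed rules only ever see the
first BODY_LIMIT bytes of a POST body, and a SizeConstraint rule on the body
can block anything larger so that nothing escapes inspection by size alone.
The pattern, payloads and padding are constructed for illustration.
"""
import re

BODY_LIMIT = 8192  # bytes of body AWS WAF inspects by default (at time of writing)

# Stand-in for a managed SQL-injection rule: just enough to catch the sample payload.
SQLI_PATTERN = re.compile(rb"(?i)\bunion\b.*\bselect\b|'\s*or\s*'1'\s*=\s*'1")

# Shape of the WAFv2 rule that closes the gap (assumed from the WAFv2 API; verify
# against the docs before use): block any request whose body exceeds the window.
SIZE_CONSTRAINT_RULE = {
    "Name": "BlockOversizedBody",
    "Priority": 0,
    "Action": {"Block": {}},
    "Statement": {
        "SizeConstraintStatement": {
            "FieldToMatch": {"Body": {}},
            "ComparisonOperator": "GT",
            "Size": BODY_LIMIT,
            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        }
    },
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "BlockOversizedBody",
    },
}


def inspect_body(body: bytes, size_constraint: bool) -> str:
    """Return 'BLOCK' or 'ALLOW' for a POST body.

    size_constraint=False mirrors a web ACL with only the managed rules attached:
    the rules run over body[:BODY_LIMIT] and never see the rest.
    size_constraint=True mirrors the same ACL with SIZE_CONSTRAINT_RULE in front.
    """
    if size_constraint and len(body) > SIZE_CONSTRAINT_RULE["Statement"][
        "SizeConstraintStatement"]["Size"]:
        return "BLOCK"
    if SQLI_PATTERN.search(body[:BODY_LIMIT]):
        return "BLOCK"
    return "ALLOW"


def padded_request(payload: bytes, pad_to: int = BODY_LIMIT) -> bytes:
    """Constructed POST body: a harmless field large enough to push `payload`
    past the inspection window."""
    filler = b"comment=" + b"A" * pad_to
    return filler + b"&q=" + payload


PAYLOAD = b"' OR '1'='1"  # constructed sample payload


def demo() -> dict:
    small = b"q=" + PAYLOAD
    big = padded_request(PAYLOAD)
    return {
        # payload inside the window: managed rules catch it
        "small_default": inspect_body(small, size_constraint=False),
        # same payload after 8 KB of padding: the default ACL never looks at it
        "big_default": inspect_body(big, size_constraint=False),
        # with the size constraint the oversized request is blocked outright
        "big_hardened": inspect_body(big, size_constraint=True),
        # the trade-off: a legitimate large body is blocked too
        "legit_big_hardened": inspect_body(padded_request(b"hello"), size_constraint=True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The last case is the caveat: a size constraint blocks legitimate large uploads as well, so scope the rule to the paths that do not need big bodies rather than applying it blindly to the whole ACL.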


Azure Privilege Escalation via Service Principal Abuse
Post explaining how to abuse Service Principals to escalate rights in Azure and how to protect yourself against it.   #attack   #azure   #iam


Deploy without credentials with GitHub Actions and OIDC
Did you know that OpenID Connect can be used to build trust between two different clouds? Learn how a new OIDC feature in GitHub Actions replaces long-lived cloud access keys stored as repository secrets with short-lived credentials obtained from the workflow's identity token.   #build   #iac   #iam
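The security of this setup rests on how tightly the cloud side scopes its trust to the token's claims. The following is an added example, not code from the linked article, GitHub or AWS: it models the step where AWS STS checks a GitHub ID token's claims against the role trust policy's Condition block (the workflow side only needs `permissions: id-token: write` and a call to the cloud's web-identity assume-role API). The account ID, repo names and token contents are constructed; the claim names (`iss`, `aud`, `sub`, `repository`, `ref`) are the ones GitHub's OIDC tokens carry, and the `sub` formats for push and pull_request events are as GitHub documents them.

```python
"""Why the `sub` condition in the trust policy matters (added example).

Models IAM's StringEquals / StringLike evaluation over a GitHub OIDC token's
claims. Signature and expiry checks are out of scope here: they happen before
this step and are assumed to have passed.
"""
import fnmatch
from typing import Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
PROVIDER_HOST = "token.actions.githubusercontent.com"

# Condition block of a role trust policy. Keys are "<provider host>:<claim>",
# exactly as they are written in a real AWS trust policy for an OIDC provider.
STRICT_CONDITION = {
    "StringEquals": {f"{PROVIDER_HOST}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{PROVIDER_HOST}:sub": "repo:acme/deploy:ref:refs/heads/main"},
}
# The common mistake: trusting every repository and every ref in the org.
LOOSE_CONDITION = {
    "StringEquals": {f"{PROVIDER_HOST}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{PROVIDER_HOST}:sub": "repo:acme/*"},
}


def claim_value(claims: dict, condition_key: str) -> Optional[str]:
    """Map a condition key such as 'host:sub' to the token claim 'sub'."""
    return claims.get(condition_key.split(":", 1)[1])


def trust_allows(condition: dict, claims: dict) -> bool:
    """All condition entries must hold, as in IAM policy evaluation."""
    if claims.get("iss") != GITHUB_ISSUER:  # wrong provider: never trusted
        return False
    for key, want in condition.get("StringEquals", {}).items():
        if claim_value(claims, key) != want:
            return False
    for key, pattern in condition.get("StringLike", {}).items():
        got = claim_value(claims, key)
        # IAM StringLike supports only * and ?; fnmatch additionally knows
        # [...] classes, which never occur in GitHub sub values, so it is a
        # faithful stand-in here.
        if got is None or not fnmatch.fnmatchcase(got, pattern):
            return False
    return True


def github_token(repo: str, ref: str, event: str = "push") -> dict:
    """Constructed decoded ID-token claims in the shape GitHub issues."""
    sub = f"repo:{repo}:ref:{ref}" if event == "push" else f"repo:{repo}:pull_request"
    return {"iss": GITHUB_ISSUER, "aud": "sts.amazonaws.com", "sub": sub,
            "repository": repo, "ref": ref, "event_name": event}


def demo() -> dict:
    main_push = github_token("acme/deploy", "refs/heads/main")
    feature_push = github_token("acme/deploy", "refs/heads/feature-x")
    pr = github_token("acme/deploy", "refs/pull/42/merge", event="pull_request")
    other_repo = github_token("acme/sandbox", "refs/heads/main")
    wrong_aud = dict(main_push, aud="https://github.com/acme")
    return {
        "strict_main": trust_allows(STRICT_CONDITION, main_push),          # the only intended caller
        "strict_feature": trust_allows(STRICT_CONDITION, feature_push),    # unreviewed branch: no
        "strict_pr": trust_allows(STRICT_CONDITION, pr),                   # PR workflow: no
        "strict_other_repo": trust_allows(STRICT_CONDITION, other_repo),   # another repo: no
        "strict_wrong_aud": trust_allows(STRICT_CONDITION, wrong_aud),     # token minted for someone else: no
        "loose_other_repo": trust_allows(LOOSE_CONDITION, other_repo),     # the wildcard lets this in
        "loose_pr": trust_allows(LOOSE_CONDITION, pr),                     # and any PR in the org
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

With the loose condition, anyone who can open a pull request or push a branch in any repository of the org can mint a token that the role accepts; pin `sub` to the repository and the ref (or environment) that is actually allowed to deploy, and always pin `aud`.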


Are Dockerfiles good enough?
There has been a major regression in many organizations, who now tolerate risks inside containers that never would have been allowed on virtual machines. A lot of the blame seems to rest with Dockerfiles: we need guardrails against common mistakes.   #defend   #docker


Designing Least Privilege AWS IAM Policies for People
Got engineers with AdministratorAccess? Here's how to deploy reduced privilege IAM roles for people without breaking their workflows.   #aws   #explain   #iam


VPC Service Controls in Plain English
GCP offers a powerful control for mitigating API-based data exfiltration called VPC Service Controls. To build a cloud architecture that works, and stays secure, with VPC Service Controls in place, it is important to understand exactly how they work.   #explain   #gcp


Understanding Azure Logs from a security perspective - Part 2
This blog is the second in a multi-part series covering the logs and telemetry available on the Azure platform, the security insights that can be obtained from them, and the existing blind spots; knowing about the latter up front can save you a few headaches down the line.   #azure   #monitor


Remotely Access your Kubernetes Lab with Cloudflare Tunnel
How to use Cloudflare Tunnel to connect my Kubernetes Lab to the Cloudflare network, and Auditable Terminal to connect to it using nothing more than a browser. Disclaimer: I did write this post.   #build   #kubernetes


16 things you didn't know about Kube APIs and CRDs
If you're familiar with Kubernetes, you're likely familiar with the Kubernetes API and the concept of controllers, but despite the seeming simplicity of the core ideas, there are plenty of details that may be surprising once you scratch the surface.   #explain   #kubernetes

Sponsor CloudSecList

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

Tools


Kubernetes YAML Generator
A handy generator of boilerplate YAML for Kubernetes resources.


snowcat
Snowcat gathers and analyzes the configuration of an Istio cluster and audits it for potential violations of security best practices. You can also check the companion blog post.


k8s-opa-boilerplate
Boilerplate example of managing OPA with kustomize.


minik8s-ctf
A beginner-friendly CTF about Kubernetes security.


kdigger
kdigger is a context discovery tool for Kubernetes penetration testing.

From the cloud providers


#AWS   Determining whether a request is allowed or denied within an account
The IAM docs on policy evaluation have been updated with a table that explains how resource policies can or can't grant access beyond a permissions boundary.


#AWS   AWS Network Firewall Adds New Configuration Options for Rule Ordering and Default Drop
AWS Network Firewall now offers new configuration options for rule ordering and default drop, making it easier to write and process rules to monitor your virtual private cloud (VPC) traffic.


#AWS   Introducing AWS Instance Scheduler v2.0
AWS Instance Scheduler is a solution that helps you control your AWS resource cost by configuring start and stop schedules for your Amazon Elastic Compute Cloud (Amazon EC2) On-Demand Instances and Amazon Relational Database Service (Amazon RDS) instances.


#AWS   AWS Backup adds an additional layer for backup protection with the availability of AWS Backup Vault Lock
AWS Backup announced the availability of AWS Backup Vault Lock. This new feature enhances customers' ability to protect backups from inadvertent or malicious actions. It helps customers implement safeguards that ensure they are storing their backups using a Write-Once-Read-Many (WORM) model.


#AWS   Simplifying Kubernetes configurations using AWS Lambda
How to create a multi-stage Dockerfile that packages eksctl, kubectl, and aws-auth into a Lambda function image, so that the function can call the Kubernetes API to create and manage resources through a unified control plane.


#GCP   Centralised audit logs in GCP in a secure environment with VPC Service Controls
On paper, setting up GCP logging sinks is relatively easy. In reality, as soon as VPC Service Controls are involved, you suddenly find yourself locked out of every "how-to" tutorial; they likely won't work with your security setup.


#AZURE   Analyzing Endpoints Forensics - Azure Sentinel Connector
The Analyzing Endpoints Forensics connector for Azure Sentinel enables more powerful forensic analysis by streaming a computer's EPP (Endpoint Protection) health status, policies, settings, and configuration into Sentinel, alongside IoT vulnerable assets, data events and vulnerabilities.


#AZURE   Azure Monitor container insights for Azure Arc enabled Kubernetes
Azure Monitor container insights for Azure Arc enabled Kubernetes is now generally available. You can now monitor any Kubernetes cluster, AKS or non-AKS, through container insights.


#AZURE   IP-based website protection for Azure Static Web Apps
Azure Static Web Apps adds support for access restrictions by IP addresses and service tags.


#AZURE   Customize Azure Static Web Apps authentication with a serverless function
Azure Static Web Apps adds support for programmatically assigning custom user roles using Azure Functions.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini