Release Date: 07/11/2021 | Issue: 112
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Cybersecurity, a daily task
As companies grow, so does their attack surface. Faraday offers an integral approach to scalability, helping businesses keep up with growing networks and security requirements. Scalability is about resource optimization: we developed a platform that automates vulnerability detection, summarizes results, and manages larger volumes of vulnerabilities. Faraday eases the integration of security tasks into regular workflows and, ultimately, of productivity with security, including an integration with Jira that lets you free up time and automate your team's resources.
Scale your security now

This week's articles


Streamline Fifteen SOC 2 Controls with AWS Config and AWS Security Hub
There are two services on AWS that can make SOC 2 easier for you and your company, AWS Config and AWS Security Hub. These two services have built-in rules (Config) and controls (Security Hub) that directly address SOC 2 criteria and controls.   #aws   #defend


Kubernetes API Access Security Hardening
Kubernetes is driven by an HTTP API server which allows complete configuration and control of Kubernetes runtime. Therefore, securing access to the API server is one of the most critical security controls to ensure resilient Kubernetes in production.   #defend   #kubernetes


Automating cloud governance at scale
Blog post from SkyScanner, introducing some recent improvements to CFRipper that have enabled them to detect issues more accurately, allow for increasing levels of customization, and facilitate dynamic stack exemptions for engineering squads.   #aws   #defend


The 2 limits of Google Cloud IAM
2 use cases where the GCP IAM model is limited, requiring some trickery to get right.   #explain   #gcp   #iam


Server-side Apply in Kubernetes
This new merging algorithm running on the Kubernetes API server replaces the client side apply feature with a server-side implementation, helping users and controllers manage their resources.   #announcement   #kubernetes


Using New S3 Features to Give CloudTrail Logs Service-Side Enrichment
Use the recent S3 Object Lambda functionality in AWS to enrich S3-based logs with valuable intelligence.   #aws   #monitor


Container CVE List
A page listing CVEs affecting Kubernetes/runc/ContainerD/Docker.   #attack   #docker   #kubernetes


Terraform support in Semgrep
Semgrep 0.70+ now supports scanning Terraform source files (HCL) for misconfigurations and security flaws.   #announcement   #defend   #terraform

Tools


driftctl
Detect, track and alert on infrastructure drift.


camp
CloudSplaining on AWS Managed Policies. It automatically downloads and keeps a local copy of all AWS IAM Managed Policies, and also runs Cloudsplaining on each.


helm-scanner
Open source IaC security scanner for public Helm charts.


ottr
Ottr is a serverless framework for Public Key Infrastructure (PKI) that aims to provide a robust and scalable method to manage end-to-end certificate rotations using an agentless approach.


terraform-validator
Terraform Validator can run pre-deployment checks on Terraform plans for policy compliance.

From the cloud providers


#AWS   Forensic investigation environment strategies in the AWS Cloud
This post provides strategies that you can use to prepare your organization to respond to secure baseline deviations. These strategies take the form of best practices around AWS account structure, OUs and SCPs, forensic VPC and network infrastructure, evidence artifacts to be collected, AWS services to be used, forensic analysis tool infrastructure, and user access and authorization to the above.


#AWS   Analyze Cross-Account AWS KMS Call Usage with AWS CloudTrail and Amazon Athena
How to use AWS CloudTrail and Amazon Athena to analyze AWS KMS API usage. In a hub-and-spoke account model, cross-account AWS KMS API quotas are applied to the spoke account when the spoke account accesses an SSE-KMS encrypted S3 bucket in the hub account.


#AWS   Extending the Baseline in AWS Control Tower to Accelerate the Transition from AWS Landing Zone
This blog post explains how to modify and deploy the code to apply AWS Landing Zone specific baselines such as IamPasswordPolicy and EnableNotifications into AWS Control Tower using Customizations for the AWS Control Tower.


#AWS   AWS Control Tower Account vending through Amazon Lex ChatBot
Post describing a multi-environment solution that uses a cloud native CI/CD pipeline to build, test, and deploy a Serverless ChatOps bot that integrates with AWS Control Tower Account Factory for AWS account vending.


#GCP   Zero trust workload security with GKE, Traffic Director, and CA Service
Google announced the general availability of new security capabilities for Traffic Director which provide fully-managed workload credentials for Google Kubernetes Engine (GKE) via CA Service.


#GCP   Introducing GKE image streaming for fast application startup and autoscaling
New container image streaming in Google Kubernetes Engine slashes the time it takes to boot your applications.


#AZURE   Azure trusted launch for Virtual Machines now generally available
Azure offers trusted launch as a seamless way to bolster the security of Generation 2 VMs. Designed to protect against boot kits, rootkits, and kernel-level malware, trusted launch is comprised of secure boot, virtual trusted platform module (vTPM), and boot integrity monitoring.


#AZURE   Introducing Microsoft Defender for Cloud Apps
Defender for Cloud Apps helps you gain visibility of your deployed cloud apps, discovers shadow IT, and protects your sensitive information.


#AZURE   Introducing Azure Container Apps: a serverless container service for running modern apps at scale
Microsoft announced Azure Container Apps, an app-centric hosting service for serverless containers. It is built with microservices in mind on the foundation of powerful open-source technology in the Kubernetes ecosystem.


#AZURE   OpenID Connect integration between Azure AD and GitHub Actions
Microsoft announced the public preview of capabilities that enable developers to secure their deployments to Azure through the OpenID Connect integration between Azure AD and GitHub Actions.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini