This week's articles
Kubernetes API Access Security Hardening
#defend, #kubernetes
Kubernetes is driven by an HTTP API server that allows complete configuration and control of the Kubernetes runtime. Securing access to the API server (authentication, authorization, admission control, and network exposure) is therefore one of the most critical controls for running Kubernetes resiliently in production.
Automating cloud governance at scale
#aws, #defend
Blog post from Skyscanner introducing recent improvements to CFRipper that let them detect issues more accurately, support increasing levels of customization, and allow dynamic stack exemptions for engineering squads.
Server-side Apply in Kubernetes
#announcement, #kubernetes
This new merging algorithm, which runs on the Kubernetes API server, replaces the client-side apply feature with a server-side implementation: the API server tracks which manager owns each field and reports conflicts, helping users and controllers manage their resources safely.
Container CVE List
#attack, #docker, #kubernetes
A page listing CVEs affecting Kubernetes/runc/ContainerD/Docker.
Terraform support in Semgrep
#announcement, #defend, #terraform
Semgrep 0.70+ now supports scanning Terraform source files (HCL) for misconfigurations and security flaws.
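To show what a Terraform rule looks like in practice, here is an added example (not part of the original newsletter item, and not a rule shipped by the Semgrep project) that flags an aws_s3_bucket resource whose acl argument makes it world-readable. The rule id, message and file name are assumptions for illustration; the pattern syntax (resource block with `...` for any other attributes, `$NAME` metavariable, `pattern-either`) is standard Semgrep.

```yaml
# s3-public-acl.yaml (hypothetical file name): added example rule for
# Semgrep's Terraform (HCL) support. Matches an aws_s3_bucket whose acl is
# one of the public canned ACLs, regardless of the other attributes in the
# block. Targets the pre-provider-v4 style where acl is set inline on the
# bucket resource.
rules:
  - id: aws-s3-bucket-public-acl
    languages: [terraform]
    severity: WARNING
    message: >
      S3 bucket "$NAME" uses a public canned ACL. Set acl = "private"
      (or drop the acl argument) and grant access through a bucket policy.
    metadata:
      category: security
      technology: [aws, terraform]
    pattern-either:
      # "..." matches any number of other attributes or nested blocks,
      # so attribute order and unrelated settings do not affect the match.
      - pattern: |
          resource "aws_s3_bucket" "$NAME" {
            ...
            acl = "public-read"
            ...
          }
      - pattern: |
          resource "aws_s3_bucket" "$NAME" {
            ...
            acl = "public-read-full-control"
            ...
          }
```

Run it with `semgrep --config s3-public-acl.yaml path/to/terraform/` and a bucket declared with `acl = "public-read"` is reported with its resource name, while a bucket with `acl = "private"` is not. A deliberately public bucket (a static website, say) is best handled with a `# nosemgrep` annotation on the offending line rather than by loosening the rule.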
Tools
driftctl
Detect, track and alert on infrastructure drift.
camp
Runs Cloudsplaining against AWS managed policies: it automatically downloads and keeps a local copy of all AWS IAM managed policies, and runs Cloudsplaining on each of them.
helm-scanner
Open source IaC security scanner for public Helm charts.
ottr
Ottr is a serverless framework for Public Key Infrastructure (PKI) that aims to provide a robust and scalable way to manage end-to-end certificate rotation using an agentless approach.
terraform-validator
Terraform Validator can run pre-deployment checks on Terraform plans for policy compliance.
From the cloud providers
Forensic investigation environment strategies in the AWS Cloud
This post provides strategies you can use to prepare your organization to respond to deviations from a secure baseline. They cover AWS account structure, OUs and SCPs, a forensic VPC and its network infrastructure, the evidence artifacts to collect, the AWS services to use, the infrastructure for forensic analysis tooling, and user access and authorization to all of the above.
Azure trusted launch for Virtual Machines now generally available
Azure offers trusted launch as a seamless way to bolster the security of Generation 2 VMs. Designed to protect against bootkits, rootkits, and kernel-level malware, trusted launch consists of secure boot, a virtual trusted platform module (vTPM), and boot integrity monitoring.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌 If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco