Release Date: 14/11/2021 | Issue: 113
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Best Practices for CIEM Security
Did you know that over-permissioned accounts and roles are the most common cloud service misconfiguration security problem? To mitigate the risk of data breaches and to contain privilege escalation and lateral movement, implementing least privilege is a crucial best practice. To do this effectively, you need Cloud Infrastructure Entitlement Management (CIEM) security.
Read our blog to discover what CIEM Security is and how easy it is to implement with Sysdig Secure for cloud.

This week's articles


ChaosDB Explained: Azure's Cosmos DB Vulnerability Walkthrough
This is the full story of the Azure ChaosDB Vulnerability that was discovered and disclosed by the Wiz Research Team, where they were able to gain complete unrestricted access to the databases of several thousand Microsoft Azure customers.   #attack   #azure


Exploiting and defending anonymous access in Azure
Most Azure services require some form of authentication for access. However, there are a few exceptions that allow the configuration of unauthenticated and unauthorized access. The most common ones are Azure Blob Containers and the Azure Container Registry.   #attack   #azure   #defend   #iam


Everything you always wanted to know about VPC Peering (but were afraid to ask)
An overview of Google Cloud VPC network peerings: their anatomy, major misconceptions, and some watchpoints, so that users can learn how to use them wisely when designing their infrastructures.   #explain   #gcp


Detection Engineering for Kubernetes clusters
A background on what logging in Kubernetes looks like, followed by novel detection rules created around how privilege escalation is achieved within a Kubernetes cluster.   #kubernetes   #monitor


Kubernetes Logging in Production
Learn about scalable logging patterns for your production Kubernetes clusters.   #explain   #kubernetes   #monitor


A Practical Guide to Continuous Compliance for Your Cloud Infrastructure
A 5-step journey to achieve continuous compliance without sacrificing speed.   #ci/cd   #strategy


Zero-friction keyless signing with Kubernetes
A new way of signing container images without needing to manage signing keys, including a demo of how easy it is to get started signing on Amazon EKS thanks to cosign.   #build   #containers   #kubernetes


How to Secure Containers with Cosign and Distroless Images
A post on the need to use Distroless container images and Cosign for safer production deployments.   #ci/cd   #containers   #kubernetes


Flux Security Audit has concluded
The engagement uncovered a privilege escalation vulnerability in Flux that could enable users to gain cluster admin privileges. The issue has been fixed and is assigned CVE-2021-41254. You can also take a look at the full report.   #announcement


Terraform Cloud Variable Sets Beta Now Available
The new variable sets in HashiCorp Terraform Cloud enable capabilities that help simplify use cases such as credential management, disaster recovery, tagging, and cost reduction.   #announcement   #terraform

Tools


cloudkey
No need for IAM users when we have Yubikeys.


dco
GitHub App that enforces the Developer Certificate of Origin (DCO) on Pull Requests.


yet-another-aws-exporter
A Prometheus metrics exporter for AWS that fills in gaps CloudWatch doesn't cover.


kubectl-cost
CLI for determining the cost of Kubernetes workloads.

CloudSecDocs


Vault
A collection of resources for HashiCorp Vault.

From the cloud providers


#AWS   Measure and Improve Your Application Resilience with AWS Resilience Hub
Amazon announced the availability of AWS Resilience Hub, a new AWS service designed to help you define, track, and manage the resilience of your applications.


#AWS   AWS CloudTrail announces ErrorRate Insights
AWS CloudTrail announces CloudTrail error rate Insights, a new feature of CloudTrail Insights that enables customers to identify unusual activity in their AWS account based on API error codes and their rate.


#GCP   Secure Software Supply Chain (S3C) in Serverless world
A no-ops method to build an S3C using Cloud Run, Cloud Build and Binary Authorization in Google Cloud.


#GCP   Enabling SRE best practices: new contextual traces in Cloud Logging
Developers can now view trace information for applications directly in Google Cloud Logging for faster debugging.


#AZURE   Protect workloads with inline DDoS protection from Gateway Load Balancer partners
Microsoft announced the preview of inline DDoS protection, which will be offered through partner network virtual appliances (NVAs) that are deployed with Azure Gateway Load Balancer and integrated with Azure DDoS Protection Standard.


#AZURE   Public preview: Azure Bastion IP-based connection
With the new Azure Bastion IP-based connection capability, you can now connect to any target resource reachable from your Bastion using its private IP address.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues!

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini