Release Date: 05/12/2021 | Issue: 116
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up
The re:Invent edition
As you **might** have heard, AWS re:Invent happened this past week.
As a consequence, this issue of CloudSecList will be focused on the recent announcements that came out of it.

Gaining Full Visibility into the Security of Multi-Cloud Environments
Cloud security requires complete knowledge of your environment—and denying your adversaries discovery of that knowledge. Learn how Red Ventures (CNET; ZDNet; Bankrate) used Fugue to gain immediate and full visibility into the security posture of their environment that spans multiple clouds and hundreds of accounts. This session will cover using Open Policy Agent, the open source standard for policy as code, for cloud security from infrastructure as code through the runtime.
Register Here

This week's articles

Data Perimeter Workshop   #aws, #defend
This workshop takes you through some of the best practices and available AWS services and features for creating a boundary around your resources in AWS.

AWS Policy as Code Workshop   #aws, #opa
This workshop explores how to codify a set of rules that make up a policy, use a DevSecOps workflow to quickly address policy issues, and redeploy a policy compliant workload.

IAM roles for Kubernetes service accounts - deep dive   #aws, #iam, #kubernetes
How IAM and Kubernetes work together allowing you to call AWS services from your pods with no hussle.

Azure Privilege Escalation via Azure API Permissions Abuse   #attack, #azure
How Azure API Permissions can be abused to escalate to Global Admin.


Sloop monitors Kubernetes, recording histories of events and resource state changes, and providing visualizations to aid in debugging past events.

From the cloud providers

AWS Icon  AWS Control Tower Account Factory for Terraform
A new Terraform module that allows you to provision and customize AWS accounts through Terraform using a deployment pipeline.

AWS Icon  New for AWS Control Tower - Region Deny and Guardrails to Help You Meet Data Residency Requirements
You can now use AWS Control Tower to deploy data residency preventive and detective controls, referred to as guardrails. These guardrails will prevent provisioning resources in unwanted AWS Regions by restricting access to AWS APIs through service control policies (SCPs) built and managed by AWS Control Tower.

AWS Icon  New Amazon Inspector for continual vulnerability management
The new Amazon Inspector is a vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.

AWS Icon  Announcing preview of AWS Backup for Amazon S3
AWS announced the public preview of AWS Backup for Amazon S3. You can now create a single policy in AWS Backup to automate the protection of application data stored in S3.

AWS Icon  Amazon S3 Object Ownership can now disable access control lists to simplify access management for data in S3
Amazon S3 introduces a new S3 Object Ownership setting that disables access control lists (ACLs), simplifying access management for data stored in S3.

AWS Icon  AWS Shield Advanced Update - Automatic Application Layer DDoS Mitigation
AWS announced a new set of capabilities automatically mitigates malicious web traffic that threatens to impact application availability.

AWS Icon  Amazon VPC Network Access Analyzer
The new Amazon VPC Network Access Analyzer helps you identify network configurations that lead to unintended network access.

AWS Icon  Amazon VPC announces IP Address Manager (IPAM) to help simplify IP address management on AWS
Amazon VPC IP Address Manager (IPAM) is a new feature that makes it easier for you to plan, track, and monitor IP addresses for your AWS workloads. With IPAM's automated workflows, network administrators can more efficiently manage IP addresses.

AWS Icon  How to enable secure seamless single sign-on to Amazon EC2 Windows instances with AWS SSO
You can now provide one-click login access to Amazon EC2 Windows instances using identities from AWS SSO, or AWS SSO supported identity providers such as Okta, Ping & OneLogin.

GCP Icon  Getting started with the Security Foundations Blueprint automation repo
The security foundations blueprint automation repo contains Terraform code that implements the best practices discussed in the security foundations guide.

Azure Icon  General availability: Audit Logs of Azure Monitor log queries
Azure Monitor logs is announcing a new capability to collect audit logs about query execution.

Azure Icon  General availability: Create AKS clusters without local user accounts
Disable local accounts for AKS cluster and use AAD only for more secure cluster access.

Azure Icon  Azure Key Vault secrets provider extension for Arc enabled Kubernetes clusters
Microsoft announced the public preview of a Microsoft managed service that lets you use AKV as secrets management solution for Azure Arc enabled Kubernetes cluster.

Azure Icon  Introducing Azure AD custom security attributes
Microsoft announced the public preview of Microsoft Azure Active Directory (Azure AD) custom security attributes and user attributes in ABAC (Attribute Based Access Control).

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present, CloudSecList by Marco Lancini.