Release Date: 23/01/2022 | Issue: 121
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sponsor

The State of Cloud Native Security Report 2022
Prisma Cloud by Palo Alto Networks surveyed over 3,000 security and DevOps leaders about their cloud adoption strategies, budgets, experiences, and plans. The results are dissected in this yearly report, where readers can learn about the practices, tools, and technologies used to implement and secure cloud workloads.
Download your copy of the report today for the latest cloud adoption and security trends for 2022 and beyond!

This week's articles


Securing GitHub organizations   #ci/cd, #defend, #supply-chain
If your security team is concerned about supply chain risk, it's a good idea to look at your GitHub settings. GitHub describes several security features and best practices in their documentation for account security and organization security, but this post goes beyond the documentation. It's a step-by-step process for securing your GitHub organization.


Vulnerable AWS Lambda function - Initial access in cloud attacks   #attack, #aws
How a vulnerable AWS Lambda function could be used by attackers, and some best practices to mitigate these attacks.


10 real-world stories of how we've compromised CI/CD pipelines   #attack, #ci/cd
Some war stories from NCC about what they have observed and been able to demonstrate on CI/CD pipeline security assessments, clearly showing why there is the saying "they are execution engines".


Creating your first GCP Organization   #explain, #gcp
A walk-through for anyone who hasn't yet created their first Google Identity domain for experimentation in GCP.


Tracing the path of network traffic in Kubernetes   #explain, #kubernetes
Learn how packets flow inside and outside a Kubernetes cluster, starting from the initial web request and going all the way down to the container hosting the application.


GitHub Actions - Update on OIDC based deployments to AWS   #aws, #build, #ci/cd
If you use OIDC to deploy from GitHub Actions to AWS, update the trusted thumbprint!


Terraform Dynamic IAM Policy Construction   #explain, #iam, #terraform
An intuitive, easy way to build IAM policy docs in a "constructor" pattern using Terraform.

Tools


citizen
A Private Terraform Module Registry.


aws-root-account
Terraform for the UK Ministry of Justice AWS root account.


lobster-pot
Scans every git push to your GitHub organisations to find unwanted secrets.


RAUDI
A repo to automatically generate and keep updated a series of Docker images through GitHub Actions.


From the cloud providers


Top 10 security best practices for securing backups in AWS
Implement a backup strategy, incorporate backup in DR and BCP, automate backup operations, implement access control mechanisms, encrypt backup data and vault, and more.


Continuous compliance monitoring using custom audit controls and frameworks with AWS Audit Manager
How to leverage AWS Audit Manager to create a tailored audit framework to continuously evaluate your organization's AWS infrastructure against the relevant industry compliance requirements your organization needs to adhere to.


AWS Trusted Advisor now integrates with AWS Security Hub
AWS Trusted Advisor adds 111 checks automatically ingested from AWS Security Hub's Foundational Security Best Practices.


Cloud HSM architecture
Whitepaper providing an overview of Google's Cloud HSM architecture.


Announcing Azure Active Directory (Azure AD) workload identity for Kubernetes
Microsoft announced an open-source project called Azure AD workload identity for Kubernetes. It leverages the public preview capability of Azure AD workload identity federation. With this project, developers can use native Kubernetes concepts of service accounts and federation to access Azure AD protected resources, such as Azure and Microsoft Graph, without needing secrets.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco

© 2019-present, CloudSecList by Marco Lancini.