Release Date: 06/02/2022 | Issue: 123
CloudSecList is a weekly newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand curated by Marco Lancini.
Sponsor

The State of the Cloud Security Report:
Cloud security teams keep getting asked to do more with what they have. Environments are growing more complex and changing constantly. IaC and CI/CD introduced a development lifecycle that must be secured. And hackers are exploiting deeper design flaws to expand the blast radius of seemingly simple misconfigurations. Fugue can help.
How do your experiences compare with your peers in the industry? How are they meeting similar challenges? Get these insights and more. Download the State of Cloud Security Report.

This week's articles


Testing Infrastructure-as-Code Using Dynamic Tooling
#aws, #ci/cd, #defend, #terraform
NCC released a project called Aerides, which demonstrates how to integrate LocalStack and dynamic tools for assessing IaC. Aerides includes mock infrastructure for a web service that is written using Terraform's HCL. It is hosted on GitHub and uses GitHub Actions to perform automatic tests for pull requests.


Defense Against Novel Threats: Redesigning CI at Mercari
#build, #ci/cd, #strategy, #supply-chain
Article discussing the effort to build Mercari's next generation CI system and some of their engineering solutions towards this effort. It also explores supply chain security as an increasingly important area of focus for CI/CD engineers.


Attack trend alert: AWS-themed credential phishing technique
#attack, #aws
They're at it again. This time attackers are phishing for credentials by sending fake AWS log-in pages to unsuspecting users.


Ransomware-resistant backups with duplicity and AWS S3
#aws, #defend
Why you should care about ransomware attacks even for irrelevant internet-connected systems, and how to use duplicity with AWS S3 to create ransomware-resistant backups.


How To Verify Cosigned Container Images In Amazon ECS
#aws, #build, #containers
How to verify signed images in Amazon Elastic Container Service, with cosign.


AWS IAM: Best practices
#aws, #explain, #iam
Some approaches on how to manage IAM policies at scale, how these approaches/practices will affect access management and how to include these practices in an existing or new setup.


Bypassing the AWS WAF protection with an 8KB bullet
#attack, #aws
The AWS WAF and Shield service can be used to protect web applications against a lot of different types of attacks. However, it has a limitation on the size of the packet that it can inspect that could result in attackers being able to bypass its protection features.


GCP - Specifying an expiry time for user-managed keys
#gcp, #iam
It is now (finally!) possible to specify a default expiry for service account keys.


Falco 0.31.0 a.k.a. "the Gyrfalcon"
#announcement, #falco
Falco 0.31.0 got released, introducing a brand new plugin system, as well as drivers and libs improvements.

Tools


Identity Federation for CI on AWS
A small Terraform module which automates the setup of OIDC federation between AWS and Github Actions/Gitlab CI


kubelogin
kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login).


kustomizegoat
Vulnerable Kustomize Kubernetes templates for training and education.


gcp_iam_update_bot
Tweets when new GCP IAM updates are found.

CloudSecDocs


Falco
A page covering its installation, Rules, Exceptions, Alerts, and Sidekick.

From the cloud providers


AWS Icon  Security practices in AWS multi-tenant SaaS environments
Post reviewing the challenges, opportunities and best practices for the unique security considerations associated with a multi-tenant SaaS application, and describes specific identity considerations, as well as tenant isolation methods.


AWS Icon  Creating Disaster Recovery Mechanisms Using Amazon Route 53
How to use updates to DNS for effective disaster recovery, and highlights principles and best practices you should adopt when following this approach.


AWS Icon  How to deploy AWS Network Firewall to help protect your network from malware
How to use custom Suricata Rules with AWS Network Firewall to add protections that prevent users from downloading malware.


AWS Icon  How to configure rotation windows for secrets stored in AWS Secrets Manager
Two ways with which you can specify a custom rotation window to rotate your secret, and how you can set up a custom rotation window for existing secrets.


GCP Icon  Introducing Certificate Manager to simplify SaaS scale TLS and certificate management
Cloud Certificate Manager lets GCP users acquire and manage TLS certificates for use with Cloud Load Balancing.


GCP Icon  Meet data sovereignty requirements with Assured Workloads for EU on Google Cloud
Assured Workloads for EU on Google Cloud is now generally available to help address customer requirements for data residency and data sovereignty.


GCP Icon  Google CloudSQL Auth Proxy - A resilient approach
Google Cloud SQL Auth proxy is a binary that provides IAM-based authorization and encryption when connecting to a Cloud SQL instance.


Azure Icon  Announcing the public preview of Microsoft Azure Payment HSM service
Microsoft announced Azure Payment HSM, a "BareMetal" service delivered using Thales payShield 10K payment HSMs to provide cryptographic key operations for real-time, critical payment transactions in the Azure cloud.


Azure Icon  Improve your security defenses for ransomware attacks with Azure Firewall
Azure Firewall Premium has hundreds of signatures that are designed to detect C&C connectivity and block it to prevent the attacker from encrypting customers' data.


Azure Icon  Enabling Zero Trust with Azure network security services
Post describing some Azure network security services that help organizations to address Zero Trust.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
Forward Forward
Twitter Tweet
Share Share
Website
Twitter
View this email in your browser © 2019-present, CloudSecList by Marco Lancini.