Release Date: 27/02/2022 | Issue: 126
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Upgrade your CI/CD pipeline with Automated Secret Detection
Organizations pour a lot of resources and effort into preventing external threats. In fact, the vast majority of security failures are caused by well-meaning employees or contractors making innocent mistakes. Harden security of the Software Development Lifecycle with an automated secrets detection and remediation solution.
  • 350+ supported types of secrets and sensitive files
  • Historical scanning & real-time monitoring for GitHub, GitLab, and Bitbucket repositories
  • CI/CD pipelines hardening
150k+ developers trust GitGuardian - #1 security app on the GitHub Marketplace.
Scan your repositories for secrets Now

This week's articles


Balancing Safety and Velocity in CI/CD at Slack   #ci/cd, #design
A story of evolving socio-technical workflows that increased developer velocity and redefined confident testing and deploy workflows at Slack.


The best free, open-source supply-chain security tool? The lockfile   #ci/cd, #defend, #supply-chain
Lockfiles: the best investment you can make for supply chain security.


Cloud 9: Top Cloud Penetration Testing Tools   #attack
Here are nine cloud pen testing tools used by pentesters in 2022, and additional resources for enhancing your cloud pentesting skills.


Exploiting Jenkins build authorization   #attack, #ci/cd
The default build authorization configuration in Jenkins, controlling the permissions allocated to pipelines, is insecure and is often left unmodified in production environments.


Fantastic Infrastructure as Code security attacks and how to find them   #attack, #ci/cd, #defend, #terraform
Learn about possible attack scenarios in Infrastructure as Code and GitOps environments, evaluate tools and scanners with Terraform, Kubernetes, etc., and more.


Container Security Checklist: From the image to the workload   #ci/cd, #defend
Checklist for container security and devsecops practices.


Are AWS account IDs sensitive information?   #aws, #explain
One of the often-debated questions in AWS is whether AWS account IDs are sensitive information or not, and the question has been oddly difficult to answer definitively.


Google Cloud: configuring workload identity federation with Azure   #azure, #build, #gcp, #iam
How to configure workload identity federation with Azure (OIDC-compliant IdP) so workloads running on an Azure VM can impersonate a service account to perform operations on a Google Cloud resource.

Tools


Whorf - Checkov implementation of a Kubernetes admission controller
A K8s admission controller for security and operational best practices (Based on Checkov). You can also refer to the companion blog post.


mizu
API traffic viewer for Kubernetes enabling you to view all API communication between microservices. Think TCPDump and Wireshark re-invented for Kubernetes.


aws-cloudsaga
AWS CloudSaga is for customers to test security controls and alerts within their AWS environment, using generated alerts based on security events seen by the AWS Customer Incident Response Team (CIRT).


granted
Granted is a command line interface (CLI) application which simplifies access to cloud roles and allows multiple cloud accounts to be opened in your web browser simultaneously.


amazon-where-services
Automated determination of which AWS services run where.


From the cloud providers


AWS: Automate and centrally manage data protection for Amazon S3 with AWS Backup
With AWS Backup for Amazon S3 now being generally available, you can centralize data protection for your application data stored in Amazon S3 alongside other AWS services for storage, compute, and databases and meet your business continuity goals.


AWS: AWS Organizations console now lets users centrally manage alternate contacts on AWS accounts
The AWS Organizations console now allows you to centrally view and update the alternate contacts for your AWS accounts.


AWS: Let's Architect! Architecting for Security
Post collecting security content to help you protect data, manage access, protect networks and applications, detect and monitor threats, and ensure privacy and compliance.


AWS: Managing IP pools across VPCs and Regions using Amazon VPC IP Address Manager
Amazon VPC IPAM helps you plan, track & monitor IP addresses for your AWS workloads, in a single pane view, across AWS Regions & accounts in your organization.


GCP: Strengthen protection for your GCE VMs with new FIDO security key support
FIDO security keys can be used to authenticate to Google Compute Engine (GCE) virtual machine (VM) instances that use the OS Login service.


GCP: Protecting customers against cryptomining threats with VM Threat Detection in Security Command Center
Extending threat detection in Security Command Center with Virtual Machine Threat Detection.


GCP: Cloud SQL launches support for IAM Conditions and Tags
With IAM Conditions and Tags, you have powerful tools to institute finer-grained administrative and connection access control for your databases.


Azure: Observability from cloud to edge in Azure
Some use cases for Azure Monitor.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco

© 2019-present, CloudSecList by Marco Lancini.