Release Date: 27/03/2022 | Issue: 130
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
🔥 Okta's week in the spotlight 🔥
In the unlikely case you missed it, here are some resources to get up to speed with the alleged breach of Okta:
Sponsor

The best lessons come from experience.
7 cybersecurity leaders share their tales

In this exclusive eBook from JupiterOne, seven cybersecurity leaders share their stories of failure and success, roadmaps you can use to improve your cybersecurity programs, and their visions for the future of cybersecurity.
Download your copy of the Modern Cybersecurity eBook

This week's articles


What to look for when reviewing a company's infrastructure
A comprehensive guide that provides a structured approach to reviewing the security architecture of a multi-cloud SaaS company and finding its most critical components.   #aws   #azure   #gcp   #kubernetes   #strategy


How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects
An analysis of several popular open-source projects highlighted a lack of proper input sanitization in GitHub Actions workflows, allowing malicious actors to inject code into the builds through issues and comments, and to access privileged tokens.   #attack   #ci/cd
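The injection works because `${{ ... }}` expressions are expanded by the Actions runner before the shell ever sees the `run:` script, so an issue title containing a closing quote and a command becomes part of the script. As an added example (not code from the article or from the projects it analysed), the scanner below walks a constructed workflow, flags untrusted event contexts that land inside `run:` scripts, and shows the usual fix: pass the value through `env:` so the shell receives it as data. The list of untrusted contexts is a subset of the ones GitHub documents; the sample workflow is constructed for this example.

```python
"""Find script-injection sinks in GitHub Actions workflows and show the fix.

Added example, not the article's tooling. Attacker-controlled text (issue
title, comment body, branch name) interpolated with ${{ ... }} into a run:
script is expanded BEFORE the shell parses the script, so it can break out of
quotes and append commands. Passing it via env: keeps it as plain data.
"""
import re

# Subset of the expression contexts GitHub documents as attacker-controlled.
UNTRUSTED_CONTEXTS = [
    r"github\.event\.issue\.(?:title|body)",
    r"github\.event\.comment\.body",
    r"github\.event\.pull_request\.(?:title|body|head\.ref|head\.label)",
    r"github\.event\.review\.body",
    r"github\.event\.review_comment\.body",
    r"github\.event\.head_commit\.(?:message|author\.(?:name|email))",
    r"github\.head_ref",
]
EXPR_RE = re.compile(r"\$\{\{\s*(" + "|".join(UNTRUSTED_CONTEXTS) + r")\s*\}\}")
RUN_RE = re.compile(r"^(\s*)(- )?run:\s*(.*?)\s*$")
BLOCK_SCALAR_RE = re.compile(r"^[|>][+-]?$")  # run: |   run: >-   etc.

# Constructed sample workflow: one vulnerable step and its hardened twin.
SAMPLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Echo title (vulnerable)
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
          ./scripts/label.sh
      - name: Echo title (safe)
        env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $ISSUE_TITLE"
"""


def find_injections(workflow_text):
    """Return (line_number, context) for each untrusted expression inside a run: script.

    Line-based scan (no YAML library needed); block scalars such as `run: |`
    are tracked by indentation until a line dedents back to the key's level.
    """
    findings = []
    in_block, block_indent = False, 0
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        if in_block:
            indent = len(line) - len(line.lstrip(" "))
            if line.strip() and indent <= block_indent:
                in_block = False  # block scalar ended; handle this line normally
            else:
                findings += [(lineno, m.group(1)) for m in EXPR_RE.finditer(line)]
                continue
        m = RUN_RE.match(line)
        if not m:
            continue
        key_indent = len(m.group(1)) + (2 if m.group(2) else 0)
        value = m.group(3)
        if BLOCK_SCALAR_RE.match(value):
            in_block, block_indent = True, key_indent
        else:
            findings += [(lineno, e.group(1)) for e in EXPR_RE.finditer(value)]
    return findings


def env_name(context):
    """github.event.issue.title -> ISSUE_TITLE, github.head_ref -> HEAD_REF."""
    parts = [p for p in context.split(".") if p not in ("github", "event")]
    return "_".join(p.upper() for p in parts[-2:])


def harden_run_line(line):
    """Replace each untrusted expression with a shell variable; return the env: entries to add.

    The shell then gets the value as data. Quote the variable in the script as usual.
    """
    env = {}

    def to_var(m):
        name = env_name(m.group(1))
        env[name] = "${{ " + m.group(1) + " }}"
        return "$" + name

    return EXPR_RE.sub(to_var, line), env


if __name__ == "__main__":
    for lineno, ctx in find_injections(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ctx} expands inside a run: script")
    print(harden_run_line('echo "New issue: ${{ github.event.issue.title }}"'))
```

Run it against a real `.github/workflows/*.yml` by reading the file into `find_injections`; a step flagged here that also runs with a write-scoped `GITHUB_TOKEN` or repository secrets is the combination the article describes. Inputs to `with:` (for example `actions/github-script`) are a second sink this line-based scan does not cover.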


NSA, CISA release Kubernetes Hardening Guidance
The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report, the Kubernetes Hardening Guidance.   #defend   #kubernetes


Automagically Auditing GitHub (Actions) Security using OpenSSF Scorecards
How to use the OpenSSF Scorecards GitHub Action to audit your GitHub and GitHub Actions configuration, and a breakdown of some of the issues raised by it.   #ci/cd   #defend


Fantastic AWS Hacks and Where to Find Them
Getting started in AWS security, and how companies are getting hacked on AWS. You can also check a nice interactive mindmap.   #attack   #aws   #defend


Malicious Rego: OPA Supply Chain Attacks
Rego is designed for a very specific purpose, and thus its standard library is understandably not huge. Despite this, much like Terraform, it still has features an attacker can leverage for supply-chain attacks. Consumers of policies published by third parties should be aware of them.   #attack   #opa


Google Cloud Storage Explorer: Enumerating Google Cloud's Bucket Access Permissions
The 'Google Cloud Platform Storage Explorer' tool crawls all of your Google Cloud projects and enumerates the access permissions on their storage buckets, showing which identities can reach all of the storage data.   #attack   #gcp


Azure Dominance Paths
A comprehensive map of Azure and Azure AD attack paths.   #attack   #azure


OPA Rego + tfsec: Custom security policies for your infrastructure
Recently, tfsec added support for applying Rego policies to your Terraform code. Clear rules can be written against simple data structures, whilst providing the developer with a wealth of information in the event of a failure, such as path, line numbers, and highlighted code snippets.   #iac   #opa


HashiCorp Vault 1.10 Released
Vault 1.10 adds login MFA support, makes Vault an OIDC provider, adds support for PKI to use HSMs, and more.   #announcement   #vault

Tools


access-undenied-aws
Access Undenied parses AWS AccessDenied CloudTrail events, explains the reasons for them, and offers actionable remediation steps. You can also refer to the companion blog post.
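An AccessDenied event already carries most of what is needed to fix it: the error message names the principal, the action, the resource and (in the newer phrasing) the reason, and `userIdentity.sessionContext.sessionIssuer` points at the role whose policy actually needs the change. As an added example (not the tool's own code), the parser below extracts those fields, classifies the cause, and emits a minimal remediation. The events are constructed; their error-message wording follows the explicit "because no identity-based policy allows ..." / "with an explicit deny in ..." phrasing AWS uses, while the ARNs and account IDs are made up, and the fallback that builds the action from `eventSource` + `eventName` is a heuristic.

```python
"""Explain AWS AccessDenied CloudTrail events and propose a remediation.

Added example, not the access-undenied-aws tool's code. Sample events are
constructed for the example (made-up ARNs and account IDs).
"""
import json
import re

DENIED_CODES = {"AccessDenied", "AccessDeniedException",
                "Client.UnauthorizedOperation", "UnauthorizedOperation"}

# "User: <arn> is not authorized to perform: <action> on resource: <arn>
#  because no identity-based policy allows the <action> action"
#  ... or "... with an explicit deny in a service control policy"
MSG_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>[\w*-]+:[\w*-]+)"
    r"(?: on resource: (?P<resource>\S+))?"
    r"(?: (?:because|with) (?P<reason>.+))?$"
)

CAUSES = [  # (substring of the stated reason, cause label); checked in order
    ("service control policy", "scp_explicit_deny"),
    ("explicit deny in a resource-based policy", "resource_policy_explicit_deny"),
    ("explicit deny", "identity_policy_explicit_deny"),
    ("no resource-based policy allows", "resource_policy_missing_allow"),
    ("no identity-based policy allows", "identity_policy_missing_allow"),
]


def classify(reason):
    r = (reason or "").lower()
    return next((label for needle, label in CAUSES if needle in r), "unknown")


def policy_target(event):
    """IAM entity whose policy must change: the role behind an assumed-role session, else the principal."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn")


def explain(event):
    """Return None for non-denial events, else principal/action/resource/cause/remediation."""
    if event.get("errorCode") not in DENIED_CODES:
        return None
    m = MSG_RE.match(event.get("errorMessage", ""))
    if m:
        principal, action = m.group("principal"), m.group("action")
        resource, reason = m.group("resource"), m.group("reason")
    else:
        # Fallback (e.g. EC2's encoded failure message): derive the action from the
        # event. Heuristic: most IAM action names equal "<service>:<APIName>".
        principal = event.get("userIdentity", {}).get("arn")
        action = event["eventSource"].split(".")[0] + ":" + event["eventName"]
        resource, reason = None, None
    cause, target = classify(reason), policy_target(event)
    if cause == "identity_policy_missing_allow":
        remediation = {"attach_to": target, "statement": {
            "Effect": "Allow", "Action": [action], "Resource": [resource or "*"]}}
    elif cause == "identity_policy_explicit_deny":
        remediation = {"attach_to": target,
                       "text": f"remove the Deny covering {action} from policies attached to {target}"}
    elif cause == "scp_explicit_deny":
        remediation = {"text": f"an SCP denies {action}; only an OU/root SCP change can allow it"}
    elif cause in ("resource_policy_missing_allow", "resource_policy_explicit_deny"):
        remediation = {"text": f"the resource policy on {resource} must allow {action} for {target}"}
    else:
        remediation = {"text": "cause not stated; if the message is encoded, decode it with "
                               "aws sts decode-authorization-message --encoded-message <msg>"}
    return {"principal": principal, "action": action, "resource": resource,
            "cause": cause, "remediation": remediation}


# Constructed sample events.
S3_DENIED = {
    "userIdentity": {"type": "AssumedRole",
                     "arn": "arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc",
                     "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/AppRole"}}},
    "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:sts::123456789012:assumed-role/AppRole/i-0abc is not authorized "
                    "to perform: s3:GetObject on resource: arn:aws:s3:::my-bucket/secret.txt "
                    "because no identity-based policy allows the s3:GetObject action",
}
SCP_DENIED = {
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "errorCode": "AccessDenied",
    "errorMessage": "User: arn:aws:iam::123456789012:user/alice is not authorized to perform: "
                    "iam:CreateUser on resource: arn:aws:iam::123456789012:user/bob "
                    "with an explicit deny in a service control policy",
}
EC2_ENCODED = {
    "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
    "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
    "errorCode": "Client.UnauthorizedOperation",
    "errorMessage": "You are not authorized to perform this operation. "
                    "Encoded authorization failure message: AQoDYXdz...",
}

if __name__ == "__main__":
    for ev in (S3_DENIED, SCP_DENIED, EC2_ENCODED):
        print(json.dumps(explain(ev), indent=2))
```

Feed it real records by iterating over the `Records` array of a CloudTrail log file (or the hits of a CloudTrail Lake / Athena query filtered on `errorCode`). The SCP and resource-policy branches matter in practice: adding an Allow to the caller's identity policy does nothing when the denial comes from an SCP or from the resource's own policy.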


gke-poc-toolkit
The GKE Proof of Concept (PoC) Toolkit is a demo generator for Google Kubernetes Engine.


crfs
CRFS is a read-only FUSE filesystem that lets you mount a container image, served directly from a container registry (such as gcr.io), without pulling it all locally first.


enterprise-azure-policy-as-code
An enterprise-ready Azure Policy-as-Code (PaC) solution, including an Azure DevOps pipeline.

From the cloud providers


#AWS   How to Audit and Report S3 Prefix Level Access Using S3 Access Analyzer
To reduce risk and unintended access, you can use Access Analyzer for S3 to identify S3 buckets within your zone of trust (Account or Organization) that are shared with external identities.


#AWS   How to automate AWS Managed Microsoft AD scaling based on utilization metrics
How to automate scaling in AWS Managed Microsoft AD using utilization metrics from your directory, which can cost-effectively improve the resilience and performance of your directory.


#AWS   How to use AWS Security Hub and Amazon OpenSearch Service for SIEM
How you can use Security Hub with a SIEM to store findings for longer than 90 days, aggregate findings across multiple administrator accounts, and correlate Security Hub findings with each other and other log sources.


#GCP   Federated workload identity at scale made easy with CA Service
Google Cloud Certificate Authority Service has a simple solution for your workload certificate needs across cloud and on-premises environments.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini