Release Date: 17/04/2022 | Issue: 133
CloudSecList is a weekly newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand curated by Marco Lancini.
Sponsor

The growing problem of secrets sprawling in corporate repositories
Credentials are a nightmare for security engineers because they can end up in so many places: build, monitoring, or runtime logs, stack traces, and … git history.
“Secrets detection is a very essential part of security. It’s one of the basics that you need to cover all the time. Otherwise, you’re going to expose your endpoints online and you’re going to suffer endless attacks. When it comes to application development, secrets detection is essential to a security program. You need to have it. Otherwise, you’ll fail.” — Abbas Haidar, Head of InfoSec
Download the Report, it’s Ungated!

This week's articles


The Principle of Ephemerality
#containers, #kubernetes, #supply-chain
TL;DR: Everything that can be ephemeral, should be ephemeral.


How to SLSA
#explain, #supply-chain
Three-part series exploring how three fictional organizations would apply SLSA to meet their different needs: Part 1 - The Basics, Part 2 - The Details, Part 3 - Putting it all together.


Cross-account role trust policies should trust AWS accounts, not roles
#aws, #explain, #iam
A role trust policy that trusts a specific principal suggests that only that source principal has access to it, but it does not control access to that source principal, and so makes it seem like it limits access when it may not.


AWS Security Fundamentals
#aws, #explain
Self-paced course to learn fundamental AWS cloud security concepts, including AWS access control, data encryption methods, and how network access to your AWS infrastructure can be secured.


Istio and OAuth2-Proxy in Kubernetes for microservice authentication
#build, #kubernetes
How to use Istio and OAuth2-Proxy to secure all your micro-service endpoints in a centralized and easily managed way on Kubernetes.


CVE-2022-25165: Privilege Escalation to SYSTEM in AWS VPN Client
#attack, #aws
The AWS VPN Client application is affected by an arbitrary file write as SYSTEM, which can lead to privilege escalation.


AWS RDS Vulnerability Leads to AWS Internal Service Credentials
#attack, #aws
Lightspin's Research Team obtained credentials to an internal AWS service by exploiting a local file read vulnerability on the RDS EC2 instance using the log_fdw extension.


Abusing Azure Hybrid Workers for Privilege Escalation - Part 2: An Azure PrivSec Story
#attack, #azure
The NetSPI team recently discovered a set of issues that allows any Azure user with the Subscription Reader role to dump saved credentials and certificates from Automation Accounts. In cases where Run As accounts were used, this allowed for a Reader to Contributor privilege escalation path.

Tools


cicd-goat
A deliberately vulnerable CI/CD environment. You can also refer to the companion blog post.


semgrep-rules
A collection of Semgrep rules to facilitate vulnerability research.


cf-lambda-public-url-prohibited
Detect publicly accessible Lambda Function URLs in your AWS account.


fireprox
AWS API Gateway management tool for creating on the fly HTTP pass-through proxies for unique IP rotation.


awesome-policy-as-code
A curated list of policy-as-code resources like blogs, videos, and tools to practice on for learning Policy-as-Code.

Sponsor

Securing Containers and Cloud for Dummies
Trying to Make Sense of Cloud and Container Security? To develop and operate securely in the cloud requires addressing blind spots across multi-cloud infrastructure. Read this comprehensive eBook to help demystify complex cloud topics to secure your cloud and containers.
Access Now

From the cloud providers


AWS Icon  Building SAML federation for Amazon OpenSearch Dashboards with Okta
Step-by-step guidance to enable SP-initiated single sign-on (SSO) into OpenSearch Dashboards using Okta.


AWS Icon  Enriching Amazon Cognito features with an Amazon API Gateway proxy
How to pass calls to Amazon Cognito through a lightweight proxy. This pattern allows you to augment identity flows in your system with additional processing without having to change the client or the backend.


AWS Icon  Automatically resolve Security Hub findings for resources that no longer exist
How to automatically resolve AWS Security Hub findings for previously deleted AWS resources. By using an event-driven solution, you can automatically resolve findings for AWS and third-party service integrations.


GCP Icon  Automatic data risk management for BigQuery using DLP
Automatic DLP for BigQuery, a fully managed service that continuously scans your data to give visibility of data risk, is now generally available.


GCP Icon  What's new with Cloud EKM
A roundup of major functionality that has been added to Cloud EKM since it was first launched to GA.


GCP Icon  Workload Identity Federation for On-Premise Workloads with SPIFFE
How SPIFFE solves interoperability by combining SPIFFE and Google Workload Identity, to allow on-premise workloads to communicate with GCP APIs.


Azure Icon  Generally available: Azure Static Web Apps support for private endpoints
Private endpoints enable clients on an Azure virtual network to securely access Azure Static Web Apps through an IP address in the virtual network's address space over a private link.


Azure Icon  Public preview: Azure Monitoring Agent supports custom and IIS logs
Azure Monitoring Agent (AMA) is a native way to collect log files for Log Analytics. This new custom and IIS log capability is designed for you to collect text-based logs generated in your service or application.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
Forward Forward
Twitter Tweet
Share Share
Website
Twitter
View this email in your browser © 2019-present, CloudSecList by Marco Lancini.