Release Date: 08/05/2022 | Issue: 136
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Interested in beta testing a new Cloudflare security product?
Cloudflare is excited to share a new opportunity to try out one of our latest platform additions, Cloudflare CASB. This new product gives IT and security teams a ridiculously easy way to connect their SaaS apps - like Google Workspace and Microsoft 365 - and scan them for critical security issues and risks, like misconfigurations, insecure file sharing, and shadow IT.
Sound like something that could help at your organization?
Please visit and submit our beta access form to get started!

This week's articles


Old Services, New Tricks: Cloud Metadata Abuse by UNC2903
Mandiant identified exploitation of public-facing web applications by threat actors (UNC2903) to harvest credentials using Amazon's Instance Metadata Service (IMDS).   #attack   #aws


Compromising Read-Only Containers with Fileless Malware
Post exploring the mechanics and prevalence of malware fileless execution in attacking read-only containerized environments.   #attack   #containers


CloudFlare Pages, part 1: The fellowship of the secret
A 3-part series (see also Part 2 and Part 3) uncovering issues like: command injection, container escapes, GitHub tokens, Cloudflare's GitHub tokens, Cloudflare API keys to the Cloudflare organisation, and Cloudflare's Azure API tokens, amongst other things. You can also read Cloudflare's own writeup.   #attack   #cloudflare


SBOM + SLSA: Accelerating SBOM success with the help of SLSA
Post explaining the strengths of SBOMs and SLSA and how they fundamentally differ, and shows how SLSA principles can both support the generation of high-quality SBOMs and help consumers respond to supply chain attacks.   #defend   #supply-chain


Kubernetes signals massive adoption of Sigstore for protecting open source ecosystem
Kubernetes 1.24 will be the first release officially using Sigstore, enabling seamless verification of signatures to protect against supply chain attacks across the 5.6m developer community. This marks a huge shift toward verifiable infra.   #containers   #defend   #kubernetes   #supply-chain


Increasing the security bar in Ingress-NGINX v1.2.0
The Ingress may be one of the most targeted components of Kubernetes. While its risks are well understood, it's not an easy process to tackle them, so the Kubernetes community took another approach to reduce (but not remove!) them in the current (v1.2.0) release: by isolating the NGINX service as a container inside the controller container.   #defend   #kubernetes


Bottlerocket Security Guidance
Recommendations, details, and examples to help you create a configuration that meets your security and compliance requirements.   #aws   #build


Limiting access to Kubernetes resources with RBAC
How to recreate the Kubernetes RBAC authorization model from scratch and practice the relationships between Roles, ServiceAccounts, RoleBindings, etc.   #explain   #iam   #kubernetes


Intro to OCI Reference Types
What is OCI? OCI stands for Open Container Initiative. This is a group which oversees a collection of open specifications relating to containers. If you have ever run an application on Kubernetes, then you have leveraged OCI.   #containers   #explain


Gaining Unlimited access to graph AuditLogs endpoint using complex filters with non-privileged user account
Another Azure vulnerability, this time allowing an unprivileged user to modify Graph search filters so that the user could access logs which would normally require admin roles.   #attack   #azure

Job Advert

Doyensec is an independent security research and development company focused on vulnerability discovery and remediation. We love what we do and we routinely take on difficult engineering challenges to help our customers build with security.
We are looking for a Cloud Security Engineer to join our team. We need someone who has a strong interest in auditing and researching cloud platforms and containerized environments.
More details: https://www.careers-page.com/doyensec-llc/job/L8X354RV

Tools


pre-commit-opa
Pre-commit git hooks for Open Policy Agent (OPA) and Rego development.


cloud-forensics-utils
Python library to carry out DFIR analysis on the Cloud.


ChopChop
ChopChop is a CLI to help developers scan endpoints and identify exposure of sensitive services/files/folders.


GitGoat
GitGoat enables DevOps and Engineering teams to test security products that intend to integrate with GitHub. GitGoat is a learning and training project that demonstrates common configuration errors that can potentially allow adversaries to introduce code into production.

From the cloud providers


#AWS   AWS Well-Architected Labs - Security
Hands on labs and real world design scenarios for Well-Architected workloads.


#AWS   Authenticate AWS Client VPN users with AWS Single Sign-On
How to integrate Client VPN with an existing AWS Single Sign-On via a custom SAML 2.0 application to authenticate and authorize Client VPN connections and traffic.


#AWS   Disabling Security Hub controls in a multi-account environment
An automated process for disabling or enabling selected AWS Security Hub controls across multiple accounts and multiple regions.


#AWS   Implement OAuth 2.0 device grant flow by using Amazon Cognito and AWS Lambda
How to implement the OAuth 2.0 device authorization grant flow for Amazon Cognito by using AWS Lambda and Amazon DynamoDB.


#GCP   Introducing SWIFT on Google Cloud
Introducing SWIFT on Google Cloud - modernize your payments by bringing them to the cloud.


#GCP   CIS hardening support in Container-Optimized OS from Google
Google's latest Container-Optimized OS release supports CIS benchmark compliance and can provide continuous CIS scanning capabilities.


#AZURE   Customize your secure VM session experience with native client support on Azure Bastion
Azure Bastion is a fully managed jumpbox-as-a-service that provides secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to your VMs in local or peered virtual networks. With native client support available on the Standard SKU for Azure Bastion, you now unlock customizable features and added functionality in your VM sessions.


#AZURE   Intelligent application protection from edge to cloud with Azure Web Application Firewall
Microsoft has been evolving Azure Web Application Firewall (Azure WAF), a cloud-native, self-managed security service to protect your applications and APIs running in Azure or anywhere else, from the network edge to the cloud.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini