Release Date: 12/06/2022 | Issue: 141

CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:

It's official: I'm writing a book! 📖
"The CloudSec Engineer" will be a book on how to enter, establish yourself, and thrive in the cloud security industry as an individual contributor.
You can sign up to get updates and free samples of the book as I write it at: cloudsecbooks.com

Sponsor

JupiterOne: Cyber asset context and visibility for the cloud
As companies expand to the cloud, asset visibility worsens. The JupiterOne Cyber Asset Management Platform helps you get it back.
Answer complex security and infrastructure questions, understand the contextual relationships between assets, and build the foundation for your security program with JupiterOne. Get started with your free account today

This week's articles

A Deep Dive into Temporal's Access Control Strategy in AWS #aws, #iam

Some insights into Temporal's strategy for securing their cloud environment, as well as a call for attention to an unexpected facet of AWS access policies encountered along the way.

Guide to Digital Forensics Incident Response in the Cloud #defend, #strategy

Post covering the differences between cloud forensics and forensics in on-premises systems.

The Philosophy of Prevention #aws, #defend, #design

An interesting post covering some limitations and use-cases for SCPs and auto-remediation tools.

Introducing Entitlements: GitHub's open source Identity and Access Management solution #announcement, #ci/cd, #iam

Github open sourced their Identity and Access Management solution (called "Entitlements"), which uses a Git repository for the source-of-truth, declarative authorizations, and seamless integration with GitHub.com for approvals and audits.

MongoDB Field Level Encryption with HashiCorp Vault KMIP Secrets Engine #announcement, #build, #vault

With MongoDB releasing client-side field level encryption with KMIP support, Vault users can now use its KMIP secrets engine to supply the encryption keys. This allows to be in full control of the keys.

cloud-middleware-dataset #aws, #azure, #explain, #gcp

This project contains cloud middleware (i.e. agents installed by cloud security providers) used across the major cloud service providers (Azure, AWS and GCP).

Awesome-Azure-Pentest #attack, #azure

A collection of resources, tools and more for penetration testing and securing Microsoft's cloud platform.

Managed Identity Attack Paths #attack, #azure

A three part blog series exploring attack paths that emerge out of Managed Identity assignments in three Azure services.

Bypassing eBPF-based Security Enforcement Tools #attack, #containers

Post explaining the limitations of eBPF security enforcement tools and demonstrates bypass techniques with Tetragon.

Use CloudTrail to Pivot to AWS Accounts #attack, #aws

How to utilize the AWS CloudTrail service to discover other AWS accounts that you could pivot to.

An Easy Misconfiguration to Make: Hidden Dangers in the Cloud Control Plane #attack, #gcp

The biggest risk in cloud development is not recognizing the differences between cloud and traditional definitions of common architecture terms.

Enumeration and lateral movement in GCP environments #attack, #gcp

A pentest write up describing how it was possible to compromise a hybrid GCP hosted infrastructure using native GCP tools.

Tools

ggshield

Detect secrets in source code, scan git repos, and use pre commit hooks to prevent API key leaks.

cloud-foundation-fabric

End-to-end modular samples for Terraform on GCP.

trdl

An universal solution for delivering your software updates securely from a trusted The Update Framework (TUF) repository.

kubectl-tree

kubectl plugin to browse Kubernetes object hierarchies as a tree.

From the cloud providers

Get more out of service control policies in a multi-account environment

Walkthrough of different techniques that you can use to get more out of AWS Organizations service control policies (SCPs) in a multi-account environment.

Let's Architect! Architecting for governance and management

Content to help software architects and tech leaders explore new ideas, case studies, and technical approaches to help you support production implementations for large-scale migrations.

Correlate IAM Access Analyzer findings with Amazon Macie

How to detect when unintended access has been granted to sensitive data in S3 buckets.

AWS Security Hub now receives AWS Config managed and custom rule evaluation results

AWS Security Hub now automatically receives AWS Config managed and custom rule evaluation results as security findings.

Updates coming for Authorized Networks and Cloud Run/Functions on GKE

After a reported vulnerability, Google will soon limit access to GKE-related services and block access from Cloud Run and Cloud Functions.

Group membership in a dynamic group (preview) in Azure Active Directory

How to create a dynamic membership group that can contain members of other groups in Azure Active Directory.

Virtual desktop infrastructure security best practices

One of the most popular options for organizations who want to offer remote work options is virtual desktop infrastructure or VDI. In this blog, get an overview of VDI and learn security best practices.

General availability: Azure Bastion IP based connection

You can now use Azure Bastion to connect to on-premises resources over ExpressRoute and Site-to-Site VPN.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco

Forward

This week's articles

Tools

From the cloud providers

Thanks for reading!

How did you like this issue of CloudSecList?

1 2 3 4 5