Release Date: 12/06/2022 | Issue: 141
Know someone who'd find this useful? Forward this email
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
It's official: I'm writing a book! ๐Ÿ“–
"The CloudSec Engineer" will be a book on how to enter, establish yourself, and thrive in the cloud security industry as an individual contributor.
You can sign up to get updates and free samples of the book as I write it at: cloudsecbooks.com
Sponsor

JupiterOne: Cyber asset context and visibility for the cloud
As companies expand to the cloud, asset visibility worsens. The JupiterOne Cyber Asset Management Platform helps you get it back.
Answer complex security and infrastructure questions, understand the contextual relationships between assets, and build the foundation for your security program with JupiterOne. Get started with your free account today

This week's articles


A Deep Dive into Temporal's Access Control Strategy in AWS
Some insights into Temporal's strategy for securing their cloud environment, as well as a call for attention to an unexpected facet of AWS access policies encountered along the way.   #aws   #iam


Guide to Digital Forensics Incident Response in the Cloud
Post covering the differences between cloud forensics and forensics in on-premises systems.   #defend   #strategy


The Philosophy of Prevention
An interesting post covering some limitations and use-cases for SCPs and auto-remediation tools.   #aws   #defend   #design


Introducing Entitlements: GitHub's open source Identity and Access Management solution
Github open sourced their Identity and Access Management solution (called "Entitlements"), which uses a Git repository for the source-of-truth, declarative authorizations, and seamless integration with GitHub.com for approvals and audits.   #announcement   #ci/cd   #iam


MongoDB Field Level Encryption with HashiCorp Vault KMIP Secrets Engine
With MongoDB releasing client-side field level encryption with KMIP support, Vault users can now use its KMIP secrets engine to supply the encryption keys. This allows to be in full control of the keys.   #announcement   #build   #vault


cloud-middleware-dataset
This project contains cloud middleware (i.e. agents installed by cloud security providers) used across the major cloud service providers (Azure, AWS and GCP).   #aws   #azure   #explain   #gcp


Awesome-Azure-Pentest
A collection of resources, tools and more for penetration testing and securing Microsoft's cloud platform.   #attack   #azure


Managed Identity Attack Paths
A three part blog series exploring attack paths that emerge out of Managed Identity assignments in three Azure services.   #attack   #azure


Bypassing eBPF-based Security Enforcement Tools
Post explaining the limitations of eBPF security enforcement tools and demonstrates bypass techniques with Tetragon.   #attack   #containers


Use CloudTrail to Pivot to AWS Accounts
How to utilize the AWS CloudTrail service to discover other AWS accounts that you could pivot to.   #attack   #aws


An Easy Misconfiguration to Make: Hidden Dangers in the Cloud Control Plane
The biggest risk in cloud development is not recognizing the differences between cloud and traditional definitions of common architecture terms.   #attack   #gcp


Enumeration and lateral movement in GCP environments
A pentest write up describing how it was possible to compromise a hybrid GCP hosted infrastructure using native GCP tools.   #attack   #gcp

Tools


ggshield
Detect secrets in source code, scan git repos, and use pre commit hooks to prevent API key leaks.


cloud-foundation-fabric
End-to-end modular samples for Terraform on GCP.


trdl
An universal solution for delivering your software updates securely from a trusted The Update Framework (TUF) repository.


kubectl-tree
kubectl plugin to browse Kubernetes object hierarchies as a tree.

From the cloud providers


#AWS   Get more out of service control policies in a multi-account environment
Walkthrough of different techniques that you can use to get more out of AWS Organizations service control policies (SCPs) in a multi-account environment.


#AWS   Let's Architect! Architecting for governance and management
Content to help software architects and tech leaders explore new ideas, case studies, and technical approaches to help you support production implementations for large-scale migrations.


#AWS   Correlate IAM Access Analyzer findings with Amazon Macie
How to detect when unintended access has been granted to sensitive data in S3 buckets.


#AWS   AWS Security Hub now receives AWS Config managed and custom rule evaluation results
AWS Security Hub now automatically receives AWS Config managed and custom rule evaluation results as security findings.


#GCP   Updates coming for Authorized Networks and Cloud Run/Functions on GKE
After a reported vulnerability, Google will soon limit access to GKE-related services and block access from Cloud Run and Cloud Functions.


#AZURE   Group membership in a dynamic group (preview) in Azure Active Directory
How to create a dynamic membership group that can contain members of other groups in Azure Active Directory.


#AZURE   Virtual desktop infrastructure security best practices
One of the most popular options for organizations who want to offer remote work options is virtual desktop infrastructure or VDI. In this blog, get an overview of VDI and learn security best practices.


#AZURE   General availability: Azure Bastion IP based connection
You can now use Azure Bastion to connect to on-premises resources over ExpressRoute and Site-to-Site VPN.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! ๐Ÿ‘Œ

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
ยฉ 2019-present CloudSecList ยท Marco Lancini