Release Date: 24/07/2022 | Issue: 147
CloudSecList is a weekly newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand curated by Marco Lancini.
Sponsor

Like a search engine for your cloud configurations
With JupiterOne, you can search for answers about your cloud configurations in a single place, and save any query in a dashboard or as an alert. There is an endless number of queries you can make in JupiterOne, and you can start anytime with a free account.
Click here to set up your free JupiterOne account today

This week's articles


The Kubernetes Networking Guide
#explain, #kubernetes
The purpose of this website is to provide an overview of various Kubernetes networking components with a specific focus on exactly how they implement the required functionality.


Azure's Security Vulnerabilities Are Out of Control
#attack, #azure
Azure's multiple security vulnerabilities are highly concerning, for both customer data and the cloud's reputation. It's time we put public pressure on Azure.


Abusing the Replicator: Silently Exfiltrating Data
#attack, #aws
A comprehensive backup strategy is a cornerstone of any DR plan. But how would you distinguish between legitimate backup activity and malicious data exfiltration?
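As an added example for this entry (not code from the linked article), the snippet below answers the blurb's question in the plainest way a detection engineer would: parse CloudTrail records and flag the three API calls that move snapshot or backup data to another account, alerting only when the recipient is not on a trusted-account allowlist. The allowlist, the sample records and the choice of the three calls (ec2:ModifySnapshotAttribute, rds:ModifyDBSnapshotAttribute, backup:StartCopyJob) are this example's assumptions, not the article's.

```python
"""Flag CloudTrail events that hand snapshot or backup data to an untrusted
account. Added example, not code from the linked article.

Assumed/constructed: the trusted-account allowlist, the sample CloudTrail
records, and the selection of the three API calls worth watching."""
import json

# Accounts that may legitimately receive copies (assumption: your org's accounts).
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}


def _account_from_arn(arn):
    """Return the account-ID field of an ARN ('' if the ARN is malformed)."""
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def external_recipients(event, trusted=TRUSTED_ACCOUNTS):
    """Accounts outside `trusted` (or 'all' for public) that `event` shares data with.

    Recognised sharing paths; any other event yields an empty set:
    - ec2:ModifySnapshotAttribute   createVolumePermission.add -> userId / group=all
    - rds:ModifyDBSnapshotAttribute attributeName=restore, valuesToAdd
    - backup:StartCopyJob           destinationBackupVaultArn in another account
    """
    params = event.get("requestParameters") or {}
    name = event.get("eventName")
    recipients = set()
    if name == "ModifySnapshotAttribute":
        add = (params.get("createVolumePermission") or {}).get("add") or {}
        for item in add.get("items", []):
            if "userId" in item:
                recipients.add(str(item["userId"]))
            if item.get("group") == "all":
                recipients.add("all")
    elif name == "ModifyDBSnapshotAttribute" and params.get("attributeName") == "restore":
        recipients.update(str(v) for v in params.get("valuesToAdd", []))
    elif name == "StartCopyJob":
        recipients.add(_account_from_arn(params.get("destinationBackupVaultArn", "")))
    recipients.discard("")
    own = str(event.get("recipientAccountId", ""))
    # A copy that stays in the calling account or goes to a trusted one is normal DR.
    return {r for r in recipients if r != own and r not in trusted}


def scan_log_lines(lines, trusted=TRUSTED_ACCOUNTS):
    """Parse newline-delimited CloudTrail JSON records and return the alerts."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ext = external_recipients(rec, trusted)
        if ext:
            findings.append({
                "eventTime": rec.get("eventTime"),
                "eventName": rec["eventName"],
                "principal": (rec.get("userIdentity") or {}).get("arn", "unknown"),
                "externalRecipients": sorted(ext),
            })
    return findings


# Constructed sample records (not real CloudTrail output), trimmed to the fields used.
_ROLE = {"arn": "arn:aws:iam::111111111111:role/backup-role"}
_USER = {"arn": "arn:aws:iam::111111111111:user/contractor"}
SAMPLE_LOG = [
    json.dumps({"eventTime": "2022-07-20T10:00:00Z", "eventName": "CreateSnapshot",
                "recipientAccountId": "111111111111", "userIdentity": _ROLE,
                "requestParameters": {"volumeId": "vol-0aaa"}}),
    json.dumps({"eventTime": "2022-07-20T10:05:00Z", "eventName": "ModifySnapshotAttribute",
                "recipientAccountId": "111111111111", "userIdentity": _ROLE,
                "requestParameters": {"snapshotId": "snap-0bbb", "attributeType": "CREATE_VOLUME_PERMISSION",
                                      "createVolumePermission": {"add": {"items": [{"userId": "222222222222"}]}}}}),
    json.dumps({"eventTime": "2022-07-20T10:06:00Z", "eventName": "ModifySnapshotAttribute",
                "recipientAccountId": "111111111111", "userIdentity": _USER,
                "requestParameters": {"snapshotId": "snap-0ccc", "attributeType": "CREATE_VOLUME_PERMISSION",
                                      "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}}),
    json.dumps({"eventTime": "2022-07-20T10:07:00Z", "eventName": "ModifyDBSnapshotAttribute",
                "recipientAccountId": "111111111111", "userIdentity": _USER,
                "requestParameters": {"dBSnapshotIdentifier": "prod-db-final", "attributeName": "restore",
                                      "valuesToAdd": ["all"]}}),
    json.dumps({"eventTime": "2022-07-20T10:08:00Z", "eventName": "StartCopyJob",
                "recipientAccountId": "111111111111", "userIdentity": _ROLE,
                "requestParameters": {"destinationBackupVaultArn":
                                      "arn:aws:backup:eu-west-1:222222222222:backup-vault:dr-vault"}}),
]

if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG):
        print(finding)
```

On the constructed log, the two backup-role events (a share to a trusted account and a copy job into a trusted vault) stay quiet, while the contractor's share to 999999999999 and the public RDS snapshot ("all") are flagged. The allowlist is what encodes "legitimate backup" here; the API calls themselves look identical in both cases, which is exactly the article's point.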


User and workload identities in Kubernetes
#explain, #iam, #kubernetes
Article explaining how users and workloads can authenticate with the Kubernetes API server.


Minimal Container Images: Towards a More Secure Future
#build, #containers
This post walks through the typical approaches in this space: minimal distributions, scratch and distroless.


2022 Argo external security audit: Lessons learned
#attack, #ci/cd, #containers
Twenty-six issues were identified: seven in Argo CD, six in Argo Workflows, and thirteen in Argo Events. If you are curious, you can read the full report.

Tools


Build, sign, and compute the SBOM of a container image
A reusable GitHub Actions workflow that: builds a container image, scans it with Trivy, pushes it to ECR, signs it with cosign, and computes its SBOM with Syft.


PingCastleCloud
Ping Castle Cloud is a tool designed to quickly assess the Azure AD security level, with a methodology based on risk assessment and a maturity framework.


setup-opa
Sets up Open Policy Agent CLI in your GitHub Actions workflow.


cert-controller
The cert-controller library gives controller authors an easy way to bootstrap the TLS certificates their webhooks need, while still letting users opt for more customizable projects like cert-manager.

CloudSecDocs


Sigstore
A cheatsheet describing Sigstore's components, use cases, functioning, and implementation.

CloudSecBooks

I'm writing a book! 📖
The CloudSec Engineer will be a book on how to enter, establish yourself, and thrive in the cloud security industry as an individual contributor.
You can sign up to get updates and free samples of the book as I write it at: cloudsecbooks.com

From the cloud providers


AWS Icon  Best Practices for AWS Organizations Service Control Policies in a Multi-Account Environment
How you can plan your organization based on AWS best practices with recommended SCPs.


AWS Icon  Automatically block suspicious DNS activity with Amazon GuardDuty and Route 53 Resolver DNS Firewall
How to use Amazon Route 53 Resolver DNS Firewall to automatically respond to suspicious DNS queries that are detected by Amazon GuardDuty within your AWS environment.
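As an added example for this entry (not the blog post's code), the snippet below shows the response step of such an automation: given the EventBridge event for a GuardDuty DNS finding, it extracts and normalises the queried domain and adds it, plus a wildcard for its subdomains, to a Route 53 Resolver DNS Firewall domain list via the UpdateFirewallDomains API. The domain-list ID is a placeholder, the two events are constructed, and the set of finding types treated as blockable is this example's own selection.

```python
"""Respond to a GuardDuty DNS finding by adding the queried domain to a Route 53
Resolver DNS Firewall domain list. Added example, not the blog post's code.

Assumed/constructed: the domain-list ID (placeholder), the sample EventBridge
events, and the set of finding types treated as blockable."""
import re

FIREWALL_DOMAIN_LIST_ID = "rslvr-fdl-0123456789abcdef"  # placeholder, not a real list

# GuardDuty finding types whose dnsRequestAction.domain is worth blocking (our selection).
BLOCKABLE_TYPES = frozenset({
    "Backdoor:EC2/C&CActivity.B!DNS",
    "CryptoCurrency:EC2/BitcoinTool.B!DNS",
    "Trojan:EC2/DGADomainRequest.B",
    "Trojan:EC2/DNSDataExfiltration",
})

# Hostname sanity check so a malformed finding cannot inject junk into the list.
VALID_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9_-]{1,63}\.)+[a-z0-9-]{2,63}$")


def domain_to_block(event, blockable=BLOCKABLE_TYPES, min_severity=4.0):
    """Return the normalised domain from an EventBridge GuardDuty event, or None.

    None means: not a GuardDuty finding, type not in `blockable`, severity below
    the threshold, not a DNS_REQUEST action, or the domain is not a valid hostname.
    """
    if event.get("detail-type") != "GuardDuty Finding":
        return None
    detail = event.get("detail") or {}
    if detail.get("type") not in blockable:
        return None
    if float(detail.get("severity", 0)) < min_severity:
        return None
    action = (detail.get("service") or {}).get("action") or {}
    if action.get("actionType") != "DNS_REQUEST":
        return None
    domain = (action.get("dnsRequestAction") or {}).get("domain", "")
    domain = domain.strip().lower().rstrip(".")  # GuardDuty may report a trailing dot
    return domain if VALID_DOMAIN.match(domain) else None


def block_domain(domain, resolver_client, domain_list_id=FIREWALL_DOMAIN_LIST_ID):
    """Add the domain and a wildcard for its subdomains to the firewall domain list.

    `resolver_client` is boto3.client("route53resolver") in Lambda; anything exposing
    the same update_firewall_domains(**kwargs) call works, which keeps this testable.
    """
    entries = [domain, f"*.{domain}"]
    resolver_client.update_firewall_domains(
        FirewallDomainListId=domain_list_id, Operation="ADD", Domains=entries)
    return entries


def handler(event, resolver_client):
    """Lambda-style entry point: block if the finding is actionable, report what was done."""
    domain = domain_to_block(event)
    if domain is None:
        return {"blocked": None}
    return {"blocked": domain, "entries": block_domain(domain, resolver_client)}


class RecordingResolverClient:
    """Offline stand-in for the route53resolver client: records the calls it receives."""
    def __init__(self):
        self.calls = []

    def update_firewall_domains(self, **kwargs):
        self.calls.append(kwargs)
        return {"Status": "UPDATING"}


# Constructed events (not real GuardDuty output); only the fields used above are present.
C2_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "Backdoor:EC2/C&CActivity.B!DNS", "severity": 8,
               "service": {"action": {"actionType": "DNS_REQUEST",
                                      "dnsRequestAction": {"domain": "Evil-C2.example.", "protocol": "UDP"}}}},
}
API_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "Recon:IAMUser/MaliciousIPCaller", "severity": 5,
               "service": {"action": {"actionType": "AWS_API_CALL",
                                      "awsApiCallAction": {"api": "ListBuckets"}}}},
}

if __name__ == "__main__":
    client = RecordingResolverClient()
    print(handler(C2_EVENT, client), handler(API_EVENT, client))
    print(client.calls)
```

Two caveats a practitioner will want: the domain list only blocks anything once a DNS Firewall rule group with a BLOCK rule over that list is associated with the VPC, and both GuardDuty's DNS findings and DNS Firewall only see queries that go through the VPC's Route 53 Resolver, so an instance pointed at an external resolver bypasses this whole loop.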


AWS Icon  AWS Lambda announces support for Attribute-Based Access Control (ABAC)
AWS Lambda announces support for attribute-based access control (ABAC) for API actions that use a Lambda function as the required resource.


GCP Icon  Using Cloud Bigtable with IAM Conditions and Tags
Learn about limiting team members' access to Bigtable resources including more advanced techniques like conditional permissions.


GCP Icon  How to overcome 5 common SecOps challenges
Here are 5 common issues that many SecOps teams struggle with, and how to fix them.


Azure Icon  Microsoft open sources its software bill of materials (SBOM) generation tool
Salus is a general-purpose, enterprise-proven, build-time SBOM generator. It works across platforms including Windows, Linux, and Mac, and uses the standard Software Package Data Exchange (SPDX) format.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present, CloudSecList by Marco Lancini.