Release Date: 14/08/2022 | Issue: 150
CloudSecList is a weekly newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand curated by Marco Lancini.
Sponsor

Eliminate passwords and other static credentials like SSH keys from your infrastructure, making it more secure, scalable, and easier to use. Stolen credentials are the #1 cause of data breaches — open-source Teleport makes it easy to ditch secrets and embrace identity. Teleport is an open-source secure access plane that consolidates connectivity, authentication, authorization, and audit into a single platform improving security, agility, and engineering productivity.
Try Teleport today at goteleport.com

This week's articles


Open Cybersecurity Schema Framework
#announcement, #defend
A number of organizations (like AWS) announced the release of the Open Cybersecurity Schema Framework (OCSF) project, which includes an open specification for the normalization of security telemetry across a wide range of security products and services, as well as open-source tools that support and accelerate the use of the OCSF schema.


The cloud has an isolation problem: PostgreSQL vulnerabilities affect multiple cloud vendors
#attack, #azure, #gcp
How Wiz Research uncovered multiple related vulnerabilities in PostgreSQL-as-a-Service offerings from GCP, Azure, and others.


Controlling the Source: Abusing Source Code Management Systems
#attack, #ci/cd
Post detailing a few ways to abuse some of the most popular source code management systems to perform various attack scenarios, like: reconnaissance, manipulation of user roles, repository takeover, pivoting to other DevOps systems, user impersonation, and maintaining persistent access.


How to manage Route53 hosted zones in a multi-account environment
#aws, #build
How to manage Route53 hosted zones in a multi-account environment so each account has full authority over its subdomain.


AWS Account Setup and Root User
#aws, #build
A guide through the introductory steps to configure contacts for an AWS account & secure the root user.


Scaling our security detection pipeline with Sigma
#iac, #monitor
This post explains how Monzo scaled their detection rules using Sigma.


Load external data into OPA: The Good, The Bad, and The Ugly
#build, #opa
There are several ways to create a data fetching mechanism for OPA - each of them has its pros and cons.


Security Considerations For Hosting Domain Controllers In Cloud
#defend, #design
While Domain Controllers might not be something that new organizations, those born in the cloud, would rely on today, it seems common for most existing organizations that seek to migrate.


Introducing Sentinel Policies to the Terraform Registry (Beta)
#announcement, #terraform
Terraform Sentinel policies are now available in the Terraform Registry so you can publish policies you want to share and search the Registry for policies you need.

Tools


postee
Simple message routing system that receives input messages through a webhook interface and can enforce actions using predefined outputs via integrations.


k8s-digester
Add digests to container and init container images in Kubernetes pod and pod template specs. Use either as a mutating admission webhook, or as a client-side KRM function with kpt or kustomize.


assisted-log-enabler-for-aws
Find AWS resources that are not logging, and turn them on.


monkey365
Monkey365 provides a tool for security consultants to easily conduct Microsoft 365, Azure subscriptions and Azure Active Directory security configuration reviews.

Sponsor

Build vs Buy: 3 Key Criteria for DNS Security
DNS is critical for your application and business strategy on the Internet and Intranet. When using DNS in the Cloud, security cannot be overlooked. This blog arms cloud architects and security practitioners with recommendations and best practices for DNS security in the cloud.
Read the Blog

From the cloud providers


AWS Icon  Field Notes: Enroll Existing AWS Accounts into AWS Control Tower
How to enroll your existing AWS accounts and accounts within the unregistered OUs in your AWS organization under AWS Control Tower programmatically.


AWS Icon  Now programmatically manage primary contact information on AWS accounts
It is now possible to view and update primary contact information on their AWS accounts using AWS CLI and AWS SDK.


AWS Icon  Web application access control patterns using AWS services
Three solution architecture patterns that prevent unauthorized clients from gaining access to web application backend servers.


AWS Icon  Codify your best practices using service control policies
SCP examples that relate to three well-architected pillars: operational excellence, security, & cost management.


AWS Icon  Delegate account factory creation to parts of your organization with AWS Control Tower
How to delegate AWS Control Tower's Account Factory to a specific part of your AWS estate. This enables and empowers local teams to create accounts while providing assurances that best practices and foundational baselines are adhered to.


GCP Icon  Identity & Access management: Authentication with Cloud Identity
A bird's eye view of authentication options in Google Cloud.


Azure Icon  Public preview: Manage your Log Analytics data export rules in Azure portal
Data export rules in Azure Monitor log analytics can now be configured and managed directly via Azure Portal with ease.


Azure Icon  General availability: AKS support for Secrets Store CSI driver
Easily integrate secrets stores into your Azure Kubernetes Service (AKS) so you can securely access your secrets via the container's file system.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
Forward Forward
Twitter Tweet
Share Share
Website
Twitter
View this email in your browser © 2019-present, CloudSecList by Marco Lancini.