Release Date: 28/08/2022 | Issue: 152
CloudSecList is a weekly newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand curated by Marco Lancini.
Sponsor

Stolen credentials are the #1 cause of data breaches.
Teleport makes your infrastructure more secure, scalable and easier to use by eliminating static credentials like SSH keys and passwords and replacing them with biometric-based access.
The Teleport platform supports modern DevOps workflows so engineers love it. And with fewer credentials to steal, security teams can improve security and compliance.
Try Teleport Passwordless Infrastructure Access today at goteleport.com

This week's articles


OWASP Kubernetes Top 10
#defend, #kubernetes
The OWASP Kubernetes Top 10 is aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem. The Top Ten is a prioritized list of these risks backed by data collected from organizations varying in maturity and complexity.


A Kubernetes User's Guide to HashiCorp Nomad Secret Management
#build, #kubernetes, #vault
A comparison of the native secrets management functionality of Kubernetes with HashiCorp Vault, and of how HashiCorp Nomad can integrate with Vault compared to the Kubernetes+Vault integration.


Using nginx-ingress controller to restrict access by IP (ip whitelisting) for a service deployed to a Kubernetes (AKS) cluster
#build, #kubernetes
How to restrict access to certain client source IPs for a service deployed to an AKS cluster.


Crawl, walk, run: Operationalizing your IaC security program
#build, #iac
Learn how to operationalize your infrastructure as code security program with our rollout timeline and guidance for your first ninety days.


GitHub - SSH commit verification now supported
#announcement, #ci/cd
GitHub now supports SSH commit verification, so you can sign commits and tags locally using a self-generated SSH public key, which will give others confidence about the origin of a change you have made.


Kubernetes v1.25: Pod Security Admission Controller in Stable
#announcement, #kubernetes
The release of Kubernetes v1.25 marks a major milestone for Kubernetes out-of-the-box pod security controls: Pod Security admission (PSA) graduated to stable, and Pod Security Policy (PSP) has been removed.

Tools


popeye
Popeye is a utility that scans a live Kubernetes cluster and reports potential issues with deployed resources and configurations. It sanitizes your cluster based on what's deployed, not what's sitting on disk.


lazytrivy
LazyTrivy lets you scan all your local images at once from the comfort of an OK UI using Trivy.


bomber
Scans SBoMs for security vulnerabilities.


kubelogin
A Kubernetes credential (exec) plugin implementing Azure authentication.

I'm writing a book! 📖
The CloudSec Engineer will be a book on how to enter, establish yourself, and thrive in the cloud security industry as an individual contributor.
You can sign up to get updates and free samples of the book as I write it at: cloudsecbooks.com

From the cloud providers


AWS WAF Fraud Control - Account takeover prevention for Amazon CloudFront
AWS WAF Fraud Control - Account Takeover Prevention protects your application's login page against credential stuffing attacks, brute force attempts, and other anomalous login activities.


Identifying publicly accessible resources with Amazon VPC Network Access Analyzer
VPC Network Access Analyzer helps you understand potential network paths to and from your resources without having to build automation or manually review security groups, network access control lists (network ACLs), route tables, and Elastic Load Balancing (ELB) configurations.


How to centralize findings and automate deletion for unused IAM roles
How to apply resource tags on IAM roles and deploy serverless technologies on AWS to detect unused IAM roles and to require the owner of the IAM role (identified through tags) to take action.


Amazon CloudFront launches Origin Access Control (OAC)
Amazon CloudFront now offers Origin Access Control, a new feature that enables CloudFront customers to easily secure their S3 origins by permitting only designated CloudFront distributions to access their S3 buckets.


Announcing Virtual Machine Threat Detection now generally available to Cloud customers
Google announced that Virtual Machine Threat Detection (VMTD) in Security Command Center is now generally available for all Google Cloud customers.


Introducing general availability of Google Cloud Certificate Manager
Google Cloud Certificate Manager can help users acquire and manage TLS certificates at scale for use with Cloud Load Balancing. Now in general availability, it includes Terraform automation and self-service ACME certificate enrollment.


Controls to restrict access to individually approved APIs
How to restrict access to individually approved Google APIs using the Organization Policy Service and other network controls.


Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps
How Microsoft Defender for Cloud Apps data can help hunt for and mitigate the risk of compromised subscriptions.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present, CloudSecList by Marco Lancini.