Release Date: 28/08/2022 | Issue: 152
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Stolen credentials are the #1 cause of data breaches.
Teleport makes your infrastructure more secure, scalable and easier to use by eliminating static credentials like SSH keys and passwords and replacing them with biometric-based access.
The Teleport platform supports modern DevOps workflows so engineers love it. And with fewer credentials to steal, security teams can improve security and compliance.
Try Teleport Passwordless Infrastructure Access today at goteleport.com

This week's articles


OWASP Kubernetes Top 10
The OWASP Kubernetes Top 10 is aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem. The Top Ten is a prioritized list of these risks backed by data collected from organizations varying in maturity and complexity.   #defend   #kubernetes


A Kubernetes User's Guide to HashiCorp Nomad Secret Management
A comparison of the native secrets management functionality of Kubernetes with HashiCorp Vault, and of how HashiCorp Nomad can integrate with Vault versus the Kubernetes+Vault integration.   #build   #kubernetes   #vault


Using nginx-ingress controller to restrict access by IP (ip whitelisting) for a service deployed to a Kubernetes (AKS) cluster
How to restrict access to certain client source IPs for a service deployed to an AKS cluster.   #build   #kubernetes


Crawl, walk, run: Operationalizing your IaC security program
Learn how to operationalize your infrastructure as code security program with our rollout timeline and guidance for your first ninety days.   #build   #iac


GitHub - SSH commit verification now supported
GitHub now supports SSH commit verification, so you can sign commits and tags locally using a self-generated SSH public key, which will give others confidence about the origin of a change you have made.   #announcement   #ci/cd


Kubernetes v1.25: Pod Security Admission Controller in Stable
The release of Kubernetes v1.25 marks a major milestone for Kubernetes out-of-the-box pod security controls: Pod Security admission (PSA) graduated to stable, and Pod Security Policy (PSP) has been removed.   #announcement   #kubernetes

I'm writing a book! 📖
The CloudSec Engineer will be a book on how to enter, establish yourself, and thrive in the cloud security industry as an individual contributor.
You can sign up to get updates and free samples of the book as I write it at: cloudsecbooks.com

Tools


popeye
Popeye is a utility that scans a live Kubernetes cluster and reports potential issues with deployed resources and configurations. It sanitizes your cluster based on what's actually deployed, not what's sitting on disk.


lazytrivy
LazyTrivy lets you scan all your local images at once from the comfort of an OK UI using Trivy.


bomber
Scans SBoMs for security vulnerabilities.


kubelogin
A Kubernetes credential (exec) plugin implementing Azure authentication.

From the cloud providers


#AWS   AWS WAF Fraud Control - Account takeover prevention for Amazon CloudFront
AWS WAF Fraud Control - Account Takeover Prevention protects your application's login page against credential stuffing attacks, brute force attempts, and other anomalous login activities.


#AWS   Identifying publicly accessible resources with Amazon VPC Network Access Analyzer
VPC Network Access Analyzer helps you understand potential network paths to and from your resources without having to build automation or manually review security groups, network access control lists (network ACLs), route tables, and Elastic Load Balancing (ELB) configurations.


#AWS   How to centralize findings and automate deletion for unused IAM roles
How to apply resource tags on IAM roles and deploy serverless technologies on AWS to detect unused IAM roles and to require the owner of the IAM role (identified through tags) to take action.


#AWS   Amazon CloudFront launches Origin Access Control (OAC)
Amazon CloudFront now offers Origin Access Control, a new feature that enables CloudFront customers to easily secure their S3 origins by permitting only designated CloudFront distributions to access their S3 buckets.


#GCP   Announcing Virtual Machine Threat Detection now generally available to Cloud customers
Google announced that Virtual Machine Threat Detection (VMTD) in Security Command Center is now generally available for all Google Cloud customers.


#GCP   Introducing general availability of Google Cloud Certificate Manager
Google Cloud Certificate Manager can help users acquire and manage TLS certificates at scale for use with Cloud Load Balancing. Now in general availability, it includes Terraform automation and self-service ACME certificate enrollment.


#GCP   Controls to restrict access to individually approved APIs
How to restrict access to individually approved Google APIs using the Organization Policy Service and other network controls.


#AZURE   Hunt for compromised Azure subscriptions using Microsoft Defender for Cloud Apps
How Microsoft Defender for Cloud Apps data can help hunt and mitigate the risk of compromised subscriptions.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini