Release Date: 11/09/2022 | Issue: 154
CloudSecList is a weekly newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand curated by Marco Lancini.
Sponsor

Teleport is an identity-aware and context-aware proxy designed to work seamlessly with AWS. Its access plane becomes the centralized window to consume various AWS managed services by internal and external users of an organization.
Learn about the 5 advantages of using Teleport to centralize AWS access control

This week's articles


PCI Guidance for Containers and Container Orchestration Tools
#defend, #kubernetes
The PCI Council has published their best practice guidance for containers and container orchestration tools, super useful if you're using Kubernetes in PCI environments. On this topic, @raesene released a blog post which looks at some of the implications.


Attacking Firecracker: AWS' microVM Monitor Written in Rust
#attack, #aws
Firecracker is a microVM manager written in Rust that powers AWS services like Lambda and Fargate. Here's how a red team attacked a vulnerability in Firecracker.


Zuckerpunch - Abusing self hosted github runners at Facebook
#attack, #ci/cd
How a security researcher abused GitHub Actions to get full root on the PyTorch CI runners.


A Federated Approach To Providing User Privacy Rights
#aws, #strategy
How Lyft approaches managing user privacy in order to seamlessly handle compliance, data export, and deletion.


Istio - Introducing Ambient Mesh
#announcement, #istio
The Istio team announced Istio ambient mesh, a new dataplane mode for Istio without sidecars.


Kubernetes API Server Bypass Risks
#defend, #kubernetes
This page describes the ways in which the security controls built into the Kubernetes API server can be bypassed, so that cluster operators and security architects can ensure that these bypasses are appropriately restricted.


5 tools for generating SBOM - Which is the best tool?
#build, #supply-chain
Post comparing CycloneDX, Syft (by Anchore), Microsoft.Sbom.Tool, Fossa, and Snyk (snyk2spdx).


Fun with Windows Containers - Popping Calc
#attack, #kubernetes
Popping calc.exe on a Kubernetes Windows cluster node with HostProcess containers.


The Complete Guide to AWS KMS
#aws, #explain
An intro guide to AWS Key Management Service (AWS KMS), its different key types, and access (IAM) best practices.


Falco Driverkit with Docker on Debian
#explain, #falco
First in a series of posts explaining how Falco generates its much-needed driver and how to make it available to deployments.


Vault, Kubernetes, and the Graduation of vault-k8s to Version 1.0
#announcement, #kubernetes, #vault
HashiCorp announced the graduation of vault-k8s to version 1.0.

Tools


matano
Matano is an open source security lake platform for AWS. It lets you ingest petabytes of security and log data from various sources, store and query them in an open Apache Iceberg data lake, and create Python detections as code for realtime alerting.


magic-github-proxy
A stateless GitHub API proxy that allows creation and use of access-limited GitHub API tokens. Basically, it's identity and access management for GitHub API tokens.


aws-security-assessment-solution
An AWS tool to help you create a point-in-time assessment of your AWS account using Prowler and Scout, as well as optional AWS-developed ransomware checks.


plumber
plumber is a CLI devtool for inspecting, piping, massaging and redirecting data in message systems like Kafka, RabbitMQ, GCP Pub/Sub and many more.

CloudSecDocs


AWS Audit Considerations
A summary of Audit Considerations from the AWS Cloud Audit Academy.

From the cloud providers


AWS: Scaling cross-account AWS KMS-encrypted Amazon S3 bucket access using ABAC
How to share encrypted S3 buckets across accounts on a multi-tenant data lake.


AWS: Announcing new AWS IAM Identity Center APIs to manage users and groups at scale
How to use IAM Identity Center APIs to automate managing users and groups in a scalable manner and gain better visibility into users and groups in the Identity Center directory.


AWS: Use AWS RAM and AWS MGN to govern your migration at scale in AWS
How to migrate at scale with AWS Application Migration Service (AWS MGN) using a multi-account strategy.


AWS: Transitioning to multiple AWS accounts
Transition from a single-account environment to a multi-account environment, including best practices for migrating accounts, managing users, networking, and security.


GCP: Understanding basic networking in GKE - Networking basics
Post exploring the networking components of GKE and the various options that exist.


Azure: Public preview: Encrypt storage account with cross-tenant customer-managed key
Azure Storage now supports customer-managed keys using a key vault on a different Azure Active Directory tenant.

Sponsor CloudSecList

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present, CloudSecList by Marco Lancini.