Release Date: 11/09/2022 | Issue: 154
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Teleport is an identity-aware and context-aware proxy designed to work seamlessly with AWS. Its access plane becomes the centralized window to consume various AWS managed services by internal and external users of an organization.
Learn about the 5 advantages of using Teleport to centralize AWS access control

This week's articles


PCI Guidance for Containers and Container Orchestration Tools
The PCI Council has published their best practice guidance for containers and container orchestration tools, super useful if you're using Kubernetes in PCI environments. On this topic, @raesene released a blog post which looks at some of the implications.   #defend   #kubernetes


Attacking Firecracker: AWS' microVM Monitor Written in Rust
Firecracker is a microVM manager written in Rust that powers AWS services like Lambda and Fargate. Here's how a red team attacked a vulnerability in Firecracker.   #attack   #aws


Zuckerpunch - Abusing self hosted github runners at Facebook
How a security researcher abused GitHub Actions to get full root on the PyTorch CI runners.   #attack   #ci/cd


A Federated Approach To Providing User Privacy Rights
How Lyft approaches managing user privacy in order to seamlessly handle compliance, data export, and deletion.   #aws   #strategy


Istio - Introducing Ambient Mesh
The Istio team announced Istio ambient mesh, a new dataplane mode for Istio without sidecars.   #announcement   #istio


Kubernetes API Server Bypass Risks
This page describes the ways in which the security controls built into the Kubernetes API server can be bypassed, so that cluster operators and security architects can ensure that these bypasses are appropriately restricted.   #defend   #kubernetes


5 tools for generating SBOM - Which is the best tool?
Post comparing CycloneDX, Syft (by Anchore), Microsoft.Sbom.Tool, Fossa, and Snyk (snyk2spdx).   #build   #supply-chain


Fun with Windows Containers - Popping Calc
Popping calc.exe on a Kubernetes Windows cluster node with hostprocess containers.   #attack   #kubernetes


The Complete Guide to AWS KMS
An intro guide to AWS Key Management Service (AWS KMS), its different key types, and access (IAM) best practices.   #aws   #explain


Falco Driverkit with Docker on Debian
First of a series of posts explaining how Falco generates its much-needed driver and how to make it available to deployments.   #explain   #falco


Vault, Kubernetes, and the Graduation of vault-k8s to Version 1.0
HashiCorp announced the graduation of vault-k8s to version 1.0.   #announcement   #kubernetes   #vault

Tools


matano
Matano is an open source security lake platform for AWS. It lets you ingest petabytes of security and log data from various sources, store and query them in an open Apache Iceberg data lake, and create Python detections-as-code for real-time alerting.


magic-github-proxy
A stateless GitHub API proxy that allows creation and use of access-limited GitHub API tokens. Basically, it's identity and access management for GitHub API tokens.


aws-security-assessment-solution
An AWS tool to help you create a point-in-time assessment of your AWS account using Prowler and Scout, as well as optional AWS-developed ransomware checks.


plumber
plumber is a CLI devtool for inspecting, piping, massaging and redirecting data in message systems like Kafka, RabbitMQ, GCP PubSub and many more.

CloudSecDocs


AWS Audit Considerations
A summary of Audit Considerations from the AWS Cloud Audit Academy.

From the cloud providers


#AWS   Scaling cross-account AWS KMS-encrypted Amazon S3 bucket access using ABAC
How to share encrypted S3 buckets across accounts on a multi-tenant data lake.


#AWS   Announcing new AWS IAM Identity Center APIs to manage users and groups at scale
How to use IAM Identity Center APIs to automate managing users and groups in a scalable manner and gain better visibility into users and groups in the Identity Center directory.


#AWS   Use AWS RAM and AWS MGN to Govern your Migration at scale in AWS
How to migrate at scale with AWS Application Migration Service (AWS MGN), using a multi-account strategy.


#AWS   Transitioning to multiple AWS accounts
Transition from a single-account environment to a multi-account environment, including best practices for migrating accounts, managing users, networking, and security.


#GCP   Understanding basic networking in GKE - Networking basics
Post exploring the networking components of GKE and the various options that exist.


#AZURE   Public preview: Encrypt storage account with cross-tenant customer-managed key
Azure Storage now supports customer-managed keys using a key vault on a different Azure Active Directory tenant.

Sponsor CloudSecList

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
[email protected]

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues!

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini