Release Date: 18/09/2022 | Issue: 155
CloudSecList is a weekly newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand curated by Marco Lancini.
Sponsor

IaC Security Refcard
Learn Cloud DevOps best practices that are essential to securing your infrastructure as code in this DZone Refcard. Inside, you’ll see what makes some IaC practices more secure than others and find out how you can address security issues across the development lifecycle. The experts at DZone also cover:
  • The basics of infrastructure as code (IaC)
  • Key components of IaC security
  • How to secure IaC for multicloud
Get the IaC Security Refcard for free!

This week's articles


AWS Ramp-Up Guide: Security
#aws, #explain
A guide that can help you prepare for the "AWS Certified Security - Specialty" certification exam.


What's Inside Of a Distroless Container Image: Taking a Deeper Look
#containers, #explain
What are these distroless images, really? Why are they needed? What's the difference between a container started from a distroless base and a container started from scratch? Let's take a deeper look.


Kubernetes Security For CISOs
#defend, #kubernetes
The top five security measures that CISOs should be thinking about for any Kubernetes implementation.


SBOMs are just a means to an end
#strategy, #supply-chain
The industry movement towards SBOMs needs material interventions to be usable at scale for exceedingly basic use cases. This post hopes to begin a discussion at the industry level that brings us closer to our desired state, and to challenge the notion of what that desired state even is.


Announcing the Auto-refreshing Official Kubernetes CVE Feed
#announcement, #kubernetes
A long-standing request from the Kubernetes community has been to have a programmatic way for end users to keep track of Kubernetes security issues (CVEs). Accompanying the release of Kubernetes v1.25, such a feed is now an alpha feature.


Open Source Software (OSS) Secure Supply Chain (SSC) Framework
#strategy, #supply-chain
This guide outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer's workflow. This paper is split into two parts: a solution-agnostic set of practices and a maturity model-based implementation guide.


Falco Threat Detection Extends to gVisor to Monitor Highly Sensitive Workloads
#announcement, #containers, #falco
The Falco-gVisor integration means that gVisor users now only need to instrument each host for monitoring, rather than every application, enabling Falco to monitor both containers and nodes.


Azure Active Directory Pass-Through Authentication Flaws
#attack, #azure
Secureworks researchers analyzed how the protocols used by Pass-Through Authentication (PTA) could be exploited. The result? A compromised PTA agent certificate gives threat actors persistent and undetectable access to a target organization.


What's New for Security in Kubernetes 1.25
#explain, #kubernetes
A recap of some of the interesting new security changes in Kubernetes 1.25.


Shifting (even further) Left on Kubernetes Resource Compliance
#build, #kubernetes, #opa
An example on how to use OPA and Gatekeeper to automate security and compliance in Kubernetes.

Tools


cloudfox
CloudFox helps you gain situational awareness in unfamiliar cloud environments. It's an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure. You can also refer to the companion blog post.


constellation
Constellation is a Kubernetes engine that aims to provide the best possible data security. It wraps your K8s cluster into a single confidential context that is shielded from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory.


eraser
Eraser helps Kubernetes admins remove a list of non-running images from all Kubernetes nodes in a cluster.


tree-view-cfn
Force CloudFormation to generate a tree view for any stack.

Sponsor

Cloud Security "Alert Fatigue": How to avoid it and prioritize what matters.
It's near impossible to address the volume of potential sources for security alerts or findings. Everything from cloud threats, runtime events, compliance violations, pipeline or registry vulnerabilities - the list goes on. Where should you focus resources?
Read this blog from Sysdig to learn how you can prioritize security alerts and focus on the ones that really matter.

From the cloud providers


AWS Enterprise Support launches AWS Incident Detection and Response
AWS announced the general availability of AWS Incident Detection and Response, which offers AWS Enterprise Support customers proactive monitoring and incident management for their selected workloads.


AWS Security Hub launches a new security best practice control
AWS Security Hub has launched a new control for its Foundational Security Best Practice standard (FSBP) to enhance your Cloud Security Posture Management (CSPM).


Amazon SNS introduces the public preview of message data protection to help discover and protect sensitive data in motion
SNS is launching a public preview of message data protection, a new set of capabilities for Amazon SNS Standard Topics that leverage pattern matching, machine learning models, and data protection policies to help security and engineering teams facilitate real-time data protection in their applications that use Amazon SNS to exchange high volumes of data.


Amazon introduces dynamic intermediate certificate authorities
Starting October 11, 2022, at 9:00 AM Pacific Time, public certificates obtained through ACM will be issued from one of the multiple intermediate certificate authorities (CAs) that Amazon manages.


Using AWS Shield Advanced protection groups to improve DDoS detection and mitigation
With protection groups, users can customize the scope of DDoS detection for application layer events and accelerate mitigation for infrastructure layer events.


Use AWS Network Firewall to filter outbound HTTPS traffic from applications hosted on Amazon EKS and collect hostnames provided by SNI
How to set up an Amazon Elastic Kubernetes Service (Amazon EKS) cluster such that the applications hosted on the cluster can have their outbound internet access restricted to a set of hostnames provided by the Server Name Indication (SNI) in the allow list in the AWS Network Firewall rules.


Introducing Google Cloud Backup and DR
A managed backup and disaster recovery (DR) service for centralized, application-consistent data protection. Protect workloads running in Google Cloud and on-premises.


The Cloud Run documentation now provides Terraform instructions!
The Cloud Run documentation now captures Terraform instructions alongside Console, Command Line and YAML. Samples come from the terraform-docs-samples repo.


Introducing Kubernetes control plane metrics in GKE
Metrics from Kubernetes control plane components, including the API server, scheduler, and controller manager, are now Generally Available in GKE.


Google + Mandiant: Transforming Security Operations and Incident Response
Google announced the completion of its acquisition of Mandiant. Mandiant will join Google Cloud and retain the Mandiant brand.


Public preview: Encrypt managed disks with cross-tenant customer-managed key
Cross-tenant customer-managed keys (CMK) let you encrypt managed disks with keys held in an Azure Key Vault hosted in a different Azure Active Directory (AD) tenant.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present, CloudSecList by Marco Lancini.