CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
IaC Security Refcard Learn Cloud DevOps best practices that are essential to securing your infrastructure as code in this DZone Refcard. Inside, you’ll see what makes some IaC practices more secure than others and find out how you can address security issues across the development lifecycle. The experts at DZone also cover:
What are these distroless images, really? Why are they needed? What's the difference between a container started from a distroless base and a container started from scratch? Let's take a deeper look.
The industry movement towards SBOMs needs material interventions to be usable at scale for exceedingly basic use cases. This post hopes to begin an industry-level discussion that brings us closer to our desired state, and to challenge the notion of what that desired state even is.
A long-standing request from the Kubernetes community has been to have a programmatic way for end users to keep track of Kubernetes security issues (CVEs). Accompanying the release of Kubernetes v1.25, such a feed is now an alpha feature.
This guide outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer's workflow. The paper is split into two parts: a solution-agnostic set of practices and a maturity model-based implementation guide.
The Falco-gVisor integration means that gVisor users now only need to instrument each host for monitoring, rather than every application, enabling Falco to monitor both containers and nodes.
Secureworks researchers analyzed how the protocols used by Pass-Through Authentication (PTA) could be exploited. The result? A compromised PTA agent certificate gives threat actors persistent and undetectable access to a target organization.
CloudFox helps you gain situational awareness in unfamiliar cloud environments. It's an open source command line tool created to help penetration testers and other offensive security professionals find exploitable attack paths in cloud infrastructure. You can also refer to the companion blog post.
Constellation is a Kubernetes engine that aims to provide the best possible data security. It wraps your K8s cluster into a single confidential context that is shielded from the underlying cloud infrastructure. Everything inside is always encrypted, including at runtime in memory.
Force CloudFormation to generate a tree view for any stack.
Sponsor
Cloud Security "Alert Fatigue": How to avoid it and prioritize what matters. It's near impossible to address the volume of potential sources for security alerts or findings. Everything from cloud threats, runtime events, compliance violations, pipeline or registry vulnerabilities - the list goes on. Where should you focus resources? Read this blog from Sysdig to learn how you can prioritize security alerts and focus on the ones that really matter.
AWS announced the general availability of AWS Incident Detection and Response, that offers AWS Enterprise Support customers proactive monitoring and incident management for their selected workloads.
AWS Security Hub has launched a new control for its Foundational Security Best Practice standard (FSBP) to enhance your Cloud Security Posture Management (CSPM).
SNS is launching a public preview of message data protection, a new set of capabilities for Amazon SNS Standard Topics that leverage pattern matching, machine learning models, and data protection policies to help security and engineering teams facilitate real-time data protection in their applications that use Amazon SNS to exchange high volumes of data.
Starting October 11, 2022, at 9:00 AM Pacific Time, public certificates obtained through ACM will be issued from one of the multiple intermediate certificate authorities (CAs) that Amazon manages.
With protection groups, users can customize the scope of DDoS detection for application layer events and accelerate mitigation for infrastructure layer events.
How to set up an Amazon Elastic Kubernetes Service (Amazon EKS) cluster such that the applications hosted on the cluster can have their outbound internet access restricted to a set of hostnames provided by the Server Name Indication (SNI) in the allow list in the AWS Network Firewall rules.
A managed backup and disaster recovery (DR) service for centralized, application-consistent data protection. Protect workloads running in Google Cloud and on-premises.
The Cloud Run documentation now captures Terraform instructions alongside Console, Command Line and YAML. Samples come from the terraform-docs-samples repo.
Cross-tenant customer-managed keys (CMK) enable you to encrypt managed disks using a key held in an Azure Key Vault hosted in a different Azure Active Directory (AD) tenant.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌