Release Date: 23/10/2022 | Issue: 160
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

📄 Software Composition Analysis Checklist 📄
Learn the 6 key components of any complete, robust software composition analysis (SCA) solution in this SCA checklist. Inside, you'll see why not all SCA solutions are created equal, and you'll learn how your organization can maintain holistic cloud-native security and compliance. Plus, you'll get insights into:
  • Key SCA features you should look out for while evaluating solutions
  • Tips for mitigating common security and compliance risks
  • The benefits of a context-aware, developer-first approach to SCA
  • And more!
Get the SCA Checklist for free!

This week's articles


The Danger of Falling to System Role in AWS SDK Client
Writeup of a vulnerability identified in a web application that was using the AWS SDK for Go (v1) to implement an "Import Data From S3" functionality.   #attack   #aws


How to list all resources in your AWS account
You may have been there before: you got access to an AWS account and just want to list which resources are configured in it. The seemingly simple task of listing all resources quickly turns out to be complicated.   #aws   #defend


Untangling Azure Active Directory Principals & Access Permissions
Post untangling the question of 'who has access to what' in an Azure Active Directory environment. A PowerShell tool was also released to automatically enumerate this.   #azure   #iam


Azure Active Directory - Security Overview
A nice diagram providing an overview of the endpoints/integrations/connections/features in the Azure AD ecosystem.   #azure   #explain


PCI Compliance for Kubernetes in detail - Part 3 - Workload Security
This is the 3rd part of an in-depth look at how companies running Kubernetes can approach implementing the recommendations in PCI's guidance for container orchestration.   #kubernetes   #defend


Guide to AWS Lambda Function URLs
Post explaining AWS Lambda Function URLs - a new feature in AWS Lambda that allows you to call a Lambda function without an API Gateway.   #aws   #build   #explain


FabriXss: How We Managed to Abuse a Custom Role User Using CSTI and Stored XSS in Azure Fabric Explorer
The Orca Research Pod has discovered FabriXss, a vulnerability in Azure Service Fabric Explorer that allows attackers to gain full Administrator permissions.   #attack   #azure


Enrich AWS account data in Microsoft Sentinel
As organisations are integrating Amazon Web Services data sources with Microsoft Sentinel, many are facing a common problem: how to identify AWS resources and handle contextual data such as AWS account information for alerts and incidents?   #aws   #azure   #monitor


Pod Security Policies are dead, long live Pod Security Admission!
How can we enforce security best-practices at cluster or namespace level?   #defend   #kubernetes

I'm writing a book! 📖
The CloudSec Engineer will be a book on how to enter, establish yourself, and thrive in the cloud security industry as an individual contributor.
You can sign up to get updates and free samples of the book as I write it at: cloudsecbooks.com

Tools


Paranoia
Inspect a container image's root CAs. You can also refer to the companion blog post.


ScubaGear
Automation to assess the state of your M365 tenant against CISA's baselines.


oidc-ssrf
Evil OIDC server: the OpenID Configuration URL returns a 307 to cause SSRF.
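The trick the tool relies on is that a relying party fetches the discovery URL of an issuer it does not fully control and then follows whatever comes back: a 307 at fetch time, or endpoint URLs in the returned document that point at internal hosts. The Python below is an added example, not code from the oidc-ssrf project or from this newsletter: it fetches an OpenID configuration with redirects refused, pins the `issuer` value, and rejects endpoints that are not https, that point at an internal IP literal, or that fall outside a host allowlist. `idp.example.com`, `GOOD_DOC` and `EVIL_DOC` are constructed placeholders, and the checks are my own illustration of what a hardened client should do.

```python
"""Hardened OIDC discovery fetch: refuse redirects, pin the issuer, allowlist hosts.

Added example (not part of the oidc-ssrf tool). Sample documents below are
constructed, not captured from any real provider.
"""
import ipaddress
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Endpoints the relying party fetches later; each one is an SSRF sink if unchecked.
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


class RefuseRedirects(urllib.request.HTTPRedirectHandler):
    """Never follow a 3xx: a 307 from an evil issuer is exactly the oidc-ssrf trick."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise urllib.error.HTTPError(
            req.full_url, code, f"refusing redirect to {newurl}", headers, fp)


def discovery_url(issuer: str) -> str:
    """Build the well-known URL; the issuer itself must be a clean https URL."""
    u = urlparse(issuer)
    if u.scheme != "https" or not u.hostname or u.query or u.fragment:
        raise ValueError(f"issuer must be an https URL without query/fragment: {issuer!r}")
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def _host_problem(key, url, allowed_hosts):
    """Return a description of why this endpoint URL is unacceptable, or None."""
    u = urlparse(url)
    if u.scheme != "https":
        return f"{key} is not https: {url}"
    host = u.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name; only literal IPs are range-checked here
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
        return f"{key} targets an internal address: {url}"
    if host not in allowed_hosts:
        return f"{key} host {host!r} is not in the allowlist: {url}"
    return None


def validate_discovery(expected_issuer: str, doc: dict, allowed_hosts=None) -> list:
    """Return the problems found in a discovery document (empty list == acceptable).

    allowed_hosts defaults to the issuer's own host. Providers that serve
    jwks_uri from a different host must be added explicitly rather than
    trusting whatever host the document names.
    """
    hosts = set(allowed_hosts or ()) | {urlparse(expected_issuer).hostname}
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in doc]
    if "issuer" in doc and doc["issuer"] != expected_issuer:
        problems.append(f"issuer mismatch: {doc['issuer']!r} != {expected_issuer!r}")
    for key in ENDPOINT_KEYS:
        if key in doc:
            p = _host_problem(key, doc[key], hosts)
            if p:
                problems.append(p)
    return problems


def fetch_discovery(issuer: str, allowed_hosts=None, timeout: float = 5.0) -> dict:
    """Fetch and validate the discovery document without following redirects."""
    opener = urllib.request.build_opener(RefuseRedirects())
    with opener.open(discovery_url(issuer), timeout=timeout) as resp:
        doc = json.load(resp)
    problems = validate_discovery(issuer, doc, allowed_hosts)
    if problems:
        raise ValueError("rejected discovery document: " + "; ".join(problems))
    return doc


# Constructed sample documents for a made-up issuer.
GOOD_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/jwks",
}
# Same document, but jwks_uri now points the relying party at the EC2 metadata service.
EVIL_DOC = dict(GOOD_DOC, jwks_uri="https://169.254.169.254/latest/meta-data/")

if __name__ == "__main__":
    print(validate_discovery("https://idp.example.com", GOOD_DOC))  # []
    print(validate_discovery("https://idp.example.com", EVIL_DOC))
```

The IP check only catches literal addresses; a hostname that resolves (or rebinds) to an internal range still needs network-level egress controls, and the allowlist is what stops that case for the hosts you know about.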


terraform-google-workload-identity
A Terraform module for configuring Workload Identity for GKE clusters.

From the cloud providers


#AWS   Announcing AWS Parameters and Secrets Lambda Extension
AWS launched the AWS Parameters and Secrets Lambda Extension, a convenient method for AWS Lambda users to retrieve parameters from AWS Systems Manager Parameter Store and secrets from AWS Secrets Manager.
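As an added example (not AWS's own code), here is how a Python Lambda function reads a Parameter Store value and a Secrets Manager secret through the extension's local HTTP endpoint instead of calling the SDK on every invocation. The port, paths and header name follow the extension's documentation at launch and should be checked against the current docs; `/prod/feature/flag` and `prod/db` are made-up names, and `fake_fetch` is a constructed stand-in that lets the code run outside Lambda.

```python
"""Read parameters and secrets via the AWS Parameters and Secrets Lambda Extension.

Added example, not AWS code. The `fetch` argument is injectable; `fake_fetch`
below is a constructed test double for running outside a Lambda runtime.
"""
import json
import os
import urllib.request
from urllib.parse import urlencode

TOKEN_HEADER = "X-Aws-Parameters-Secrets-Token"
RECORDED_CALLS = []  # populated only by fake_fetch, for inspection outside Lambda


def _base_url() -> str:
    # The extension listens on localhost; the port is configurable through
    # PARAMETERS_SECRETS_EXTENSION_HTTP_PORT and defaults to 2773.
    return "http://localhost:" + os.environ.get("PARAMETERS_SECRETS_EXTENSION_HTTP_PORT", "2773")


def _headers(token=None) -> dict:
    # The extension authenticates callers with the function's own session token;
    # without this header the request is refused, so a missing token is a hard error.
    token = token or os.environ.get("AWS_SESSION_TOKEN")
    if not token:
        raise RuntimeError("AWS_SESSION_TOKEN is not set; not running inside Lambda?")
    return {TOKEN_HEADER: token}


def parameter_request(name, with_decryption=True, token=None):
    """URL and headers for a Parameter Store lookup (SecureString needs withDecryption)."""
    query = urlencode({"name": name, "withDecryption": "true" if with_decryption else "false"})
    return f"{_base_url()}/systemsmanager/parameters/get/?{query}", _headers(token)


def secret_request(secret_id, token=None):
    """URL and headers for a Secrets Manager lookup by name or ARN."""
    return f"{_base_url()}/secretsmanager/get?{urlencode({'secretId': secret_id})}", _headers(token)


def _http_get(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.status, resp.read().decode()


def _call(url, headers, fetch):
    status, body = fetch(url, headers)
    if status != 200:
        # Typical causes: wrong/missing token header, or the function role lacks
        # ssm:GetParameter / secretsmanager:GetSecretValue on the resource.
        raise RuntimeError(f"extension returned {status} for {url}: {body[:200]}")
    return json.loads(body)


def get_parameter(name, with_decryption=True, token=None, fetch=_http_get) -> str:
    url, headers = parameter_request(name, with_decryption, token)
    return _call(url, headers, fetch)["Parameter"]["Value"]


def get_secret(secret_id, token=None, fetch=_http_get) -> str:
    url, headers = secret_request(secret_id, token)
    body = _call(url, headers, fetch)
    # Binary secrets come back as SecretBinary; this helper handles string secrets only.
    return body["SecretString"]


def fake_fetch(url, headers):
    """Constructed stand-in for the extension, mimicking its response shapes."""
    RECORDED_CALLS.append((url, headers))
    if "/secretsmanager/get" in url:
        return 200, json.dumps({"ARN": "arn:aws:secretsmanager:eu-west-1:123456789012:secret:prod/db-AbCdEf",
                                "Name": "prod/db", "SecretString": json.dumps({"username": "app"})})
    return 200, json.dumps({"Parameter": {"Name": "/prod/feature/flag", "Value": "on"}})


def handler(event, context):
    # The extension caches results (default TTL 300 s), so warm invocations make no SDK call.
    db = json.loads(get_secret("prod/db"))
    return {"db_user": db["username"], "flag": get_parameter("/prod/feature/flag")}


if __name__ == "__main__":
    print(get_parameter("/prod/feature/flag", token="local-token", fetch=fake_fetch))
    print(RECORDED_CALLS[-1][0])
```

Two things worth noticing in the request shape: a SecureString comes back still encrypted unless `withDecryption=true` is sent, and the session-token header is what ties the local call to the function's identity, so never log the headers.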


#AWS   Amazon Detective helps reduce time to investigate Amazon GuardDuty findings by grouping related findings
Detective now uses machine learning (ML) to group related GuardDuty findings that, in isolation, may have been ignored but show the lifecycle of an attack, which can help security analysts identify advanced threats more efficiently.


#AWS   Analyze Amazon Cognito advanced security intelligence to improve visibility and protection
How to analyze security intelligence from Amazon Cognito advanced security features logs by using AWS native services.


#GCP   Best kept security secrets: How Cloud EKM can help resolve the cloud trust paradox
Cloud EKM can help protect data at rest with encryption keys which are stored and managed in a third-party key management system that's outside Google Cloud's infrastructure, and ultimately outside Google's control.


#GCP   Backup for GKE
Backup for GKE is a service for backing up and restoring workloads in GKE clusters.


#AZURE   Overview of the Microsoft cloud security benchmark
The Microsoft cloud security benchmark (MCSB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure and your multi-cloud environment.


#AZURE   Announcing Azure DNS Private Resolver general availability
Azure DNS Private Resolver now provides a fully managed recursive resolution and conditional forwarding service for Azure virtual networks.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini