Release Date: 06/11/2022 | Issue: 162
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up
Sponsor

5 Best Practices for Securing Workloads on AWS
Ever wondered how you could build applications across your AWS application stack rapidly and securely? Check out the 5 Best Practices for Securing Workloads on AWS cheat sheet and get useful insights on how to:
  • Detect and remediate security vulnerabilities early on
  • Reduce the open source attack vector for serverless deployments
  • Prevent misconfigured IaC resources from introducing risk
Download Now!

This week's articles


Internet Egress Filtering of Services at Lyft   #aws, #defend
How the Security team of Lyft achieved egress network traffic filtering for all their services.


Exploiting Static Site Generators: When Static Is Not Actually Static   #attack, #aws, #gcp
The Assetnote security research team found vulnerabilities in static site generators (such as GatsbyJS and NextJS) and associated platforms (Netlify and GatsbyJS Cloud), which enabled SSRF.


How We Use Terraform At Slack   #design, #terraform
Post looking at how the Slack team uses Terraform to build their infrastructure.


CosMiss: Azure Cosmos DB Vulnerability   #attack, #azure
The Orca Research team has discovered CosMiss, a vulnerability in Microsoft Azure Cosmos DB where authentication checks were missing from Cosmos DB Notebooks.


Kubernetes: Securing a Cluster   #defend, #kubernetes
This document covers topics related to protecting a cluster from accidental or malicious access and provides recommendations on overall security.


Vault DR with AWS Lambda for Sub-Minute Recovery   #aws, #build, #vault
How YNAP used AWS Lambda functions to reduce the disaster recovery time for HashiCorp Vault to mere seconds.


Learning by auditing Kubernetes manifests   #explain, #kubernetes
An example of how you could learn about Kubernetes security and architecture by reviewing reports from Checkov.


Announcing GUAC, a great pairing with SLSA (and SBOM)   #defend, #supply-chain
Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database, normalizing entity identities and mapping standard relationships between them.

Tools


get-secretmanager-secrets
A GitHub Action that fetches secrets from Google Cloud Secret Manager and makes them available to later workflow steps via outputs.


actionlint
Static checker for GitHub Actions workflow files.


kubediff
A tool for Kubernetes to show differences between running state and version controlled configuration.


helm-backup
Helm plugin which performs backup/restore of releases in a namespace to/from a file.

📢 We are now taking bookings for 2023 sponsorships! 📢

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, check out:
https://cloudseclist.com/sponsor/

From the cloud providers


How USAA built an Amazon S3 malware scanning solution   #aws
How USAA's Public Cloud Security team enabled secure collaboration with external vendors and AWS workloads by creating a scalable solution that scans S3 objects for viruses and malware before releasing them downstream.


How Wego secured developer connectivity to Amazon Relational Database Service instances   #aws
How developers can access allow-listed resources in their virtual private cloud (VPC) directly from their workstations, by tunneling a VPN over SSH, which is in turn tunneled over Session Manager.


How to control non-HTTP and non-HTTPS traffic to a DNS domain with AWS Network Firewall and AWS Lambda   #aws
How to control outbound access to a given domain in a granular way, by resolving the domain name inside of an AWS Lambda function, and updating a Network Firewall rule variable with the results of the DNS query.


Use Amazon Cognito to add claims to an identity token for fine-grained authorization   #aws
How to use Amazon Cognito for fine-grained authorization, by adding claims to the identity token that carry additional details about the authenticated user.


Practicing the principle of least privilege with Cloud Build and Artifact Registry   #gcp
How to use Cloud Build's support for per-trigger service accounts to apply the principle of least privilege to builds that push images to Artifact Registry.


Introducing Cloud Workstations: Managed and Secure Development environments in the cloud   #gcp
Cloud Workstations, now entering Public Preview, is a remote, managed, and secure IDE solution for developers.


Secure your digital payment system in the cloud with Azure Payment HSM - now generally available   #azure
Microsoft announced the general availability of Azure Payment HSM, a BareMetal Infrastructure as a Service (IaaS) offering that gives customers native access to payment HSMs in the Azure cloud.


General availability: Ephemeral OS disk support for confidential virtual machines   #azure
Create confidential VMs using Ephemeral OS disks for your stateless workloads.


Generally available: Encrypt storage account with cross-tenant customer-managed key   #azure
Azure Storage now supports customer-managed keys using a key vault on a different Azure Active Directory tenant.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present, CloudSecList by Marco Lancini.