Release Date: 06/11/2022 | Issue: 162
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

5 Best Practices for Securing Workloads on AWS
Ever wondered how you could build applications across your AWS application stack rapidly and securely? Check out the 5 Best Practices for Securing Workloads on AWS cheat sheet and get useful insights on how to:
  • Detect and remediate security vulnerabilities early on
  • Reduce the open source attack vector for serverless deployments
  • Prevent misconfigured IaC resources from introducing risk
Download Now!

This week's articles


Internet Egress Filtering of Services at Lyft
How Lyft's Security team achieved egress network traffic filtering for all of their services.   #aws   #defend


Exploiting Static Site Generators: When Static Is Not Actually Static
The Assetnote security research team found vulnerabilities in static site generators (such as GatsbyJS and NextJS) and associated platforms (Netlify and GatsbyJS Cloud), which enabled SSRF.   #attack   #aws   #gcp


How We Use Terraform At Slack
Post looking at how the Slack team uses Terraform to build their infrastructure.   #design   #terraform


CosMiss: Azure Cosmos DB Vulnerability
The Orca Research team has discovered CosMiss, a vulnerability in Microsoft Azure Cosmos DB where authentication checks were missing from Cosmos DB Notebooks.   #attack   #azure


Kubernetes: Securing a Cluster
This document covers topics related to protecting a cluster from accidental or malicious access and provides recommendations on overall security.   #defend   #kubernetes


Vault DR with AWS Lambda for Sub-Minute Recovery
How YNAP used AWS Lambda functions to reduce the disaster recovery time for HashiCorp Vault to mere seconds.   #aws   #build   #vault


Learning by auditing Kubernetes manifests
An example of how you could learn about Kubernetes security and architecture by reviewing reports from Checkov.   #explain   #kubernetes


Announcing GUAC, a great pairing with SLSA (and SBOM)
Graph for Understanding Artifact Composition (GUAC) aggregates software security metadata into a high fidelity graph database, normalizing entity identities and mapping standard relationships between them.   #defend   #supply-chain

📢 We are now taking bookings for 2023 sponsorships! 📢

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune 500 and FAANG, check out:
https://cloudseclist.com/sponsor/

Tools


get-secretmanager-secrets
GitHub Action that fetches secrets from Google Cloud Secret Manager and makes them available to later workflow steps via outputs.


actionlint
Static checker for GitHub Actions workflow files.


kubediff
A tool for Kubernetes to show differences between running state and version controlled configuration.


helm-backup
Helm plugin which performs backup/restore of releases in a namespace to/from a file.

From the cloud providers


#AWS   How USAA built an Amazon S3 malware scanning solution
How USAA's Public Cloud Security team securely facilitated collaboration with external vendors and AWS workloads by creating a scalable solution that scans S3 objects for viruses and malware before releasing them downstream.


#AWS   How Wego secured developer connectivity to Amazon Relational Database Service instances
How developers can get access to allow-listed resources in their virtual private cloud (VPC) directly from their workstation, by tunneling a VPN over SSH, which, in turn, is tunneled over Session Manager.


#AWS   How to control non-HTTP and non-HTTPS traffic to a DNS domain with AWS Network Firewall and AWS Lambda
How to control outbound access to a given domain in a granular way, by resolving the domain name inside an AWS Lambda function and updating a Network Firewall rule variable with the results of the DNS query.
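The two steps the post describes (resolve the domain, then write the answer into a rule-group variable), as an added example that is not the post's own code. RULE_GROUP_ARN, DOMAIN and the variable name ALLOWED_DEST are assumed values, and FakeNetworkFirewall is a constructed stand-in for the boto3 network-firewall client so the logic runs offline; inside the real Lambda you would pass boto3.client("network-firewall") instead.

```python
"""Keep a Network Firewall IP-set rule variable in sync with a DNS name.

Added example, not code from the AWS blog post. The ARN, domain and
variable name below are assumptions; FakeNetworkFirewall is constructed
here so the example runs without AWS credentials.
"""
import copy
import ipaddress
import socket
from typing import Callable, Dict, List

RULE_GROUP_ARN = "arn:aws:network-firewall:eu-west-1:123456789012:stateful-rulegroup/egress"  # assumed
DOMAIN = "updates.example.com"  # assumed
VARIABLE = "ALLOWED_DEST"       # referenced in Suricata rules as $ALLOWED_DEST


def resolve_domain(domain: str) -> List[str]:
    """Resolve a name to its current A/AAAA records (de-duplicated)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(domain, None)})


def addresses_to_cidrs(addresses: List[str]) -> List[str]:
    """IP-set definitions are CIDR strings, so host addresses get /32 or /128.
    ipaddress rejects anything that is not a literal address, so a garbage
    resolver answer raises ValueError instead of becoming a firewall rule."""
    cidrs = set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        cidrs.add(f"{ip}/{ip.max_prefixlen}")
    return sorted(cidrs)


def refresh_ip_set(client, rule_group_arn: str, variable: str, domain: str,
                   resolver: Callable[[str], List[str]] = resolve_domain) -> List[str]:
    """Resolve `domain` and store the result as IP set `variable` on the
    stateful rule group, leaving the rules and other variables untouched.
    Returns the CIDR list that was written."""
    cidrs = addresses_to_cidrs(resolver(domain))
    if not cidrs:
        # A failed or empty lookup must not replace a working allow list.
        raise RuntimeError(f"{domain} resolved to nothing; keeping previous IP set")
    current = client.describe_rule_group(RuleGroupArn=rule_group_arn, Type="STATEFUL")
    rule_group = current["RuleGroup"]
    rule_group.setdefault("RuleVariables", {}).setdefault("IPSets", {})[variable] = {
        "Definition": cidrs
    }
    # UpdateToken is Network Firewall's optimistic lock: a stale token means the
    # group changed since we read it, and the call fails instead of overwriting.
    client.update_rule_group(
        UpdateToken=current["UpdateToken"],
        RuleGroupArn=rule_group_arn,
        RuleGroup=rule_group,
        Type="STATEFUL",
    )
    return cidrs


class FakeNetworkFirewall:
    """Constructed stand-in for boto3's network-firewall client (offline only)."""

    def __init__(self) -> None:
        self.token = "token-1"
        self.rule_group = {
            "RuleVariables": {"IPSets": {VARIABLE: {"Definition": ["192.0.2.1/32"]}}},
            "RulesSource": {"RulesString": f"pass tls $HOME_NET any -> ${VARIABLE} 443 (sid:1;)"},
        }

    def describe_rule_group(self, RuleGroupArn: str, Type: str) -> Dict:
        return {"UpdateToken": self.token, "RuleGroup": copy.deepcopy(self.rule_group)}

    def update_rule_group(self, UpdateToken: str, RuleGroupArn: str,
                          RuleGroup: Dict, Type: str) -> Dict:
        if UpdateToken != self.token:
            raise RuntimeError("InvalidTokenException")
        self.rule_group = copy.deepcopy(RuleGroup)
        self.token = f"token-{int(self.token.split('-')[1]) + 1}"
        return {"UpdateToken": self.token}


def constructed_resolver(domain: str) -> List[str]:
    """Constructed DNS answer (documentation ranges) so the example runs offline."""
    return ["203.0.113.10", "203.0.113.10", "2001:db8::1"]


def lambda_handler(event, context, client=None, resolver=resolve_domain):
    """Entry point for a scheduled (EventBridge) invocation."""
    if client is None:
        import boto3  # only needed inside the real Lambda
        client = boto3.client("network-firewall")
    return {"written": refresh_ip_set(client, RULE_GROUP_ARN, VARIABLE, DOMAIN, resolver)}


if __name__ == "__main__":
    print(lambda_handler({}, None, client=FakeNetworkFirewall(), resolver=constructed_resolver))
```

The caveat a practitioner should keep in mind: DNS answers for CDN-fronted domains rotate, so the Lambda has to run on a schedule shorter than the record TTL, and there is always a window in which a newly published address is still blocked or a retired one is still allowed. For plain HTTPS, Network Firewall's own SNI-based domain rules avoid this problem entirely; this pattern is for the non-HTTP(S) protocols the post is about.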


#AWS   Use Amazon Cognito to add claims to an identity token for fine-grained authorization
How to use Amazon Cognito to perform fine-grained authorization, which provides additional details about an authenticated user by using claims that are added to the identity token.
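The mechanism behind this is Cognito's Pre Token Generation Lambda trigger, which lets you add, override or suppress claims before the token is signed. Below is an added example of such a trigger; it is not code from the AWS blog post. The attribute names (custom:tenant_id, custom:plan), the claim names, the "role:" group prefix and the event returned by constructed_event() are all assumptions made for illustration.

```python
"""Cognito Pre Token Generation trigger that adds authorization claims.

Added example, not code from the AWS blog post. Attribute names, claim
names and the group prefix are assumptions; constructed_event() is a
hand-made sample of the trigger event so the handler runs offline.
"""
from typing import Any, Dict, List

# Profile attributes that may be copied into the token, mapped to the claim
# name. Only attributes the app client cannot write belong here: a
# user-writable custom attribute would let users grant themselves claims.
EXPORTED_ATTRIBUTES = {"custom:tenant_id": "tenant_id", "custom:plan": "plan"}

# Standard claims the API does not need and that should not ride along in
# every token handed to the client.
SUPPRESSED_CLAIMS = ["phone_number", "birthdate"]


def build_claims(user_attributes: Dict[str, str], groups: List[str]) -> Dict[str, str]:
    """Derive the claims to add. Cognito only accepts string values here."""
    claims: Dict[str, str] = {}
    for attr, claim in EXPORTED_ATTRIBUTES.items():
        value = user_attributes.get(attr)
        if value:
            claims[claim] = str(value)
    # Roles come from group membership (managed by administrators), never
    # from an attribute the user might be able to edit.
    roles = sorted(g[len("role:"):] for g in groups if g.startswith("role:"))
    if roles:
        claims["roles"] = " ".join(roles)
    return claims


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    request = event["request"]
    groups = request.get("groupConfiguration", {}).get("groupsToOverride") or []
    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": build_claims(request.get("userAttributes", {}), groups),
        "claimsToSuppress": SUPPRESSED_CLAIMS,
    }
    # Cognito expects the whole event back, not just the response object.
    return event


def constructed_event() -> Dict[str, Any]:
    """Constructed sample of what Cognito sends to the trigger (abridged)."""
    return {
        "triggerSource": "TokenGeneration_Authentication",
        "request": {
            "userAttributes": {
                "sub": "11111111-2222-3333-4444-555555555555",
                "email": "alice@example.com",
                "phone_number": "+15555550100",
                "custom:tenant_id": "acme",
            },
            "groupConfiguration": {
                "groupsToOverride": ["role:editor", "role:billing", "beta-testers"],
                "iamRolesToOverride": [],
                "preferredRole": None,
            },
        },
        "response": {},
    }


if __name__ == "__main__":
    out = lambda_handler(constructed_event(), None)
    print(out["response"]["claimsOverrideDetails"])
```

Two things to check before relying on this: the original (V1) trigger only changes the ID token, so a resource server that validates access tokens will not see these claims unless the user pool is configured for the newer trigger version that can also customize the access token; and the trigger also fires on refresh, so claims derived from groups are recomputed when membership changes rather than frozen for the life of the refresh token.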


#GCP   Practicing the principle of least privilege with Cloud Build and Artifact Registry
How to use Cloud Build's support for per-trigger service accounts to apply the principle of least privilege to builds that push images to Artifact Registry.


#GCP   Introducing Cloud Workstations: Managed and Secure Development environments in the cloud
Cloud Workstations is a remote, managed, and secure IDE solution for developers, now entering Public Preview.


#AZURE   Secure your digital payment system in the cloud with Azure Payment HSM - now generally available
Microsoft announced the general availability of Azure Payment HSM, a BareMetal Infrastructure as a Service (IaaS) offering that gives customers native access to payment HSMs in the Azure cloud.


#AZURE   General availability: Ephemeral OS disk support for confidential virtual machines
Create confidential VMs using Ephemeral OS disks for your stateless workloads.


#AZURE   Generally available: Encrypt storage account with cross-tenant customer-managed key
Azure Storage now supports customer-managed keys using a key vault on a different Azure Active Directory tenant.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini