This week's articles
Threat Modelling Cloud Platform Services by Example: Google Cloud Storage
#gcp, #explain
A threat modelling exercise from NCC demonstrating that user/tenant configuration choices matter when evaluating the overall security posture of a Google Cloud Storage deployment, and that a number of relative weaknesses can be mitigated through deliberate choices on the part of the user.
Data exfiltration with native AWS S3 features
#attack, #aws, #monitor
A deep dive into the different options for abusing legitimate S3 features with the end goal of data exfiltration, so as to better understand the shortcomings of native AWS logging and monitoring tooling, and to offer some suggestions on how to detect their use and abuse.
General availability of SLSA 3 Container Generator for GitHub Actions
#announcement, #supply-chain
The SLSA project announced the general availability of the SLSA 3 Container Generator for GitHub Actions, which allows any GitHub project to produce SLSA level 3 compliant provenance statements so users can verify the origin of container images they use.
Tools
CloudGPT
Use ChatGPT to analyze AWS policies for vulnerabilities.
gato
An enumeration and attack tool that allows both blue teamers and offensive security practitioners to evaluate the blast radius of a compromised personal access token within a GitHub organization.
justtrustme
A demo/testing OIDC token issuer. It will accept any claims as query parameters and mint valid OIDC tokens with them.
sbom-scorecard
Generate a score for your SBOM to understand whether it will actually be useful.
caretta
Instant K8s service dependency map, right to your Grafana.
Sponsor
SecureFlag - Secure Coding Training
The SecureFlag training platform teaches secure coding through hands-on labs that run in virtualized desktop environments available through the browser. Developers, DevOps, and QA engineers learn using the same tools and technologies they use at work. Participants learn defensive programming via a gamified, adaptive training platform that includes learning paths, tournaments, assessments, and powerful metrics, enabling organizations to build highly effective secure coding training programs. SecureFlag now supports hands-on cloud labs targeting Terraform!
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌 If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco