Release Date: 19/03/2023 | Issue: 179
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

BeyondCorp, Zero Trust Architecture Strategy, and Teleport
BeyondCorp comes from a realization that VPN perimeter network security is obsolete. As soon as an attacker breaches the perimeter, they have unrestricted access to the resources. Zero trust has been hyped up in recent years. With the release of a memorandum discussing federal Zero Trust Architecture (ZTA) strategies, zero trust has entered the mainstream at the government level. Although the memo focuses on government agencies, it has a clear structure and strong foundations for any modern company...
Keep reading the Teleport blog.

This week's articles


Intro to Kubernetes - Containers at Scale Containerized Adventures
Kubernetes is all about containers at scale. But what does that mean? Learn more with this illustrated intro to Kubernetes!   #explain   #kubernetes


Building ClickHouse Cloud From Scratch in a Year
Have you ever wondered what it takes to build a serverless software as a service (SaaS) offering in under a year? In this blog post, ClickHouse describes how they built ClickHouse Cloud from the ground up.   #build   #strategy


The Many Ways to Access DynamoDB
Post discussing the many ways to restrict access to a DynamoDB instance at both a framework and implementation level, utilizing patterns and tools such as RBAC, IAM, Terraform.   #aws   #explain   #iam


Container security fundamentals part 2: Isolation & namespaces
A look at how Docker containers use namespaces for isolation.   #containers   #explain


Monitoring Kubernetes Clusters on GKE
A hands-on guide to monitoring and logging at different layers in the GKE stack.   #explain   #gcp   #monitor


Forensic container analysis in Kubernetes
With the help of container checkpointing, it is possible to create a checkpoint of a running container without stopping the container and without the container knowing that it was checkpointed.   #kubernetes   #monitor


awesome-detection-rules
A collection of threat detection rules / rules engines.   #monitor


Service meshes: an in-depth introduction
An overview of service meshes that clarifies the benefits they offer as well as the extra complexity.   #containers   #explain


Passwordless Authentication made easy with Cognito
A Step-by-Step Guide, including working demo and complete source code for both frontend and backend.   #aws   #build

Sponsor

AlphaSOC: Free Adversary Simulation Utility
Want to test your threat detection stack? AlphaSOC has published Network Flight Simulator (*flightsim*) which is a free, open source utility that synthesizes malicious traffic patterns including C2 beacons, DGA traffic, DNS tunneling, SSH exfiltration, network scanning, and cryptomining. Use *flightsim* to instantly uncover detection blindspots and improve your SIEM / SOAR configuration.
Network Flight Simulator on GitHub

Tools


action-github-app-token
Fetch a GitHub auth token for a GitHub App installation.


bearer
Code security scanning tool (SAST) that discovers, filters and prioritizes security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD).


ec2-former2
Provisions EC2 web instance running former2 for generating IaC scripts from existing AWS resources.


nix-bootstrap
Easily generate reproducible infrastructure.


saml2aws
CLI tool which enables you to log in and retrieve AWS temporary credentials using a SAML IdP.

From the cloud providers


#AWS   How to use Google Workspace as an external identity provider for AWS IAM Identity Center
How to set up Google Workspace as an external identity provider (IdP) for AWS IAM Identity Center, how to configure permissions for your users and the roles that they will assume, and how they can access different accounts.


#AWS   Amazon Linux 2023, a Cloud-Optimized Linux Distribution with Long-Term Support
AWS announced the general availability of Amazon Linux 2023 (AL2023), a cloud-optimized Linux distribution.


#AWS   Establishing a data perimeter on AWS: Allow only trusted resources from my organization
On AWS, a resource perimeter is a set of AWS Identity and Access Management (IAM) features and capabilities that you can use to build your defense-in-depth protection against unintended data transfers.


#AWS   Introducing Mountpoint for Amazon S3, a high performance open source file client
AWS announced the alpha release of Mountpoint for S3, a new open source file client that delivers high throughput access, lowering compute costs for data lakes on Amazon S3.


#GCP   Service Account Key Expiry is now GA
GCP announced the general availability of service account key expiry via a constraint in organization policy. You can easily configure an expiration time at the org/folder/project level and all new service account keys created will have that expiration time.


#GCP   Improve security posture with time bound session length
Session length is a configuration parameter that administrators can set to control how long users can access Google Cloud without having to reauthenticate.


#GCP   How to implement VPC Service Control using Terraform
Tutorial explaining how to deploy and test VPC service controls in GCP using Terraform.


#GCP   TLS inspection overview
Google Cloud Secure Web Proxy now supports TLS inspection. Security and network admins can set policy-based rules to allow or block HTTPS traffic leveraging the full URL path.


#AZURE   Generally available: Immutable vaults for Azure Backup
Immutable vaults help you protect your backups against threats like ransomware attacks and malicious actors by ensuring that your backup data cannot be deleted before its intended expiry time.


#AZURE   Protect against cyberattacks with the new Azure Firewall Basic
Azure announced the general availability of Azure Firewall Basic, a new SKU of Azure Firewall built for SMBs.


#AZURE   Public Preview - Backup for Azure Kubernetes Service (AKS)
Azure Backup is announcing the public preview of Backup for AKS, allowing customers to protect their applications by providing the ability to back up and restore AKS clusters.


#AZURE   Public Preview: Collect Syslog from AKS nodes using Azure Monitor container insights
Customers can now collect Syslog from their AKS Clusters using Azure Monitor container insights.


#AZURE   Generally available: Azure Monitor integration with Azure Container Apps
You can now choose different destinations for your Azure Container Apps logs.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues!

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini