Release Date: 19/03/2023 | Issue: 179
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, you can sign up on the CloudSecList website.
Sponsor

BeyondCorp, Zero Trust Architecture Strategy, and Teleport
BeyondCorp comes from a realization that VPN perimeter network security is obsolete. As soon as an attacker breaches the perimeter, they have unrestricted access to the resources. Zero trust has been hyped up in recent years. With the release of a memorandum discussing federal Zero Trust Architecture (ZTA) strategies, zero trust has entered the mainstream at the government level. Although the memo focuses on government agencies, it has a clear structure and strong foundations for any modern company...
Keep reading the Teleport blog.

This week's articles


Intro to Kubernetes - Containers at Scale Containerized Adventures   #explain, #kubernetes
Kubernetes is all about containers at scale. But what does that mean? Learn more with this illustrated intro to Kubernetes!


Building ClickHouse Cloud From Scratch in a Year   #build, #strategy
Have you ever wondered what it takes to build a serverless software as a service (SaaS) offering in under a year? In this blog post, ClickHouse describes how they built ClickHouse Cloud from the ground up.


The Many Ways to Access DynamoDB   #aws, #explain, #iam
Post discussing the many ways to restrict access to DynamoDB at both a framework and an implementation level, utilizing patterns and tools such as RBAC, IAM, and Terraform.


Container security fundamentals part 2: Isolation & namespaces   #containers, #explain
A look at how Docker containers use namespaces for isolation.


Monitoring Kubernetes Clusters on GKE   #explain, #gcp, #monitor
A hands-on guide to monitoring and logging at different layers in the GKE stack.


Forensic container analysis in Kubernetes   #kubernetes, #monitor
With the help of container checkpointing, it is possible to create a checkpoint of a running container without stopping the container and without the container knowing that it was checkpointed.


awesome-detection-rules   #monitor
A collection of threat detection rules / rules engines.


Service meshes: an in-depth introduction   #containers, #explain
An overview of service meshes that clarifies the benefits they offer as well as the extra complexity.


Passwordless Authentication made easy with Cognito   #aws, #build
A step-by-step guide, including a working demo and complete source code for both frontend and backend.

Tools


action-github-app-token
Fetch a GitHub auth token for a GitHub App installation.


bearer
Code security scanning tool (SAST) that discovers, filters and prioritizes security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD).


ec2-former2
Provisions an EC2 web instance running former2 for generating IaC scripts from existing AWS resources.


nix-bootstrap
Easily generate reproducible infrastructure.


saml2aws
CLI tool which enables you to log in and retrieve AWS temporary credentials using a SAML IdP.

Sponsor

AlphaSOC: Free Adversary Simulation Utility
Want to test your threat detection stack? AlphaSOC has published Network Flight Simulator (*flightsim*), a free, open source utility that synthesizes malicious traffic patterns including C2 beacons, DGA traffic, DNS tunneling, SSH exfiltration, network scanning, and cryptomining. Use *flightsim* to instantly uncover detection blind spots and improve your SIEM / SOAR configuration.
Network Flight Simulator on GitHub

From the cloud providers


AWS: How to use Google Workspace as an external identity provider for AWS IAM Identity Center
How to set up Google Workspace as an external identity provider (IdP) for AWS IAM Identity Center, how to configure permissions for your users and the roles that they will assume, and how they can access different accounts.


AWS: Amazon Linux 2023, a Cloud-Optimized Linux Distribution with Long-Term Support
AWS announced the general availability of Amazon Linux 2023 (AL2023), a cloud-optimized Linux distribution.


AWS: Establishing a data perimeter on AWS: Allow only trusted resources from my organization
On AWS, a resource perimeter is a set of AWS Identity and Access Management (IAM) features and capabilities that you can use to build your defense-in-depth protection against unintended data transfers.


AWS: Introducing Mountpoint for Amazon S3, a high performance open source file client
AWS announced the alpha release of Mountpoint for S3, a new open source file client that delivers high throughput access, lowering compute costs for data lakes on Amazon S3.


GCP: Service Account Key Expiry is now GA
GCP announced the general availability of service account key expiry via a constraint in organization policy. You can easily configure an expiration time at the org/folder/project level and all new service account keys created will have that expiration time.


GCP: Improve security posture with time bound session length
Session length is a configuration parameter that administrators can set to control how long users can access Google Cloud without having to reauthenticate.


GCP: How to implement VPC Service Control using Terraform
Tutorial explaining how to deploy and test VPC service controls in GCP using Terraform.


GCP: TLS inspection overview
Google Cloud Secure Web Proxy now supports TLS inspection. Security and network admins can set policy-based rules to allow or block HTTPS traffic leveraging the full URL path.


Azure: Generally available: Immutable vaults for Azure Backup
Immutable vaults help you protect your backups against threats like ransomware attacks and malicious actors by ensuring that your backup data cannot be deleted before its intended expiry time.


Azure: Protect against cyberattacks with the new Azure Firewall Basic
Azure announced the general availability of Azure Firewall Basic, a new SKU of Azure Firewall built for SMBs.


Azure: Public Preview - Backup for Azure Kubernetes Service (AKS)
Azure Backup is announcing the public preview of Backup for AKS, allowing customers to protect their applications by providing the ability to back up and restore AKS clusters.


Azure: Public Preview: Collect Syslog from AKS nodes using Azure Monitor container insights
Customers can now collect Syslog from their AKS Clusters using Azure Monitor container insights.


Azure: Generally available: Azure Monitor integration with Azure Container Apps
You can now choose different destinations for your Azure Container Apps logs.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present, CloudSecList by Marco Lancini.