Release Date: 26/03/2023 | Issue: 180
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Do you love spending time on security questionnaires?
Didn’t think so.
That’s why we at TrustCloud wrote this guide to answering the most commonly asked questions, from our analysis of hundreds of questionnaires from Fortune 500 companies like Google, Amazon, 3M, Visa, and Verizon in our TrustShare platform.
We cover topics including policy management, pen testing, security incident management plans, and more. Read the guide to learn what enterprises are looking for during security reviews, so you can pass them faster.

This week's articles


How we built DMARC Management using Cloudflare Workers
How Cloudflare built their new DMARC Management solution entirely on top of the Workers platform.   #build   #cloudflare


A Guide to Delegated Administrator in AWS Organizations and Multi-Account Management
A guide to managing multiple AWS Accounts using AWS Organizations and how to reduce blast radius by leveraging Delegated Administrator capabilities to avoid usage of the management root account.   #aws   #explain   #iam


Using Service Control Policies to protect security baselines
Post illustrating a specific use case of SCPs that protects the security baseline, or landing zone, configuration you've created for accounts.   #aws   #defend


Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research
Public disclosure of a CloudTrail bypass in AWS Service Catalog and other logging research.   #attack   #aws


Mitigating SSRF in 2023
Article reviewing the different ways of triggering SSRF and discussing which mitigation techniques are most effective.   #attack   #aws   #defend


Implementing Magic Links with Amazon Cognito: A Step-by-Step Guide
A popular passwordless authentication method is magic links. Although this is not something that Cognito supports out of the box, it can be implemented using its Lambda hooks.   #aws   #build   #iam


The illustrated guide to S3 pre-signed URLs
Article discussing in great detail what pre-signed URLs are, how to use them, and some best practices to keep in mind.   #aws   #build


Network policies are not the right abstraction (for developers)
Post examining multiple flaws that prevent network policies, on their own, from being an effective solution for a real-world use case.   #explain   #kubernetes


The 4 Kubernetes policy types
Post introducing the four types of policies available in Kubernetes (API Objects, Admission Controllers, ValidatingAdmissionPolicy, and Dynamic Admission Controls) and providing guidance on how each should be used.   #explain   #kubernetes


Top 15 Kubectl plugins for security engineers
This article covers the most common and useful kubectl plugins for improving your Kubernetes security posture.   #defend   #kubernetes


Kubernetes Removals and Major Changes In v1.27
Article identifying and describing some of the planned (breaking) changes for the Kubernetes v1.27 release.   #build   #kubernetes


Escalating Privileges with Azure Function Apps
Undocumented APIs used by the Azure Function Apps Portal menu allowed for arbitrary file reads on the Function App containers.   #attack   #azure

Sponsor

Exclusive Research: The State of Cloud-Native Security Report 2023
Life Moves Fast in the Cloud.
If it feels like it’s getting harder to keep your organization secure, you’re not alone. Based on a survey of 2,500 InfoSec pros, Prisma Cloud’s 3rd annual report helps cybersecurity leaders gain insights into the top challenges facing their peers in cloud-native development and security. Key Findings:
  • 90% of orgs can’t detect, contain, and resolve cyber threats within an hour
  • 77% of orgs say aligning security tools with security goals is challenging
Read the findings now!

Tools


copacetic
CLI tool for directly patching container images using reports from vulnerability scanners.


untitledgoosetool
An incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer's Azure Active Directory (AzureAD), Azure, and M365 environments.


aws-cost-cli
CLI tool to perform cost analysis on your AWS account with Slack integration.


shield-advanced
Scripts and Lambdas to help with automated deployment of AWS Shield Advanced.


amazon-cognito-passwordless-auth
Passwordless authentication with Amazon Cognito: FIDO2 (WebAuthn), Magic Link, SMS OTP Step Up.

From the cloud providers


#AWS   Simplify management of Network Firewall rule groups with VPC managed prefix lists
How to use managed prefix lists to simplify management of AWS Network Firewall rules and policies across a VPC.


#AWS   How to use Amazon Macie to reduce the cost of discovering sensitive data
Macie offers several capabilities to help reduce the cost of discovering sensitive data, including automated data discovery, which can reduce your spend with new data sampling techniques that are custom-built for S3.


#AWS   AWS Clean Rooms Now Generally Available: Collaborate with Your Partners without Sharing Raw Data
Clean Rooms is an analytics service that helps companies and their partners more easily and securely analyze and collaborate on their collective datasets without sharing or copying each other's data.


#AWS   Use backups to recover from security incidents
Key AWS services and features that provide backup and recovery solutions to restore your data, based on the lessons the AWS CIRT has learned while supporting customers experiencing security events.


#GCP   Your cloud, your way: Google Distributed Cloud Hosted is generally available
Google Distributed Cloud (GDC) Hosted is an air-gapped cloud solution for customers with stringent data management and sovereignty requirements.


#AZURE   General availability: Azure Virtual Network Manager
Azure Virtual Network Manager (AVNM) is now generally available. AVNM is a one-stop shop for managing the connectivity and security of your network resources at scale.


#AZURE   Generally available: Encryption scopes on hierarchical namespace enabled storage accounts
You can now use separate encryption keys for each customer in a single hierarchical namespace enabled storage account.


#AZURE   Public preview: Listener TLS certificates management available in the Azure portal
You can now manage the TLS certificates associated with Listeners through Azure portal.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco

© 2019-present CloudSecList · Marco Lancini