Release Date: 21/05/2023 | Issue: 188
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Unit 42 Unveils Most 'Expansive' Cloud Threat Research Yet
The Unit 42 Cloud Threat Report addresses how threat actors have become adept at exploiting common, everyday issues in the cloud. Learn about the greatest risks to your cloud environment and how to manage them effectively. You’ll also:
  • Learn lessons from real cloud breach incidents.
  • Get tips to stay ahead of cloud threat actors.
  • Address the most common cloud security issues.
  • Discover the impacts and risks of open-source software in the cloud.
Get the report now

This week's articles


The Art of the Security Double Play: How Mercari Combines Internal Audits and Custom CodeQL Queries to Keep Systems Safe
Mercari combines internal audits and custom CodeQL queries to keep their systems safe. They use CodeQL to write custom queries that identify vulnerabilities in their code. These queries are then run regularly as part of their internal audit process.   #ci/cd   #defend


Connecting Block Business Units with AWS API Gateway
How Block enables backend services to securely connect across business unit boundaries using AWS API Gateway.   #aws   #build


Attacking and securing cloud identities in managed Kubernetes part 1: Amazon EKS
This post provides a deep dive into how Amazon EKS IAM works, and several attack vectors to pivot from an EKS cluster to an AWS environment.   #attack   #aws   #kubernetes


Securing Cloud Native Microservices with Role-Based Access Control using Keycloak
This article takes developers through how to integrate Keycloak's RBAC capabilities into cloud-native microservices for security with a step-by-step tutorial.   #build   #kubernetes


Understanding Azure logging capabilities in depth
Azure includes many technologies that can be used for logging purposes. Microsoft is currently transitioning from the v1 method (MMA) to the v2 method based on DCRs.   #azure   #monitor


Building a Kubernetes purple teaming lab
A how-to article from Sumo Logic explaining how to build a home lab for Kubernetes threat detection engineering and purple teaming.   #kubernetes   #monitor


Fun with container images - Bypassing vulnerability scanners
An example of how it would be possible for a malicious container image to bypass container vulnerability scanners.   #attack   #containers


An OPA Gatekeeper gotcha when enforcing policy on all resource kinds
Documenting, and providing potential solutions for, a beginner OPA Gatekeeper gotcha that people could run into.   #build   #opa


Kubernetes 1.27: KMS V2 Moves to Beta
KMS provides an interface for a provider to utilize a key stored in an external key service to encrypt etcd data. With Kubernetes 1.27, KMS is moving to beta.   #announcement   #kubernetes

Sponsor

The CSPM Buyer’s Guide (Free PDF)
Security risks grow exponentially as your cloud footprint increases. That’s why picking the right Cloud Security Posture Management (CSPM) solution is critical to building your security strategy. In this free resource, Wiz breaks down market trends to help you understand how to find the right solution for your org.
Download the CSPM Buyer’s Guide here

Tools


smokescreen
A simple HTTP proxy that fogs over naughty URLs.


github-oidc-checker
A tool that checks for misconfigured access to GitHub OIDC from AWS roles and GCP service accounts. You can also refer to the companion blog post.


gitlab-watchman
Monitoring GitLab for sensitive data shared publicly.


watchtower
A process for automating Docker container base image updates.


specctl
CLI to convert Kubernetes specifications to ECS Fargate and vice-versa.

CloudSecDocs


Supply Chain Security
A summary of the "Software Supply Chain Security Best Practices" Paper, which provides a holistic approach to supply chain security by highlighting the importance of layered defensive practices.

From the cloud providers


#AWS   AWS WAF enhances rate-based rules to support request headers and composite keys
AWS WAF now supports additional request parameters for rate-based rules, including cookies and other HTTP headers. Additionally, you can now create composite keys based on up to 5 request parameters, providing more granular options for managing and securing web application traffic.


#AWS   Simplify the Investigation of AWS Security Findings with Amazon Detective
Detective now offers investigation support for findings in AWS Security Hub in addition to those detected by GuardDuty.


#GCP   Introducing Duet AI for developers: The next frontier in AI-powered developer productivity
How Duet AI can help provide developers with real-time code suggestions, chat assistance, and enterprise-focused customization.


#GCP   Policy Controller dashboard: Now available for all Anthos and GKE environments
Policy Controller enforces programmable policies for Anthos clusters, which you can manage through the enhanced Policy Controller dashboard.


#GCP   How to solve customer challenges when security patching Google Kubernetes Engine
Cloud customers are increasingly running workloads in Kubernetes clusters. Applying security patches can be fraught - but it doesn't have to be.


#GCP   Cloud Data Loss Prevention's sensitive data intelligence service is now available in Security Command Center
Cloud DLP can monitor your data warehouse to show where sensitive data is stored and processed. You can now use Security Command Center to prioritize the findings that carry the greatest risk.


#GCP   Google Cloud Learning Courses and Certifications
Google introduced the Google Cloud learning hub, to help organizations grow critical cloud skills.


#AZURE   Azure Backup Reports now includes support for more workloads
Azure Backup Reports now includes support for more workloads: Azure Database for PostgreSQL Servers, Azure Blobs and Azure Disks.


#AZURE   Private preview: Azure Backup support for confidential VMs using Customer Managed Keys
Azure Backup support for confidential VMs using Customer Managed Keys.


#AZURE   Public preview: Azure Container Storage
Azure Container Storage is a new Azure service built natively for containers that enables customers to create and manage volumes for running production scale stateful container applications.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini