Release Date: 12/01/2020 | Issue: 19
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:

This week's articles

Adopting AWS VPC Endpoints at Square
Super interesting write-up on how Square uses VPC endpoints to access AWS services without giving VPC resources direct Internet connectivity.

Container Forensics: When your cluster becomes a cluster
Talk from KubeCon EU 2019 which provides useful insights on where to get information about what's happening in your cluster, common mitigation options (such as how to alert, isolate, pause, restart, or kill a container), common types of container attacks, and how to restore services after an incident.

Pull-based CD Pipelines for Security
A blog post that advocates for the adoption of GitOps and of a pull-based DevOps pipeline, not just for Kubernetes deployments but also for building and pushing container images.

Automating Least Privilege in AWS IAM with Policy Sentry
In this post, the Salesforce team walks through the principles of least privilege IAM policies, the general steps that one would use to write them by hand, and how Policy Sentry automates this process.

Effective Actions for IAM
Ever wonder what that "*" in your AWS IAM policy Action statement is going to turn into? After you paste your policy JSON into this service, you will see a list of allowed actions by resource.

Pentesting Kubernetes with Kube-Hunter
Introductory post on how to use kube-hunter in a Kubernetes cluster for the identification of security vulnerabilities that an attacker could exploit, either from outside or inside the network.

12 Kubernetes configuration best practices
Deep dive into key Kubernetes security configurations and recommended best practices you should follow.

tf-parliament: Run Parliament AWS IAM Checker on Terraform Files
By default, Parliament runs only on JSON IAM policies, not Terraform files. This utility parses your Terraform, finds aws_iam_policy_document elements, generates resulting IAM policy document strings, and runs Parliament on them.

Developers: How we use SRP, and you can too
1Password open sourced their Go implementation of the Secure Remote Password (SRP) protocol, the same one they use in 1Password Teams.

From the cloud providers

AWS Nitro Enclaves
AWS Nitro Enclaves are small, isolated "sidecar" VMs with no network access or storage; you can create them and communicate with them only from an EC2 instance (for example, for storing secrets and keys).

gke-security-scenarios-demo
This project demonstrates a series of best practices for improving the security of containerized applications deployed to Kubernetes Engine, by providing 3 examples of securing applications in GKE.

Azure Security Controls Benchmark (ASCB)
First Azure-related news in CloudSecList! Microsoft released the Azure security benchmarks documentation, with best practices and guidance on how to secure your cloud solutions on Azure.

Introducing Security Defaults
Secure default settings that Microsoft manages on an organization's behalf to keep customers safe until they are ready to manage their own identity security story.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.