Release Date: 11/06/2023 | Issue: 191
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

JupiterOne: Know What You’re Defending
Perhaps the biggest problem in cybersecurity today is that companies don’t have a good understanding of what they’re defending. JupiterOne solves this foundational issue by collecting everything you own into a single system of record that includes cloud infrastructure, endpoints, DNS, SaaS apps, and more.
It connects the dots using graph-based technologies, allowing you to ask complex Attack Surface Questions, like “Show me all VMware-based systems associated with our crown jewels and that have something facing the internet.”
Learn more

This week's articles


The Big IAM Challenge
A CTF challenge created to boost your AWS IAM knowledge.   #aws   #iam


Practical Dependency Management for Developers
Some useful tips on wrangling dependencies from someone who worked on large-scale projects, CI/CD, build tools, and more.   #build   #ci/cd   #defend   #supply-chain


7 lesser-known AWS SSM Document techniques for code execution
A deep dive into AWS SSM Run Command shows that there are multiple documents attackers can use for executing code remotely on EC2 instances.   #attack   #aws


Scaling Authorization with Cedar and OPAL
A practical tutorial to build a comprehensive Cedar-based application authorization system.   #aws   #build   #iam


OneDrive to Enum Them All
TrustedSec researchers have discovered a OneDrive enumeration vulnerability that could allow an attacker to discover the email addresses of OneDrive users. You can also refer to the companion tool.   #attack   #azure   #microsoft


Confused Deputy Vulnerability in Cloudflare CASB
A vulnerability in Cloudflare CASB that allowed one customer to view sensitive information about other customers' Microsoft and GitHub organizations, including employee names and email addresses, links to SharePoint files, repository names and descriptions, and more.   #attack   #cloudflare


Implementing machine-to-machine authentication for services behind an AWS ALB with OIDC
A post exploring, at a high level, how to enforce machine-to-machine (m2m) authentication with OIDC (OpenID Connect) for services running behind an AWS ALB.   #aws   #build


We reported a security issue in AWS CDK's eks.Cluster component
Two sleuthing SREs uncovered an AWS security issue. Here's how they found it, why it matters, and what you need to do to resolve it.   #attack   #aws


Using Cloud Securely: The Config Doom Question
Customers do not know how to configure cloud services securely.   #defend   #strategy

Sponsor

If you had one hour, how would you improve your cloud security?
Prioritization and alert fatigue are the industry's two leading problems. CloudDefense.AI is able to reduce false alerts by 90-95% by building a code-to-cloud attack path map. CloudDefense provides personalized vulnerability prioritization based on your cloud deployment (just like Amazon provides you personalized recommendations) so you can get up to 5X the value over other security tools.
Learn More, get the FREE white paper today!

Tools


regal
Regal is a linter for Rego.


azure-iac-workshop-content
Labs to help people learn how to write and work with infrastructure as code in Azure.


jupyter-notebook-for-incident-response
A library of Incident Response notebooks using Jupyter.


sensitive-data-protection-on-aws
A reference implementation that allows you to create data catalogs and to discover, protect, and visualize sensitive data across multiple AWS accounts.


freedata
A project for free (maybe) egress from EC2 instances using Tailscale and Session Manager.


aws-api-models
A collection of documented and undocumented AWS API models.

From the cloud providers




#AWS   Amazon Route 53 now integrates with Amazon GuardDuty threat intelligence
You can now enable a new Managed Domain List on Amazon Route 53 Resolver DNS Firewall to block domains that Amazon GuardDuty's threat intelligence identifies as low-reputation, or as known or suspected to be malicious.


#AWS   Announcing Container Image Signing with AWS Signer and Amazon EKS
Amazon announced the launch of AWS Signer Container Image Signing, a new capability that gives customers native AWS support for signing and verifying container images stored in container registries like ECR.


#AWS   Temporary elevated access management with IAM Identity Center
A temporary elevated access management solution that integrates with AWS IAM Identity Center and allows you to manage temporary elevated access to your multi-account AWS environment.


#AWS   Amazon CloudWatch Logs data protection account level policy configuration
Amazon CloudWatch Logs announces support for account-level data protection policy configuration: you can now create a single data protection policy that is applied to all existing and future log groups within your AWS account.


#GCP   Google Cloud offers customers financial help for cryptomining attacks
Google Cloud now offers Security Command Center Premium customers $1 million of protection against cryptomining attacks.


#GCP   Announcing general availability of Cloud Firewall threat intelligence and geo-location features
Four new Cloud Firewall features are now generally available, including threat intelligence, geo-location objects, address groups, and local IP ranges.


#GCP   Introducing Google's Secure AI Framework
Google released the Secure AI Framework to help collaboratively secure AI technology.


#GCP   Google Workspace Updates: Simplify and strengthen sign-in by enabling passkeys for your users, available now in open beta
Google Workspace is enabling the use of passkeys as a simpler and safer alternative to passwords to sign-in to Google Accounts.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini