Release Date: 16/07/2023 | Issue: 196
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Cloud misconfiguration is the third highest cause of security breaches. Misconfigurations are easier to prevent than to fix. Developers report it can take days to weeks to provision, and it shouldn't!

Creating a win-win is possible. Where developers get the cloud infrastructure they need faster than they can get a coffee break. The best part: it's built on a library of golden patterns and protected by guardrails. Netflix Infrastructure Security teams call these solutions paved roads. Resourcely offers cloud infrastructure paved roads as a service.
https://www.resourcely.io/#contact

This week's articles


Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email
Microsoft has mitigated an attack by a China-based threat actor Microsoft tracks as Storm-0558 which targeted customer emails. Storm-0558 primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access.   #attack   #azure


Secrets Revealed in Container Images: An Internet-wide Study on Occurrence and Impact
In this paper, researchers analyzed 337,171 images from Docker Hub and 8,076 other private registries, revealing that 8.5% of images include secrets.   #containers   #defend


PCI/DSS Controls with Falco
Learn how Falco detects failed/misconfigured PCI/DSS Controls.   #containers   #monitor


Enforcing Secure and Cost-Effective Infrastructure as Code with Terraform, OPA, and Infracost
Post exploring the implementation of OPA and Infracost in a Terraform project, featuring a basic AWS setup with EC2 and RDS resources.   #build   #opa   #terraform


detection-and-response-pipeline
A compilation of suggested tools/services for each component in a detection and response pipeline, along with real-world examples.   #monitor


Summary of Upcoming Changes in OCI Image and Distribution Specs v1.1
Article which highlights improvements in areas such as image layout, content addressability, and distribution manifests, aiming to enhance security, interoperability, and performance in container image management.   #announcement   #containers


PodSecurityPolicy migration with Kyverno
The article discusses how to migrate from PodSecurityPolicy (PSP) to Kyverno, a Kubernetes policy engine. It explains the challenges of migrating and provides step-by-step instructions on how to perform the migration.   #defend   #kubernetes


Terraform apply as code: The multispace pattern
How to use the Terraform Cloud/Enterprise provider to coordinate applies and destroys on downstream workspaces in Terraform Cloud.   #explain   #terraform


Introducing passwordless authentication on GitHub.com
Passkeys are now available in public beta. Opting in lets you upgrade security keys to passkeys, and use those in place of both your password and your 2FA method.   #announcement   #ci/cd

Sponsor

US Data Privacy (USDP) is an exclusive consumer data privacy framework available only from Vanta. It's the one-stop solution for complying with consumer data privacy laws throughout the US.
USDP provides one comprehensive set of controls that gets you compliant with all current US state-level privacy laws: CCPA/CPRA, CPA, CTDPA, UCPA, and VCDPA.
The framework is constantly being updated to keep up with new and evolving regulations.
Download the USDP checklist to learn more

Tools


cedar-py
Python bindings for the Cedar Policy project.


IAMActionHunter
An IAM policy statement parser and query tool that aims to simplify the process of collecting and understanding permission policy statements for users and roles in AWS IAM. You can also refer to the companion blog post.


AWS IAM Data
A dashboard that shows AWS IAM data per service.


chartmuseum
Host your own Helm Chart Repository.


docker-compose v2.20.0 Released
This version introduces the include keyword, which allows you to use an existing Compose configuration as part of your Compose stack.

From the cloud providers


#AWS   Running GitHub Actions in a private Subnet with AWS CodeBuild
You can now define GitHub Actions steps directly in the BuildSpec and run them alongside CodeBuild commands.


#AWS   Refining IAM Permissions Like A Pro
How to detect unused IAM permissions and update them to move safely toward a least privilege environment.


#AWS   Consolidating controls in Security Hub: The new controls view and consolidated findings
You can use these features to manage controls across standards and to consolidate findings, which can help you significantly reduce finding noise and administrative overhead.


#AZURE   Azure AD is Becoming Microsoft Entra ID
Microsoft is rebranding Azure AD to Microsoft Entra ID.


#AZURE   KMS v2 on Azure Kubernetes Service now Supporting Encryption of Secrets Beyond the 2k Limit
You can now encrypt more than 2000 secrets when running your AKS cluster with KMS v2 enabled.


#AZURE   General availability: ExpressRoute private peering support for BGP communities
Set BGP community tags on traffic sent from Azure to on-premises over ExpressRoute, enabling a greater variety of hybrid network designs.

Jobs

Hiring? Feature your listings below - reach out now at [email protected]

Offensive Security Engineer - AWS Bug Bounty
AWS is looking for an experienced Security Engineer to assess and holistically test incoming submissions while driving resolution of overarching trends.


Senior Infrastructure Security Engineer - Chime
Chime is hiring for Senior Infrastructure Security Engineers in San Francisco.


Threat Intelligence Engineer - Amazon
The role will support the daily operation of our threat intelligence program, specifically focused around automation and building out systems like the threat intelligence platform and malware analysis pipeline.


Application and Infrastructure Security Engineer - Netflix
The Application and Infrastructure Security (AIS) team conducts risk discovery, security strategy development and execution, identification and execution of high impact security initiatives across Netflix applications and infrastructure.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini