Release Date: 23/07/2023 | Issue: 197
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button: Sign Up
Sponsor

Snyk has been named a Leader in the 2023 Gartner® Magic Quadrant™ for Application Security Testing.
Evaluate the recognized vendors and see why Snyk was recognized in the full report.

This week's articles


Levels.fyi 2023 Mid-Year Compensation Report   #strategy
Levels.fyi has released their 2023 Mid-Year Report, which provides insights into tech industry salaries and trends.


Bad.Build: PE & RCE Vulnerabilities in Google Cloud Build   #attack, #gcp
The Orca Research Pod discovered Bad.Build, a vulnerability in the Google Cloud Build service that enables attackers to escalate privileges and gain unauthorized access to code repositories and images in Artifact Registry.


Abusing Amazon VPC CNI plugin for Kubernetes   #attack, #aws, #kubernetes
The article discusses a security vulnerability in the Amazon VPC CNI plugin, used by Amazon EKS. The flaw allows an attacker to move laterally to other VPCs in the AWS account.


Refuting AWS Chain Attack - Digging Deeper into EKS Zero Day claims   #attack, #aws
An analysis of the findings published by a security researcher last month, claiming to have uncovered zero days in thousands of EKS clusters.


Guide to Istio's Authentication and Authorization Policies   #explain, #kubernetes
Learn how Istio's authentication and authorization policies enhance security in microservices. Get a comprehensive guide to implementing robust access control.


How to get rid of AWS access keys - Part 3: Replacing the authentication   #aws, #defend, #iam
Post discussing alternative solutions to using access keys.


Kubernetes Security Basics Series: Part III - Container Deployment   #explain, #kubernetes
Post explaining how to see container deployments as a precursor to building secure production infrastructure using Kubernetes.


Kubernetes API limitations in finding non-standard pods and containers   #kubernetes, #monitor
Why it's essential to monitor non-standard pods and containers, including static pods, mirror pods, init containers, pause containers, and ephemeral containers within your Kubernetes environment.


Orca Security's journey to a petabyte-scale data lake with Apache Iceberg and AWS Analytics   #aws, #build, #strategy
Orca Security shares their experience in building a petabyte-scale data lake using Apache Iceberg and AWS services.

Tools


Cloudflare Pages Terraform Module
A small module that creates a Cloudflare Pages application with Zero Trust Authentication, where only the "allowed_emails" are allowed to access the application.


Forager
Monitors public commits on GitHub and package releases on npm, looking for leaked secrets. You can also refer to the companion blog post.


BadZure
A PowerShell script that leverages the Microsoft Graph SDK to orchestrate the setup of Azure Active Directory tenants, populating them with diverse entities while also introducing common security misconfigurations to create vulnerable tenants with multiple attack paths.


yatas
A simple tool to audit your AWS/GCP infrastructure for misconfigurations or potential security issues, with plugin integration.


gh-actions-importer
GitHub Actions Importer helps you plan and automate the migration of Azure DevOps, CircleCI, GitLab, Jenkins, and Travis CI pipelines to GitHub Actions.

Sponsor

Prevent cyberattacks from hurting your business with NordPass, a password manager designed by the team behind NordVPN. It's the only password manager using the XChaCha20 encryption algorithm, considered the future of encryption. NordPass Business has been audited by Cure53 and is ISO 27001 and SOC 2 Type 1 certified.
NordPass is an intuitive tool that your employees will actually use. And that's ideal because password managers work their best magic when everyone in the company uses them. But if your team needs help, NordPass offers tech support 24/7.
Get started with a 14-day free trial

From the cloud providers


Amazon S3 Inventory can include ACLs as object metadata in inventory reports
With Amazon S3 Inventory, you can now easily review your access control lists (ACLs) on all of your objects to simplify review of access permissions.


How to scan EC2 AMIs using Amazon Inspector
How to use EventBridge, Lambda, Step Functions, SNS, and S3 to scan AMIs and generate Amazon Inspector finding reports to help ensure that your AMIs are scanned for known vulnerabilities and updated prior to deployment.


Optimize AWS Config for AWS Security Hub to effectively manage your cloud security posture
How to set up and optimize the AWS Config recorder when it is used for controls in Security Hub.


Protect APIs with Amazon API Gateway and perimeter protection services
Post discussing how to protect APIs by building a perimeter protection layer with CloudFront, WAF, and Shield and putting it in front of API Gateway endpoints.


How to manage certificate lifecycles using ACM event-driven workflows
With AWS Certificate Manager (ACM), you can simplify certificate lifecycle management by using event-driven workflows to notify or take action on expiring TLS certificates in your organization.


Nuts and bolts of NEGs (Network Endpoint Groups) in GCP
Blog explaining the different types of NEGs in GCP, and their support for GCP Load Balancers.


Securing Cloud Run Deployments with Binary Authorization
How Google Cloud users can secure their Cloud Run deployments using approved Artifact Registry repositories and Binary Authorization.


New Extended Security Updates (ESUs) enabled by Azure Arc
Customers will be able to purchase and seamlessly deploy ESUs through Azure Arc in on-premises or multicloud environments, right from the Azure portal.


Public preview: Bring your own key on Ephemeral OS disk for AKS
You can now use your own keys to encrypt your ephemeral OS disks.


Expanding cloud logging to give customers deeper security visibility
Microsoft will include access to wider cloud security logs at no additional cost.

Jobs

Hiring? Feature your listings below - reach out now at [email protected]

Engineering Manager - AWS Security
The Product Security team at AWS is looking for an engineering manager in California.


Engineering Manager - Figma
The Security team at Figma is looking for an Engineering Manager to lead a group of engineers to build systems and solutions to protect Figma and their users.


Senior Security Engineer - ITV
ITV is looking for Cloud Security Engineers to join their Security Engineering team in London.


Cloud Security Engineer - FNZ Group
FNZ Group is looking for a Cloud Security Engineer to support their growing public cloud footprint.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present, CloudSecList by Marco Lancini.