Release Date: 27/08/2023 | Issue: 202
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Tines's Essential Guide to No-Code Automation for Security Teams serves as the ultimate resource on no-code automation for security practitioners. It provides an overview of what no-code automation is, why it is a critical skill for those at the forefront of security operations, and how to bring the power of no-code automation to your security team. In addition, the playbook includes a variety of resources, from customer case studies and success stories to tips to prepare for the future and best practices for implementation.
View the full guide

This week's articles


The building blocks of modern enterprise identity
The article discusses the importance of modern enterprise identity in the context of cloud-native technologies. It highlights the key building blocks of identity, including authentication, authorization, and identity governance, and emphasizes the need for a comprehensive and scalable identity solution to ensure security and compliance in the cloud.   #strategy


Risk in AWS SSM Port Forwarding
A surprising AWS Systems Manager Session Manager (SSM) default that can introduce risk, especially for customers using SSM's Port Forwarding features.   #attack   #aws


Shipping RDS IAM Authentication (with a bastion host & SSM)
A basic guide to getting RDS IAM Authentication set up when you're using a Private Endpoint.   #aws   #build   #iam


Methods to Backdoor an AWS Account
Post exploring some methods that an adversary can use to create backdoors in your AWS account: access keys, AssumeRole, changing Security Groups, UserData scripts, and SSM Send-Command.   #attack   #aws


Container security fundamentals part 5: AppArmor and SELinux
A look at how AppArmor and SELinux are used in Linux and container systems.   #containers   #explain


Kubernetes Security Ultimate Checklist
A security checklist to understand the basics of authentication, authorization, audit logging, and admission control of Kubernetes.   #explain   #kubernetes


Building Docker Images Smaller, Rootless and Non-Shell for Kubernetes
The article discusses how to build smaller Docker images for Kubernetes by using rootless and non-shell configurations. It provides step-by-step instructions and code examples to help optimize container images.   #build   #containers


Pivoting Clouds in AWS Organizations: Examining AWS Security Features and Tools for Enumeration
The architecture and the considerable number of enabled/delegated service possibilities in AWS Organizations present a serious vector for lateral movement within corporate environments. This could easily turn a single AWS account takeover into a multiple-account takeover.   #attack   #aws


Kubernetes Validating Admission Policies: A Practical Example
An example showing how to use the new Common Expression Language (CEL) to declare validation rules.   #explain   #kubernetes

Sponsor

Prevent cyberattacks from hurting your business with NordPass, a password manager designed by the team behind NordVPN. NordPass Business has been audited by Cure53 and is ISO 27001 and SOC 2 Type 1 certified.
NordPass is an intuitive tool that your employees will actually use. And that's ideal because password managers work their best magic when everyone in the company uses them. But if your team needs help, NordPass offers tech support 24/7.
Get started with a 14-day free trial

Tools


Integration with Kubernetes Validating Admission Policy
Gatekeeper can now integrate with Kubernetes Validating Admission Policy based on Common Expression Language (CEL).


workload-security-evaluator
Tooling to simulate runtime attacks and test default runtime detections from Datadog Cloud Security Management. You can also refer to the companion blog post.


semgrep-rules
HashiCorp-relevant rules for the Semgrep code analysis tool.


aws_url_signer
POC tool to create signed AWS API GET requests to bypass GuardDuty alerting of off-instance credential use via SSRF.


basti
Securely connect to RDS and other AWS resources in a VPC with no idle cost.

From the cloud providers


#AWS   How we designed Cedar to be intuitive to use, fast, and safe
This post is a deep dive into the design of Cedar, an open source language for writing and evaluating authorization policies.


#AWS   How AWS built the Security Guardians program, a mechanism to distribute security ownership
How AWS developed a mechanism to scale security processes and expertise by distributing security ownership between security teams and development teams.


#AWS   AWS Digital Sovereignty Pledge: Announcing new dedicated infrastructure options
AWS announced further control over the location of your data.


#AWS   AWS Certificate Manager introduces Enterprise Controls to help govern certificate issuance
You can now use IAM condition context keys with AWS Certificate Manager (ACM) to help ensure that users are issuing certificates that conform to your organization's public key infrastructure (PKI) guidelines.


#GCP   New zero trust and digital sovereignty controls in Workspace, powered by AI
Google announced new zero trust, digital sovereignty, and threat defense controls powered by Google AI to help organizations keep their data safe.

Jobs

Hiring? Feature your listings below - reach out now at [email protected]

Lead Cybersecurity Engineer - Visa
Visa is looking for a Security Engineer to serve as a subject matter expert and technical lead in the IAM team for various Cloud Security deployments.


Senior Cloud Security Engineer - Snowflake
Snowflake is looking for new members for their Cloud Security Assurance team, responsible for maintaining (and raising) the security bar across their production cloud environments.


Cloud Security Engineer - Vanguard
Vanguard is looking for security engineers with Azure experience.


Principal Cloud Security Engineer - LastPass
The LastPass Product Security team is looking for a Staff/Principal Cloud Security Engineer candidate to join their team and help them ensure the privacy and security of their company's and users' data.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini