Release Date: 08/10/2023 | Issue: 208
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

JupiterOne: Know What You’re Defending
Perhaps the biggest problem in cybersecurity today is that companies don’t have a good understanding of what they’re defending. JupiterOne solves this foundational issue by collecting everything you own into a single system of record that includes cloud infrastructure, endpoints, DNS, SaaS apps, and more.
It connects the dots using graph-based technologies, allowing you to ask complex Attack Surface Questions, like “Show me all VMware-based systems associated with our crown jewels and that have something facing the internet.”

This week's articles


Overhauling AWS account access with Terraform, Granted, and GitOps
Duckbill breaks down their method of accessing thousands of client AWS accounts in a way that preserves ease of access, maintains data confidentiality, and still provides all the permissions needed.   #aws   #build   #iam


Security Hub gives me imposter syndrome
Chris Farris' take on AWS Security Hub, what's wrong, what's good, and why it's a dangerous service for smaller companies.   #aws   #explain


Meeting the FedRAMP FIPS 140-2 requirement on AWS
Some ideas for implementing encryption that uses FIPS modules on AWS.   #aws   #build


Threat Modeling the Supply Chain for Software Consumers
From a software consumer perspective, how do we know where to start to address the real supply chain threats? Which risks are more critical than others? What framework or standard should be adopted quickly?   #strategy   #supply-chain


5 things you may not know about AWS IAM
SCPs are not inherited the way you would expect them to be; resource policies can grant permissions on their own; NotPrincipal evaluation may not do what you expect; a permission can be granted by a combination of statements; and KMS grants behave like detached resource policy statements.   #aws   #iam


Introduction to AWS Attribute-Based Access Control
The article provides an introduction to Attribute-Based Access Control (ABAC) in AWS. It explains how ABAC differs from traditional Role-Based Access Control (RBAC) and how to use tags to implement ABAC.   #aws   #explain   #iam


PCI v4 is coming. Are you ready?
With Version 4.0, businesses gain the flexibility to define and deploy personalized security measures aligned with their specific cardholder data environment (CDE) setup.   #strategy


How to traceroute Kubernetes pod-to-pod traffic
Post delving into Kubernetes networking within the context of VirtualBox, providing command-line examples and illustrations that shed light on pod-to-pod communication.   #explain   #kubernetes


ZAP is Joining the Software Security Project
ZAP (Zed Attack Proxy) has decided to leave OWASP and join the Linux Foundation.   #announcement


Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement
Microsoft's analysis of an attempt to steal the cloud identity in a SQL Server instance for lateral movement highlights the importance of securing cloud identities and implementing least privilege practices when deploying cloud-based and on-premises solutions.   #attack   #azure


CVE-2023-22515 - Privilege Escalation Vulnerability in Confluence Data Center and Server
Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.   #attack   #saas


Terraform 1.6 adds a test framework for enhanced code validation
Terraform 1.6 is now generally available, highlighted by a powerful new testing framework to help authors systematically validate the functionality of their code.   #announcement   #terraform

Sponsor

BeyondCorp, Zero Trust Architecture Strategy, and Teleport
BeyondCorp comes from a realization that VPN perimeter network security is obsolete. As soon as an attacker breaches the perimeter, they have unrestricted access to the resources. With the release of a memorandum discussing federal Zero Trust Architecture (ZTA) strategies, zero trust has entered the mainstream at the government level. Although the memo focuses on government agencies, it has a clear structure and strong foundations for any modern company...

Tools


KubeHound
A Kubernetes attack graph tool allowing automated calculation of attack paths between assets in a cluster. You can also refer to the companion blog post.


R2-Explorer
A Google Drive Interface for your Cloudflare R2 Buckets.


cloudgrep
Cloudgrep is grep for cloud storage.


git-alerts
A public Git repository and misconfiguration detection tool.


nord-stream
Nord Stream is a tool that allows you to extract secrets stored inside CI/CD environments by deploying malicious pipelines. It currently supports Azure DevOps, GitHub and GitLab.

From the cloud providers


#AWS   Announcing updates to the AWS Well-Architected Framework guidance
In this release, Amazon made the implementation guidance for the new and updated best practices more prescriptive, including enhanced recommendations and steps on reusable architecture patterns targeting specific business outcomes in AWS.


#AWS   Get the full benefits of IMDSv2 and disable IMDSv1 across your AWS infrastructure
How to identify IMDSv1-enabled EC2 instances and how to determine if and when your software is making IMDSv1 calls.


#AWS   Secure by Design: AWS to enhance MFA requirements in 2024
Beginning in mid-2024, customers signing in to the AWS Management Console with the root user of an AWS Organizations management account will be required to enable MFA to proceed.


#AWS   Validate IAM policies with Access Analyzer using AWS Config rules
How to set up and continuously validate and report on compliance of the IAM policies in your environment using AWS Config.


#AWS   Use AWS Secrets Manager to store and manage secrets in on-premises or multicloud workloads
Recommended practices to securely fetch secrets from Secrets Manager from your on-premises or hybrid workload.


#GCP   Introducing Advanced Vulnerability Insights for GKE
Artifact Analysis in partnership with Google Kubernetes Engine has introduced a new vulnerability scanning offering called Advanced Vulnerability Insights.


#GCP   New custom security posture controls and threat detections in Security Command Center
Security Command Center now allows organizations to design their own customized security controls and threat detectors for their Google Cloud environment.


#GCP   Introducing Google Cloud Firewall Plus with intrusion prevention
The updated Cloud Firewall Plus provides protection against malware, spyware, and command-and-control attacks on a customer's network.


#GCP   Deliver and secure your internet-facing application in less than an hour using Dev(Sec)Ops Toolkit
The Dev(Sec)Ops toolkit helps customers accelerate the delivery of internet-facing applications with Cloud Load Balancing, Cloud Armor, and Cloud CDN.


#GCP   Policy Intelligence update
After January 15, 2024, some Policy Intelligence features will only be available for customers with organization-level activations of Security Command Center.


#AZURE   New expanded visibility into multicloud data security in Microsoft Defender for Cloud
A new data security dashboard in Defender for Cloud aims to make security teams more effective at reducing the risk of data breaches and detecting threats to data in the cloud.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini