Release Date: 07/01/2024 | Issue: 219
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Looking to protect your workloads and APIs?
SlashID Gate is an authorizer service to add authentication, authorization, and rate limiting to your APIs and workloads without deploying heavy service meshes like Istio or custom-built middleware.
With Gate, you can enforce OPA policies for your workloads, add fine-grained authorization through OAuth 2.0 scopes to your APIs, and implement distributed rate limiting. Additionally, Gate can tokenize API keys and access tokens for third-party services, preventing the leakage of key material at runtime.

Check out the Gate documentation to learn more.

This week's articles


Google OAuth is broken (sort of)
A Google OAuth vulnerability that allows employees to maintain access to services after they're offboarded.   #attack   #gsuite


Why did 1 GitHub Repo leak 5,000 Live GCP Keys?
More GCP Keys leaked on GitHub in 2022 than any other key type. Why? Turns out one repository played a major role.   #attack   #gcp


Deep dive into the new Amazon EKS Cluster Access Management features
Post deep-diving into the newly released Amazon EKS cluster access management features, and discussing threat detection opportunities based on the new CloudTrail events associated with this feature.   #aws   #explain   #iam


Setting secure AWS defaults and avoiding misconfigurations
Wiz cloud security researcher, Scott Piper, suggests measures organizations can adopt to ensure secure defaults on AWS and improve their security posture.   #aws   #defend


Exploiting Monitoring and Service Mesh Configurations in GKE to Gain Unauthorized Access
The article exposes a privilege escalation vulnerability in Google Kubernetes Engine, involving misuse of FluentBit and Anthos Service Mesh, allowing attackers to gain full cluster control.   #attack   #gcp   #kubernetes


How we organize and get things done with SERVICEOWNERS
How GitHub engineering solves the age-old problem of who owns what.   #build   #ci/cd


How to use Dockerfiles with wolfi-base images
Post explaining how to use wolfi-base with Docker tooling by looking at using Chainguard base images, including "static" and "wolfi-base".   #build   #containers

Sponsor CloudSecList in 2024

If you want to get your product in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune 500 and FAANG, take a look at:
🔗 cloudseclist.com/sponsor

Tools


osqtool
Automated generation & manipulation of osquery packs.


awsaccountcreds
An AWS credential_process credential provider that sources credentials from AWS Systems Manager's Default Host Management Configuration. It allows an EC2 instance to assume a role without an associated instance profile.
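The credential_process mechanism that awsaccountcreds plugs into is a contract between the AWS CLI/SDK and an arbitrary executable named in the profile: the SDK runs it and parses the JSON it prints. That also means whoever can modify the executable (or the config pointing at it) can mint credentials or run code as every user of the profile. The checker below is an added example, not code from awsaccountcreds or AWS: it vets the provider's file permissions, runs it, and validates its output against the documented contract. The profile name `ssm-host`, the temp paths and all credential values are constructed, and the fixture assumes a POSIX host that honours shebang lines.

```python
"""Vet a profile that sources credentials from a credential_process provider.

Added example (not awsaccountcreds or AWS code). Profile name, paths and
credential values are constructed; the fake provider relies on shebang support.
"""
import configparser
import json
import os
import shlex
import stat
import subprocess
import sys
import tempfile
from datetime import datetime, timedelta, timezone


def parse_credential_output(raw, now=None):
    """Validate the JSON a credential_process provider prints to stdout.

    Contract: Version must be 1; AccessKeyId and SecretAccessKey are required;
    SessionToken and Expiration (ISO 8601, UTC) are optional. Without
    Expiration the SDK treats the keys as long-lived, so a provider handing
    out STS credentials should always include it.
    """
    data = json.loads(raw)
    if data.get("Version") != 1:
        raise ValueError(f"unsupported Version: {data.get('Version')!r}")
    for key in ("AccessKeyId", "SecretAccessKey"):
        if not data.get(key):
            raise ValueError(f"missing {key}")
    if "Expiration" in data:
        exp = datetime.fromisoformat(data["Expiration"].replace("Z", "+00:00"))
        if exp <= (now or datetime.now(timezone.utc)):
            raise ValueError(f"credentials already expired at {data['Expiration']}")
    return data


def provider_is_safe(path):
    """The SDK executes this path with the caller's privileges: only accept a
    regular, executable file that others cannot write to."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode) or st.st_mode & stat.S_IWOTH:
        return False
    return os.access(path, os.X_OK)


def check_profile(config_path, profile, now=None):
    """Look up credential_process for `profile`, vet the executable, run it
    and validate its output. Raises on any problem."""
    cp = configparser.ConfigParser()
    cp.read(config_path)
    section = "default" if profile == "default" else f"profile {profile}"
    argv = shlex.split(cp[section]["credential_process"])
    if not provider_is_safe(argv[0]):
        raise PermissionError(f"refusing to run {argv[0]}: not a safe executable")
    proc = subprocess.run(argv, capture_output=True, text=True, check=True, timeout=10)
    return parse_credential_output(proc.stdout, now)


def _build_fixture(mode):
    """Constructed fixture: a fake provider script plus an AWS config whose
    profile 'ssm-host' invokes it. Returns the config path."""
    d = tempfile.mkdtemp(prefix="credproc-")
    expiry = (datetime.now(timezone.utc) + timedelta(hours=1)).strftime("%Y-%m-%dT%H:%M:%SZ")
    fake = {  # constructed, non-functional values
        "Version": 1,
        "AccessKeyId": "ASIAEXAMPLE000000000",
        "SecretAccessKey": "example/secret/not/real",
        "SessionToken": "example-session-token",
        "Expiration": expiry,
    }
    script = os.path.join(d, "fake-provider")
    with open(script, "w") as f:
        f.write(f"#!{sys.executable}\nimport json\nprint(json.dumps({fake!r}))\n")
    os.chmod(script, mode)
    config = os.path.join(d, "config")
    with open(config, "w") as f:
        f.write(f"[profile ssm-host]\ncredential_process = {shlex.quote(script)}\nregion = us-east-1\n")
    return config


def demo_good():
    """Provider with mode 0700: the check passes and returns the parsed creds."""
    return check_profile(_build_fixture(0o700), "ssm-host")


def demo_world_writable():
    """Same provider with mode 0777: check_profile must refuse to run it."""
    try:
        check_profile(_build_fixture(0o777), "ssm-host")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(demo_good())
    print("world-writable provider rejected:", demo_world_writable())
```

The permission check is deliberately strict about world-writable files only; on shared hosts you would also want to reject group-writable providers and walk the parent directories, since replacing the directory entry is as good as editing the file.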


vscode-terraform-live-graph
The Terraform Live Graph Extension for Visual Studio Code is a plugin that allows you to generate a live Terraform graph as you code.


aws2tf
Automates the importing of existing AWS resources into Terraform and outputs the Terraform HCL code.

From the cloud providers


#AWS   Four use cases for GuardDuty Malware Protection On-demand malware scan
This post outlines four use cases for the On-demand malware scan feature: scanning based on tag, on a schedule, as part of an investigation, and as a step in a deployment pipeline.


#AWS   Access AWS using a Google Cloud Platform native workload identity
How to assume an IAM role in your AWS accounts to securely issue temporary credentials for applications that run on GCP.


#AWS   Best Practices to help secure your container image build pipeline by using AWS Signer
AWS Signer is a fully managed code-signing service to help ensure the trust and integrity of your code. It helps you verify that the code comes from a trusted source and that an unauthorized party has not tampered with it since it was signed.


#GCP   Securing Google Cloud Super Admins
Some practical tips for securing Super Admins in GCP.


#GCP   Introducing automated credential discovery to help secure your cloud environment
Google Cloud is launching, at no cost, a secret discovery tool in Sensitive Data Protection that can find and monitor for stored plaintext credentials.

Business News

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini