Release Date: 14/07/2024 | Issue: 246
Know someone who'd find this useful? Forward this email
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
📙 The CloudSec Engineer is out now!

The CloudSec Engineer is a practical guide on how to enter, establish yourself, and thrive in the Cloud Security industry as an individual contributor.

You can head over to engineer.cloudsecbooks.com to find more information about the book, its contents, and where to buy it.

This week's articles


A Race to the Bottom - Database Transactions Undermining Your AppSec
This post aims to shed light on a particular aspect of the complexity databases introduce which is often overlooked by developers: concurrency control.   #attack


Common SAML vulnerabilities and how to remediate them
This blog aims to give a short overview of popular SAML vulnerabilities and how they can be remediated with some examples.   #attack   #iam


Moving AWS Accounts and OUs Within An Organization - Not So Simple!
This post explores the potential implications of moving an AWS account or OU to another OU within the same Organization, including impacts to SCP policy inheritance, CloudFormation StackSet deployments, IAM policy conditions, RAM shares, and Control Tower enrollments.   #aws   #explain   #iam


Sneaky write hook: git clone to root on k8s node
This blog post focuses on the gitRepo volume driver, and a yet-unpatched security vulnerability that was just recently disclosed publicly.   #attack   #ci/cd


Let's talk about anonymous access to Kubernetes
Article looking at exactly how and why anonymous access is possible to Kubernetes.   #explain   #kubernetes


Delete unused AMIs using the new 'LastLaunchedTime' attribute
Reduce your AWS costs by (more) safely deleting unused AMIs.   #aws   #build


How to create a multi clusters secure supply chain (SLSA 3) in 10min (OSS edition)
A step-by-step guide on how to create your own secure supply chain with Argo, Kpack, Syft, and Cosign.   #build   #kubernetes   #supply-chain

Sponsor

Cloud Tales ft. Will Bengtson (VP of Security Engineering at HashiCorp)
Cloud Tales is a monthly series focusing on cloud heroes. No slides, no agenda: just tales from security leaders on their journey to securing cloud environments.
  • Hear about Will's journey to securing some of the largest environments in the cloud during his time at Netflix, Capital One and HashiCorp
  • Learn about his career growth from a Technical Lead at Hewlett-Packard to VP of Security Engineering at HashiCorp
  • Post questions to Will about challenges you or your team might be facing and how to overcome them

Tools


acjs
A Kubernetes admission controller that allows inspecting the requests with policies written in JavaScript. You can also refer to the companion blog post.


ctrdac
Admission control for Containerd/Docker. You can also refer to the companion blog post.


secured-bastion-host-terraform
Use the combination of AWS Systems Manager Session Manager and Amazon EC2 Instance Connect for Amazon EC2 bastion host access.


gravy-overflow
A GitHub Actions Supply Chain CTF / Goat.

From the cloud providers


#AWS   Strategies for achieving least privilege at scale - Part 1
This blog post walks through the first five (of nine) strategies for achieving least privilege at scale.


#AWS   Strategies for achieving least privilege at scale - Part 2
This second post continues to look at the remaining four strategies and related mental models for scaling least privilege across your organization.


#AWS   Centrally manage VPC network ACL rules to block unwanted traffic using AWS Firewall Manager
How to use network ACL policies in a variety of scenarios, such as blocking ingress from malicious sources and blocking egress to destinations used by malware and exploits.


#AWS   Monitor data events in Amazon S3 Express One Zone with AWS CloudTrail
S3 Express One Zone now supports AWS CloudTrail data event logging, allowing you to monitor all object-level operations like PutObject, GetObject, and DeleteObject, in addition to bucket-level actions like CreateBucket and DeleteBucket that were already supported.


#AWS   Top four ways to improve your Security Hub security score
Covers the top four mechanisms that you can use to improve your security score, reviews the five controls in Security Hub that most often fail, and provides recommendations on how to remediate them.


#GCP   IAM so lost: A guide to identity in Google Cloud
An entry-level post demystifying two foundational IAM access control principles: the concepts of least privilege and separation of duties.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco

© 2019-present CloudSecList · Marco Lancini