Release Date: 21/07/2024 | Issue: 247
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Gartner predicts that by 2025, lack of talent or human failure will cause more than 50% of significant cyber incidents.
The solution? Workflow automation.
Get the Essential Guide to Workflow Automation from Tines for an in-depth look into:
  • The evolution of workflow automation and AI
  • Common misconceptions about automation (and debunking them)
  • Best practices for finding success with automation - with insights from Mars and Elastic
Get the guide today to learn how your security team can use AI-powered workflow automation to its full potential.

This week's articles


Secure Workload Identity with SPIRE and OIDC: A Guide for Kubernetes and Istio Users
This blog is for engineering teams responsible for defining and implementing a workload identity platform and access controls rooted in Zero Trust principles to mitigate the risks from compromised services.   #build   #kubernetes


Container Breakouts: Escape Techniques in Cloud Environments
Unit 42 researchers test container escape methods and possible impacts within a Kubernetes cluster using a containerd container runtime.   #attack   #containers   #kubernetes


Leaky Labels: Bypassing Traefik Proxy Leveraging cAdvisor Metrics
Post discussing the risks of exposed container labels in cAdvisor metrics with a case study of a widely used cloud native application proxy known as Traefik proxy.   #attack   #containers


A Five Year Retrospective on Detection as Code
Post discussing the evolution of Detection as Code over the past five years, sharing insights from client implementations, and exploring current best practices in this approach.   #monitor


Building the foundations: A defender's guide to AWS Bedrock
This blog focuses on AWS Bedrock and its relevant telemetry streams: CloudTrail management and data events, model invocation telemetry and endpoint telemetry.   #aws   #monitor


Thwacking DDOS with AWS WAF
AWS WAF is definitely not the best DDoS prevention tech on the market. But if you're ever in the seat and it's the tool you have, here's your guide.   #aws   #defend


Poor man's MFA for AWS Client VPN
The AWS Client VPN service is a common way to seamlessly connect users into internal networks. This post describes a low-tech, low-cost solution to better authenticate users using a second factor.   #aws   #build


A hard look at GuardDuty shortcomings
Is GuardDuty all you need for AWS threat detection? This post offers some results of adversarial simulation, a review of detection latency, and an analysis of projected S3 ransomware timing.   #aws   #defend   #explain


Using S3 as a container registry
You can use S3 as a container registry. All it takes is to expose an S3 bucket through HTTP and to upload the image's files to specific paths.   #aws   #build

📙 The CloudSec Engineer is out now!

The CloudSec Engineer is a practical guide on how to enter, establish yourself, and thrive in the Cloud Security industry as an individual contributor.

You can head over to engineer.cloudsecbooks.com to find more information about the book, its contents, and where to buy it.

Tools


container-structure-test
The Container Structure Tests provide a powerful framework to validate the structure of a container image. These tests can be used to check the output of commands in an image, as well as verify metadata and contents of the filesystem.


kluctl
The missing glue to put together large Kubernetes deployments, composed of multiple smaller parts (Helm/Kustomize/...) in a manageable and unified way.


vals-operator
Kubernetes Operator to sync secrets between different secret backends and Kubernetes.


aws-secretsmanager-agent
A client-side HTTP service that you can use to standardize consumption of secrets from Secrets Manager across environments such as Lambda, ECS, EKS, and EC2.

From the cloud providers


#AWS   Patterns for consuming custom log sources in Amazon Security Lake
Three patterns to centralize the ingestion of log data into Amazon Security Lake, regardless of the source.


#GCP   Safeguard your SAP environments with Workload Manager's evaluation service
The Workload Manager evaluation service can assess SAP systems against best practices from Google Cloud, SAP, and operating system vendors.


#GCP   Bringing cloud and AI capabilities to the tactical edge: Google Distributed Cloud air-gapped appliance is generally available
The Google Distributed Cloud air-gapped appliance is an integrated hardware and software solution that lets you run workloads at the tactical edge.


#AZURE   Simplified Zero Trust security with the Microsoft Entra Suite and unified security operations platform
New capabilities to help accelerate your transition to a Zero Trust security model with the general availability of the Microsoft Entra Suite.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini