Release Date: 17/11/2024 | Issue: 264
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

In today's digital landscape, a new class of identities has emerged alongside traditional human users: non-human identities (NHIs). These NHIs are created and managed by human actions to enable automated processes, system-to-system communication, and cloud services. Permiso Security's new eBook details everything you need to know about creating, managing and securing non-human identities.
Download it now

This week's articles


How Palantir Enables a Secure, Rapid Software Development Environment
This post provides background on why and how Palantir initiated their Software Supply Chain Security (SSCS) program, and focuses on the threat model behind their security controls and posture.   #process   #strategy   #supply-chain


How AWS enforcement code logic evaluates requests to allow or deny access
AWS updated the IAM policy evaluation chart.   #aws   #explain   #iam


Analysis Tools and Linters to Improve Code Quality and Avoid Bugs
A site listing the best static analysis tools and linters that can help you improve code quality.   #process


Making Sense of Kubernetes Initial Access Vectors Part 1: Control Plane
Explore Kubernetes control plane access vectors, risks, and security strategies to prevent unauthorized access and protect your clusters from potential threats.   #attack   #defend   #kubernetes


Kubernetes Initial Access Vectors Part 2: Data Plane
Learn about Kubernetes data plane access, including applications running on the cluster, container images, and execution-as-a-service workload types.   #attack   #defend   #kubernetes


GitFlops: The Dangers of Terraform Automation Platforms
How systems designed to automate Terraform lifecycle management can be exploited to compromise entire cloud environments.   #attack   #ci/cd   #iac   #terraform


When is read-only not read-only?
Kubernetes RBAC has some tricky areas where the behaviour you get might not be exactly what you expect.   #iam   #kubernetes


Abusing FIDO2 passkeys to take over Global Administrators in Entra ID
Microsoft has recently published a Graph API that allows administrators to pre-provision passkeys for users. From an offensive security point of view this raises the question whether this functionality can be abused to take over accounts.   #attack   #azure

📙 The CloudSec Engineer

The CloudSec Engineer is discounted for a limited time!
You can get a 30% discount by entering the following discount code at checkout: CYBERNOVEMBER24

Check out the book

Tools


am-i-isolated
Validate the isolation posture of your container environment.


cloudranger
Go library for mapping IP address ranges to cloud provider regions (currently: AWS and GCP).


aws-gate
Better AWS SSM Session manager CLI client.


kro
Kube Resource Orchestrator.


pinniped
Pinniped provides identity services to Kubernetes.

From the cloud providers


#AWS   AWS Security Hub launches 7 new security controls
Security Hub released new controls for Amazon Simple Notification Service (Amazon SNS) topic and AWS Key Management Service (AWS KMS) keys checking for public access.


#AWS   Peek inside your AWS CloudFormation Deployments with timeline view
The new CloudFormation deployment timeline view provides visibility into the orchestration flow and dependencies involved when CloudFormation provisions resources defined in your infrastructure-as-code templates.


#AWS   Introducing resource control policies (RCPs), a new type of authorization policy in AWS Organizations
New Resource Control Policies let you centrally restrict AWS service access across accounts, bolstering security with preventative controls that supersede permissive policies - even for external users.


#AWS   Maximize your cloud security experience at AWS re:Invent 2024
A list of must-attend security sessions at re:Invent 2024.


#GCP   Google Cloud deepens its commitment to security and transparency with expanded CVE program
Google will start issuing CVEs for critical Google Cloud vulnerabilities, even when we do not require customer action or patching.


#GCP   A new flexible DNS-based approach for accessing the GKE control plane
A new DNS-based endpoint for GKE clusters provides enhanced flexibility when accessing the control plane and configuring security.


#AZURE   Unlocking the future: Azure networking updates on security, reliability, and high availability | Microsoft Azure Blog
The general availability of the Bastion Developer SKU, virtual network encryption, and the public preview of DNSSEC support in Azure.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco

© 2019-present CloudSecList · Marco Lancini