Release Date: 09/08/2020 | Issue: 49
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

This week's articles

Network access for private clusters
Very interesting article going into the problem of providing network connectivity between Kubernetes clusters and other internal tools (like deployment pipelines).

Certificate management on Istio
Post focusing on the differences an Istio service mesh makes in regard to certificate management on Kubernetes. The primary difference is the method of solving the ACME HTTP-01 challenge. Solving this challenge involves routing an HTTP request from the ACME server (the Certificate Authority) to the cert-manager challenge solver pod.
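To make the mechanism concrete, here is an added example (not code from the linked post, cert-manager or Istio) of the two things that must line up for HTTP-01 to succeed behind a mesh: the solver pod must answer the challenge path with the key authorization derived from the ACME account key, and the mesh edge must route exactly that host and path to the solver rather than to the application. The ACME account JWK, the token and the backend names are constructed placeholders; the thumbprint and key-authorization computations follow RFC 7638 and RFC 8555.

```python
# Added example, not from the post, cert-manager or Istio. Constructed JWK: the
# n/e values are placeholders, only the thumbprint arithmetic is real.
import base64
import hashlib
import json
from typing import Dict

ACME_PATH_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, in
    lexicographic order, with no whitespace. alg/kid/use do not take part."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """Body the solver pod must return for GET /.well-known/acme-challenge/<token>:
    the token bound to the account key that requested the order."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def ca_accepts(body: str, token: str, account_jwk: Dict[str, str]) -> bool:
    """CA side: it fetches the path over plain HTTP on port 80 and compares the body
    with the value it computes itself (trailing whitespace tolerated, RFC 8555 s8.3)."""
    return body.rstrip() == key_authorization(token, account_jwk)


def route(host: str, path: str,
          solver_routes: Dict[str, Dict[str, str]],
          default_backend: str) -> str:
    """The decision the mesh edge has to make for an incoming request.
    solver_routes maps host -> {token: solver backend}. Only a registered
    host+token pair reaches a solver pod; anything else (including a stale or
    unknown token) falls through to the application, whose 404 fails the challenge."""
    if path.startswith(ACME_PATH_PREFIX):
        token = path[len(ACME_PATH_PREFIX):]
        backend = solver_routes.get(host, {}).get(token)
        if backend is not None:
            return backend
    return default_backend


# Constructed ACME account key (placeholder values, not a usable RSA key).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "cGxhY2Vob2xkZXItbW9kdWx1cw"}
```

The routing function is where the mesh-specific work lives: the CA opens its connection on port 80, so the gateway needs an HTTP listener for the hostname (not only an HTTPS one), and the challenge path for that host has to be matched before any catch-all route sends it to the application.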

Cloud Encryption is worthless! Click here to see why...
When evaluating your cloud security posture priorities, encryption should be at the bottom of your list: provider-managed encryption at rest is transparent to every principal your IAM and resource policies allow to read the data, so it does nothing against an over-permissive policy. First, get your IAM house in order.

How we migrated Dropbox from Nginx to Envoy
Nice post from the Dropbox team, talking about the old Nginx-based traffic infrastructure, its pain points, and the benefits they gained by migrating to Envoy. They also briefly touch on the migration process, its current state, and some of the problems encountered on the way.

File Integrity Monitoring: Detecting suspicious file activity inside a container
Blog exploring suspicious file activity inside a container, as well as how to effectively implement a file integrity monitoring (FIM) workflow.
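The workflow the post describes boils down to a content and permission baseline of the container's filesystem and a diff against it. The following is an added example, not code from the post or any FIM product: a minimal monitor that builds such a baseline, reports added, removed, modified and re-permissioned files, and ranks them by where they live. The fake rootfs that `demo()` builds in a temporary directory and the "attacker" changes it applies are constructed for illustration.

```python
# Added example, not from the linked post. The rootfs and the tampering in demo()
# are constructed.
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Top-level directories that are virtual or too noisy to baseline in a container.
EXCLUDED_TOP_DIRS = {"proc", "sys", "dev", "tmp", "run", "var"}
# Paths where any change deserves an alert: binaries, libraries, auth and config data.
HIGH_VALUE_PREFIXES = ("etc/", "bin/", "sbin/", "lib/", "lib64/", "usr/bin/",
                       "usr/sbin/", "usr/lib/", "usr/local/bin/", "root/")

Record = Tuple[str, int]  # (sha256 hex, permission bits incl. setuid/setgid/sticky)


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Record]:
    """Relative path -> (content hash, mode) for every regular file under root.
    Symlinks are skipped on purpose: hashing a link's target would let an attacker
    point a link at an unchanged file and hide the swap."""
    baseline: Dict[str, Record] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in EXCLUDED_TOP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (_sha256(full), stat.S_IMODE(st.st_mode))
    return baseline


def diff_baselines(before: Dict[str, Record], after: Dict[str, Record]) -> List[Dict[str, str]]:
    """One finding per changed path: added, removed, modified (content) or
    mode_changed (same content, different permission bits), sorted by path."""
    findings = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            change = "added"
        elif path not in after:
            change = "removed"
        elif before[path][0] != after[path][0]:
            change = "modified"
        elif before[path][1] != after[path][1]:
            change = "mode_changed"
        else:
            continue
        severity = "high" if path.startswith(HIGH_VALUE_PREFIXES) else "low"
        findings.append({"path": path, "change": change, "severity": severity})
    return findings


def _write(root: str, rel: str, text: str, append: bool = False) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "a" if append else "w") as f:
        f.write(text)


def demo() -> List[Dict[str, str]]:
    """Constructed scenario: baseline a fake container rootfs, tamper with it the
    way a post-exploitation foothold would, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "usr/bin/curl", "#!/bin/sh\nexec /opt/curl.real \"$@\"\n")
        _write(root, "app/config.json", '{"debug": false}\n')
        before = build_baseline(root)

        _write(root, "etc/passwd", "backdoor:x:0:0::/root:/bin/bash\n", append=True)  # second uid-0 user
        os.chmod(os.path.join(root, "usr/bin/curl"), 0o4755)  # setuid added, content untouched
        _write(root, "app/cache.bin", "stale\n")                # new file outside the hot paths
        os.remove(os.path.join(root, "app/config.json"))
        _write(root, "tmp/.x", "dropper\n")                     # excluded directory: never reported
        return diff_baselines(before, build_baseline(root))
```

Two design points worth noting. Comparing mode bits separately from content catches a setuid bit added to an otherwise identical binary, which a hash-only monitor misses. And the exclusion list is a deliberate blind spot: the dropper written to `tmp/` never shows up, which is why a FIM workflow in a container is usually paired with process and network telemetry rather than relied on alone.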

Implementing a GitOps UI with Spotify's Backstage
How to use Spotify's open source framework, Backstage, to create a GitOps plugin with a UI that can be offered through a developer portal.

GitHub Actions self-hosted runners on Google Cloud
Patterns for configuring and maintaining GitHub Actions self-hosted runners on Google Cloud.

Open Sourcing the etcd Security Audit
The etcd team has completed a third-party security audit, performed by Trail of Bits. No major issue was found in the core components of etcd.

Sandboxing and Workload Isolation
Evaluation of a few different isolation techniques, with a focus on Firecracker.

Manage Active Directory Objects with the New Windows AD Provider for HashiCorp Terraform
HashiCorp announced the preview of a Windows Active Directory (AD) provider for Terraform. Windows administrators can now automate configuration of Active Directory and ease the management of enterprise systems.


AWS Exposable Resources
Repo maintaining a list of all AWS resources that can be publicly exposed and, where applicable, those that can be shared with other (possibly untrusted) AWS accounts.
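Both the encryption piece above and this list come down to the same question: who does a resource policy actually grant access to? The following is an added example, not code from either post or from the repo, that classifies the principals in a resource-based policy (S3 bucket, KMS key, SQS queue and similar) as public, public-but-scoped-by-condition, external account, same account or AWS service. The bucket policy and account IDs are constructed. It is not an IAM evaluator: Deny statements, NotPrincipal, identity-based policies, S3 Block Public Access and the KMS key policy that SSE-KMS additionally consults are all outside its scope.

```python
# Added example, not from the linked posts or the aws-exposable-resources repo.
# Sample policy and account IDs are constructed.
import json
from typing import Any, Dict, List

# Condition keys that scope a wildcard principal to an org, account, caller or VPC.
SCOPING_CONDITION_KEYS = {
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
    "aws:sourceaccount", "aws:sourcearn", "aws:sourceowner",
    "aws:sourcevpc", "aws:sourcevpce",
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _condition_keys(statement: Dict[str, Any]) -> List[str]:
    keys: List[str] = []
    for operator_block in statement.get("Condition", {}).values():
        keys.extend(k.lower() for k in operator_block)
    return keys


def _account_of(principal: str) -> str:
    """'arn:aws:iam::111122223333:role/x' or '111122223333' -> '111122223333';
    '*' for wildcards; '' for shapes that carry no account ID."""
    if principal == "*":
        return "*"
    if principal.startswith("arn:"):
        return principal.split(":")[4]
    if principal.isdigit() and len(principal) == 12:
        return principal
    return ""


def classify_statement(statement: Dict[str, Any], own_account: str) -> List[Dict[str, str]]:
    """One finding per principal in an Allow statement."""
    if statement.get("Effect") != "Allow":
        return []
    principal = statement.get("Principal", {})
    if principal == "*":
        principal = {"AWS": "*"}
    scoped = any(k in SCOPING_CONDITION_KEYS for k in _condition_keys(statement))
    actions = ",".join(_as_list(statement.get("Action", [])))
    findings = []
    for ptype, values in principal.items():
        for value in _as_list(values):
            if ptype == "Service":
                exposure = "service"
            elif ptype == "Federated":
                exposure = "federated"
            else:
                # "AWS" principals carry an account; canonical user IDs do not and are
                # treated as external since they cannot be matched to own_account here.
                account = _account_of(value) if ptype == "AWS" else ""
                if account == "*":
                    exposure = "public-conditional" if scoped else "public"
                elif account == own_account:
                    exposure = "same-account"
                else:
                    exposure = "external-account"
            findings.append({"sid": statement.get("Sid", ""), "principal": value,
                             "exposure": exposure, "actions": actions})
    return findings


def classify_policy(policy_json: str, own_account: str) -> List[Dict[str, str]]:
    policy = json.loads(policy_json)
    out: List[Dict[str, str]] = []
    for stmt in _as_list(policy.get("Statement", [])):
        out.extend(classify_statement(stmt, own_account))
    return out


# Constructed bucket policy covering each exposure class.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "PartnerWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/uploader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/inbound/*"},
        {"Sid": "OwnAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Logs", "Effect": "Allow",
         "Principal": {"Service": "logging.s3.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/logs/*"},
    ],
})
```

Run against a bucket with SSE-S3 enabled, the `PublicRead` finding is the whole story: S3 decrypts transparently for any caller the policy admits, so the objects are readable by anyone. With SSE-KMS the caller additionally needs `kms:Decrypt` on the key, which is granted by the key policy, that is, by another IAM document that deserves the same classification.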

Azure Cloud Shell is a browser-based shell environment which enables Azure customers to manage and configure their Azure services. It provides a host of tools, including Azure CLI, Azure PowerShell, Ansible, Terraform, Chef, Puppet Bolt, kubectl, and many more.

Run interactive shell commands on AWS Lambda.

Mount kubernetes metadata storage as a filesystem.

Kip is a Virtual Kubelet provider that allows a Kubernetes cluster to transparently launch pods onto their own cloud instances. The kip pod is run on a cluster and will create a virtual Kubernetes node in the cluster.

CONVEX is a group of CTFs that are independently deployable into participant Azure environments.

DAST (Dynamic application security testing) is a Kubernetes operator that leverages OWASP ZAP to run automated, basic security tests against web services.

From the cloud providers

AWS: Using Amazon GuardDuty to Protect Your S3 Buckets
The anomaly and threat detection for S3 activity that was previously available in Macie has been enhanced and moved into GuardDuty, at over 80% lower cost. GuardDuty can now continuously monitor and profile S3 data access events and S3 configurations to detect suspicious activity.

AWS: Assess your security posture to identify and remediate security gaps susceptible to ransomware
The Self-Service Security Assessment is a CloudFormation template that includes a dedicated VPC with two subnets, one NAT Gateway, one EC2 instance, and one S3 bucket. Once deployed, open source projects Prowler and ScoutSuite are downloaded and installed within the EC2 instance and begin locally scanning AWS accounts using AWS APIs to run more than 256 point-in-time checks.

AWS: Logical Separation on AWS Whitepaper: Moving Beyond Physical Isolation in the Era of Cloud Computing
This paper examines the topic of logical separation for customers using AWS, discussing a multi-pronged approach to build logical security mechanisms that meet and often exceed the security results of physical separation and other on-premises security approaches.

AWS: Migrating your rules from AWS WAF Classic to the new AWS WAF
How to migrate your rules from AWS WAF Classic to the new AWS Web Application Firewall.

AWS: Best Practices for Securing Amazon EMR
This post walks you through some of the principles of Amazon EMR (a managed Hadoop framework) security, including encryption, authentication, and network access.

GCP: Preventing lateral movement in Google Compute Engine
To implement a defense-in-depth approach for Compute Engine, the post recommends a handful of controls: isolate your production resources from the internet, stop using the default service accounts, limit access to service account credentials, use OS Login to manage SSH access to VMs, apply the principle of least privilege, and collect logs and monitor your system.
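Most of those controls are visible in the instance resource itself, so they can be audited in bulk. Below is an added example, not code from Google's post, that checks a list of instances in the shape returned by `gcloud compute instances list --format=json` (field names as in the Compute Engine API) for an external IP, the default Compute Engine service account, the all-APIs `cloud-platform` scope, OS Login not being enforced, and the serial console being enabled. The two instances, the project number `123456789012` and the project-level metadata are constructed; the log-collection recommendation has no per-instance equivalent and is not checked.

```python
# Added example, not from the Google post. Instances and project number are
# constructed; field names follow the Compute Engine API.
from typing import Any, Dict, List

CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
DEFAULT_COMPUTE_SA_SUFFIX = "-compute@developer.gserviceaccount.com"


def _metadata(instance: Dict[str, Any]) -> Dict[str, str]:
    return {item["key"]: item["value"]
            for item in instance.get("metadata", {}).get("items", [])}


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("true", "1")


def audit_instance(instance: Dict[str, Any], project_metadata: Dict[str, str]) -> List[str]:
    """Finding codes for one instance. project_metadata is the project's common
    instance metadata; instance-level keys override it one by one, which is how
    a single VM can opt out of a project-wide enable-oslogin=TRUE."""
    findings: List[str] = []
    md = {**project_metadata, **_metadata(instance)}

    # Reachable from the internet: a NIC with an access config has an external IP.
    if any(nic.get("accessConfigs") for nic in instance.get("networkInterfaces", [])):
        findings.append("external-ip")

    # Identity attached to the VM: default SA, and the scope that unlocks every API.
    for sa in instance.get("serviceAccounts", []):
        if sa.get("email", "").endswith(DEFAULT_COMPUTE_SA_SUFFIX):
            findings.append("default-service-account")
        if CLOUD_PLATFORM_SCOPE in sa.get("scopes", []):
            findings.append("cloud-platform-scope")

    # SSH access path: OS Login ties logins to IAM; metadata SSH keys do not.
    if not _truthy(md.get("enable-oslogin", "")):
        findings.append("oslogin-disabled")

    # Interactive serial console is an out-of-band login path.
    if _truthy(md.get("serial-port-enable", "")):
        findings.append("serial-console-enabled")

    return findings


def audit(instances: List[Dict[str, Any]], project_metadata: Dict[str, str]) -> Dict[str, List[str]]:
    return {inst["name"]: audit_instance(inst, project_metadata) for inst in instances}


# Constructed: one legacy VM that fails every check, one hardened worker.
SAMPLE_INSTANCES = [
    {"name": "legacy-web",
     "networkInterfaces": [{"network": "default",
                            "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}],
     "serviceAccounts": [{"email": "123456789012-compute@developer.gserviceaccount.com",
                          "scopes": [CLOUD_PLATFORM_SCOPE]}],
     "metadata": {"items": [{"key": "serial-port-enable", "value": "1"}]}},
    {"name": "hardened-worker",
     "networkInterfaces": [{"network": "prod-vpc"}],
     "serviceAccounts": [{"email": "worker@my-project.iam.gserviceaccount.com",
                          "scopes": ["https://www.googleapis.com/auth/logging.write",
                                     "https://www.googleapis.com/auth/monitoring.write"]}],
     "metadata": {"items": [{"key": "enable-oslogin", "value": "TRUE"}]}},
]
SAMPLE_PROJECT_METADATA: Dict[str, str] = {}  # project does not enforce OS Login
```

The scope check is a coarse one: what a VM's token can do is the intersection of its OAuth scopes and the IAM roles bound to the service account, so a custom account with tight roles is not made dangerous by `cloud-platform` alone. The default Compute Engine service account is the case to worry about, since in older projects it may carry the project Editor role.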

GCP: Introducing CAS: Securing applications with private CAs and certificates
Google announced Certificate Authority Service (CAS), a highly scalable and available service that simplifies and automates the management and deployment of private CAs.

Azure: Moving Windows Server to Microsoft Azure to Enable Compliance
Free e-book discussing how to manage compliance, privacy, and security when migrating Windows Server workloads to Azure.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.