Release Date: 13/09/2020 | Issue: 54
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

This week's articles


Security September: Escaping CodeBuild - The compromise that wasn't
Can you break out of the CodeBuild container? Where will you end up?   #aws   #attack


Abusing dynamic groups in Azure AD for privilege escalation
Blog presenting a new technique for escalating privileges within Azure environments through the abuse of dynamic groups in Azure Active Directory.   #azure   #attack


How To Enforce Kubernetes Network Security Policies Using OPA
Deep-dive on how to enforce systematic Kubernetes network security policies with Open Policy Agent.   #k8s   #defend   #opa


Monitoring Kubernetes in Production
The challenges of monitoring Kubernetes, both the infrastructure platform and the running workloads, and an overview of Kubernetes monitoring tools.   #k8s   #defend


Announcing the Sentinel Playground
HashiCorp introduced Sentinel Playground, which offers access to a zero-install development environment to learn and experiment with policy as code without having to install and maintain runtime environments on your own machines.   #hashicorp   #announcement


Making Sense of Kubernetes RBAC and IAM Roles on GKE
Interesting post exploring the relationship between Google Cloud IAM and Kubernetes RBAC.   #k8s   #gcp   #explain


Using HashiCorp Vault with Google Confidential Computing
HashiCorp Vault is now validated on Google Cloud Platform's Confidential Computing service. Confidential Computing allows HashiCorp Vault to operate in environments with resilient host-based security that adds additional protection through the use of memory encryption.   #hashicorp   #vault   #gcp


What's new in Kubernetes 1.19?
Detailed list of what's new in Kubernetes 1.19. Of the 34 enhancements in this version, 10 are completely new, 8 are graduating to Stable, 2 are management changes on the Kubernetes project, and the other 14 are existing features that kept improving.   #k8s   #explain


Discovering Running Pods By Using DNS and Headless Services in Kubernetes
Post covering what headless services are, how they work, and how they integrate with DNS resolution.   #k8s   #explain


Seccomp in Kubernetes - Part 3: The new syntax plus some Advanced topics
Yet another post on mastering the art of creating seccomp profiles for your workloads, this time around covering the new Seccomp GA syntax and some other advanced topics.   #k8s   #defend


Easier Troubleshooting of cert-manager Certificates
Post exploring the newest addition to the kubectl plugin of cert-manager, "kubectl cert-manager status certificate", a command designed to make the troubleshooting experience of cert-manager problems easier.   #k8s   #build


Puppet Assessment Techniques
Blog post aiming to raise security awareness and summarize useful attack and audit techniques for an internal black-box and white-box infrastructure assessment of a Puppet Enterprise landscape.   #puppet   #attack

Tools


cdkgoat
Vulnerable by Design AWS CDK repository.


cfngoat
Vulnerable by Design Cloudformation repository.


terragoat
Vulnerable by Design Terraform repository.


grype
A vulnerability scanner for container images and filesystems.


capsule
Capsule is a Kubernetes multi-tenant Operator. It aggregates multiple namespaces assigned to an organization or group of users in a lightweight abstraction called Tenant. Within each tenant, users are free to create their namespaces and share all the assigned resources between the namespaces of the tenant.

From the cloud providers


#AWS   Introducing the AWS Best Practices for Security, Identity, & Compliance Webpage and Customer Polling Feature
AWS released the Best Practices for Security, Identity, & Compliance webpage of the new AWS Architecture Center, containing recommendations for security design principles, workshops, and educational materials.


#AWS   Amazon EKS now supports assigning EC2 security groups to Kubernetes pods
EKS customers can now leverage EC2 security groups to secure applications with varying network security requirements on shared cluster compute resources. Network security rules that span pod to pod and pod to external AWS service traffic can be defined in a single place with EC2 security groups, and applied to individual pods and applications with Kubernetes native APIs.


#AWS   API Gateway HTTP APIs now supports Lambda and IAM authorization options
In addition to the previously supported OIDC/OAuth2 authorization option, it is now possible to secure Amazon API Gateway HTTP APIs using two new authorization options: Lambda authorizers and IAM authorizers.


#AWS   How to configure an LDAPS endpoint for Simple AD
How to configure an LDAPS (LDAP over SSL or TLS) encrypted endpoint for Simple AD so that you can extend Simple AD over untrusted networks.


#GCP   Expanding Google Cloud's Confidential Computing portfolio
Google expanded the Google Cloud Confidential Computing portfolio with the announcement of Confidential GKE Nodes and of Confidential VMs.


#GCP   Google Cloud API Gateway is now available in public beta
Google announced the beta of API Gateway, a fully-managed Google Cloud offering that lets you create, secure, and monitor APIs for your serverless workloads.


#GCP   Designing Secure Data Pipelines with VPC Service Controls
This blog post describes an example of how to build a data platform using Cloud Functions, Dataflow, Google Cloud Storage and BigQuery with VPC Service Controls.


#AZURE   Azure DDoS Protection connector in Public Preview for Azure Sentinel
If you are using Azure DDoS Standard Protection, you can now ingest this via a custom connector into your Azure Sentinel workspace.


#AZURE   How to integrate vulnerability management in Azure Sentinel
Blog explaining how to ingest and analyse vulnerability data in Azure Sentinel. In the article, Tenable is used as an example, but the same approach can be used with any other Threat & Vulnerability Management (TVM) platform.


#AZURE   Select an Azure data store for your application
Handy flowchart to select a candidate data store for any kind of workload.


#AZURE   Choose an Azure compute service for your application
Interesting flowchart to help you choose a compute service for your application.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues!

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini