This week's articles
Enter the Vault: Authentication Issues in HashiCorp Vault
#aws, #gcp, #vault, #attack
Project Zero found two vulnerabilities in HashiCorp Vault and its integration with AWS and GCP, which can lead to an authentication bypass in configurations that use the aws and gcp auth methods. Both vulnerabilities (CVE-2020-16250/16251) were addressed by HashiCorp and are fixed in Vault versions 1.2.5, 1.3.8, 1.4.4 and 1.5.1 released in August.
CloudFormer review part I - The stack
#aws, #attack
A security review of AWS CloudFormer (beta), a tool created by AWS that helps create CloudFormation templates of existing resources within an account.
Mapping CIS Controls to Cloud
#defend
Building a public cloud security program from scratch is a lot of work. There are a ton of things you need to do, and figuring out what to do and in which order is critical.
Tools
aws-iamctl
IAMCTL is a tool that you can use to extract the IAM roles and policies from two accounts, compare them, and report the differences and statistics. You can also have a look at the companion blog post.
gcpviz
gcpviz is a visualization tool that takes input from Cloud Asset Inventory, creates relationships between assets and outputs to a format compatible with graphviz.
From the cloud providers
AWS Lambda Extensions: a new way to integrate Lambda with operational tools (in preview)
AWS introduced "Extensions" for Lambda, a new way for tools to more easily integrate deeply into the Lambda execution environment to control and participate in Lambda's lifecycle. They use the Extensions API, a new HTTP interface, to register for lifecycle events and get greater control during function initialization, invocation, and shutdown. As of today, it is possible to use extensions for the following tools: AppDynamics, Check Point, Datadog, Dynatrace, Epsagon, HashiCorp, Lumigo, New Relic, Thundra, Splunk, AWS AppConfig, and CloudWatch Lambda Insights.
AWS Security Hub launches a new user interface for security standards
AWS Security Hub improved how it displays details for security standards, which are collections of automated security checks based on industry and regulatory frameworks like the Center for Internet Security's (CIS) AWS Foundational Benchmarks, the Payment Card Industry Data Security Standard (PCI DSS), and AWS' own Foundational Security Best Practices.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco