Release Date: 11/10/2020 | Issue: 58
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

This week's articles


Using AWS Lambda Extensions to Accelerate AWS Secrets Manager Access
Square developed and open sourced an extension that pre-fetches secrets from AWS Secrets Manager. By prefetching it is possible to eliminate the overhead introduced by calls to Secrets Manager, thus making secrets available immediately for Lambda function invocations.   #aws   #build


Use AWS Lambda Extensions to Securely Retrieve Secrets From HashiCorp Vault
HashiCorp announced the public preview of a HashiCorp Vault AWS Lambda extension, utilizing the newly announced AWS Lambda Extensions API (also in public preview) to securely retrieve secrets from HashiCorp Vault.   #aws   #vault   #build


Firebase: Google Cloud's Evil Twin
Whitepaper digging deep into Firebase and its security flaws.   #gcp   #attack


Enter the Vault: Authentication Issues in HashiCorp Vault
Project Zero found two vulnerabilities in HashiCorp Vault and its integration with AWS and GCP, which can lead to an authentication bypass in configurations that use the aws and gcp auth methods. Both vulnerabilities (CVE-2020-16250/16251) were addressed by HashiCorp and are fixed in Vault versions 1.2.5, 1.3.8, 1.4.4 and 1.5.1 released in August.   #aws   #gcp   #vault   #attack


Privilege Escalation and Lateral Movement on Azure
Some techniques for how a red team can gain a foothold and then escalate their privileges and move laterally within an Azure environment by using the Azure RBAC module.   #azure   #attack


CloudFormer review part I - The stack
A security review of AWS CloudFormer (beta), a tool created by AWS that helps create CloudFormation templates of existing resources within an account.   #aws   #attack


Mapping CIS Controls to Cloud
Building a public cloud security program from scratch is a lot of work. There are a ton of things you need to do, and figuring out what needs doing, and in what order of priority, is critical.   #defend


Monitoring Google Cloud with the Elastic Stack and Google Operations
How to set up a pipeline to stream data from Google Operations (formerly Stackdriver) to the Elastic Stack so you can analyze Google Cloud logs alongside other observability data.   #gcp   #defend


A visual introduction to AWS Lambda permissions
Article explaining with visual examples the AWS Lambda permission model, focusing on cross-account access and the principle of least privilege.   #aws   #explain


Build end-to-end CI/CD capabilities directly in GitHub
Online workshops teaching how to build end-to-end continuous integration (CI) and continuous deployment (CD) capabilities directly in GitHub repositories using GitHub Actions.   #azure   #build


Dynamic Secrets Retrieval in Azure App Service with HashiCorp Vault
How to integrate Vault with Azure Active Directory and managed identities, and also use this authentication method to access dynamic short-lived secrets for a MySQL database.   #azure   #vault   #build


Verify your Kubernetes Cluster Network Policies: From Faith to Proof
Implement a technical check that verifies the security measures you have put in place. In the case of network policies, try to establish a network connection that should be blocked. Keep the checks as simple as possible and propagate the results into the existing monitoring solution.   #istio   #defend

Tools


aws-iamctl
IAMCTL is a tool that you can use to extract the IAM roles and policies from two accounts, compare them, and report out the differences and statistics. You can also have a look at the companion blog post.


gcpviz
gcpviz is a visualization tool that takes input from Cloud Asset Inventory, creates relationships between assets and outputs to a format compatible with graphviz.

From the cloud providers


#AWS   AWS Lambda Extensions: a new way to integrate Lambda with operational tools (in preview)
AWS introduced "Extensions" for Lambda, a new way for tools to more easily integrate deeply into the Lambda execution environment to control and participate in Lambda's lifecycle. They use the Extensions API, a new HTTP interface, to register for lifecycle events and get greater control during function initialization, invocation, and shutdown. As of today, it is possible to use extensions for the following tools: AppDynamics, Check Point, Datadog, Dynatrace, Epsagon, HashiCorp, Lumigo, New Relic, Thundra, Splunk, AWS AppConfig, and CloudWatch Lambda Insights.


#AWS   Designing a secure container image registry
Post outlining a design that can be used or modified to fit Amazon Elastic Container Registry (Amazon ECR) to the requirements of your organization.


#AWS   AWS Security Hub launches a new user interface for security standards
AWS Security Hub improved how it displays details for security standards, which are collections of automated security checks based on industry and regulatory frameworks like the Center for Internet Security's (CIS) AWS Foundational Benchmarks, the Payment Card Industry Data Security Standard (PCI DSS), and AWS' own Foundational Security Best Practices.


#GCP   Creating a CI/CD Environment for Serverless Containers on Google Cloud Run with GitHub Actions
Using GitHub Actions to test and deploy Docker containers on Google Cloud Run.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues!

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini