Release Date: 22/11/2020 | Issue: 64
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

This week's articles


Announcing the Cloud Native Security White Paper
The CNCF Security SIG has just released a new Cloud Native Security Whitepaper to help educate the community about best practices for securing cloud native deployments. The whitepaper intends to provide organizations and their technical leadership with a clear understanding of cloud native security, its incorporation in lifecycle processes, and considerations for determining the most appropriate application thereof. You can also check the accompanying blog post on the K8s blog.   #announcement   #cncf   #defend


AWS access keys leak in GitHub repository and some improvements in Amazon reaction
Post testing Amazon's reaction to a case of leaked access keys, with analysis of the recent "AWSCompromisedKeyQuarantine" policy used to contain them.   #aws   #attack


Learning from AWS (Customer) Security Incidents
Really interesting run-through of real-life security breaches that have happened to the AWS environments of high-profile companies.   #aws   #defend


It's time to implement Instance Metadata Service V2
Practical guidance on how you can get started rolling out IMDSv2 via CloudFormation.   #aws   #defend


Pod Security Policies Are Being Deprecated in Kubernetes
It's been 2+ years since PSPs were planned for deprecation, and SIGs are currently coming up with options before the summer deadline.   #k8s   #defend


Automated Origin CA for Kubernetes
Cloudflare released origin-ca-issuer, an extension to cert-manager integrating with Cloudflare Origin CA to easily create and renew certificates for your account's domains.   #k8s   #build


How to Maintain Compliance At the Speed of Kubernetes
Capital One acquired Critical Stack in 2016 to scale and manage containerized applications with compliance in mind. This week, all elements of the platform have been made available to the open-source community.   #k8s   #defend


Privileged Container Escape - Control Groups release_agent
Post expanding on a technique reported by Felix Wilhelm (@_fel1x) to escape a privileged container to execute arbitrary commands on the container host.   #k8s   #attack


Introducing BloodHound 4.0: The Azure Update
The newest release of BloodHound introduced AzureHound (a new data collector for Azure), 10 new node types, and 14 new edges that cover attack primitives against the new node types.   #azure   #attack   #defend


Introducing a mind map for AWS investigations
The Expel team released a mindmap on detection and response in AWS, breaking down what APIs attackers will leverage for different types of attacks.   #aws   #defend

Tools


project_lockdown
Collection of automated remediation Cloud Functions that react to high risk events in real time. See also the related blog post.


illuminatio
illuminatio is a tool for automatically testing Kubernetes network policies.

From the cloud providers


#AWS   Deep Dive with Security: AWS Identity and Access Management
New on-demand digital course provides a deep dive into AWS IAM and best practices for using IAM policies.


#AWS   Announcing protection groups for AWS Shield Advanced
AWS Shield Advanced now allows you to bundle resources into protection groups, giving you a self-service way to customize the scope of detection and mitigation for your application by treating multiple resources as a single unit.


#AWS   Fall 2020 SOC 2 Type I Privacy report now available
The Fall 2020 SOC 2 Type I Privacy report (available through "Artifact" in the AWS Management Console) provides a third-party attestation of AWS systems.


#AWS   AWS Network Firewall - New Managed Firewall Service in VPC
AWS announced AWS Network Firewall, a high availability, managed network firewall service for your virtual private cloud (VPC). It enables you to easily deploy and manage stateful inspection, intrusion prevention and detection, and web filtering to protect your virtual networks on AWS.


#AWS   Integrating CloudEndure Disaster Recovery into your security incident response plan
How to integrate CloudEndure Disaster Recovery - an AWS DR solution that enables fast, reliable recovery of physical, virtual, and cloud-based servers on AWS - into the recovery section of your incident response plan.


#AWS   Introducing Amazon S3 Storage Lens – Organization-wide Visibility Into Object Storage
The S3 team has built a new feature called Amazon S3 Storage Lens. This is the first cloud storage analytics solution with support for AWS Organizations to give you organization-wide visibility into object storage, with point-in-time metrics and trend lines as well as actionable recommendations. All these things combined will help you discover anomalies, identify cost efficiencies, and apply data protection best practices across accounts.


#AWS   AWS Single Sign-On adds Web Authentication (WebAuthn) support for user authentication with security keys and built-in biometric authenticators
AWS Single Sign-On (SSO) now enables you to secure user access to AWS accounts and business applications using multi-factor authentication (MFA) with FIDO-enabled security keys, such as YubiKey, and built-in biometric authenticators, such as Touch ID on Apple MacBooks and facial recognition on PCs.


#GCP   Introducing the Anthos Developer Sandbox—free with a Google account
Google launched the Anthos Developer Sandbox, providing a way to learn how to develop on Anthos with Cloud Shell Editor, Cloud Code, and Cloud Build Local.


#GCP   Introducing Voucher, a service to help secure the container supply chain
Voucher evaluates container images created by CI/CD pipelines and signs those images if they meet certain predefined security criteria. Binary Authorization then validates these signatures at deploy time, ensuring that only explicitly authorized code that meets your organizational policy and compliance requirements can be deployed to production.


#GCP   I do declare! Infrastructure automation with Configuration as Data
The Kubernetes Resource Model (KRM) that powers containerized applications can manage non-Kubernetes resources including other infrastructure, platform, and application services. For example, you can use the Kubernetes Resource Model to deploy and manage cloud databases, storage buckets, networks, and much more.


#GCP   Use real-time anomaly detection reference patterns to combat fraud
Reference patterns are technical reference guides that offer step-by-step implementation and deployment instructions and sample code.


#AZURE   Deploying and Managing Azure Sentinel - Ninja style
How to configure and maintain Azure Sentinel through Azure DevOps with IaC using the Sentinel API, AzSentinel and ARM templates.


#AZURE   New Azure Kubernetes Service (AKS) Security Workbook
Now you can get even more insights about the security of your AKS clusters with the new workbook for Azure Kubernetes Service (AKS) security in Sentinel. The workbook helps you get better visibility into your cluster from a security perspective.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini