Release Date: 22/11/2020 | Issue: 64
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

This week's articles

Announcing the Cloud Native Security White Paper   #announcement, #cncf, #defend
The CNCF Security SIG has just released a new Cloud Native Security Whitepaper to help educate the community about best practices for securing cloud native deployments. The whitepaper intends to provide organizations and their technical leadership with a clear understanding of cloud native security, its incorporation in lifecycle processes, and considerations for determining the most appropriate application thereof. You can also check the accompanying blog post om the K8s blog.

AWS access keys leak in GitHub repository and some improvements in Amazon reaction   #aws, #attack
Post testing Amazon's reaction to a case of leaked access keys, with analysis of the recent "AWSCompromisedKeyQuarantine" policy used to contain them.

Learning from AWS (Customer) Security Incidents   #aws, #defend
Really interesting run through of real life security breaches that have happened to the AWS environments of high profile companies.

It's time to implement Instance Metadata Service V2   #aws, #defend
Practical guidance on how you can get started rolling out IMDSv2 via Cloudformation.

Pod Security Policies Are Being Deprecated in Kubernetes   #k8s, #defend
It's been 2+ years since PSPs were planned for deprecation, and SIGs are currently coming up with options before the summer deadline.

Automated Origin CA for Kubernetes   #k8s, #build
CloudFlare released origin-ca-issuer, an extension to cert-manager integrating with Cloudflare Origin CA to easily create and renew certificates for your account's domains.

How to Maintain Compliance At the Speed of Kubernetes   #k8s, #defend
Capital One acquired Critical Stack in 2016 to scale and manage containerized applications with compliance in mind. This week, all elements of the platform have been made available to the open-source community.

Privileged Container Escape - Control Groups release_agent   #k8s, #attack
Post expanding on a technique reported by Felix Wilhelm (@_fel1x) to escape a privileged container to execute arbitrary commands on the container host.

Introducing BloodHound 4.0: The Azure Update   #azure, #attack, #defend
The newest release of BloodHound introduced AzureHound (a new data collector for Azure), 10 new node types, and 14 new edges that cover attack primitives against the new node types.

Introducing a mind map for AWS investigations   #aws, #defend
The Expel team released a mindmap on detection and response in AWS, breaking down what APIs attackers will leverage for different types of attacks.


Collection of automated remediation Cloud Functions that react to high risk events in real time. See also the related blog post.

illuminatio is a tool for automatically testing kubernetes network policies.

From the cloud providers

AWS Icon  Deep Dive with Security: AWS Identity and Access Management
New on-demand digital course provides a deep dive into AWS IAM and best practices for using IAM policies.

AWS Icon  Announcing protection groups for AWS Shield Advanced
AWS Shield Advanced now allows you to bundle resources into protection groups, giving you a self-service way to customize the scope of detection and mitigation for your application by treating multiple resources as a single unit.

AWS Icon  Fall 2020 SOC 2 Type I Privacy report now available
The Fall 2020 SOC 2 Type I Privacy report (available through "Artifact" in the AWS Management Console) provides a third-party attestation of AWS systems.

AWS Icon  AWS Network Firewall - New Managed Firewall Service in VPC
AWS announced AWS Network Firewall, a high availability, managed network firewall service for your virtual private cloud (VPC). It enables you to easily deploy and manage stateful inspection, intrusion prevention and detection, and web filtering to protect your virtual networks on AWS.

AWS Icon  Integrating CloudEndure Disaster Recovery into your security incident response plan
How to integrate CloudEndure Disaster Recovery - an AWS DR solution that enables fast, reliable recovery of physical, virtual, and cloud-based servers on AWS - into the recovery section of your incident response plan.

AWS Icon  Introducing Amazon S3 Storage Lens โ€“ Organization-wide Visibility Into Object Storage
The S3 team has built a new feature called Amazon S3 Storage Lens. This is the first cloud storage analytics solution with support for AWS Organizations to give you organization-wide visibility into object storage, with point-in-time metrics and trend lines as well as actionable recommendations. All these things combined will help you discover anomalies, identify cost efficiencies, and apply data protection best practices across accounts.

AWS Icon  AWS Single Sign-On adds Web Authentication (WebAuthn) support for user authentication with security keys and built-in biometric authenticators
AWS Single Sign-On (SSO) now enables you to secure user access to AWS accounts and business applications using multi-factor authentication (MFA) with FIDO-enabled security keys, such as YubiKey, and built-in biometric authenticators, such as Touch ID on Apple MacBooks and facial recognition on PCs.

GCP Icon  Introducing the Anthos Developer Sandboxโ€”free with a Google account
Google launched the Anthos Developer Sandbox, providing a way to learn how to develop on Anthos with Cloud Shell Editor, Cloud Code, and Cloud Build Local.

GCP Icon  Introducing Voucher, a service to help secure the container supply chain
Voucher evaluates container images created by CI/CD pipelines and signs those images if they meet certain predefined security criteria. Binary Authorization then validates these signatures at deploy time, ensuring that only explicitly authorized code that meets your organizational policy and compliance requirements can be deployed to production.

GCP Icon  I do declare! Infrastructure automation with Configuration as Data
The Kubernetes Resource Model (KRM) that powers containerized applications can manage non-Kubernetes resources including other infrastructure, platform, and application services. For example, you can use the Kubernetes Resource Model to deploy and manage cloud databases, storage buckets, networks, and much more.

GCP Icon  Use real-time anomaly detection reference patterns to combat fraud
Reference patterns are technical reference guides that offer step-by-step implementation and deployment instructions and sample code.

Azure Icon  Deploying and Managing Azure Sentinel - Ninja style
How to configure and maintain Azure Sentinel through Azure DevOps with IaC using the Sentinel API, AzSentinel and ARM templates.

Azure Icon  New Azure Kubernetes Service (AKS) Security Workbook
Now you can get even more insights about the security of your AKS clusters with the new workbook for Azure Kubernetes Service (AKS) security in Sentinel. The workbook helps you to get a better visibility to your cluster from security perspective.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! ๐Ÿ‘Œ

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
ยฉ 2019-present, CloudSecList by Marco Lancini.