This week's articles
Leaky Serverless Framework
#aws, #defend
Corey Quinn raises an issue whereby the Serverless Framework will, in some cases, copy your API credentials to its own systems and execute actions on your behalf.
GCP .actAs d-day > How not to remediate
#gcp, #defend, #explain
Blog post detailing the .actAs permission, with a short history of this vulnerability and how to remediate it before Google does it for you.
AWS Lambda $LATEST is dangerous
#aws, #build
You should always use function versioning. You should almost always use function aliases, which have a handful of benefits involving metrics in CloudWatch, IAM permissions, traffic-shifting, etc.
Tools
CrowdStrike Reporting Tool for Azure (CRT)
A tool which helps organizations quickly and easily review excessive permissions in their Azure AD environments, helps determine configuration weaknesses, and provides advice to mitigate risk.
serverlessish
Run the exact same image for websites in Lambda as you do in ECS, Kubernetes, etc.
policy-hub-cli
PolicyHub is a CLI tool that makes Rego policies searchable.
From the cloud providers
Searching IAM policies
The Cloud Asset API allows you to use a custom query language to search Identity and Access Management (IAM) policies within a project, folder, or organization.
Protecting your Kubernetes deployments with Policy Controller
If you are using a Google Cloud managed solution like Anthos or Kubernetes Engine (GKE), you can easily and effectively mitigate CVE-2020-8554, which lets users create objects that could act as a "Man in the Middle" and therefore potentially intercept sensitive data.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌 If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco