Release Date: 31/01/2021 | Issue: 72
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

This week's articles


The CSA Cloud Controls Matrix (CCM) V4: Raising the cloud security bar to the next level
The Cloud Security Alliance released version 4 of the Cloud Controls Matrix (CCM). The upgrade from CCM v3.0.1 to v4 was imperative given the evolution of the cloud security landscape, from both the technical and the legal and regulatory standpoints. There was also a need to make the implementation of security and privacy controls more efficient for organizations and to streamline compliance.   #defend   #build


Bringing Your A-Game: Availability for Security People
An overview of why infosec teams stand to substantially benefit from rediscovering the importance of availability within their mandate, and why it's imperative they do so.   #defend   #build


Intercept SSM Agent Communications
Leveraging SSM for post-exploitation: with access to an EC2 instance you can block EC2 Messages (like send-command) and SSM sessions, send arbitrary responses, or snoop on communications.   #aws   #attack


Kubernetes Honey Token
How to use an artisanally crafted Kubernetes Service Account as a Honeytoken.   #k8s   #defend


Test an S3 bucket policy using the AWS IAM Simulator
How to use the AWS IAM Simulator to test an S3 bucket policy attached to a bucket in your AWS account.   #aws   #defend


How We Escaped Docker in Azure Functions
Vulnerability in Azure Functions which would allow an attacker to escalate privileges and escape the Azure Functions Docker container to the Docker host. Microsoft has determined that the vulnerability has no security impact on Function users as the Docker host itself is protected by a Hyper-V boundary.   #azure   #attack


Publishing Checkov Terraform Quality Checks to Azure DevOps Pipelines
Step by step explanation on how to integrate Checkov Terraform quality checks into Azure DevOps pipelines.   #azure   #build


Using Jenkins, Vault, Terraform, Ansible, and Consul to Deliver an End-to-End CI/CD Pipeline
A series focusing on best practices around the automation of infrastructure provisioning and application deployment. It covers the concepts of Infrastructure as Code, CI/CD, secrets management, dynamic secrets, the secret zero problem, service mesh, and more.   #ci/cd   #build


Falco vs. AuditD from the HIDS perspective
How Falco and AuditD compare from a Host Intrusion Detection perspective. Bear in mind this post has been written by Sysdig.   #k8s   #monitor

Tools


gcp_sa_lister
Crawls your GCP Org and returns service accounts that have not been used in the past 90 days.


k8s-mirror
Creates a local mirror of a Kubernetes cluster in a docker container to support offline reviewing.


Cloud Scout
Cloud Scout is a plugin that works on top of BloodHound, leveraging its visualization capabilities to display cross-platform attack paths.


go-containerregistry
Go library and CLIs for working with container registries. It also lets you build your own layers and images programmatically.

From the cloud providers


#AWS   Security Overview of AWS Lambda
Amazon released a whitepaper presenting a deep dive into the AWS Lambda service through a security lens. It provides a well-rounded picture of the service, which is useful for new adopters, and deepens understanding of Lambda for current users.


#AWS   Discover, review, and remediate unintended access to Secrets Manager secrets using IAM Access Analyzer
AWS IAM Access Analyzer now analyzes AWS Secrets Manager resource-based policies to help you discover secrets that can be accessed publicly or from other accounts or organizations.


#AWS   Amazon GuardDuty enhances security incident investigation workflows through new integration with Amazon Detective
Amazon GuardDuty has added Amazon Detective hyperlink pivots to make it even easier to jump from a GuardDuty security finding into a pre-populated Amazon Detective investigation experience.


#AWS   Using Route 53 Private Hosted Zones for Cross-account Multi-region Architectures
This blog presents an architecture that provides a unified view of the DNS while allowing different AWS accounts to manage subdomains. It utilizes PHZs with overlapping namespaces and cross-account multi-region VPC association for PHZs to create an efficient, scalable, and highly available architecture for DNS.


#AWS   AWS Certificate Manager Private Certificate Authority now supports additional certificate customization
AWS Certificate Manager (ACM) Private Certificate Authority (CA) now supports additional customization options for issuing CA and end entity certificates to meet additional use cases such as identity certificates, including smart card certificates. Customers can now include certificate attributes via API calls at the time of issuance in addition to inclusion in the certificate signing request (CSR).


#AWS   Sudo Security Issue (CVE-2021-3156)
AWS infrastructure and services are not affected by this issue. As a general security best practice, it is recommended that Amazon EC2 customers running Amazon Linux update their operating systems to install the latest version of sudo.


#GCP   Assess the security of Google Kubernetes Engine (GKE) with InSpec for GCP
Google announced the GKE CIS 1.1.0 Benchmark InSpec profile, which allows you to assess Google Kubernetes Engine (GKE) clusters against security controls recommended by CIS.


#GCP   Take the first step toward SRE with Cloud Operations Sandbox
Cloud Operations Sandbox is an open-source tool that helps you learn SRE practices from Google and apply them on cloud services using Google Cloud's operations suite (formerly Stackdriver).


#GCP   Designing and deploying a data security strategy with Google Cloud
Google released a new white paper, "Designing and deploying a data security strategy with Google Cloud", that shares a view of how to deploy a modern and effective data security program.


#GCP   Lifecycle of a container on Cloud Run
Post explaining the entire lifecycle of a container on Cloud Run, from starting to serving and shutting down.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues!

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini