Release Date: 28/03/2021 | Issue: 80
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Cloud Cyber Resilience Report: Evolving Risks, Insecure Defaults, Watering Hole Threats
As cloud native technologies, such as serverless, containers, and service mesh, experience explosive growth, it's apparent that organizations see cloud native as the future. Accurics' latest research identified some common trends, such as a move of Identity and Access Management into Infrastructure as Code, rapid adoption of CSP-managed services, and insecure default configurations for many resource types.
This report examines the top cloud infrastructure risks, provides practical advice and best practices to avoid common misconfigurations that kill productivity.
Read the report.

This week's articles


Secure access to 100 AWS accounts
Segment's journey towards designing a scalable IAM architecture.   #aws   #defend


Thread on CI security
Many useful insights from Dino Dai Zovi on how to properly harden your CI infrastructure to make supply chain attacks more difficult to pull off.   #ci/cd   #defend


What Architects Need to Know About Networking on AWS
Blog walking through the importance of managing your network, and presenting a network structure that gives you full control over your cloud resources.   #aws   #explain


Presenting the Risk: Do You Know About this AWS Authorization Bypass?
In AWS IAM, even if a group has an explicit "Deny", this will only impact Group actions, and not User actions, opening organizations up to misconfiguration and vulnerabilities.   #aws   #defend


Continuous AWS IAM Security Best Practices
Walkthrough on how to automate, validate and monitor AWS IAM Security best practices with CloudQuery.   #aws   #defend


10 Kubernetes Security Context settings you should understand
Cheatsheet taking a look at the various "securityContext" settings, exploring what they mean and how you should use them.   #k8s   #explain


Trying out Cosign
How to set up a GitHub Action to build and sign an image with Cosign.   #docker   #build


Using Open Policy Agent with Strimzi and Apache Kafka
Blog looking at Kafka authorization using Open Policy Agent. It explains the advantages and disadvantages of using it, compares it with other supported authorization methods, and looks at some interesting ways it can be used.   #opa   #kafka


How to monitor multi-cloud Kubernetes with Prometheus and Grafana
How to connect services running in multiple, isolated, Kubernetes clusters spread across cloud providers or running on-premises with Inlets.   #k8s   #monitor


Argo CD v2.0-rc1 is here
The Argoproj team announced the first release candidate for Argo CD v2.0. This post explains the new Argo CD user interface features, Kubernetes resource syncing and diffing enhancements.   #ci/cd   #build

Sponsor CloudSecList

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

Tools


red-shadow
Scan your AWS IAM configuration for shadow admins: users whose effective permissions are broader than intended because a misconfigured deny policy attached to a group does not apply to them directly.


s3-account-search
Find the account ID an S3 bucket belongs to. You can also read the companion blog post.


kubestriker
Kubestriker performs numerous in-depth checks on Kubernetes infrastructure to identify the security misconfigurations and challenges that DevOps engineers and developers are likely to encounter when using Kubernetes, especially in production and at scale.


argocd-image-updater
Tool to automatically update the container images of Kubernetes workloads which are managed by Argo CD. In a nutshell, it will track image versions specified by annotations on the Argo CD Application resources and update them by setting parameter overrides using the Argo CD API. You can also check the companion blog post.


magpie
Magpie is a free, open-source framework and a collection of community developed plugins that can be used to build complete end-to-end security tools such as a Cloud Security Posture Manager.

CloudSecDocs


Secrets
A collection of tools useful for secrets management, as well as hooks and scanners handy for preventing and detecting leaked secrets.

From the cloud providers


#AWS   Organizing Your AWS Environment Using Multiple Accounts
In-depth guide on how to set up an AWS multi-account environment, full of advice and examples from AWS engineers and customer experts.


#AWS   Approaches for authenticating external applications in a machine-to-machine scenario
Post aiming to help you decide which approach is best to securely connect your applications, either residing on premises or hosted outside of AWS, to your AWS environment when no human interaction comes into play. The post goes through the various alternatives available and highlights the pros and cons of each.


#AWS   Now you can use AWS CloudTrail to log data-plane API activity in DynamoDB tables
Now you can use AWS CloudTrail to log data-plane API activity to monitor, alarm, and archive item-level activity in your Amazon DynamoDB tables. You can use this information about item-level activity as part of an audit, to help address compliance requirements, and monitor which IAM users, roles, and permissions are being used to access your table data.


#AWS   AWS Security Hub integrates with Amazon Macie to automatically ingest sensitive data findings
AWS Security Hub is now integrated with Amazon Macie to automatically ingest sensitive data findings from Macie. Security Hub previously ingested policy findings from Macie, and this integration adds sensitive data findings.


#AWS   How to automate SCAP testing with AWS Systems Manager and Security Hub
How to automate OpenSCAP's STIG testing and integrate the findings with AWS Security Hub to improve your view of your IT systems' compliance status.


#GCP   Announcing Network Connectivity Center
With Network Connectivity Center, you can connect and manage VPNs, interconnects, third-party routers and SD-WAN across on-prem and cloud networks.


#GCP   Building and debugging locally
It is now possible to run Google Cloud Build builds locally on your laptop with: "$ cloud-build-local --dryrun=false --config=cloudbuild.yaml".


#GCP   Policy Simulator
Policy Simulator lets you see how an IAM policy change might impact a member's access before you commit to making the change. You can use Policy Simulator to ensure that the changes you're making won't cause a member to lose access that they need.


#GCP   You make the rules with authentication controls for Cloud Storage
Once you've got your data into Cloud Storage, it's time for an important conversation about authentication. This post reviews some critical components for determining who has access to that data.


#AZURE   Strengthen and optimize compliance in Azure Security Center
The Regulatory Compliance dashboard in Azure Security Center is an excellent tool for helping organizations understand their compliance posture relative to industry standards.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini