This week's articles
Thread on CI security
#ci/cd, #defend
Many useful insights from Dino Dai Zovi on how to properly harden your CI infrastructure to make supply chain attacks more difficult to pull off.
Using Open Policy Agent with Strimzi and Apache Kafka
#opa, #kafka
Blog post looking at Kafka authorization using Open Policy Agent. It explains the advantages and disadvantages of using it, compares it with the other supported authorization methods, and looks at some interesting ways it can be used.
Argo CD v2.0-rc1 is here
#ci/cd, #build
The Argoproj team announced the first release candidate for Argo CD v2.0. This post explains the new Argo CD user interface features, along with the Kubernetes resource syncing and diffing enhancements.
Tools
red-shadow
Scans your AWS IAM configuration for shadow admins: principals that gain administrative rights because misconfigured deny policies do not apply to users who are members of groups.
kubestriker
Kubestriker performs numerous in-depth checks on Kubernetes infrastructure to identify the security misconfigurations and challenges that DevOps engineers and developers are likely to encounter when using Kubernetes, especially in production and at scale.
argocd-image-updater
Tool to automatically update the container images of Kubernetes workloads that are managed by Argo CD. In a nutshell, it tracks the image versions specified by annotations on the Argo CD Application resources and updates them by setting parameter overrides through the Argo CD API. You can also check the companion blog post.
magpie
Magpie is a free, open-source framework and a collection of community-developed plugins that can be used to build complete end-to-end security tools, such as a Cloud Security Posture Manager.
CloudSecDocs
Secrets
A collection of tools useful for secrets management, as well as hooks and scanners handy for preventing and detecting leaked secrets.
Sponsor CloudSecList
If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune 500 and FAANG, you can reach out at [email protected]
From the cloud providers
Now you can use AWS CloudTrail to log data-plane API activity in DynamoDB tables
You can now use AWS CloudTrail to log data-plane API activity in order to monitor, alarm on, and archive item-level activity in your Amazon DynamoDB tables. This item-level activity record can be used as part of an audit, to help address compliance requirements, and to monitor which IAM users, roles, and permissions are being used to access your table data.
Building and debugging locally
It is now possible to run Google Cloud Build builds locally on your laptop with: `cloud-build-local --dryrun=false --config=cloudbuild.yaml`.
Policy Simulator
Policy Simulator lets you see how an IAM policy change might impact a member's access before you commit to making the change. You can use Policy Simulator to ensure that the changes you're making won't cause a member to lose access that they need.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco