This week's articles
Threat matrix for storage services
#azure, #defend
Blog from Microsoft outlining potential risks that you should be aware of when deploying, configuring, or monitoring your storage environment.
Introducing Suspended Jobs
#kubernetes, #explain
With the Kubernetes 1.21 release you can suspend a Job by setting suspend: true in its spec. The Job controller will not create Pods until you are ready to start it, which you do by setting suspend: false. Note that suspending a Job that is already running terminates its active Pods, so the flag is a scheduling control, not a pause.
Kubernetes Version 1.21: What You Need to Know
#kubernetes, #explain
Kubernetes 1.21 was released with several security-relevant changes: PodSecurityPolicy is now deprecated, new features reduce the attack surface for known classes of Kubernetes vulnerabilities, and more.
Transparently Generate Pre-Signed URLs with S3 Object Lambdas
#aws, #build
AWS recently introduced S3 Object Lambdas. These Lambda functions sit behind an S3 Access Point and can transparently transform objects as they are retrieved from S3. This post shows how this mechanism can be combined with pre-signed URLs to protect assets while simplifying application code and improving the user experience.
Tools
opal
OPAL is an administration layer for Open Policy Agent (OPA). It detects changes to both policy and policy data in real time and pushes live updates to your agents. As your application state changes (whether via your APIs, databases, git, S3 or third-party SaaS services), OPAL keeps your services in sync with the authorization data and policy they need.
kube-secrets-init
kube-secrets-init is a Kubernetes mutating admission webhook that mutates any Pod using specially prefixed environment variables, whether those variables are set directly in the Pod spec or populated from a Secret or ConfigMap.
keto
Open source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC and REST APIs, NewSQL storage, and a simple yet granular permission language. Supports ACL, RBAC, and other access models.
gcptree
Like the unix tree command but for GCP Org hierarchy.
CloudSecDocs
Security Programs
A collection of resources that provide insights into how to create effective security programs.
From the cloud providers
How to relate IAM role activity to corporate identity
AWS STS now lets you attach a unique identity attribute to workforce identities and applications when they assume an IAM role. This new SourceIdentity attribute is logged in CloudTrail for the AssumeRole call and for every action taken with the resulting role session, which makes it far easier to determine which person or application performed an action while the role was assumed. The role's trust policy must grant sts:SetSourceIdentity for callers to set it.
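As an added example (not code from the AWS post), the correlation a detection engineer would run over CloudTrail once SourceIdentity is in use. It assumes the field layout AWS documents for the feature: the AssumeRole event carries the value in requestParameters.sourceIdentity, and every later event made with that role session carries it in userIdentity.sessionContext.sourceIdentity. The log lines, account ID, role names and principal names are constructed for illustration.

```python
"""Relate IAM role activity in CloudTrail back to a SourceIdentity.

Added example; the events below are constructed, not real CloudTrail output.
Field placement follows the AWS documentation for SourceIdentity (assumption):
  - AssumeRole events: requestParameters.sourceIdentity
  - actions taken with the role session: userIdentity.sessionContext.sourceIdentity
"""
import json

# Constructed CloudTrail records, one JSON object per line.
SAMPLE_LOG = """
{"eventName":"AssumeRole","eventSource":"sts.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"roleArn":"arn:aws:iam::111122223333:role/DeployRole","roleSessionName":"ci-42","sourceIdentity":"alice@example.com"}}
{"eventName":"PutBucketPolicy","eventSource":"s3.amazonaws.com","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/DeployRole/ci-42","sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::111122223333:role/DeployRole"},"sourceIdentity":"alice@example.com"}}}
{"eventName":"DeleteBucket","eventSource":"s3.amazonaws.com","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/DeployRole/legacy-7","sessionContext":{"sessionIssuer":{"arn":"arn:aws:iam::111122223333:role/DeployRole"}}}}
{"eventName":"ListBuckets","eventSource":"s3.amazonaws.com","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"}}
""".strip()


def parse_cloudtrail(text):
    """Parse newline-delimited JSON CloudTrail records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def source_identity(event):
    """Return the SourceIdentity attached to an event, or None if absent."""
    user = event.get("userIdentity", {})
    sid = user.get("sessionContext", {}).get("sourceIdentity")
    if sid:
        return sid
    if event.get("eventName") == "AssumeRole":
        # On the AssumeRole call itself the value is a request parameter.
        return event.get("requestParameters", {}).get("sourceIdentity")
    return None


def correlate(events):
    """Group role activity by SourceIdentity.

    Returns (by_identity, unattributed):
      by_identity  - SourceIdentity -> list of human-readable action labels
      unattributed - role-session actions with no SourceIdentity at all,
                     i.e. activity you can only trace to the role, not a person
    Direct IAM user / root activity is skipped: it already names its principal.
    """
    by_identity = {}
    unattributed = []
    for ev in events:
        user = ev.get("userIdentity", {})
        if ev.get("eventName") == "AssumeRole":
            role = ev.get("requestParameters", {}).get("roleArn")
            label = f"AssumeRole {role} by {user.get('arn')}"
        elif user.get("type") == "AssumedRole":
            role = user.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
            label = f"{ev.get('eventSource')}:{ev.get('eventName')} via {role}"
        else:
            continue
        sid = source_identity(ev)
        if sid:
            by_identity.setdefault(sid, []).append(label)
        else:
            unattributed.append(label)
    return by_identity, unattributed


if __name__ == "__main__":
    attributed, gaps = correlate(parse_cloudtrail(SAMPLE_LOG))
    for identity, actions in attributed.items():
        print(identity)
        for action in actions:
            print("  ", action)
    print("unattributed role activity (no SourceIdentity):")
    for action in gaps:
        print("  ", action)
```

The unattributed list is the finding worth alerting on: once every legitimate path into a role sets a SourceIdentity, a role session without one is either a client that has not been migrated or someone assuming the role outside the sanctioned flow. Because SourceIdentity persists across role chaining, the same correlation works for sessions several hops away from the original human.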
CISO Perspectives: April 2021
Google Cloud CISO Phil Venables shares his perspective on industry news from spring 2021 and updates from Google's security team.
Google Cloud security foundations guide
This guide presents an opinionated view of Google Cloud security best practices, organized to allow users to adopt or adapt them and then automatically deploy them for their estates on Google Cloud.
Google Cloud adds compliance certifications and resources
An overview of GCP's compliance-related initiatives: expanding the list of FedRAMP High certified products, providing new capabilities for North American public sector agencies, assisting with data protection and security requirements in APAC, and keeping pace with region-specific regulatory requirements in Europe.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌 If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco