Release Date: 18/04/2021 | Issue: 83
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up
Sponsor

The State of DevSecOps Report
The adoption of cloud native infrastructure such as serverless, containers, and servicemesh are enabling organizations to rapidly deliver new innovations to the market. Unfortunately, over 30 billion records have been exposed as a result of cloud infrastructure misconfigurations over the last two years and the velocity of cloud breaches continue to increase. Download this report to dive deeper into top risks and gain an understanding of the state of DevSecOps.

This week's articles


5 best practices to get to production readiness with Hashicorp Vault in Kubernetes   #vault, #build
A list of architectural and technical recommendations from the Expel team to help reliably and securely deploy, run, and configure a Vault server in Kubernetes.


Threat matrix for storage services   #azure, #defend
Blog from Microsoft outlining potential risks that you should be aware of when deploying, configuring, or monitoring your storage environment.


Azure Storage Security: Attacking & Auditing   #azure, #attack
How to attack and audit cloud storage services on Azure.


Unveil hidden malicious processes with Falco in cloud-native environments   #kubernetes, #monitor
How Falco can detect and mitigate attacks performed by malware which tries to evade detection.


Defend the Core: Kubernetes Security at Every Layer   #kubernetes, #defend
High level security best practices for every layer of the container stack, from kernel to cluster components.


Kubernetes multi tenancy with Amazon EKS: Best practices and considerations   #kubernetes, #defend
Some considerations for Kubernetes multi tenancy implementation using Amazon EKS, covering different perspectives around compute, networking, and storage.


Generating Kubernetes Network Policies By Sniffing Network Traffic   #kubernetes, #defend
This blog post is about an experiment to automate creation of Kubernetes Network Policies based on actual network traffic captured from applications running on a Kubernetes cluster.


Introducing Suspended Jobs   #kubernetes, #explain
With the recent Kubernetes 1.21 release, you will be able to suspend a Job by updating its spec. The Job controller will refrain from creating Pods until you are ready to start the Job, which you can do by setting suspend: false.


Kubernetes Version 1.21: What You Need to Know   #kubernetes, #explain
Kubernetes version 1.21 released with changes affecting its security, deprecation of PodSecurityPolicies, new features to block Kubernetes vulnerabilities, and more.


Transparently Generate Pre-Signed URLs with S3 Object Lambdas   #aws, #build
AWS recently introduced S3 Object Lambdas. These Lambda functions sit behind an S3 Access Point and can transparently mutate objects as they are retrieved from S3. This post shows how this mechanism can be combined with pre-signed URLs to protect assets, while simplifying application code and improving the user experience.


Announcing HashiCorp Terraform 0.15 General Availability   #terraform, #announcement
Terraform 0.15 includes improvements like state file format stability, unified console support, provider-based, sensitivity and sensitive functions, and structured logging levels.

Tools


opal
OPAL is an administration layer for Open Policy Agent (OPA), detecting changes to both policy and policy data in realtime and pushing live updates to your agents. As your application state changes (whether it's via your APIs, DBs, git, S3 or 3rd-party SaaS services), OPAL will make sure your services are always in sync with the authorization data and policy they need.


kube-secrets-init
kube-secrets-init is a Kubernetes mutating admission webhook that mutates any Pod that is using specially prefixed environment variables, directly or from Kubernetes as Secret or ConfigMap.


keto
Open Source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models.


gcptree
Like the unix tree command but for GCP Org hierarchy.

CloudSecDocs


Security Programs
A collection of resources that provide insights into how to create effective security programs.


From the cloud providers


AWS Icon  How to relate IAM role activity to corporate identity
AWS STS now offers the ability to specify a unique identity attribute for your workforce identities and applications when they assume an IAM role. This new SourceIdentity attribute makes it easier to determine the identity that performed the actions while the role was assumed.


AWS Icon  Optimizing cloud governance on AWS: Integrating the NIST Cybersecurity Framework, AWS Cloud Adoption Framework, and AWS Well-Architected
This post explores the value and use of the NIST CSF as a framework to establish your security objectives, assess your organization's current capabilities, and develop a plan to improve and maintain your desired security posture.


AWS Icon  How to use AWS IAM Access Analyzer API to automate detection of public access to AWS KMS keys
How to use AWS IAM Access Analyzer to automate the detection of public access to resources in an AWS account.


AWS Icon  AWS Control Tower introduces changes to preventive S3 guardrails and updates to S3 bucket encryption protocols
AWS Control Tower is releasing four new, less restrictive, mandatory preventative S3 Log Archive guardrails and changing the guidance of the four previous, more restrictive, preventative S3 Log Archive guardrails from mandatory to elective. With these guardrail changes you can now separate S3 Log Archive governance for resources created by AWS Control Tower from governance for the S3 resources you create.


GCP Icon  CISO Perspectives: April 2021
Google Cloud CISO Phil Venables shares his perspective on industry news from spring 2021 and updates from Google's security team.


GCP Icon  Google Cloud security foundations guide
This guide presents an opinionated view of Google Cloud security best practices, organized to allow users to adopt or adapt them and then automatically deploy them for their estates on Google Cloud.


GCP Icon  Enable keyless access to GCP with workload Identity Federation
With workload Identity federation, you can securely operate your workloads and no longer have to worry about managing service account keys.


GCP Icon  How to deploy Google CAS: Whitepaper
Google CAS can help manage certifications at scale. Here's how to put it to work.


GCP Icon  Google Cloud adds compliance certifications and resources
GCP's compliance-related initiatives like expanding the list of FedRAMP High certified products and providing new capabilities for North American public sector agencies, assisting with data protection and security requirements in APAC, and evolving with region-specific regulatory requirements in Europe.


Azure Icon  How to use Azure Sentinel for Incident Response, Orchestration and Automation
A Security Orchestration, Automation and Response (SOAR) solution offers a path to handling the long series of repetitive tasks involved in incident triage, investigation and response, letting analysts focus on the most important incidents and allowing SOCs to achieve more with the resources they have.


Azure Icon  Learn how to use Kubernetes in Azure for free
Create new Azure Kubernetes Service (AKS) clusters using images from Microsoft's container repository.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present, CloudSecList by Marco Lancini.