This week's articles
Threat matrix for storage services
Blog post from Microsoft outlining the potential risks you should be aware of when deploying, configuring, or monitoring your storage environment, organised as an ATT&CK-style matrix of tactics and techniques against storage services.
#azure
#defend
Introducing Suspended Jobs
With the recent Kubernetes 1.21 release, you can suspend a Job by setting suspend: true in its spec. The Job controller will refrain from creating Pods until you are ready to start the Job, which you do by setting suspend: false. The feature is alpha in 1.21, behind the SuspendJob feature gate.
#kubernetes
#explain
Kubernetes Version 1.21: What You Need to Know
Kubernetes 1.21 ships with several security-relevant changes, including the deprecation of PodSecurityPolicy (slated for removal in 1.25), new features that help close off known attack paths, and more.
#kubernetes
#explain
Transparently Generate Pre-Signed URLs with S3 Object Lambdas
AWS recently introduced S3 Object Lambdas. These Lambda functions sit behind an S3 Access Point and can transparently mutate objects as they are retrieved from S3. This post shows how this mechanism can be combined with pre-signed URLs to protect assets, while simplifying application code and improving the user experience.
#aws
#build
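To make the mechanism concrete, here is an added example (not code from the linked post or from AWS) of an S3 Object Lambda handler that rewrites the object keys in a JSON manifest into short-lived pre-signed GET URLs as the manifest is fetched. The bucket name, the "assets/" prefix, the manifest layout and the sample data are assumptions; the transform is separated from the AWS calls so it can be exercised offline.

```python
"""S3 Object Lambda that rewrites asset keys in a JSON manifest into
short-lived pre-signed GET URLs as the manifest is read from S3.
Added example for this newsletter entry, not code from the linked post
or from AWS. The bucket name, the "assets/" prefix and the manifest
layout are assumptions."""
import json
import urllib.request
from typing import Callable

ASSET_BUCKET = "example-assets-bucket"  # assumption
ASSET_PREFIX = "assets/"                # only keys under this prefix get signed
PRESIGN_TTL_SECONDS = 300               # links are re-minted on every GET, so keep them short


def rewrite_manifest(document: bytes, presign: Callable[[str], str]) -> bytes:
    """Replace each assets[].key with a pre-signed URL.

    `presign` is injected so the transform can run without AWS credentials.
    A key outside ASSET_PREFIX (or containing "..") is refused rather than
    signed: otherwise a writable manifest would let anyone mint links to
    arbitrary objects the Lambda's role can read.
    """
    manifest = json.loads(document)
    for asset in manifest.get("assets", []):
        key = asset.pop("key")
        if not key.startswith(ASSET_PREFIX) or ".." in key.split("/"):
            raise ValueError(f"refusing to sign unexpected key: {key!r}")
        asset["url"] = presign(key)
    return json.dumps(manifest).encode()


def lambda_handler(event, context):
    """Entry point invoked through an S3 Object Lambda Access Point."""
    import boto3  # imported here so rewrite_manifest() stays importable offline

    ctx = event["getObjectContext"]
    # S3 hands the function a pre-signed inputS3Url for the original object.
    with urllib.request.urlopen(ctx["inputS3Url"]) as resp:
        original = resp.read()

    s3 = boto3.client("s3")

    def presign(key: str) -> str:
        return s3.generate_presigned_url(
            "get_object",
            Params={"Bucket": ASSET_BUCKET, "Key": key},
            ExpiresIn=PRESIGN_TTL_SECONDS,
        )

    body = rewrite_manifest(original, presign)
    # Hand the transformed bytes back to the client that issued the GET.
    s3.write_get_object_response(
        RequestRoute=ctx["outputRoute"],
        RequestToken=ctx["outputToken"],
        Body=body,
        ContentType="application/json",
    )
    return {"statusCode": 200}


# Constructed sample manifest and a stub signer, for running offline.
SAMPLE_MANIFEST = json.dumps({
    "title": "Album",
    "assets": [{"key": "assets/photo1.jpg"}, {"key": "assets/photo2.jpg"}],
}).encode()


def stub_presign(key: str) -> str:
    return f"https://{ASSET_BUCKET}.s3.amazonaws.com/{key}?X-Amz-Signature=stub"


def demo() -> dict:
    return json.loads(rewrite_manifest(SAMPLE_MANIFEST, stub_presign))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical points: the function's execution role needs s3:GetObject on the bucket and s3-object-lambda:WriteGetObjectResponse, and a URL signed with the Lambda role's temporary credentials stops working when those credentials expire, so ExpiresIn is an upper bound rather than a guarantee.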
Tools
opal
OPAL is an administration layer for Open Policy Agent (OPA) that detects changes to both policy and policy data in real time and pushes live updates to your agents. As your application state changes (whether via your APIs, DBs, git, S3 or third-party SaaS services), OPAL makes sure your services are always in sync with the authorization data and policy they need.
kube-secrets-init
kube-secrets-init is a Kubernetes mutating admission webhook that rewrites any Pod whose environment variables carry a special prefix, whether set directly or sourced from a Secret or ConfigMap, so that their values are resolved from a cloud secret manager when the container starts.
keto
Open Source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC and REST APIs, NewSQL storage backends, and an easy and granular permission language. Supports ACL, RBAC, and other access models.
gcptree
Like the Unix tree command, but for the GCP organization hierarchy.
CloudSecDocs
Security Programs
A collection of resources that provide insights into how to create effective security programs.
From the cloud providers
#AWS
How to relate IAM role activity to corporate identity
AWS STS now lets you attach a unique identity attribute to workforce identities and applications when they assume an IAM role. This new SourceIdentity attribute makes it easier to determine who performed the actions taken while the role was assumed: it is recorded in CloudTrail, persists across role chaining, and can be required in the role's trust policy (the caller needs sts:SetSourceIdentity).
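As an added example (not code from the AWS post), the following shows both ends of the feature: a trust policy that refuses sessions without a corporate-looking SourceIdentity, the AssumeRole call that sets it, and a small correlation over CloudTrail records that groups role activity by the person behind it. Account IDs, ARNs, user names and the log records are constructed; the STS client is a stand-in so the call shape can be shown without AWS.

```python
"""Requiring and auditing the STS SourceIdentity attribute.
Added example for this newsletter entry, not code from the AWS post.
Account IDs, ARNs, user names and the CloudTrail records are constructed."""
from collections import defaultdict
from typing import Dict, List

# Trust policy for the target role. The broker that assumes it must also be
# allowed sts:SetSourceIdentity, and the value it sets must look like a
# corporate user name; sessions without one are refused outright.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/IdPBroker"},
        "Action": ["sts:AssumeRole", "sts:SetSourceIdentity"],
        "Condition": {"StringLike": {"sts:SourceIdentity": "?*@example.com"}},
    }],
}


def assume_with_source_identity(sts_client, role_arn: str, user: str) -> dict:
    """Assume `role_arn`, stamping the corporate identity on the session.

    SourceIdentity is set once and cannot be changed by later role chaining,
    so every CloudTrail event of the session (and of sessions chained from it)
    carries it.
    """
    return sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=user.split("@", 1)[0],
        SourceIdentity=user,
    )


class FakeSTS:
    """Stand-in for boto3's STS client so the call shape can be shown offline."""

    def __init__(self):
        self.calls: List[dict] = []

    def assume_role(self, **kwargs) -> dict:
        self.calls.append(kwargs)
        session = kwargs["RoleSessionName"]
        return {
            "AssumedRoleUser": {"Arn": f"arn:aws:sts::111122223333:assumed-role/Admin/{session}"},
            "SourceIdentity": kwargs.get("SourceIdentity"),
        }


# Constructed CloudTrail records, trimmed to the fields the correlation reads.
# For calls made inside a role session, CloudTrail places the value at
# userIdentity.sessionContext.sourceIdentity.
SAMPLE_EVENTS = [
    {"eventName": "DeleteBucket",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice",
                      "sessionContext": {"sourceIdentity": "alice@example.com"}}},
    {"eventName": "PutBucketPolicy",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/ci-runner",
                      "sessionContext": {}}},
    {"eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"}},
]


def attribute_role_activity(events: List[dict]) -> Dict[str, List[str]]:
    """Group API calls made under assumed roles by the person behind them.

    Events without a sourceIdentity land under "<unattributed>": those are the
    sessions to chase, minted by principals that were never required to set it.
    """
    by_identity: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue  # direct IAM user or root calls are attributable already
        who = ident.get("sessionContext", {}).get("sourceIdentity") or "<unattributed>"
        by_identity[who].append(f"{ev['eventName']} via {ident['arn']}")
    return dict(by_identity)


if __name__ == "__main__":
    sts = FakeSTS()
    print(assume_with_source_identity(sts, "arn:aws:iam::111122223333:role/Admin", "alice@example.com"))
    for who, calls in attribute_role_activity(SAMPLE_EVENTS).items():
        print(who, calls)
```

The "<unattributed>" bucket is the useful output during rollout: once every trust policy carries the sts:SourceIdentity condition it should be empty, and anything still landing there points at a broker or automation path that assumes roles without setting the attribute.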
#GCP
CISO Perspectives: April 2021
Google Cloud CISO Phil Venables shares his perspective on industry news from spring 2021 and updates from Google's security team.
#GCP
Google Cloud security foundations guide
This guide presents an opinionated view of Google Cloud security best practices, organized to allow users to adopt or adapt them and then automatically deploy them for their estates on Google Cloud.
#GCP
Google Cloud adds compliance certifications and resources
A round-up of GCP's compliance-related initiatives: expanding the list of FedRAMP High certified products, providing new capabilities for North American public sector agencies, assisting with data protection and security requirements in APAC, and keeping pace with region-specific regulatory requirements in Europe.
#AZURE
How to use Azure Sentinel for Incident Response, Orchestration and Automation
A Security Orchestration, Automation and Response (SOAR) solution offers a path to handling the long series of repetitive tasks involved in incident triage, investigation and response, letting analysts focus on the most important incidents and allowing SOCs to achieve more with the resources they have.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! If you have questions, comments, or feedback, let me know on Twitter ( @lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco