Release Date: 06/06/2021 | Issue: 90
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

Sponsor

Learn the Benefits of Infrastructure as Code Security ✅
Leverage Infrastructure as Code (IaC) to embed cloud security and compliance directly into developer workflows. With policy-as-code, you can get both real-time visibility and preventative governance to more efficiently manage your cloud security posture. Download more IaC Security insights in the free DZone Refcard.

This week's articles


Access Service: Temporary Access to the Cloud   #aws, #gcp, #build
How the Segment Security Engineering Team approaches access to AWS/GCP roles and SaaS apps, and how they implemented time-based, peer-reviewed access.


AWS Accounts as Security Boundaries - 97+ Ways Data Can be Shared Across Accounts   #aws, #defend
Security teams cannot simply rely on the AWS account boundary to limit access between environments. Instead, they must carefully audit IAM policies, resource policies, Organization membership, RAM shares, service-level integrations, and sometimes combinations of one or more of these options, in order to properly evaluate how data from one account is being sent to others.


How to measure SOC quality   #strategy, #monitor
You can scale your SOC and improve quality. Seems impossible? Not if you know how and what to measure. The crew that helped build Expel's SOC explain how they pulled it off.


Getting Started in Pentesting the Cloud: Azure   #azure, #attack
The differences between Azure resources and Microsoft 365 can often be confusing, but knowing these differences is key to helping you pivot and escalate privileges.


Ensure Content Trust on Kubernetes using Notary and Open Policy Agent   #kubernetes, #build
A detailed guide to help you ensure that only signed images can get deployed on a cluster.


Protecting Amazon S3 Data from Ransomware   #aws, #defend
Ransomware targeting S3 is more likely to simply delete your data and claim that it's being held for ransom than to actually encrypt it.


Analyze Kubernetes Audit logs using Falco   #kubernetes, #monitor
Detect intrusions that happened in your Kubernetes cluster through audit logs using Falco.


Reverse Engineering a Docker Image   #docker, #attack
The Docker image format is a lot more transparent than it could be. A little detective work is needed, but a lot can be figured out just by pulling apart an image file.


K0s Cluster Without Internet Access   #kubernetes, #build
In companies with high security constraints, it may be necessary to install a Kubernetes cluster on machines without any internet access. This article shows how k0s manages air-gapped installations.


Is your Ansible Package Configuration Secure?   #ansible, #attack
Deep dive into what package management vulnerabilities in the world of Ansible look like.


Best Practices Around Production Ready Web Apps with Docker Compose   #docker, #build
Quite a few patterns on how to safely use Docker Compose.


Running Linux Tools in Lambda Containers   #aws, #defend
Lambda Containers are a great fit for performing tasks that require elevated privileges, especially if AWS IAM can control access. Running tasks with elevated privileges in an ephemeral manner is great for security, since there's nothing constantly running with that access.

Tools


kpexec
kpexec is a Kubernetes CLI that runs commands in a container with high privileges.


k8scr
A kubectl plugin for pushing OCI images through the Kubernetes API server.


kubevela
KubeVela is a modern application platform that simplifies deploying and managing applications, based on Kubernetes and OAM.


upgrade-manager
RollingUpgrade provides a Kubernetes native mechanism for doing rolling-updates of instances in an AutoScaling group using a CRD and a controller.


confectionery
A library of rules for Conftest used to detect misconfigurations within Terraform configuration files.

Sponsor CloudSecList

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

From the cloud providers


How to implement a hybrid PKI solution on AWS
How to plan and deploy a PKI that enables certificates to be issued across a hybrid (cloud & on-premises) environment with a common root.


Integrating Okta with AWS Single Sign-On in an AWS Control Tower environment
How to integrate AWS Control Tower, AWS SSO, and Okta as an external identity provider so that you can manage users, entitlements, accounts, and roles in Okta.


Automate security scans for cross-account workloads using Amazon Inspector and AWS
How to automatically scan for vulnerabilities in cross-account workloads on AWS.


Building a serverless Jenkins environment on AWS Fargate
Walkthrough of how to set up a completely serverless Jenkins environment on AWS Fargate using Terraform.


DevOps on Google Cloud: tools to speed up software development velocity
Google Cloud's application development and continuous integration/continuous delivery (CI/CD) tools.


How to use VPC Flow Logs in GCP for network traffic analysis
A set of open-source tools from Google Cloud Professional Services that provide export, analytics and reporting capabilities for multiple use-cases.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present, CloudSecList by Marco Lancini.