Release Date: 06/06/2021 | Issue: 90
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Learn the Benefits of Infrastructure as Code Security ✅
Leverage Infrastructure as Code (IaC) to embed cloud security and compliance directly into developer workflows. With policy-as-code, you can get both real-time visibility and preventative governance to more efficiently manage your cloud security posture. Download more IaC Security insights in the free DZone Refcard.

This week's articles


Access Service: Temporary Access to the Cloud
How the Segment Security Engineering Team approaches access to AWS/GCP roles and SaaS apps, and how they implemented time-based, peer-reviewed access.   #aws   #gcp   #build


AWS Accounts as Security Boundaries - 97+ Ways Data Can be Shared Across Accounts
Security teams cannot simply rely on the AWS account boundary to limit access between environments. Instead, they must carefully audit IAM policies, resource policies, Organization membership, RAM shares, service-level integrations, and sometimes combinations of one or more of these options, in order to properly evaluate how data from one account is being sent to others.   #aws   #defend


How to measure SOC quality
You can scale your SOC and improve quality. Seems impossible? Not if you know how and what to measure. The crew that helped build Expel's SOC explain how they pulled it off.   #strategy   #monitor


Getting Started in Pentesting the Cloud: Azure
Differences between Azure resources and Microsoft 365 can oftentimes be confusing but knowing these differences is key to helping you pivot and escalate privileges.   #azure   #attack


Ensure Content Trust on Kubernetes using Notary and Open Policy Agent
A detailed guide to help you to ensure that only signed images can get deployed on a cluster.   #kubernetes   #build


Protecting Amazon S3 Data from Ransomware
Ransomware targeting S3 is more likely to simply delete your data and claim that it is being held for ransom than to actually encrypt it.   #aws   #defend


Analyze Kubernetes Audit logs using Falco
Detect intrusions that happened in your Kubernetes cluster through audit logs using Falco.   #kubernetes   #monitor


Reverse Engineering a Docker Image
The Docker image format is a lot more transparent than it could be. A little detective work is needed, but a lot can be figured out just by pulling apart an image file.   #docker   #attack


K0s Cluster Without Internet Access
In companies with high security constraints, it might be needed to install a Kubernetes cluster on machines without any internet access. This article shows how k0s manages air-gapped installations.   #kubernetes   #build


Is your Ansible Package Configuration Secure?
Deep dive into what package management vulnerabilities in the world of Ansible look like.   #ansible   #attack


Best Practices Around Production Ready Web Apps with Docker Compose
Quite a few patterns on how to safely use Docker Compose.   #docker   #build


Running Linux Tools in Lambda Containers
Lambda Containers are a great fit for performing tasks that require elevated privileges, especially if AWS IAM can control access. Running tasks with elevated privileges in an ephemeral manner is great for security, since there's nothing constantly running with that access.   #aws   #defend

Sponsor CloudSecList

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

Tools


kpexec
kpexec is a Kubernetes CLI that runs commands in a container with high privileges.


k8scr
A kubectl plugin for pushing OCI images through the Kubernetes API server.


kubevela
KubeVela is a modern application platform that simplifies deploying and managing applications, based on Kubernetes and OAM.


upgrade-manager
RollingUpgrade provides a Kubernetes native mechanism for doing rolling-updates of instances in an AutoScaling group using a CRD and a controller.


confectionery
A library of rules for Conftest used to detect misconfigurations within Terraform configuration files.

From the cloud providers


#AWS   How to implement a hybrid PKI solution on AWS
How to plan and deploy a PKI that enables certificates to be issued across a hybrid (cloud & on-premises) environment with a common root.


#AWS   Integrating Okta with AWS Single Sign-On in an AWS Control Tower environment
How to integrate AWS Control Tower, AWS SSO, and Okta as an external identity provider so that you can manage users, entitlements, accounts, and roles in Okta.


#AWS   Automate security scans for cross-account workloads using Amazon Inspector and AWS
How to automatically scan for vulnerabilities in cross-account workloads on AWS.


#AWS   Building a serverless Jenkins environment on AWS Fargate
Walkthrough of how to set up a completely serverless Jenkins environment on AWS Fargate using Terraform.


#GCP   DevOps on Google Cloud: tools to speed up software development velocity
Google Cloud's application development and continuous integration/continuous delivery (CI/CD) tools.


#GCP   How to use VPC Flow Logs in GCP for network traffic analysis
A set of open-source tools from Google Cloud Professional Services that provide export, analytics and reporting capabilities for multiple use-cases.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini