Release Date: 04/07/2021 | Issue: 94
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

🤔 Know someone who needs help with mapping their attack surface? 📡
Then you may want to send them this webinar! Understanding the extent of your attack surface is top of mind for many defenders today. How do you do this in a way that can match the pace of the bad actors out there? Detectify and CybelAngel dive into this topic, covering research and use cases, to present options on how to tackle it going forward.
View the webinar on demand on Brighttalk

This week's articles


How we prevented subdomain takeovers and saved $000s
How the OVO team developed Domain Protect, an open source tool for automated scanning of cloud infrastructure for subdomains vulnerable to takeover.   #aws   #defend


The Gamer Guide to Playing Amazon Web Services (AWS)
This is such a nice article, sharing a getting started guide for AWS, in a similar style to the getting started guides that many experienced MMORPG players write for new players.   #aws   #explain


Onboarding Applications to Vault Using Terraform: A Practical Guide
How to build an automated HashiCorp Vault onboarding system with Terraform using sensible naming standards, ACL policy templates, pre-created application entities, and workflows driven by VCS and CI/CD.   #vault   #explain


Seeding HashiCorp Vault With Terraform at Form3
Talk explaining how the Form3 team created a repeatable process to automate the setup of Vault using Terraform.   #vault   #terraform   #explain


Detect Malicious Behaviour on Kubernetes API Server through Audit Logs
How to use Kubernetes Audit Logs as an event source that Falco can consume. You can also refer to the companion repo.   #kubernetes   #falco   #monitor


Best practices for securing Identity and Access Management on AWS
Post looking at different approaches to help keep IAM configuration tidy, auditable and right-sized.   #aws   #defend   #iac


Uncomplicate Security for developers using Reference Architectures
Walk through some of the salient features of a meaningful security reference architecture and the process required to develop one.   #aws   #build


Getting Started with ArgoCD on Kubernetes
Guide explaining how to install, configure, and run ArgoCD in Kubernetes.   #kubernetes   #build


Google Compute Engine (GCE) VM takeover via DHCP flood
An advisory about an unpatched vulnerability affecting virtual machines in GCP. Attackers could take over virtual machines over the network due to weak random numbers used by the ISC DHCP software, and an unfortunate combination of additional factors.   #gcp   #attack


Azure Persistence with Desired State Configurations
How the Desired State Configuration (DSC) VM extension can be abused by anyone with the Contributor role in an Azure subscription to run arbitrary commands, with built-in functionality for recurring commands and persistence.   #azure   #attack


Integrating Jira and Security Scorecard with AWS Step Functions
A reference design using AWS Step Functions to integrate Jira with Security Scorecard.   #aws   #build

Tools


jimi
Automation-first no-code platform designed and developed for Security Orchestration and Response.


authorino
Cloud-native AuthN/AuthZ enforcer to protect your APIs.


distribution
Distribution is the open source code that is the basis of the container registry that is part of Docker Hub, and also many other container registries. It has been recently donated to the CNCF.


pixie
Pixie gives you instant visibility by giving access to metrics, events, traces and logs without changing code.

From the cloud providers


#AWS   AWS Security Reference Architecture: A guide to designing with AWS security services
AWS announced the publication of the AWS Security Reference Architecture (AWS SRA). This is a comprehensive set of examples, guides, and design considerations that you can use to deploy the full complement of AWS security services in a multi-account environment that you manage through AWS Organizations.


#AWS   How Banks Can Use AWS to Meet Compliance
Post outlining a mechanism that facilitates a healthy, data-driven dialogue between banks and regulators to better achieve compliance objectives.


#AWS   IAM Access Analyzer adds new policy checks to help validate conditions during IAM policy authoring
IAM Access Analyzer extended policy validation by adding new policy checks that validate conditions included in IAM policies. These checks analyze the condition block in your policy statement and report security warnings, errors, and suggestions along with actionable recommendations.


#AWS   AWS Lambda now supports SASL/PLAIN authentication for functions triggered from self-managed Apache Kafka
AWS Lambda functions that are triggered from self-managed Apache Kafka topics can now access usernames and passwords secured by AWS Secrets Manager using SASL/PLAIN.


#GCP   Analyze secrets with Cloud Asset Inventory
How to leverage Cloud Asset Inventory to analyze Secret Manager resources.


#GCP   Copying log entries
How to manually copy log entries that are already stored in Cloud Logging buckets to Cloud Storage buckets.


#GCP   Integrating Cloud DNS with GKE
Google announced the release of container-native Cloud DNS, the native integration of Cloud DNS with GKE to provide in-cluster Service and Pod DNS resolution.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini