Release Date: 25/07/2021 | Issue: 97
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Trying to Automate AppSec? 🤖
StackHawk is helping One Medical equip developers with automated security testing and self-service remediations. Learn about what One Medical is up to and see how you can get going with automated API and application security for free.
One Medical Automates AppSec with StackHawk

This week's articles


Four steps for hardening Amazon EKS security
Best practices for hardening AWS EKS clusters, including the importance of dedicated continuous delivery IAM roles, multi-account architecture for cluster isolation, and how to encrypt secrets in the control plane.   #aws   #defend   #kubernetes


Guide to Designing EKS Clusters for Better Security
A set of guidelines to help you design your EKS clusters without compromising security.   #aws   #defend   #kubernetes


Bye bye bastion hosts...Hello AWS IAM!
How Segment got rid of SSH bastion hosts, reducing cost, complexity, and maintenance of their infrastructure, as well as eliminating the need to distribute SSH Keys. Last but not least, they reduced their attack surface by not having any SSH port open to the world.   #aws   #defend


Ansible over AWS Systems Manager Sessions - a perfect solution for high security environments
You can combine AWS SSM Sessions with Ansible and execute existing playbooks on the instance, skipping traditional direct SSH connections.   #ansible   #aws   #build


Kubernetes monitoring with Prometheus, the ultimate guide
How to implement Kubernetes monitoring with Prometheus: deploy a Prometheus server and metrics exporters, set up kube-state-metrics, pull and collect those metrics, and configure alerts with Alertmanager and dashboards with Grafana.   #kubernetes   #monitor


S3 Bucket Namesquatting - Abusing predictable S3 bucket names
Abuse of permissions on S3 buckets is one of the more common security issues companies face, but this post addresses a different issue: S3 bucket namesquatting, the pre-registration of predictable bucket names in S3's global namespace.   #attack   #aws
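The following Python is an added example, not code from the linked post, showing both halves of the namesquatting problem: how predictable names are enumerated and probed with HeadBucket (because bucket names are global, a 404 means nobody owns the name yet and whoever creates it first gets it), and the ExpectedBucketOwner parameter that stops your own code from trusting a bucket someone else registered under a name you predict. The naming patterns, the org name "acme", the region and the account ID are assumptions.

```python
"""Enumerate predictable S3 bucket names and tell claimable ones apart.

Added example, not code from the linked post. The enumeration patterns are
assumptions about how organisations typically name buckets; the HeadBucket
status semantics and the ExpectedBucketOwner parameter are real S3 behaviour.
"""
import itertools
import re

_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def is_valid_bucket_name(name: str) -> bool:
    """Apply S3's general-purpose bucket naming rules: 3-63 chars, lowercase
    letters/digits/dots/hyphens, no '..', not shaped like an IPv4 address."""
    if not _BUCKET_RE.match(name) or ".." in name:
        return False
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", name) is None


def candidate_names(org, envs, purposes, regions=(), account_ids=(),
                    separators=("-", ".")):
    """Build the names an attacker would try first: {org}-{env}-{purpose},
    optionally suffixed with a region, plus {org}-{purpose}-{account_id}.
    These patterns are assumptions, not taken from the linked post."""
    names = set()
    for sep in separators:
        for env, purpose in itertools.product(envs, purposes):
            names.add(sep.join((org, env, purpose)))
            for region in regions:
                names.add(sep.join((org, env, purpose, region)))
            for acct in account_ids:
                names.add(sep.join((org, purpose, acct)))
    return sorted(n for n in names if is_valid_bucket_name(n))


def classify_head_bucket(http_status) -> str:
    """Interpret a HeadBucket result. 200: exists and you can reach it;
    301/403: exists but belongs to someone else (or another region);
    404: nobody owns the name yet, so the first caller to create it gets it."""
    return {200: "accessible", 301: "taken", 403: "taken",
            404: "unclaimed"}.get(http_status, "unknown")


def probe(bucket: str, s3) -> str:
    """Issue HeadBucket through a boto3 S3 client and classify the answer.
    Needs live credentials; botocore raises ClientError for non-2xx responses,
    carrying the HTTP status in exc.response."""
    try:
        s3.head_bucket(Bucket=bucket)
        return classify_head_bucket(200)
    except Exception as exc:  # ClientError; caught generically so botocore need not be imported here
        status = getattr(exc, "response", {}).get("ResponseMetadata", {}).get("HTTPStatusCode")
        return classify_head_bucket(status)


def get_object_pinned_to_owner(s3, bucket: str, key: str, owner_account_id: str):
    """Defensive side: with ExpectedBucketOwner set, S3 answers 403 if `bucket`
    is not owned by `owner_account_id`, so a squatted bucket whose name your
    code predicts cannot quietly serve or receive your data."""
    return s3.get_object(Bucket=bucket, Key=key, ExpectedBucketOwner=owner_account_id)


if __name__ == "__main__":
    import boto3  # only needed for live probing

    client = boto3.client("s3")
    for name in candidate_names("acme", ["prod", "dev"], ["logs", "backups"],
                                regions=["us-east-1"], account_ids=["123456789012"]):
        print(f"{name:40} {probe(name, client)}")
```

Run the enumeration against your own naming convention first: every "unclaimed" hit is a name your pipelines might one day compute and that an attacker can register today. Pre-create those buckets, and add ExpectedBucketOwner to S3 calls whose bucket name is derived rather than hard-coded.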


Detecting new crypto mining attack targeting Kubeflow and TensorFlow
An article introducing Kubeflow and TensorFlow, tracking how this attack works, and covering the steps to detect whether you are affected and to mitigate its effects.   #attack   #docker


Azure Flow Log Analysis
Azure flow logs don't have the same instance ID that AWS flow logs do. So how do you figure out which VM the logs came from?   #azure   #monitor
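The question above (which VM did a record come from?) is answered by the only per-flow identifier an NSG flow log carries: the NIC's MAC address, which you then join to a NIC inventory to reach the VM. The following Python is an added example, not code from the linked post: it parses a constructed NSG flow log version 2 record, normalises the MAC (Azure prints it with dashes in the NIC resource but as bare hex in the log), joins it to an inventory in the shape `az network nic list` returns, and tallies denied inbound flows per VM. The record, MACs, addresses and resource IDs are invented; only the field layout follows the documented v2 schema.

```python
"""Join Azure NSG flow log (version 2) records to the VM that produced them.

Added example, not code from the linked article. Azure identifies the flow
source only by the NIC's MAC address, so the join goes flow -> MAC -> NIC -> VM.
All sample data is constructed; field layout follows the NSG flow log v2 schema.
"""
import json
import re
from collections import Counter

SUB = "/SUBSCRIPTIONS/11111111-2222-3333-4444-555555555555"

# Constructed sample: one flow log record as Azure writes it to the storage account.
SAMPLE_FLOW_LOG = json.dumps({
    "records": [{
        "time": "2021-07-20T12:00:35.3899262Z",
        "category": "NetworkSecurityGroupFlowEvent",
        "resourceId": SUB + "/RESOURCEGROUPS/RG-PROD/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB",
        "operationName": "NetworkSecurityGroupFlowEvents",
        "properties": {
            "Version": 2,
            "flows": [
                {"rule": "UserRule_allow-https",
                 "flows": [{"mac": "000D3AF87856",
                            "flowTuples": [
                                "1626782400,203.0.113.10,10.5.16.4,51234,443,T,I,A,B,,,,",
                                "1626782430,203.0.113.10,10.5.16.4,51234,443,T,I,A,E,12,3456,10,8765"]}]},
                {"rule": "DefaultRule_DenyAllInBound",
                 "flows": [{"mac": "000D3AF87856",
                            "flowTuples": ["1626782410,198.51.100.7,10.5.16.4,44444,22,T,I,D,B,,,,"]},
                           {"mac": "000D3A112233",
                            "flowTuples": ["1626782415,198.51.100.7,10.5.16.9,44445,3389,T,I,D,B,,,,"]}]},
            ],
        },
    }]
})

# Constructed NIC inventory, shaped like the output of
#   az network nic list --query "[].{mac:macAddress, vm:virtualMachine.id}"
# Azure prints MACs with dashes here; the flow log carries bare uppercase hex.
NIC_INVENTORY = [
    {"mac": "00-0D-3A-F8-78-56",
     "vm": SUB.lower() + "/resourceGroups/RG-PROD/providers/Microsoft.Compute/virtualMachines/web-01"},
    {"mac": "00-0D-3A-11-22-33",
     "vm": SUB.lower() + "/resourceGroups/RG-PROD/providers/Microsoft.Compute/virtualMachines/jump-01"},
]

# Column order of a v2 flow tuple; the four counters are empty for state "B" (begin).
TUPLE_FIELDS = ["ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto",
                "direction", "decision", "state",
                "pkts_src_dst", "bytes_src_dst", "pkts_dst_src", "bytes_dst_src"]


def normalize_mac(mac: str) -> str:
    """Strip separators and upper-case so both representations compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()


def vm_by_mac(nics) -> dict:
    """Map normalised MAC -> VM name (last path segment of the VM resource ID)."""
    return {normalize_mac(n["mac"]): n["vm"].rsplit("/", 1)[-1] for n in nics}


def parse_flow_log(raw: str, macs: dict) -> list:
    """Flatten every flow tuple into a dict tagged with NSG, rule, MAC and VM."""
    rows = []
    for rec in json.loads(raw)["records"]:
        props = rec["properties"]
        if props.get("Version") != 2:
            raise ValueError("only NSG flow log version 2 tuples are handled")
        nsg = rec["resourceId"].rsplit("/", 1)[-1]
        for rule in props["flows"]:
            for flow in rule["flows"]:
                mac = normalize_mac(flow["mac"])
                vm = macs.get(mac, "unknown-nic")  # NIC deleted or inventory stale
                for tup in flow["flowTuples"]:
                    fields = dict(zip(TUPLE_FIELDS, tup.split(",")))
                    fields.update(nsg=nsg, rule=rule["rule"], mac=mac, vm=vm)
                    rows.append(fields)
    return rows


def denied_inbound_by_vm(rows) -> Counter:
    """Count inbound flows the NSG denied, keyed by the VM that would have received them."""
    return Counter(r["vm"] for r in rows if r["direction"] == "I" and r["decision"] == "D")


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_FLOW_LOG, vm_by_mac(NIC_INVENTORY))
    for r in flows:
        print(f'{r["vm"]:8} {r["rule"]:28} {r["src_ip"]}:{r["src_port"]} -> '
              f'{r["dst_ip"]}:{r["dst_port"]} {r["decision"]}')
    print(dict(denied_inbound_by_vm(flows)))
```

Snapshot the NIC inventory on a schedule and keep old copies: a MAC that no longer resolves usually means the NIC was deleted after the flow was logged, so a point-in-time lookup against the current inventory will label historical traffic as unknown.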


Policy-based infrastructure guardrails with Terraform and OPA
Learn how Open Policy Agent (OPA) can be leveraged to secure infrastructure deployments by building policy-based guardrails around them.   #opa   #terraform


Seamless Dynamic Credentials for Developers with HashiCorp Vault
How Sky Betting & Gaming helps its developers seamlessly grab dynamic credentials from HashiCorp Vault without having to specify which credentials they need.   #vault   #build


What Is Workload Security? On-Premises, Cloud, Kubernetes, and More
Different workloads have different characteristics, and the best platform for a particular workload depends on its nature. Workloads and their layers of abstraction need to be addressed independently, since the workflows of their users vary between use cases.   #explain   #kubernetes


New Attacks on Kubernetes via Misconfigured Argo Workflows
How Argo Workflows is abused by attackers to drop cryptominers in exposed Kubernetes clusters.   #attack   #kubernetes

Tools


mizu
A simple-yet-powerful API traffic viewer for Kubernetes to help you troubleshoot and debug your microservices. Think TCPDump and Chrome Dev Tools combined.


rbac-manager
A Kubernetes operator that simplifies the management of Role Bindings and Service Accounts.


domain-protect-gcp
Scans Google Cloud DNS across a GCP Organization for domain records vulnerable to takeover.


trackiam
A project to collate IAM actions, AWS APIs and managed policies from various public sources.


actions-runner-controller
This controller operates self-hosted runners for GitHub Actions on your Kubernetes cluster.

From the cloud providers


#AWS   AWS Private Certificate Authority introduces integration with Kubernetes
AWS Private Certificate Authority (CA) now supports an open source plugin for cert-manager that offers a more secure certificate authority solution for Kubernetes containers.


#AWS   Using Amazon Macie to Validate S3 Bucket Data Classification
How to set up Amazon Macie to validate data classifications provided by decentralized software development teams.


#AWS   How to restrict IAM roles to access AWS resources from specific geolocations using AWS Client VPN
A solution which uses Client VPN to implement geolocation authentication rules. When a client VPN connection is established, authentication is implemented at the first point of entry into the AWS Cloud.


#AWS   Easily enable AWS Config recording and deploy Conformance Packs across your organization using Quick Setup
AWS Systems Manager Quick Setup announced support for AWS Config, allowing you to enable AWS Config recording and deploy conformance packs across all the accounts and Regions in your organization.


#AWS   Implement a centralized patching solution across multiple AWS Regions
How to implement a centralized patching solution across AWS Regions by using AWS Systems Manager to initiate, track, and manage patching events from one centralized place.


#GCP   Modernizing SOC ... Introducing Autonomic Security Operations
Google announced Autonomic Security Operations, a stack of products, integrations, blueprints, technical content, and an accelerator program to enable customers to take advantage of Google's technology stack built on Chronicle and Google's deep security operations expertise.


#GCP   Cloud Armor: enhancing security at the edge with Adaptive Protection, expanded coverage scope, and new rules
Google released the preview of Cloud Armor Adaptive Protection, a machine learning-powered capability to protect your applications and services from Layer 7 DDoS attacks.


#GCP   Extending our Trusted Cloud: Introducing Cloud IDS for Network-based Threat Detection
Cloud IDS (Intrusion Detection System) helps detect malware, spyware, and command-and-control attacks.


#GCP   Private Catalog: Improving Terraform deployment management experiences
With this release, Private Catalog admins can use Terraform configurations to keep end users informed about updates.


#GCP   What you need to know about Confidential Computing
How Google Cloud uses Confidential VMs and GKE Nodes to encrypt data even when it's in use.


#AZURE   Azure Active Directory security operations guide
Microsoft has published an Azure AD security operations guide. It covers identity security configurations and their monitoring (including user/privileged accounts, apps, devices, infrastructure).


#AZURE   Next-generation firewall capabilities with Azure Firewall Premium
Microsoft announced the general availability release of Azure Firewall Premium. Key features in this release include: TLS Inspection, IDPS, Web Categories, and URL Filtering.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini