Release Date: 15/08/2021 | Issue: 100
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
🎉 CloudSecList reaches the 100th issue! 🎉
This week CloudSecList reaches an important milestone, the 100th issue. It definitely came a long way since issue #1 (go check it out!), and for this I have to thank you, readers and sponsors.
As always, I'm happy to receive feedback: just reply to this email or let me know on Twitter @lancinimarco!
Sponsor

Is your startup SOC 2 compliant? 🦙
Vanta restores trust in internet businesses by giving startups an easy-to-use platform to improve and prove their security. Over 1500 fast-growing companies rely on Vanta to automate their SOC 2, ISO 27001, or HIPAA compliance certifications in weeks instead of months.
Check Vanta out!

This week's articles


Cloud Security Orienteering
#aws, #azure, #defend, #gcp, #strategy
A cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment.


So You Inherited an AWS Account. A 30-day security guide for engineers…
#aws, #defend
Many engineers have found themselves in the unenviable position of being handed the keys to an AWS environment with absolutely no explanation of its contents, documentation, or training.


Expanding Secrets Infrastructure to AWS Lambda
#aws, #build, #terraform
How Square extended their datacenter-based secrets infrastructure to enable a cloud migration supporting Lambda. They added SPIFFE compatibility to their secrets infrastructure and developed a Lambda secrets syncer that Square engineers can deploy via a Terraform module.


Hacking G Suite: The Power of Dark Apps Script Magic
#attack, #gcp, #gsuite
You’ve seen plenty of talks on exploiting, escalating, and exfiltrating the magical world of Google Cloud (GCP), but what about its buttoned-down sibling? This talk delves into the dark art of utilizing Apps Script to exploit G Suite (AKA Google Workspace).


Hiding in Plaintext Sight: Abusing The Lack of Kubernetes Auditing Policies
#attack, #kubernetes, #monitor
How to enable Kubernetes logging in cloud environments, and how to detect logging evasion.


Lightsail object storage concerns
#attack, #aws
Part one of a two-part series that will discuss AWS’s new Lightsail object storage. The first part looks at the new access key capability and its security issues.


Remediating AWS IMDSv1
#aws, #defend
An article on remediating IMDSv1 in AWS, a common server-side request forgery vector targeting lateral movement and persistence.


How to create IAM roles for deploying your AWS Serverless app
#aws, #build, #iam
An in-depth guide to creating production-ready, least privilege IAM roles for deploying your serverless application across multiple AWS accounts.


Encrypt your Kubernetes Secrets with Mozilla SOPS
#azure, #build, #kubernetes
How to encrypt and decrypt your secrets with Mozilla SOPS and Azure Key Vault.


Introducing the Allstar GitHub App
#announcement, #ci/cd, #defend, #github
The Open Source Security Foundation announced Allstar, a GitHub app that provides automated continuous enforcement of security best practices for GitHub projects. With Allstar, owners can check for security policy adherence, set desired enforcement actions, and continuously enact those enforcements when triggered by a setting or file change in the organization or project repository.


Kubernetes 1.22: Reaching New Peaks
#announcement, #kubernetes
Kubernetes 1.22 has been released, and it contains breaking changes! Go check the CHANGELOG to avoid surprises at upgrade time.

Tools


whoc
A container image that extracts the underlying container runtime and sends it to a remote server. Poke at the underlying container runtime of your favorite CSP container platform.


KUR8
A visual overview of Kubernetes architecture and Prometheus metrics.


service-ca-operator
Controller to mint and manage serving certificates for Kubernetes services.


docker-credential-magic
A magic shim for Docker credential helpers. You can also refer to the companion blog post.


amazon-eks-pod-identity-webhook
Amazon EKS Pod Identity Webhook: this webhook is for mutating pods that will require AWS IAM access.

From the cloud providers


Announcing Amazon CloudWatch cross account alarms
Amazon CloudWatch announces cross account alarms, a new feature that enables customers to set alerts and take actions based on changes to metrics in other AWS accounts.


AWS Config Adds 3 New Config Rules for Amazon Secrets Manager
AWS Config now supports three new AWS Config managed rules to help you verify that your secrets in AWS Secrets Manager are configured in accordance with your organization’s security and compliance requirements.


How to scale your authorization needs by using attribute-based access control with S3
How to scale an S3 authorization strategy as an alternative to using path-based authorization, by combining attribute-based access control (ABAC) using IAM with a standard Active Directory Federation Services (AD FS) connected to Microsoft AD.


Using multiple segments in Amazon API Gateway base path mapping
Multi-level base path mapping enables segmented paths, with each segment able to route to a different endpoint. This pattern allows developers to use RESTful URLs to identify the application paths in easy-to-understand patterns.


Integrating Service Directory with GKE: one registry for all your services
You can now register Google Kubernetes Engine (GKE) services in Service Directory, Google Cloud’s managed service registry.


Introducing Unattended Project Recommender
Save money and improve security by automating the discovery, management and reclamation of old projects with Unattended Project Recommender.


OWASP Top 10 mitigation options on Google Cloud
This document helps you identify Google Cloud products and mitigation strategies that can help you defend against common application-level attacks that are outlined in the OWASP Top 10.


Azure Sentinel SQL Solution Query Deep-Dive
Post covering each of the Detection and Hunting queries included in the Azure Sentinel SQL solution.


What's new: Incident advanced search is now public
By default, incident searches run across the Incident ID, Title, Tags, Owner, and Product name values only. Now, with the new Advanced search pane, you can scroll down the list to select one or more other parameters to search on.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.