Release Date: 05/09/2021 | Issue: 103
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

ControlPlane is hiring!
ControlPlane is a remote-first security and devops consultancy that focuses on our team’s personal growth to deliver value to customers. We are looking for UK-based cloud security architects, threat modellers, and Kubernetes security engineers to do cutting-edge work securing cloud native systems.
Grow your career in a high-achieving, friendly, and collaborative culture: work with the latest in cloud and container innovation, cloud native CTF builders and breakers, and SANS SEC584 and O’Reilly Hacking Kubernetes authors and trainers.
https://control-plane.breezy.hr

This week's articles


Cloud Native Security Map
#strategy
The Cloud Native Security map builds on top of the Cloud Native Security Whitepaper by TAG-Security, providing an additional practitioner's perspective as well as an interactive mode of consumption, to facilitate the exploration of Cloud Native Security concepts and how they are used.


How much does it cost to build a 24x7 SOC?
#defend, #explain, #strategy
Not all 24x7 SOCs are created equal. In this post, the Expel team outlines four possible security operations centers and an estimate of their cost.


AWS OIDC Authentication with SPIFFE
#aws, #build
How to authenticate data center applications to AWS using automated SPIFFE credentials.


AWS ReadOnlyAccess: Not Even Once
#aws, #explain, #iam
How your faith in "ReadOnly" access will betray you and leave you with trust issues.


AWS privilege escalation: exploring odd features of the Trust Policy
#attack, #aws, #iam
A post focusing on some inconsistencies in the Trust Policy access model, which as a consequence can be used for privilege escalation.


Looking at the Kubernetes Control Plane for Multi-Tenancy
#attack, #defend, #kubernetes
A report outlining a detailed threat analysis for the Kubernetes control plane. No severe vulnerabilities were discovered, but this blog post highlights a few important insights to consider. You can also refer to the companion repo.


Security Implication of Root principal in AWS
#attack, #aws
An interesting way of abusing the AWS KMS for data exfiltration in restricted VPCs.


Illogical Apps - Exploring and Exploiting Azure Logic Apps
#attack, #azure
How to obtain sensitive information as a user with the Reader role, and how to identify/abuse API Connection hijack scenarios as a Contributor in Azure Logic Apps.


ChaosDB: How we hacked thousands of Azure customers' databases
#attack, #azure, #defend
Researchers were able to gain complete unrestricted access to the accounts and databases of several thousand Microsoft Azure customers. Also refer to the companion blog post to learn how to protect your environment from ChaosDB.


How (and Why) to Use AppRole Correctly in HashiCorp Vault
#explain, #vault
Best and worst practices for using HashiCorp Vault's AppRole authentication method.


AWS Observability Recipes
#aws, #monitor
A site dedicated to explaining AWS offerings in the observability space and providing hands-on recipes on how to use them.

Tools


cloud-foundation-fabric
End-to-end modular samples for Terraform on GCP.


aws-error-utils
Making botocore.exceptions.ClientError easier to deal with.


sgCheckup
sgCheckup generates nmap output based on scanning your AWS Security Groups for unexpected open ports.


Gatekeeper v3.6.0
Gatekeeper v3.6.0 has been released.


aws-security-analytics-bootstrap
AWS Security Analytics Bootstrap enables you to perform security investigations on AWS service logs by providing an Amazon Athena analysis environment that's quick to deploy, ready to use, and easy to maintain.

From the cloud providers


Ransomware mitigation: Top 5 protections and recovery preparation actions
Top five things that AWS customers can do to help protect and recover their resources from ransomware: set up the ability to recover your apps and data, encrypt your data, apply critical patches, follow a security standard, and make sure you're monitoring and automating responses.


AWS introduces changes to access denied errors for easier permissions troubleshooting
AWS is introducing additional context in the access denied error messages, by adding information about the IAM policy type that's responsible for the denied access.


AWS CloudFormation introduces the option to troubleshoot provisioning errors before rollback, accelerating deployments
AWS CloudFormation users can now choose to preserve the state of successfully deployed resources in the event of CloudFormation stack operation errors. Using this feature, you can retry the operation using an updated CloudFormation template and quickly iterate through feedback loops, shortening development cycles.


Apply the principle of separation of duties to shell access to your EC2 instances
How to use AWS Systems Manager Change Manager to control access to EC2 instance interactive shell sessions, to enforce separation of duties.


AWS Firewall Manager now supports AWS WAF log filtering
AWS Firewall Manager now enables security administrators to specify which web requests to log and which requests to exclude from logs when using AWS WAF to inspect web traffic.


Amazon VPC Routing Enhancements Allow You to Inspect Traffic Between Subnets In a VPC
It is now possible to analyze traffic flowing from one subnet to another inside your VPC, also known as east-west traffic.


Cloud CISO Perspectives: August 2021
Google Cloud CISO Phil Venables shares his thoughts on JCDC, the White House Cybersecurity Summit, and other cloud security developments.


New features to better secure your Google App Engine apps
Announcing new features to further extend the security already provided by App Engine: Egress Controls for Serverless VPC Access and User-managed service accounts.


Google Site Reliability Engineering (SRE)
Google Cloud's new SRE website, a one-stop shop with customer stories, videos, products and a white paper showcasing how Google Cloud can help your team along the SRE journey.


Cloud Foundation Toolkit
The Cloud Foundation Toolkit allows you to get up and running in Google Cloud fast with best practice Infrastructure as Code (IaC) templates.


Announcing private preview of authorized DoD Cloud Infrastructure as Code for Azure
Microsoft announced the private preview of DoD Cloud Infrastructure as Code (IaC) for Azure - a set of preauthorized baselines that build standard environments in Azure Government to accelerate DoD adoption of cloud services.


Ingestion Cost Spike detection Playbook
This ingestion cost spike alert logic app is based on the principle of anomaly detection and, as such, utilizes the built-in KQL function series_decompose_anomalies(). It computes the baseline/expected level of ingestion over a period of time and then uses that historical pattern to determine whether to alert on a sudden increase of billable data into the workspace.


Becoming an Azure Sentinel Notebooks ninja - the series!
Post introducing a series covering the Notebooks feature of Azure Sentinel.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.