Release Date: 19/09/2021 | Issue: 105
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

Is your startup SOC 2 compliant? 🦙
Vanta restores trust in internet businesses by giving startups an easy-to-use platform to improve and prove their security. Over 1500 fast-growing companies rely on Vanta to automate their SOC 2, ISO 27001, or HIPAA compliance in weeks instead of months.
Check Vanta out!

This week's articles


Agent Exposes Azure Customers To Unauthorized Code Execution
#attack, #azure
Azure customers on Linux machines - which account for over half of all Azure instances according to Microsoft - are at risk if they use any of the services relying on OMI (Open Management Infrastructure), a Windows Management Infrastructure (WMI) for UNIX/Linux systems. The RCE is the simplest RCE you can ever imagine: simply remove the auth header and you are root. This Twitter thread is also useful to understand the impact of this flaw.


Bypassing GCP Org Policy with Custom Metadata
#attack, #gcp
Google makes use of custom metadata to authorize access to AI Notebooks and their web UIs. Individuals granted access via custom metadata need not have any IAM permissions on the compute instance, on the service account running the Notebook or even be a member of the Organization. This kind of authorization bypasses a specific Organization Policy Constraint which restricts cross-domain resource sharing.


Security Bulletin - Announcements - Travis CI Community
#attack, #ci/cd
Between the 3rd and 10th of September, secure environment variables of all public repositories hosted on Travis were injected into PR builds. This Twitter thread can help put some perspective on this.


NSA & CISA Kubernetes Security Guidance - A Critical Review
#explain, #kubernetes
Last month, NSA and CISA released a report detailing the security hardening they recommend be applied to Kubernetes clusters. The guidance the document contains is generally reasonable, but there are several points which are either incorrect or do not provide sufficient context for administrators to make good security-focused decisions.


Permissions Reference for AWS IAM
#aws, #iam
A website built in order to provide an alternate, community-driven source of truth for AWS identity.


IAM Vulnerable - An AWS IAM Privilege Escalation Playground
#aws, #explain, #iam
The IAM Vulnerable tool helps you learn how to identify and then exploit intentionally vulnerable IAM configurations that allow for privilege escalation.


AWS Authentication: Principals in AWS IAM
#aws, #explain, #iam
Newcomers to AWS can sometimes get confused by what it means to have AWS credentials. This article aims to explain the basics of AWS authentication, that is, the way you gain an identity that you can use to access AWS services.


AWS federation comes to GitHub Actions
#aws, #ci/cd, #github, #iam
GitHub Actions has a new functionality that can vend OpenID Connect credentials to jobs running on the platform. This is very exciting for AWS account administrators as it means that CI/CD jobs no longer need any long-term secrets to be stored in GitHub.


Threat Detection Maturity Framework
#defend, #monitor, #strategy
How do you measure the success or maturity of a Threat Detection program? What should a Threat Detection team roadmap look like? What is the north star for Threat Detection?


Keyless API - Launching GCP workloads from AWS
#aws, #azure, #build, #gcp, #iam
How to call Google Cloud APIs from AWS or Azure without managing secret keys, by impersonating a service account.


Terraform Cloud Run Tasks Beta Now Available
#announcement, #ci/cd, #terraform
HashiCorp Terraform Cloud run tasks allow you to integrate third-party tools into the pre-apply stage of a Terraform Cloud run.

Tools


ttl.sh
An anonymous & ephemeral (and free) Docker image registry.


approver-policy
approver-policy is a cert-manager approver that allows users to define policies that restrict what certificates can be requested.


ClusterSecret
The ClusterSecret operator makes sure all the matching namespaces have the secret available. New namespaces, if they match the pattern, will also have the secret. Any change to the ClusterSecret will update all related secrets.


aws-requests-auth
This package allows you to authenticate to AWS with Amazon's Signature Version 4 signing process using the Python requests library.

CloudSecDocs


Technical Leadership
I've spent some time overhauling and reorganising the "Culture & Engineering" section on CloudSecDocs, now with more resources on topics like engineering decisions, personal development, technical leadership, and management.

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

From the cloud providers


Protect your remote workforce by using a managed DNS firewall and network firewall
#aws
Amazon Route 53 Resolver DNS Firewall and AWS Network Firewall help you protect your VPC workloads by inspecting network traffic and applying deep packet inspection rules to block unwanted traffic.


IAM Access Analyzer Update - Policy Validation
#aws
Use the CLI (aws accessanalyzer validate-policy) or the API (ValidatePolicy) in IAM Access Analyzer to perform programmatic validation as part of your CI/CD workflows, helping you construct correct & secure IAM policies & SCPs.


Navigating Compliance with EU Data Transfer Requirements
#aws
How customers can continue to use AWS services in compliance with the evolving EU data protection landscape following the Schrems II ruling and recent EDPB recommendations.


Aligning IAM policies to user personas for AWS Security Hub
#aws
How to deploy sample IAM policies for three personas: sysadmins, security analysts, and DevOps engineers or application builders.


The three most important AWS WAF rate-based rules
#aws
What the three most important AWS WAF rate-based rules are for proactively protecting web applications against common HTTP flood events, and how to implement these rules.


Leveraging Network Telemetry for Forensics in Google Cloud
#gcp
A network forensics and telemetry solution that enables threat hunting by bringing together Packet Mirroring, open source tooling, and your choice of SIEM.


New Detectors for Event Threat Detection
#gcp
Event Threat Detection has launched new detectors in public preview: "Credential Access: Privileged Group Joinability Risk", "Persistence: IAM Anomalous Group Grant", "Credential Access: External Member In Privileged Group".


Unattended project recommender
#gcp
The unattended project recommender analyzes usage activity on projects in your organization and provides recommendations that help you discover, reclaim or remove unattended projects.


Boost your network security with new updates to Azure Firewall
#azure
Microsoft announced new Azure Firewall capabilities as well as updates for August 2021 including new Azure Firewall supported regions, auto-generated self-signed certificates for Azure Firewall Premium SKU, and more.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.