Release Date: 03/10/2021 | Issue: 107
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

Take Action: How to Kick Your S3 Bucket Ransomware Threat
With Ransomware growing in popularity and wreaking havoc in its wake, there is an aspect of it that is surprisingly not discussed enough.
Join Ermetic for a workshop that will outline the specifics of how ransomware infiltrates S3 buckets and give you strategies for reducing your exposure. You will learn key techniques that attackers use to perform ransomware, common vulnerabilities and configuration issues exposing environments to such threats, the complexity of identifying and mitigating exposure, and what native AWS tools are available to help protect your S3 buckets.

This week's articles


Anatomy of a Cloud Infrastructure Attack via a Pull Request
#attack, #ci/cd
In April 2021, an attack vector was discovered that could allow a malicious Pull Request to a GitHub repository to gain access to Teleport's production environment. Open source companies, or anyone else who accepts external contributions, are especially vulnerable to this.


Control The Blast Radius Of Your Lambda Functions With An IAM Permissions Boundary
#aws, #explain, #iam
A great benefit of building Lambda-based applications is that the security best practice of least privilege can be applied at a very granular level, the individual Lambda function.


Decentralized GitOps over multiple environments
#build, #ci/cd, #kubernetes
An interesting article describing how SAP Artificial Intelligence implements GitOps in their large-scale project spanning multiple environments.


It's tough being an Azure fan
#azure, #strategy
Even as a user and somewhat of a fan of the Azure technology, it is proving increasingly difficult to recommend.


Securely Decoupling Kubernetes-based Applications on Amazon EKS using Kafka with SASL/SCRAM
#aws, #build, #kafka
A post exploring a Go-based application deployed to Kubernetes using Amazon EKS. The microservices that comprise the application communicate asynchronously by producing and consuming events from Amazon Managed Streaming for Apache Kafka (Amazon MSK).


Verify Container Image Signatures in Kubernetes using Notary or Cosign or both
#ci/cd, #kubernetes
Connaisseur is a Kubernetes admission controller to integrate container image signature verification and trust pinning into a cluster. Version 2.0 adds support for multiple keys and signature solutions.


Top 20 Dockerfile best practices
#docker, #explain
How to prevent security issues and optimize containerized applications by applying a quick set of Dockerfile best practices in your image builds.


How to Choose a Data Protection Method
#explain, #vault
An overview of modern data protection and encryption methods, their tradeoffs, and how to achieve them with HashiCorp Vault.


Announcing Terraform AWS Cloud Control Provider Tech Preview
#announcement, #aws, #terraform
A new provider for Terraform, built around the AWS Cloud Control API, is designed to bring new services to Terraform faster.

Tools


rover
Interactive Terraform visualization. State and configuration explorer.


k8s_gateway
A CoreDNS plugin to resolve all types of external Kubernetes resources.


aws-cloudformation-iam-policy-validator
A command line tool that takes a CloudFormation template, parses the IAM policies attached to IAM roles, users, groups, and resources then runs them through IAM Access Analyzer validation checks.


org-formation-cli
AWS Organization Formation is an Infrastructure as Code (IaC) tool for AWS Organizations.

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

From the cloud providers


Defining an AWS multi-account strategy for a digital bank
Benefits of using a multi-account strategy for a digital bank and the important factors a digital bank should look at while defining an AWS account structure.


AWS Cloud Control API, a Uniform API to Access AWS & Third-Party Services
Amazon announced the availability of AWS Cloud Control API, a set of common application programming interfaces (APIs) that are designed to make it easy for developers to manage their AWS and third-party services.


Programmatically managing alternate contacts on member accounts with AWS Organizations
Amazon launched a new capability making it easier for you to manage the alternate contacts (billing, operations, and security) on your member accounts managed in AWS Organizations. You can now programmatically manage your account alternate contact information in addition to managing this with the AWS Management Console.


Enable Security Hub PCI DSS standard across your organization and disable specific controls
A solution that can be used to customize the configuration and deployment of the PCI DSS compliance standard using AWS Security Hub across multiple AWS accounts and AWS Regions managed by AWS Organizations.


AWS Security Hub adds 18 new controls to its Foundational Security Best Practices
AWS Security Hub has released 18 new controls for its Foundational Security Best Practice standard to enhance customers' cloud security posture monitoring. These controls conduct fully-automatic checks against security best practices for API Gateway, EC2, ECS, Elastic Load Balancing, Elasticsearch, RDS, Redshift, and SQS.


Tales from the (en)crypt: What's new for Cloud Storage security
Encryption enhancements include Cloud Key Management performance improvements and support for customer-managed encryption keys (CMEK) for object composition.


Improve your security posture with new Overly Permissive Firewall Rule Insights
Google introduced a new module within Firewall Insights called "Overly Permissive Firewall Rule Insights", which allows customers to rely on GCP to automatically analyze massive amounts of firewall logs and generate easy-to-understand insights and recommendations to help them optimize their firewall configurations and improve their network security posture.


Managing GCP service usage through delegated role grants
Use delegated role grants to implement fine-grained control over which services users are allowed to use in GCP.


General Availability of Azure Sentinel Threat Intelligence in Public and Azure Government cloud
Microsoft announced the General Availability (GA) of Azure Sentinel Threat Intelligence in Public cloud and Azure Government cloud.


Azure Sentinel To-Go! A Linux Lab with AUOMS Set Up to Learn About the OMI Vulnerability
How to automatically deploy a research lab environment with Azure Sentinel, a few Linux virtual machines and the Microsoft Audit Collection Tool (AUOMS) set up to understand the underlying behavior of the exploitation of the OMI vulnerability.


Govern your data wherever it resides with Azure Purview
Microsoft announced that Azure Purview is generally available. Every organization can now build a unified data governance solution to maximize the value of their data in the cloud.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.