Release Date: 17/10/2021 | Issue: 109
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

Expel is a Leader in The Forrester Wave™: Managed Detection And Response, Q1 2021
Expel receives the highest possible score in 14 criteria.
Learn what makes Expel different.

This week's articles


Bypassing required reviews using GitHub Actions
#attack, #ci/cd
A newly discovered security flaw in GitHub allows leveraging GitHub Actions to bypass the required reviews mechanism and push unreviewed code to a protected branch, potentially allowing malicious code to be used by other users or flow down the pipeline to production.


AWS WAF's Dangerous Defaults
#attack, #aws
AWS WAF's defaults make bypassing trivial in POST requests, even when you enable the AWS Managed Rules.


Azure Privilege Escalation via Service Principal Abuse
#attack, #azure, #iam
Post explaining how to abuse Service Principals to escalate rights in Azure and how to protect yourself against it.


Deploy without credentials with GitHub Actions and OIDC
#build, #iac, #iam
Did you know that OpenID Connect can be used to build trust between two different clouds? Learn how a new OIDC feature in GitHub Actions replaces passwords.


Are Dockerfiles good enough?
#defend, #docker
There has been a major regression in many organizations, which now tolerate risks inside containers that never would have been allowed on virtual machines. A lot of the blame seems to rest with Dockerfiles: we need guardrails against common mistakes.


Designing Least Privilege AWS IAM Policies for People
#aws, #explain, #iam
Got engineers with AdministratorAccess? Here's how to deploy reduced privilege IAM roles for people without breaking their workflows.


VPC Service Controls in Plain English
#explain, #gcp
GCP offers powerful security controls to mitigate API-based data exfiltration called VPC Service Controls. To execute a successful and secure cloud architecture with VPC Service Controls, it is important to understand exactly how they work.


Understanding Azure Logs from a security perspective - Part 2
#azure, #monitor
This blog is the second in a multi-part series to cover the available logs and telemetry of the Azure platform, discuss the security insights that we can obtain from them and also to highlight existing blind spots that can save you a few headaches down the line.


Remotely Access your Kubernetes Lab with Cloudflare Tunnel
#build, #kubernetes
How to use Cloudflare Tunnel to connect my Kubernetes Lab to the Cloudflare network, and Auditable Terminal to connect to it using nothing more than a browser. Disclaimer: I did write this post.


16 things you didn't know about Kube APIs and CRDs
#explain, #kubernetes
If you're familiar with Kubernetes, you're likely familiar with the Kubernetes API and the concept of controllers, but despite the seeming simplicity of the core ideas, there are plenty of details that may be surprising once you scratch the surface.

Tools


Kubernetes YAML Generator
A handy generator of boilerplate YAML for Kubernetes resources.


snowcat
Snowcat gathers and analyzes the configuration of an Istio cluster and audits it for potential violations of security best practices. You can also check the companion blog post.


k8s-opa-boilerplate
Boilerplate example of managing OPA with kustomize.


minik8s-ctf
A beginner-friendly CTF about Kubernetes security.


kdigger
kdigger is a context discovery tool for Kubernetes penetration testing.

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

From the cloud providers


Determining whether a request is allowed or denied within an account
The IAM docs on policy evaluation have been updated with a table that explains how resource policies can or can't grant access beyond a permissions boundary.


AWS Network Firewall Adds New Configuration Options for Rule Ordering and Default Drop
AWS Network Firewall now offers new configuration options for rule ordering and default drop, making it easier to write and process rules to monitor your virtual private cloud (VPC) traffic.


Introducing AWS Instance Scheduler v2.0
AWS Instance Scheduler is a solution that helps you control your AWS resource cost by configuring start and stop schedules for your Amazon Elastic Compute Cloud (Amazon EC2 On-Demand Instances) and Amazon Relational Database Service (Amazon RDS) instances.


AWS Backup adds an additional layer for backup protection with the availability of AWS Backup Vault Lock
AWS Backup announced the availability of AWS Backup Vault Lock. This new feature enhances customers' ability to protect backups from inadvertent or malicious actions. It helps customers implement safeguards that ensure they are storing their backups using a Write-Once-Read-Many (WORM) model.


Simplifying Kubernetes configurations using AWS Lambda
How to create a multi-stage Dockerfile that uses eksctl, kubectl, and aws-auth. This will allow you to call Kubernetes APIs to create and manage resources through a unified control plane.


Centralised audit logs in GCP in a secure environment with VPC Service Controls
On paper, setting up GCP logging sinks is relatively easy. In reality, as soon as VPC Service Controls are involved, you suddenly find yourself locked out of every "how-to" tutorial; they likely won't work with your security setup.


Analyzing Endpoints Forensics - Azure Sentinel Connector
The Analyzing Endpoints Forensics Azure Sentinel Connector enables more powerful forensic analysis through techniques such as streaming a computer's EPP (Endpoint Protection) health status, policies, settings, and configuration, in addition to vulnerable IoT assets, data events and vulnerabilities.


Azure Monitor container insights for Azure Arc enabled Kubernetes
Azure Monitor container insights for Azure Arc enabled Kubernetes is now generally available. You can now monitor all Kubernetes clusters, AKS or non-AKS, through container insights.


IP-based website protection for Azure Static Web Apps
Azure Static Web Apps adds support for access restrictions by IP addresses and service tags.


Customize Azure Static Web Apps authentication with a serverless function
Azure Static Web Apps adds support for programmatically assigning custom user roles using Azure Functions.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.