Release Date: 07/11/2021 | Issue: 112
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

Cybersecurity, a daily task
As companies grow, so does their attack surface. Faraday offers an integral approach to scalability, to help businesses keep up with growing networks and security requirements. Scalability is about resource optimization. We developed a platform that allows us to automate vulnerability detection, summarize results, and manage larger volumes of vulnerabilities. Faraday eases the integration of security tasks into the regular workflow and, ultimately, of productivity with security. It also includes a Jira integration that lets you save time and automate your team's resources.
Scale your security now

This week's articles


Streamline Fifteen SOC 2 Controls with AWS Config and AWS Security Hub
#aws, #defend
There are two services on AWS that can make SOC 2 easier for you and your company, AWS Config and AWS Security Hub. These two services have built-in rules (Config) and controls (Security Hub) that directly address SOC 2 criteria and controls.


Kubernetes API Access Security Hardening
#defend, #kubernetes
Kubernetes is driven by an HTTP API server which allows complete configuration and control of the Kubernetes runtime. Therefore, securing access to the API server is one of the most critical security controls for running a resilient Kubernetes cluster in production.


Automating cloud governance at scale
#aws, #defend
Blog post from Skyscanner, introducing some recent improvements to CFRipper that have enabled them to detect issues more accurately, allow for increasing levels of customization, and facilitate dynamic stack exemptions for engineering squads.


The 2 limits of Google Cloud IAM
#explain, #gcp, #iam
Two use cases where the GCP IAM model is limited, requiring some trickery to get right.


Server-side Apply in Kubernetes
#announcement, #kubernetes
This new merging algorithm running on the Kubernetes API server replaces the client-side apply feature with a server-side implementation, helping users and controllers manage their resources.


Using New S3 Features to Give CloudTrail Logs Service-Side Enrichment
#aws, #monitor
Use the recent S3 Object Lambda functionality in AWS to enrich S3-based logs with valuable intelligence.


Container CVE List
#attack, #docker, #kubernetes
A page listing CVEs affecting Kubernetes/runc/ContainerD/Docker.


Terraform support in Semgrep
#announcement, #defend, #terraform
Semgrep 0.70+ now supports scanning Terraform source files (HCL) for misconfigurations and security flaws.

Tools


driftctl
Detect, track and alert on infrastructure drift.


camp
Cloudsplaining on AWS Managed Policies. It automatically downloads and keeps a local copy of all AWS IAM Managed Policies, and also runs Cloudsplaining on each.


helm-scanner
Open source IaC security scanner for public Helm charts.


ottr
Ottr is a serverless framework for Public Key Infrastructure (PKI) that aims to provide a robust and scalable method to manage end-to-end certificate rotations using an agentless approach.


terraform-validator
Terraform Validator can run pre-deployment checks on Terraform plans for policy compliance.

From the cloud providers


AWS: Forensic investigation environment strategies in the AWS Cloud
This post provides strategies that you can use to prepare your organization to respond to secure baseline deviations. These strategies take the form of best practices around AWS account structure, OUs and SCPs, forensic VPC and network infrastructure, evidence artifacts to be collected, AWS services to be used, forensic analysis tool infrastructure, and user access and authorization to the above.


AWS: Analyze Cross-Account AWS KMS Call Usage with AWS CloudTrail and Amazon Athena
How to use AWS CloudTrail and Amazon Athena to analyze AWS KMS API usage. In a hub-and-spoke account model, cross-account AWS KMS API quotas are applied to the spoke account when the spoke account accesses an SSE-KMS-encrypted S3 bucket in the hub account.


AWS: Extending the Baseline in AWS Control Tower to Accelerate the Transition from AWS Landing Zone
This blog post explains how to modify and deploy the code to apply AWS Landing Zone specific baselines, such as IamPasswordPolicy and EnableNotifications, into AWS Control Tower using Customizations for AWS Control Tower.


AWS: AWS Control Tower Account vending through Amazon Lex ChatBot
Post describing a multi-environment solution that uses a cloud native CI/CD pipeline to build, test, and deploy a Serverless ChatOps bot that integrates with AWS Control Tower Account Factory for AWS account vending.


GCP: Zero trust workload security with GKE, Traffic Director, and CA Service
Google announced the general availability of new security capabilities for Traffic Director which provide fully-managed workload credentials for Google Kubernetes Engine (GKE) via CA Service.


GCP: Introducing GKE image streaming for fast application startup and autoscaling
New container image streaming in Google Kubernetes Engine slashes the time it takes to boot your applications.


Azure: Azure trusted launch for Virtual Machines now generally available
Azure offers trusted launch as a seamless way to bolster the security of Generation 2 VMs. Designed to protect against bootkits, rootkits, and kernel-level malware, trusted launch is comprised of secure boot, a virtual trusted platform module (vTPM), and boot integrity monitoring.


Azure: Introducing Microsoft Defender for Cloud Apps
Defender for Cloud Apps helps you gain visibility of your deployed cloud apps, discovers shadow IT, and protects your sensitive information.


Azure: Introducing Azure Container Apps: a serverless container service for running modern apps at scale
Microsoft announced Azure Container Apps, an app centric hosting service for serverless containers. It is built with microservices in mind on the foundation of powerful open-source technology in the Kubernetes ecosystem.


Azure: OpenID Connect integration between Azure AD and GitHub Actions
Microsoft announced the public preview of capabilities that enable developers to secure their deployments to Azure through the OpenID Connect integration between Azure AD and GitHub Actions.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate it if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.