Release Date: 14/11/2021 | Issue: 113
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

Best Practices for CIEM Security
Did you know that over-permissioned accounts and roles are the most common cloud service misconfiguration security problem? To mitigate the risk of data breaches and contain privilege escalation and lateral movement, implementing least privilege is a crucial best practice. To do this effectively, you need Cloud Infrastructure Entitlement Management (CIEM) security.
Read our blog to discover what CIEM Security is and how easy it is to implement with Sysdig Secure for cloud.

This week's articles


ChaosDB Explained: Azure's Cosmos DB Vulnerability Walkthrough
#attack, #azure
This is the full story of the Azure ChaosDB Vulnerability that was discovered and disclosed by the Wiz Research Team, where they were able to gain complete unrestricted access to the databases of several thousand Microsoft Azure customers.


Exploiting and defending anonymous access in Azure
#attack, #azure, #defend, #iam
Most Azure services require some form of authentication for access. However, there are a few exceptions that allow the configuration of unauthenticated and unauthorized access. The most common ones are Azure Blob Containers and the Azure Container Registry.


Everything you always wanted to know about VPC Peering (but were afraid to ask)
#explain, #gcp
An overview of Google Cloud VPC network peerings, their anatomy, major misconceptions, and some watchpoints, so that users can learn how to use them wisely, while designing their infrastructures.


Detection Engineering for Kubernetes clusters
#kubernetes, #monitor
A background on what logging in Kubernetes looks like, followed by novel detection rules created around how privilege escalation is achieved within a Kubernetes cluster.


Kubernetes Logging in Production
#explain, #kubernetes, #monitor
Learn about scalable logging patterns for your production Kubernetes clusters.


A Practical Guide to Continuous Compliance for Your Cloud Infrastructure
#ci/cd, #strategy
A 5-step journey to achieve continuous compliance without sacrificing speed.


Zero-friction keyless signing with Kubernetes
#build, #containers, #kubernetes
A new way of signing container images without needing to manage signing keys, including a demo of how easy it is to get started signing on Amazon EKS thanks to cosign.


How to Secure Containers with Cosign and Distroless Images
#ci/cd, #containers, #kubernetes
A post on why Distroless container images and Cosign make production deployments safer.


Flux Security Audit has concluded
#announcement
The engagement uncovered a privilege escalation vulnerability in Flux that could enable users to gain cluster admin privileges. The issue has been fixed and is assigned CVE-2021-41254. You can also take a look at the full report.


Terraform Cloud Variable Sets Beta Now Available
#announcement, #terraform
The new variable sets in HashiCorp Terraform Cloud enable capabilities that help simplify use cases such as credential management, disaster recovery, tagging, and cost reduction.

Tools


cloudkey
No need for IAM users when we have Yubikeys.


dco
GitHub App that enforces the Developer Certificate of Origin (DCO) on Pull Requests.


yet-another-aws-exporter
A Prometheus metrics exporter for AWS that fills in gaps CloudWatch doesn't cover.


kubectl-cost
CLI for determining the cost of Kubernetes workloads.

CloudSecDocs


Vault
A collection of resources for HashiCorp Vault.

From the cloud providers


AWS: Measure and Improve Your Application Resilience with AWS Resilience Hub
Amazon announced the availability of AWS Resilience Hub, a new AWS service designed to help you define, track, and manage the resilience of your applications.


AWS: AWS CloudTrail announces ErrorRate Insights
AWS CloudTrail announces CloudTrail error rate Insights, a new feature of CloudTrail Insights that enables customers to identify unusual activity in their AWS account based on API error codes and their rate.


GCP: Secure Software Supply Chain (S3C) in Serverless world
A no-ops method to build an S3C using Cloud Run, Cloud Build and Binary Authorization in Google Cloud.


GCP: Enabling SRE best practices: new contextual traces in Cloud Logging
Developers can now view trace information for applications directly in Google Cloud Logging for faster debugging.


Azure: Protect workloads with inline DDoS protection from Gateway Load Balancer partners
Microsoft announced the preview of inline DDoS protection which will be offered through partner network virtual appliances (NVAs) that are deployed with Azure Gateway Load Balancer and integrated with Azure DDoS Protection Standard.


Azure: Public preview: Azure Bastion IP based connection
With the new Azure Bastion IP based connection capability, you can now connect to any target resource reachable from your Bastion using its private IP address.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate it if you'd forward it to them.

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.