Release Date: 12/12/2021 | Issue: 117
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

Uncover lessons learned from the recent cloud attack by a group called TeamTNT in this short blog. TeamTNT is known for large-scale attacks against virtual and cloud solutions such as Kubernetes and Docker. Recently they deployed a new strategy that leverages the AWS metadata service to obtain credentials with excessive permissions, which can then be exploited in the cloud for lateral movement.
Read the blog to discover how the attack works, the associated risks, and how to detect it.

This week's articles


Snaring the Bad Folks
#aws, #defend, #monitor
Blog post introducing Snare, Netflix's Detection, Enrichment, and Response platform for handling cloud security related findings. Snare is responsible for receiving millions of records a minute, analyzing, alerting, and responding to them.


Falco 101
#explain, #falco
All you need to learn to get started with Falco.


Zero Trust with Envoy, SPIRE and Open Policy Agent (OPA)
#build, #opa
Blog exploring one of the key principles of Zero Trust, around authenticating and authorizing every request before a service is allowed to access a resource, and defining a simple OPA policy that demonstrates how service to service communication can be protected.


Achieving Least Privilege with AWS IAM
#aws, #explain, #iam
A few tips and tricks that should help anyone looking to advance their understanding of IAM.


Pod Security Graduates to Beta
#announcement, #defend, #kubernetes
With the release of Kubernetes v1.23, Pod Security admission has now entered beta. Pod Security is a built-in admission controller that evaluates pod specifications against a predefined set of Pod Security Standards and determines whether to admit or deny the pod from running.


Zero-friction keyless signing with Github Actions
#build, #ci/cd, #containers
How-to guide explaining how to use cosign to sign container images built in GitHub Actions. You can also check the related GitHub announcement.


Using Google Cloud Service Account impersonation in your Terraform code
#build, #gcp, #terraform
This blog details different ways to authenticate as a service account in Terraform code using short-lived credentials.


Best practices for using workload identity federation
#build, #gcp, #iam
This guide presents best practices for deciding when to use workload identity federation, and how to configure it in a way that helps you minimize risks.


AWS SageMaker Jupyter Notebook Instance Takeover
#attack, #aws
An attacker can run any code on a victim's SageMaker JupyterLab Notebook Instance across accounts. This means that an attacker can access the Notebook Instance metadata endpoint and steal the access token for the attached role.


Over-Privileged Service Accounts Create Escalation of Privileges and Lateral Movement in Google Cloud
#attack, #gcp, #iam
There are standard best practices for service accounts, but many GCP environments lag behind in implementing them. This research shows how these violations of best practices can allow attackers to chain together attack steps to gain broader access to resources in a GCP environment.

Tools


csp_security_mistakes
A list of security mistakes made by Cloud Service Providers (AWS, GCP, Azure). Includes CVEs, SOC 2 Type 2 failures, security researchers compromising managed services, and more.


starboard-exporter
A standalone exporter for vulnerability reports and other CRs created by Starboard.

From the cloud providers


AWS: Amazon S3 console now reports security warnings, errors, and suggestions from IAM Access Analyzer as you author your S3 policies
The S3 console now reports security warnings, errors, and suggestions from Identity and Access Management (IAM) Access Analyzer as you author your S3 policies. The console automatically runs more than 100 policy checks to validate your policies.


GCP: Ensuring scale and compliance of your Terraform Deployment with Cloud Build
The best way to run Terraform on Google Cloud is with Cloud Build and Cloud Storage. This article explains why, covering scale, security and compliance.


GCP: Cloud IDS for network-based threat detection is now generally available
Google announced the general availability of Cloud IDS. This core network security offering helps detect network-based threats and helps organizations meet compliance standards that call for the use of an intrusion detection system.


GCP: Enabling keyless authentication from GitHub Actions
With GitHub's introduction of OIDC tokens into GitHub Actions Workflows, you can authenticate from GitHub Actions to Google Cloud using Workload Identity Federation, removing the need to export a long-lived JSON service account key.


Azure: Public preview availability of Virtual Machine restore points
Take multi-disk-consistent, point-in-time snapshots of all the disks attached to a VM for backup and disaster recovery purposes.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.