This week's articles
Shifting Left with Cloud Native CI/CD and Tekton
Slides from the talk Christie Wilson (@bobcatwilson) delivered at QCon San Francisco 2019. The first half is a refresher of cloud native topics, but from slide 52 it gets very interesting with a nice description of Tekton and of its main components.
Inviting Security to the Party
In this blog post, the DeliveryTech team describe the massive cultural change they faced when they migrated from ECS to EKS, and from "JSON+CloudFormation" to "YAML+Terraform". The post also describes how they use anchore-engine for scanning container images for known vulnerabilities and to verify them against user-defined policies. For example, you can block containers that contain known vulnerabilities or that contain AWS access keys.
Detecting Manual AWS Console Actions
If you are looking for a high signal / low noise alert, then you might be interested in setting up Cloudtrail alerting rules that let you detect when someone makes a manual change in your AWS Console. This way you could get notified when, for example, one of your engineers manually add new security group ingress rules through the AWS Console.
GitHub Token scanning
GitHub can now scan public repositories for known token formats to prevent fraudulent use of credentials that were committed accidentally. As a service provider, you can partner with GitHub so that your token formats are included in their token scanning. Whenever a match of your token format is found, a payload is sent to an HTTP endpoint of your choice.
Fine-Grained IAM Roles for Service Accounts for EKS
AWS just made pods first class citizens in IAM: rather than intercepting the requests to the EC2 metadata API to perform a call to the STS API to retrieve temporary credentials, AWS made changes in the identity APIs to recognize Kubernetes pods. By combining an OpenID Connect (OIDC) identity provider and Kubernetes service account annotations, you can now use IAM roles at the pod level.
AWS is working to prevent bucket sniping
As Scott Piper pointed out, looks like AWS is working to prevent bucket sniping. Athena used to just create and use the bucket "aws-athena-query-results-ACCOUNTID-REGION" on first use, or use that bucket if it already existed, which meant an attacker could create it in advance, causing problems. This problem class was blogged about by @iann0036 where he referred to it as bucket name squatting
Announcing Network Intelligence Center: towards proactive network operations
GCP introduced "Network Intelligence Center", Google Cloud’s network monitoring, verification, and optimisation platform across the cloud and on-prem data centers, along with an initial set of modules. Network Intelligence Center offers four modules: Connectivity Tests and Network Topology, both in beta; Performance Dashboard and Firewall Metrics & Insights in alpha; with several other modules to follow. So far it looks like Cloudmapper!