Release Date: 13/02/2022 | Issue: 124
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

AppSecEngineer: It's like Skillshare, but for application security
Learning application security can be confusing. Where do you even start? Beginners find it especially hard to find quality resources online. What if you could have all your AppSec courses in ONE place? Now you can with AppSecEngineer!
We have courses in Cloud Security, Kubernetes, DevSecOps and more: more than 30 courses and 400+ hands-on labs that you can use for practice!
Start learning FREE today.

This week's articles


Supply Chain Attack as Code
#attack, #supply-chain, #terraform
TL;DR: Limit the use of third-party Terraform modules and, if you do use them, prefer the "Verified" ones from the registry.
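As an added example (not code from the article), two ways of taking a dependency on a third-party module that keep `terraform init` from silently pulling in content nobody reviewed: an exact registry version, and a git source pinned to a full commit SHA. The module name, version, git URL and SHA are placeholders.

```hcl
# Added example, not code from the article. Names, version and the commit SHA are placeholders.

# Registry module: "~> 3.0" (or no version at all) lets the next `terraform init`
# fetch a release you never audited. Pin the exact version you reviewed.
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "3.12.0"

  name = "example"
  cidr = "10.0.0.0/16"
}

# Git source: a branch or a re-pointable tag is mutable. Pin to a full commit SHA
# (placeholder below) so the content stays fixed even if the upstream repo changes hands.
module "internal_baseline" {
  source = "git::https://git.example.com/platform/terraform-baseline.git?ref=0123456789abcdef0123456789abcdef01234567"
}
```

Note that `.terraform.lock.hcl` records hashes for providers only, not modules, so a pinned version string is the only thing standing between a module consumer and a re-published release; the commit SHA form is the stronger of the two.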


Malicious Kubernetes Helm Charts can be used to steal sensitive information from Argo CD deployments
#attack, #kubernetes
Malicious actors could exploit CVE-2022-24348, a path-traversal vulnerability in Argo CD, to load a Kubernetes Helm Chart YAML file and "hop" from their application ecosystem to other applications' data outside of the user's scope.


Auditing GKE operations? Configure Data Access audit logs
#gcp, #kubernetes, #monitor
GKE's Admin Activity audit logs are always on, but they only record operations that modify state; reads such as "get" on Secret objects are Data Access events, which are disabled by default. So if you store a service account password in your cluster as a Kubernetes Secret, "kubectl get secret service_account_password -o yaml" hands an attacker the entire secret without a single line in the audit logs, unless Data Access audit logs have been enabled for the Kubernetes Engine API.
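As an added example (not code from the article), the Terraform needed to turn on Data Access audit logs for the Kubernetes Engine API, plus a log-based metric that counts Secret reads once those entries exist. The project ID is a placeholder, and the service name "container.googleapis.com" is assumed to be the one behind the "Kubernetes Engine API" entry on the Audit Logs page; check it against your own project.

```hcl
# Added example, not code from the article. "my-project" is a placeholder.

# Enable Data Access audit logs for the Kubernetes Engine API. Admin Activity logs
# (always on) only capture writes; `kubectl get secret` is a DATA_READ event and is
# dropped unless this configuration exists.
resource "google_project_iam_audit_config" "gke" {
  project = "my-project"
  service = "container.googleapis.com"

  audit_log_config {
    log_type = "ADMIN_READ"
  }
  audit_log_config {
    log_type = "DATA_READ"
  }
  audit_log_config {
    log_type = "DATA_WRITE"
  }
}

# Log-based metric over the now-present entries: every get/list of a Secret
# through the Kubernetes API, which an alerting policy can then watch.
resource "google_logging_metric" "gke_secret_reads" {
  project = "my-project"
  name    = "gke-secret-reads"
  filter  = <<-EOT
    logName:"cloudaudit.googleapis.com%2Fdata_access"
    protoPayload.serviceName="k8s.io"
    protoPayload.methodName=("io.k8s.core.v1.secrets.get" OR "io.k8s.core.v1.secrets.list")
  EOT

  metric_descriptor {
    metric_kind = "DELTA"
    value_type  = "INT64"
  }
}
```

DATA_READ on a busy cluster is chatty (every controller list/watch lands in it) and is billed as log volume, so budget for it, and narrow the metric filter by namespace or principal before wiring it to a pager.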


Understanding and Protecting local authentication for Azure services
#azure, #defend
The challenge is to protect service-level (or local) authentication credentials from malicious or unintended use in a way that is manageable at scale.


How to Make Package Signing Useful
#containers, #supply-chain
The benefits and limitations of signing an open source package, using a private key to create a unique digital signature, are a surprisingly contentious topic.


Dynamic Policy Composition for OPA
#explain, #opa
How to compose policies based on dynamic attributes provided with the request when querying Open Policy Agent (OPA) for decisions.


A "Safety Net" for AWS Canarytokens
#aws, #monitor
AWS Canarytokens are a low-effort, high-fidelity method to detect attackers who have compromised your infrastructure.


Elastic and AWS Serverless Application Repository (SAR)
#aws, #elastic, #monitor
How to use the Elastic serverless forwarder, which is published in the AWS Serverless Application Repository (SAR), to simplify log ingestion from S3.


Terraform AWS Provider 4.0 Refactors S3 Bucket Resource
#announcement, #aws, #terraform
Version 4.0 of the HashiCorp Terraform AWS provider brings usability improvements to data sources and attribute validations along with a refactored S3 bucket resource. The list of breaking changes for this release is quite long.
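As an added example (not code from the provider changelog), the same hardened log bucket written the pre-4.0 way and the 4.0 way, so the shape of the refactor is visible. Bucket and key names are placeholders.

```hcl
# Added example, not code from the provider changelog. Bucket and key names are placeholders.

resource "aws_kms_key" "logs" {
  description         = "audit log bucket key"
  enable_key_rotation = true
}

# Provider < 4.0: every setting lived inline on the bucket.
#
#   resource "aws_s3_bucket" "logs" {
#     bucket = "example-audit-logs"
#     acl    = "private"
#     versioning { enabled = true }
#     server_side_encryption_configuration {
#       rule {
#         apply_server_side_encryption_by_default {
#           sse_algorithm     = "aws:kms"
#           kms_master_key_id = aws_kms_key.logs.arn
#         }
#       }
#     }
#   }

# Provider 4.0: the bucket is just a bucket; each setting is its own resource.
resource "aws_s3_bucket" "logs" {
  bucket = "example-audit-logs"
}

resource "aws_s3_bucket_acl" "logs" {
  bucket = aws_s3_bucket.logs.id
  acl    = "private"
}

resource "aws_s3_bucket_versioning" "logs" {
  bucket = aws_s3_bucket.logs.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_server_side_encryption_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.logs.arn
    }
  }
}

resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

In 4.0.0 the old inline arguments became read-only, so a config that still sets them fails to plan; the security-relevant trap is the opposite one, deleting the inline blocks to make the plan pass without adding the new resources, which leaves encryption and versioning unmanaged and any later drift invisible. For buckets that already exist, `terraform import` each new resource with the bucket name as the ID (for example `terraform import aws_s3_bucket_versioning.logs example-audit-logs`) before the first apply.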

Tools


grr
GRR Rapid Response: remote live forensics for incident response.


action-validator
Tool to validate GitHub Action and Workflow YAML files.


amazon-ecr-credential-helper
Automatically gets credentials for Amazon ECR on docker push/docker pull.


kbrew
kbrew is homebrew for Kubernetes.

From the cloud providers


AWS: Automating Anomaly Detection in Ecommerce Traffic Patterns
How Amazon Kinesis and Amazon Lookout for Metrics can be used to detect major and minor anomalies in near real time, based on historical and current traffic trends.


AWS: AWS Announces the General Availability of AWS CloudFormation Hooks
AWS announced the general availability of AWS CloudFormation Hooks, a feature that allows customers to invoke custom logic to automate actions or inspect resource configurations prior to a create, update or delete CloudFormation stack operation.


AWS: Signed cookie-based authentication with Amazon CloudFront and AWS Lambda@Edge
How to use email addresses and domain names for user authentication (part 1, part 2).


AWS: Replicate Existing Objects with Amazon S3 Batch Replication
You can replicate existing S3 objects and synchronize your buckets using the new Amazon S3 Batch Replication feature.


GCP: Introducing container-native Cloud DNS: Global DNS for Kubernetes
The new container-native Cloud DNS integrates Cloud DNS with Google Kubernetes Engine (GKE) to provide in-cluster Service and Pod DNS resolution.


Azure: Key foundations for protecting your data with Azure confidential computing
Azure's foundation for confidential computing includes: hardware root-of-trust, remote attestation, trusted launch, memory isolation and encryption, and secure key management.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.