Release Date: 24/11/2019 | Issue: 13
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.

This week's articles

Kubernetes State of Security
This talk gives an overview of the security issues reported to the Kubernetes project in the last year, as well as of the overall security improvements introduced in Kubernetes (especially around service account tokens and NodeRestriction). Two main takeaway points: PodSecurityPolicies might never make it to GA (!!), and misconfiguration remains the primary pain point and source of compromise.

How Kubernetes components communicate securely in your cluster
These are the slides of the talk Maya Kaczorowski delivered at Kubecon. The talk starts by covering the main Kubernetes components that need trusted communication, and how this communication is protected. Then, it goes over how the cluster certificate authority (CA) works, and how this grants certificates to Kubernetes components. Lastly, it explains how you can protect other communications within your cluster, if needed for your workload - like node to node and pod to pod.

Fixing The Capital One Breach
This post from Evan analyses the change introduced this past week by AWS around "session-based requests", intended to mitigate the risk of SSRF against the EC2 metadata service. AWS refers to the new offering as IMDSv2, the previous offering (the one exposed in the Capital One breach) being IMDSv1. In the end, requiring an HTTP PUT prevents GET-based attacks (like webhooks), but this is not a complete solution to SSRF problems.

Announcing the Cloud Native Security Hub
The Cloud Native Security Hub aims to be a platform for discovering and sharing rules and configurations for all cloud native security tools. The first version, just released, introduces Falco rules support; support for other tools will come soon. On the plus side, all the source code for the Hub is available under the Apache 2.0 license in the falcosecurity GitHub organisation.

Sysdig introduced the industry's first Kubernetes native Threat Prevention and Incident Response tool
Sysdig Secure 3.0 introduced native prevention and incident response for Kubernetes, with three main features: Kubernetes Policy Advisor prevents threats at runtime using Kubernetes Pod Security Policies, Falco Tuning optimises Falco rules to reduce false positives and alert fatigue, and Activity Audit speeds incident response and enables audit by correlating container and Kubernetes activity.

An AWS IAM Policy Linter: Parliament
The Duo Labs team released parliament, an AWS IAM policy linter. This tool helps avoid IAM policy errors that can have a significant impact on both security and functionality.

kubepox
kubepox, which stands for "Kubernetes network Policy eXploration tool", lets you query all the network policies defined in the cluster, together with the affected Pods.

Full Docker breakout exploit through CVE-2019-14271
Nice writeup (with exploitation) of CVE-2019-14271, an issue in the implementation of the Docker cp command that can lead to full container escape.

gVisor Security Basics
This post goes super in-depth about the design thinking behind gVisor and container sandboxes.

From the cloud providers

Say goodbye to SSRF on AWS EC2 Instances
AWS released v2 of the EC2 Instance Metadata Service (IMDSv2). With IMDSv2, every request is now protected by session authentication. IMDSv2's combination of beginning a session with a PUT request, and then requiring the secret session token in all other requests, is always strictly more effective than requiring only a static header. AWS analysis of real-world vulnerabilities found that this combination protects against the vast majority of SSRF vulnerabilities. There is a caveat, though: both IMDSv1 and IMDSv2 will be available and enabled by default, and customers can choose which one they will use.
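As an added illustration of the session flow described here and in the Capital One post above (example code, not from AWS or either article): a constructed local stand-in for the metadata service that enforces the IMDSv2 contract, a client that does the PUT-then-GET exchange, and a bare GET showing why a request that cannot choose its method or set headers is refused. The paths and header names are the documented IMDSv2 ones; the server, the token store and the response body are assumptions made for the demo.

```python
import secrets
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError

TOKEN_PATH = "/latest/api/token"
TTL_HDR = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HDR = "X-aws-ec2-metadata-token"
_tokens = {}  # token -> expiry time; constructed in-memory session store

class FakeIMDSv2(BaseHTTPRequestHandler):
    # Constructed local stand-in for 169.254.169.254, not AWS code.
    log_message = lambda self, *args: None  # keep the demo quiet
    def do_PUT(self):
        # Session start: a PUT carrying a TTL header (capped at 6 hours) mints a token.
        if self.path != TOKEN_PATH or TTL_HDR not in self.headers:
            return self.send_error(400)
        tok = secrets.token_urlsafe(32)
        _tokens[tok] = time.time() + min(int(self.headers[TTL_HDR]), 21600)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(tok.encode())

    def do_GET(self):
        # Every metadata read must carry a live session token; otherwise 401.
        tok = self.headers.get(TOKEN_HDR)
        if tok not in _tokens or _tokens[tok] < time.time():
            return self.send_error(401)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b'{"Code":"Success","Type":"AWS-HMAC"}')  # constructed body

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), FakeIMDSv2)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def fetch_v2(base, path, ttl=60):
    # Well-behaved client: PUT for a token, then GET with the token header.
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT", headers={TTL_HDR: str(ttl)})
    token = urllib.request.urlopen(req).read().decode()
    req = urllib.request.Request(base + path, headers={TOKEN_HDR: token})
    return urllib.request.urlopen(req).read().decode()

def get_status(base, path):
    # Bare GET with no session: the request shape a URL-fetching SSRF usually yields.
    try:
        return urllib.request.urlopen(base + path).status
    except HTTPError as err:
        return err.code
```

The bare GET is what the page's "GET-based attacks (like webhooks)" boils down to; an SSRF that can issue a PUT and set headers is the case IMDSv2 does not close on its own.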

Continuously monitor unused IAM roles with AWS Config
The IAM API now provides information about when a role has last been used to make an AWS request. In this post, AWS demonstrates how you can identify inactive roles using role last used information. Additionally, they show how to implement continuous monitoring of role activity using AWS Config.

Use IAM to share your AWS resources with groups of AWS accounts in AWS Organizations
You can now reference Organizational Units (OUs), which are groups of AWS accounts in AWS Organizations, in AWS Identity and Access Management (IAM) policies, making it easier to define access for your IAM principals (users and roles) to the AWS resources in your organization. AWS Organizations lets you organize your accounts into OUs to align them with your business or security purposes. Now, you can use a new condition key, aws:PrincipalOrgPaths, in your policies to allow or deny access based on a principal’s membership in an OU. This makes it easier than ever to share resources between accounts you own in your AWS environments.

Hardening your cluster's security
Google updated their GKE hardening guide with new security features and a new section "Secure Defaults". The goal: move as many items to secure defaults as possible.

© 2019-present The Cloud Security Reading List by SecurityBite LTD.