Release Date: 08/05/2022 | Issue: 136
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

Interested in beta testing a new Cloudflare security product?
Cloudflare is excited to share a new opportunity to try out one of our latest platform additions, Cloudflare CASB. This new product gives IT and security teams a ridiculously easy way to connect their SaaS apps - like Google Workspace and Microsoft 365 - and scan them for critical security issues and risks, like misconfigurations, insecure file sharing, and shadow IT.
Sound like something that could help at your organization?
Please visit and submit our beta access form to get started!

This week's articles


Old Services, New Tricks: Cloud Metadata Abuse by UNC2903
#attack, #aws
Mandiant identified threat actors (UNC2903) exploiting public-facing web applications to reach Amazon's Instance Metadata Service (IMDS) from the compromised host and harvest the temporary IAM credentials it serves. Requiring IMDSv2 session tokens on the instance blocks the single-request (IMDSv1) form of this credential theft.
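A check that follows from the item above, added here as an example (it is not code from the Mandiant write-up): walk a describe_instances response, flag every instance that still serves credentials over IMDSv1, and build the modify_instance_metadata_options call that enforces IMDSv2. The instance IDs and the sample payload are constructed; only the boto3 call names are real.

```python
"""Find EC2 instances that still answer IMDSv1 requests.

Added example for this newsletter item, not code from the Mandiant write-up.
It walks the Reservations list returned by ec2.describe_instances(), flags
instances whose metadata options do not require IMDSv2 session tokens, and
builds the ec2.modify_instance_metadata_options() arguments that enforce them.
The instance IDs and the sample payload below are constructed.
"""
from __future__ import annotations

# Constructed sample shaped like boto3's describe_instances()["Reservations"].
SAMPLE_RESERVATIONS = [
    {"Instances": [
        # IMDSv1 allowed and hop limit 2: reachable from a web app with an
        # SSRF/RCE bug and from containers behind a bridged network on the host.
        {"InstanceId": "i-0aaa111aaa111aaa1",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 2}},
        # IMDSv2 enforced: a plain GET to 169.254.169.254 gets a 401.
        {"InstanceId": "i-0bbb222bbb222bbb2",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        # Endpoint disabled entirely: nothing to harvest.
        {"InstanceId": "i-0ccc333ccc333ccc3",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]},
]


def enforce_imdsv2_params(instance_id: str, hop_limit: int = 1) -> dict:
    """Keyword arguments for ec2.modify_instance_metadata_options().

    HttpTokens=required makes IMDS demand a session token obtained with a PUT
    plus a custom header, which the GET-only SSRF primitive typically found in
    a web app cannot perform. A hop limit of 1 keeps the PUT response from
    crossing a NAT hop, so containers behind docker0-style bridges cannot
    obtain a token either.
    """
    return {
        "InstanceId": instance_id,
        "HttpEndpoint": "enabled",
        "HttpTokens": "required",
        "HttpPutResponseHopLimit": hop_limit,
    }


def imdsv1_exposed(reservations) -> list[dict]:
    """Return one finding per instance that serves credentials over IMDSv1."""
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") != "enabled":
                continue  # endpoint off: the token setting is irrelevant
            if opts.get("HttpTokens") == "required":
                continue  # IMDSv2 already enforced
            findings.append({
                "InstanceId": inst["InstanceId"],
                "HopLimit": opts.get("HttpPutResponseHopLimit"),
                "Remediation": enforce_imdsv2_params(inst["InstanceId"]),
            })
    return findings


if __name__ == "__main__":
    import json
    for finding in imdsv1_exposed(SAMPLE_RESERVATIONS):
        print(json.dumps(finding, indent=2))
    # Against a real account (needs boto3 and credentials; not run here):
    #   ec2 = boto3.client("ec2")
    #   pages = ec2.get_paginator("describe_instances").paginate()
    #   reservations = [r for page in pages for r in page["Reservations"]]
    #   for finding in imdsv1_exposed(reservations):
    #       ec2.modify_instance_metadata_options(**finding["Remediation"])
```

Run it per region; the commented tail shows where the paginated describe_instances output plugs in and how each finding's Remediation dict feeds modify_instance_metadata_options directly.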


Compromising Read-Only Containers with Fileless Malware
#attack, #containers
Post exploring the mechanics and prevalence of fileless malware execution, where the payload is loaded and run from memory instead of being written to disk, as a way of attacking containers whose root filesystem is mounted read-only.


CloudFlare Pages, part 1: The fellowship of the secret
#attack, #cloudflare
A three-part series (see also Part 2 and Part 3) uncovering, among other things, command injection, container escapes, leaked GitHub tokens (including Cloudflare's own), Cloudflare API keys with access to Cloudflare's own organisation, and Cloudflare's Azure API tokens. Cloudflare's own writeup is also worth reading.


SBOM + SLSA: Accelerating SBOM success with the help of SLSA
#defend, #supply-chain
Post explaining the respective strengths of SBOMs and SLSA, how they fundamentally differ, and how SLSA principles can both support the generation of high-quality SBOMs and help consumers respond to supply chain attacks.


Kubernetes signals massive adoption of Sigstore for protecting open source ecosystem
#containers, #defend, #kubernetes, #supply-chain
Kubernetes 1.24 will be the first release whose artifacts are officially signed with Sigstore, so consumers can verify the signatures (published alongside each binary as .sig and .cert files) and guard against tampered releases; the announcement cites Kubernetes' 5.6 million developer community. This marks a big shift toward verifiable infrastructure.


Increasing the security bar in Ingress-NGINX v1.2.0
#defend, #kubernetes
The Ingress may be one of the most targeted components of Kubernetes. While its risks are well understood, tackling them is not easy, so the Kubernetes community took another approach to reduce (but not remove!) them in the current (v1.2.0) release: running the NGINX process in a chroot inside the controller container, so that a compromise of NGINX no longer exposes the controller's filesystem, including its service account token.


Bottlerocket Security Guidance
#aws, #build
Recommendations, details, and examples to help you create a configuration that meets your security and compliance requirements.


Limiting access to Kubernetes resources with RBAC
#explain, #iam, #kubernetes
How to recreate the Kubernetes RBAC authorization model from scratch, to get a feel for the relationships between Roles, ServiceAccounts, RoleBindings, and so on.
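The model the article rebuilds, as an added example in Python (not the article's own code): rules live on a Role or ClusterRole, a RoleBinding or ClusterRoleBinding attaches the role to subjects such as a ServiceAccount, and authorization is deny-by-default with purely additive grants. It also covers one generalisation the objects imply, which I am confident holds in Kubernetes: a ClusterRole referenced from a namespaced RoleBinding grants access only in that namespace, while a ClusterRoleBinding grants it everywhere. All objects in sample_bindings() are constructed.

```python
"""Toy evaluator for the Kubernetes RBAC model the article rebuilds.

Added example, not the article's own code. Roles and ClusterRoles carry
rules, RoleBindings and ClusterRoleBindings attach a role to subjects such as
a ServiceAccount, and authorization is deny-by-default with purely additive
grants. A ClusterRole referenced from a namespaced RoleBinding only grants
access in that namespace; a ClusterRoleBinding grants it in every namespace.
All objects in sample_bindings() are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: tuple[str, ...]  # "" is the core group (pods, secrets, ...)
    resources: tuple[str, ...]   # subresources are written "pods/log"
    verbs: tuple[str, ...]

    def matches(self, group: str, resource: str, verb: str) -> bool:
        return (
            ("*" in self.api_groups or group in self.api_groups)
            and ("*" in self.resources or resource in self.resources)
            and ("*" in self.verbs or verb in self.verbs)
        )


@dataclass(frozen=True)
class Role:
    """kind: Role when namespace is set, kind: ClusterRole when it is None."""
    name: str
    rules: tuple[Rule, ...]
    namespace: str | None = None


@dataclass(frozen=True)
class Binding:
    """kind: RoleBinding when namespace is set, ClusterRoleBinding when None."""
    role: Role
    subjects: frozenset[str]  # "system:serviceaccount:<ns>:<name>", "user:<name>", ...
    namespace: str | None = None


def allowed(bindings, subject: str, verb: str, resource: str,
            namespace: str, group: str = "") -> bool:
    """True if any binding grants `subject` the verb on the resource in `namespace`."""
    for binding in bindings:
        if subject not in binding.subjects:
            continue
        if binding.namespace is not None:
            # RoleBinding: the grant is confined to the binding's own namespace,
            # whether it references a Role there or a ClusterRole.
            if binding.namespace != namespace:
                continue
            if binding.role.namespace not in (None, binding.namespace):
                continue  # Role living in another namespace: dangling reference
        elif binding.role.namespace is not None:
            continue  # a ClusterRoleBinding must reference a ClusterRole
        if any(rule.matches(group, resource, verb) for rule in binding.role.rules):
            return True
    return False  # deny by default: no rule matched


def sample_bindings() -> list[Binding]:
    ci_sa = "system:serviceaccount:dev:ci"
    pod_reader = Role("pod-reader", namespace="dev", rules=(
        Rule(api_groups=("",), resources=("pods", "pods/log"), verbs=("get", "list", "watch")),
    ))
    secret_reader = Role("secret-reader", rules=(  # ClusterRole
        Rule(api_groups=("",), resources=("secrets",), verbs=("get", "list")),
    ))
    return [
        Binding(pod_reader, frozenset({ci_sa}), namespace="dev"),
        # ClusterRole reused through a RoleBinding: secrets readable in dev only.
        Binding(secret_reader, frozenset({ci_sa}), namespace="dev"),
        # ClusterRoleBinding: secrets readable in every namespace.
        Binding(secret_reader, frozenset({"user:sre"})),
    ]


if __name__ == "__main__":
    b = sample_bindings()
    print(allowed(b, "system:serviceaccount:dev:ci", "get", "secrets", "dev"))   # True
    print(allowed(b, "system:serviceaccount:dev:ci", "get", "secrets", "prod"))  # False
    print(allowed(b, "user:sre", "get", "secrets", "prod"))                     # True
```

The same questions can be put to a real cluster with `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:dev:ci -n dev`, which is a convenient way to confirm that the toy model and the API server agree on a given binding set.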


Intro to OCI Reference Types
#containers, #explain
OCI, the Open Container Initiative, is the group that oversees the open specifications for container images, runtimes and distribution; if you have ever run an application on Kubernetes, you have leveraged OCI. The post then introduces the proposed Reference Types, which let an artifact such as a signature or SBOM be attached to, and discovered from, the image it refers to.


Gaining Unlimited access to graph AuditLogs endpoint using complex filters with non-privileged user account
#attack, #azure
Another Azure vulnerability: an unprivileged user could craft complex filters for the Microsoft Graph AuditLogs endpoint to read logs that normally require administrative roles.

Tools


pre-commit-opa
Pre-commit git hooks for Open Policy Agent (OPA) and Rego development.


cloud-forensics-utils
Python library to carry out DFIR analysis on the Cloud.


ChopChop
ChopChop is a CLI that helps developers scan endpoints and identify exposure of sensitive services, files and folders.


GitGoat
GitGoat enables DevOps and engineering teams to test security products that integrate with GitHub. It is a learning and training project that demonstrates common configuration errors which could allow an adversary to introduce code into production.

Job Advert

Doyensec is an independent security research and development company focused on vulnerability discovery and remediation. We love what we do and we routinely take on difficult engineering challenges to help our customers build with security.
We are looking for a Cloud Security Engineer to join our team. We need someone who has a strong interest in auditing and researching cloud platforms and containerized environments.
More details: https://www.careers-page.com/doyensec-llc/job/L8X354RV

From the cloud providers


AWS Well-Architected Labs - Security
Hands on labs and real world design scenarios for Well-Architected workloads.


Authenticate AWS Client VPN users with AWS Single Sign-On
How to integrate Client VPN with an existing AWS Single Sign-On instance, via a custom SAML 2.0 application, to authenticate and authorize Client VPN connections and traffic.


Disabling Security Hub controls in a multi-account environment
An automated process for disabling or enabling selected AWS Security Hub controls across multiple accounts and multiple regions.


Implement OAuth 2.0 device grant flow by using Amazon Cognito and AWS Lambda
How to implement the OAuth 2.0 device authorization grant flow for Amazon Cognito by using AWS Lambda and Amazon DynamoDB.
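The exchange the post implements, as an added example that is not AWS's code: an in-memory model of the device authorization grant (RFC 8628) with a dict standing in for the DynamoDB table. It goes a little beyond the blurb by showing both sides of the flow and the error responses a token endpoint has to return (authorization_pending, slow_down, expired_token, access_denied) before a token is ever issued. Endpoint paths, the verification URI, the token format and the timings are invented.

```python
"""In-memory model of the OAuth 2.0 device authorization grant (RFC 8628).

Added example, not AWS's code from the post. The logic the post puts in
Lambda is modelled here with a dict standing in for the DynamoDB table.
Endpoint names, the token format, the verification URI and the timings are
invented for the example.
"""
from __future__ import annotations

import secrets
import time

# Consonants only: no accidental words, and no 0/O or 1/I lookalikes to mistype.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


def new_user_code() -> str:
    """Short code the human types in, e.g. 'WXGB-HKPT' (20^8 possibilities)."""
    block = lambda: "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(4))
    return f"{block()}-{block()}"


class DeviceAuthServer:
    def __init__(self, expires_in: int = 300, interval: int = 5, clock=time.monotonic):
        self.expires_in = expires_in  # lifetime of a code pair, seconds
        self.interval = interval      # minimum seconds between polls
        self.clock = clock            # injectable so the walkthrough needs no sleep
        self.store: dict[str, dict] = {}  # device_code -> record (the DynamoDB item)

    # POST /device_authorization, called by the input-constrained client.
    def device_authorization(self, client_id: str) -> dict:
        device_code = secrets.token_urlsafe(32)  # high entropy, never shown to the user
        user_code = new_user_code()
        self.store[device_code] = {
            "client_id": client_id, "user_code": user_code, "status": "pending",
            "subject": None, "expires_at": self.clock() + self.expires_in, "last_poll": None,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://device.example.invalid/activate",
                "expires_in": self.expires_in, "interval": self.interval}

    def _pending_by_user_code(self, user_code: str):
        now = self.clock()
        for rec in self.store.values():
            if rec["user_code"] == user_code and rec["status"] == "pending" and now < rec["expires_at"]:
                return rec
        return None

    # Called after the user has authenticated (the Cognito hosted UI in the
    # post) and typed the code. user_code is low entropy by design, so the real
    # endpoint must rate-limit guesses per client and per source address.
    def approve(self, user_code: str, subject: str) -> bool:
        rec = self._pending_by_user_code(user_code)
        if rec is None:
            return False
        rec["status"], rec["subject"] = "approved", subject
        return True

    def deny(self, user_code: str) -> bool:
        rec = self._pending_by_user_code(user_code)
        if rec is None:
            return False
        rec["status"] = "denied"
        return True

    # POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code
    def token(self, client_id: str, device_code: str) -> dict:
        rec = self.store.get(device_code)
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now >= rec["expires_at"]:
            del self.store[device_code]
            return {"error": "expired_token"}
        if rec["last_poll"] is not None and now - rec["last_poll"] < self.interval:
            rec["last_poll"] = now
            return {"error": "slow_down"}  # client must back off before polling again
        rec["last_poll"] = now
        if rec["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.store[device_code]  # decided either way: a device_code is single use
        if rec["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "subject": rec["subject"]}


def run_walkthrough() -> list:
    """Both sides of the exchange under a fake clock; returns the observed outcomes."""
    now = [1_000.0]
    srv = DeviceAuthServer(clock=lambda: now[0])
    req = srv.device_authorization("tv-app")
    out = [srv.token("tv-app", req["device_code"])["error"]]    # authorization_pending
    out.append(srv.token("tv-app", req["device_code"])["error"])  # slow_down: polled too soon
    now[0] += srv.interval
    out.append(srv.approve(req["user_code"], "alice"))           # True: user approved
    out.append(srv.token("tv-app", req["device_code"])["token_type"])  # "Bearer"
    out.append(srv.token("tv-app", req["device_code"])["error"])  # invalid_grant: already used
    req2 = srv.device_authorization("tv-app")
    now[0] += srv.expires_in
    out.append(srv.token("tv-app", req2["device_code"])["error"])  # expired_token
    out.append(srv.approve(req2["user_code"], "bob"))            # False: nothing pending
    return out
```

Two design points carry over to a real Lambda/DynamoDB implementation: the device_code, not the human-typed user_code, is the only value that ever redeems a token, and the record is deleted the moment a decision is handed out, so a stolen device_code cannot be replayed.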


Introducing SWIFT on Google Cloud
Introducing SWIFT on Google Cloud - modernize your payments by bringing them to the cloud.


CIS hardening support in Container-Optimized OS from Google
Google's latest Container-Optimized OS release supports CIS benchmark compliance and can provide continuous CIS scanning capabilities.


Customize your secure VM session experience with native client support on Azure Bastion
Azure Bastion is a fully managed jumpbox-as-a-service that provides secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to your VMs in local or peered virtual networks. With native client support available on the Standard SKU for Azure Bastion, you now unlock customizable features and added functionality in your VM sessions.


Intelligent application protection from edge to cloud with Azure Web Application Firewall
Microsoft has been evolving Azure Web Application Firewall (Azure WAF), a cloud-native, self-managed security service to protect your applications and APIs running in Azure or anywhere else, from the network edge to the cloud.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.