Release Date: 02/02/2020 | Issue: 22
The Cloud Security Reading List is a low-volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand-curated by Marco Lancini.

This week's articles

Multi cluster monitoring with Thanos
In this post, Banzai Cloud explains how they settled on Thanos as a standardised solution that would allow them to federate metrics, and collect them into a single place for long term storage, querying and analysis.

This GitHub repo contains a reference implementation of a fully production-ready Kubernetes setup, based on immutable infrastructure and GitOps Flow methodologies. Everything starts out in Git as either code or configuration: the desired state is edited there, and that state is then applied onto the infrastructure.

Guide to Kubernetes Egress Network Policies
This post provides a nice introduction to Kubernetes Network Policies and explains how to extend them to control which egress destinations a pod is allowed to reach.
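As an added example (not code from the linked post), this is the shape such an egress policy takes: a default-deny egress policy for a whole namespace, followed by an allow-list that re-opens only DNS and HTTPS to one CIDR for one workload. It is wrapped in a small shell function so the manifest can be rendered with different parameters and piped into kubectl. The namespace "payments", the label app=checkout and the CIDR 10.20.0.0/16 are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not code from the linked post): a default-deny egress policy
# plus a narrow allow-list, rendered by a function so the namespace, app label
# and permitted CIDR can be varied. The namespace "payments", label app=checkout
# and CIDR 10.20.0.0/16 in the usage line are illustrative assumptions.
set -eu

# Print two NetworkPolicy objects for namespace $1, app label $2, CIDR $3:
#  1. default-deny-egress selects every pod and lists Egress in policyTypes with
#     no egress rules, so all outbound traffic from the namespace is dropped.
#  2. allow-<app>-egress re-opens, for the selected app only, DNS to the kube-dns
#     pods (in any namespace) and TCP/443 to the given CIDR. Policies are
#     additive, so destinations not listed here stay blocked.
egress_policies() {
  ns="$1"; app="$2"; cidr="$3"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes:
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-${app}-egress
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      app: ${app}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  - to:
    - ipBlock:
        cidr: ${cidr}
    ports:
    - protocol: TCP
      port: 443
EOF
}

# Count the egress rules in the rendered manifest: the deny policy contributes
# none and the allow policy exactly two, so a correct render yields 2.
egress_rule_count() {
  egress_policies "$@" | grep -c '^  - to:'
}

# Usage: sh egress-policy.sh apply payments checkout 10.20.0.0/16
# Afterwards, from a checkout pod, a connection to an address outside
# 10.20.0.0/16 should time out, while DNS and HTTPS to the CIDR still work.
if [ "${1:-}" = "apply" ]; then
  shift
  egress_policies "$@" | kubectl apply -f -
fi
```

Two things to keep in mind when using this pattern: the default-deny policy also cuts off DNS for every other pod in the namespace, so each workload needs its own allow policy, and an ipBlock only matches traffic that leaves the pod with that destination address, so cluster-internal services are better allowed via pod or namespace selectors than via CIDRs. Enforcement also depends on the CNI plugin actually implementing NetworkPolicy; the API server accepts the objects regardless.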

NSA guidance on cloud security
Check out the latest guidance from the NSA on how to navigate the cloud securely.

Locking down the Instance Metadata Service: Announcing imds-filterd
imds-filterd is a tool that allows administrators of EC2 instances to lock down which data from the Instance Metadata Service can be accessed by specified system users and groups, thereby making the EC2 Instance Metadata Service compatible with traditional UNIX privilege separation.

An interesting application that simulates an attack against AWS infrastructure.

kube-resource-report is a handy script that generates an HTML report of cluster and pod resource requests (CPU and memory) vs. usage (collected via Metrics API/Heapster). If you are curious, you can check out the sample HTML report.

A little utility that provides an easy way to give all your EC2 instances SSH host certificates: run it in your EC2 user-data script, and it will use AWS KMS to sign the instance's SSH host key. You can then add a @cert-authority line to your ~/.ssh/known_hosts and never be prompted about an unknown host again.
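As an added example (not the utility's own code), here is the OpenSSH host-certificate workflow the utility automates, done with a file-based CA and ssh-keygen instead of KMS: sign a host key with the CA, and emit the @cert-authority line a client puts in known_hosts. The CA name "host-ca", the instance id used as certificate identity and the host-name pattern "*.ec2.internal" are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not the utility's code): the OpenSSH host-certificate workflow
# the utility automates, done here with a file-based CA and ssh-keygen instead
# of KMS. The CA name "host-ca", the instance id and the host-name pattern
# "*.ec2.internal" are illustrative assumptions.
set -eu

# Emit the known_hosts line that makes the client trust any host certificate
# signed by the CA whose public key is in file $1, for host names matching the
# pattern $2. Only the key type and base64 blob are used; the CA file's comment
# field is dropped.
ca_known_hosts_line() {
  printf '@cert-authority %s %s\n' "$2" "$(cut -d' ' -f1,2 "$1")"
}

# Sign host public key $2 with CA private key $1, writing $2 with "-cert.pub" in
# place of ".pub". -h makes it a host (not user) certificate, -I is the
# certificate identity, -n the principals, i.e. the host names the certificate
# is valid for; the client refuses it for any other name.
sign_host_key() {
  ssh-keygen -q -s "$1" -I "$3" -h -n "$4" "$2"
}

# End-to-end check in a scratch directory: create a CA and a host key, sign the
# host key, write the trust line, and confirm the resulting certificate names the
# CA's fingerprint as its signer. Exit status 0 means the chain verified.
demo() {
  dir=$(mktemp -d)
  ssh-keygen -q -t ed25519 -N '' -C host-ca -f "$dir/host_ca"
  ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key"
  sign_host_key "$dir/host_ca" "$dir/ssh_host_ed25519_key.pub" \
    i-0123456789abcdef0 ip-10-0-1-23.ec2.internal
  ca_known_hosts_line "$dir/host_ca.pub" '*.ec2.internal' > "$dir/known_hosts"
  # "ssh-keygen -L" prints a "Signing CA:" line with the signer's fingerprint.
  ca_fp=$(ssh-keygen -l -f "$dir/host_ca.pub" | awk '{print $2}')
  ssh-keygen -L -f "$dir/ssh_host_ed25519_key-cert.pub" | grep -qF "$ca_fp"
  status=$?
  rm -rf "$dir"
  return $status
}
```

On the instance, sshd still has to present the certificate: add `HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub` next to the matching HostKey line in sshd_config and restart sshd. On the client, the @cert-authority pattern must match the name you connect with, and that name must also be one of the certificate's principals; with both in place ssh verifies the CA signature instead of consulting a per-host known_hosts entry, so host keys can be rotated freely without anyone seeing a warning. Keep the CA private key off the instances entirely, which is exactly what delegating the signing to KMS buys you.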

conman - [the] container manager: inception
The first article in a series covering the implementation of a high-level container runtime. If you are wondering what a container manager is, some prominent examples are containerd, cri-o, dockerd, and podman.

From the cloud providers

Results of the 2019 AWS Container Security Survey
AWS conducted an anonymous survey in late 2019 amongst container users on AWS, and the results are quite disconcerting (although I have to admit the sample size is small enough to be close to statistical noise). Among the findings, 83% of respondents admitted they don't employ dynamic/runtime scanning, 89% don't sign their images, and 81% do not manage their supply chain. The questions and results are available on GitHub.

Achieving Operational Resilience in the Financial Sector and Beyond
Amazon has released a new whitepaper, "Amazon Web Services' Approach to Operational Resilience in the Financial Sector and Beyond", in which they discuss how AWS and customers build for resiliency on the AWS cloud.

Azure Security Compass
This is a great presentation from Microsoft, designed to rapidly improve your Azure security posture and help you make the right security decisions, with best practices, options and context/recommendations. As a plus, many of its recommendations are general enough to be abstracted away from Azure and applied to other cloud providers as well.

© 2019-present The Cloud Security Reading List by SecurityBite LTD.