Release Date: 09/02/2020 | Issue: 23
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand curated by Marco Lancini.

This week's articles


An Opinionated Guide to Scaling Your Company's Security
This is an absolute must-read from Clint Gibler (@clintgibler), in which he distills the best insights from a vast number of talks, blog posts, and conversations he has had with security teams at a variety of companies: the practices companies have found to systematically and scalably raise their security bar, rather than one-off wins.


Kubernetes Security monitoring at scale with Sysdig Falco
This post describes how Skyscanner decided to adopt Falco to detect malicious activity in their Kubernetes clusters. The main factors in evaluating different solutions were the ability to scale with their most demanding services, and the option of having an automated way of mapping and contacting the owners of the affected services if anything were to happen.


Open-Sourcing riskquant, a library for quantifying risk
Netflix open-sourced riskquant, a library for quantifying risk and helping teams dig deeper into areas like loss scenarios and risk tolerance. Riskquant takes a list of loss scenarios, each with estimates of frequency, low loss magnitude, and high loss magnitude, and calculates and ranks the annualized loss for all scenarios.


Dufflebag: Uncovering Secrets in Exposed EBS Volumes
Did you know that Elastic Block Store (Amazon EBS) has a "public" mode that makes your virtual hard disk available to anyone on the internet? Apparently, hundreds of thousands of others didn't either, because they're out there exposing secrets for everyone to see. To help identify these exposed EBS volumes and allow individuals and businesses to secure their secrets, the Bishop Fox team developed Dufflebag, an open source tool which searches exposed EBS volumes for secrets.


Backdooring Route 53 With Cross Account DNS
As perfectly summarized by Scott Piper, if an attacker compromises your AWS account, they can backdoor the DNS responses you'll get with little chance of you noticing: the change shows up in CloudTrail logs, but there is no API to review the resulting configuration, only manual web console browsing.


Contrasting Transparent Logs And The Update Framework
Both Transparent Logs and The Update Framework were designed to protect end-users from a compromise of package repositories, but ultimately reflect different assumptions about how security should be managed. Transparent Logs are better at providing an immutable history of packages, which lends itself to third-party auditing. The Update Framework is better at providing a higher degree of compromise resilience, as well as built-in procedures for recovering from a compromise. One can obtain the best of both worlds by combining both systems.


Defense and Detection for Attacks Within Azure
This article gives an overview of the native Activity Log service functionality within Azure and provides insights into how to detect many TTPs, as well as suggestions on how to acquire more details out of the Activity Log service.


ALB authentication with G Suite SAML using Cognito
This is the story of how Alex Smolen tried (and failed) to get G Suite SAML plugged into ALB authentication via Cognito.


kubeform
Kubeform provides auto-generated Kubernetes CRDs for Terraform resources and modules so that you can manage any cloud infrastructure in a Kubernetes-native way. You write a custom resource describing the cloud infrastructure you need, apply it, and Kubeform creates it for you.


Understanding Kubernetes limits and requests by example
Another explanatory post from the Sysdig team, in which they explain how to properly set Kubernetes limits and requests.

From the cloud providers


Architecting for PCI DSS Segmentation and Scoping on AWS
AWS has published a whitepaper, "Architecting for PCI DSS Scoping and Segmentation on AWS", to provide guidance on how to properly define the scope of your PCI DSS workloads running on the AWS Cloud. The whitepaper looks at how to define segmentation boundaries between your in-scope and out-of-scope resources using cloud native AWS services.


Automated Response and Remediation with AWS Security Hub
AWS Security Hub is a service that gives you aggregated visibility into your security and compliance status across multiple AWS accounts. In addition to consuming findings from Amazon services and integrated partners, Security Hub gives you the option to create custom actions, which allow a customer to manually invoke a specific response or remediation action on a specific finding. You can send custom actions to Amazon CloudWatch Events as a specific event pattern, allowing you to create a CloudWatch Events rule that listens for these actions and sends them to a target service, such as a Lambda function or Amazon SQS queue.
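The custom-action flow described above, as an added example (not code from the page or from AWS): the CloudWatch Events pattern a rule would use to receive findings forwarded through one custom action, a matcher implementing the basic top-level pattern semantics, and a Lambda-style target that extracts the finding IDs. The account ID, region, action name and sample event are constructed placeholders.

```python
"""Added example (not from the page or AWS): a CloudWatch Events pattern for
Security Hub custom actions, a matcher for its top-level semantics, and a
Lambda-style handler. Account, region, action name and the sample event are
constructed placeholders."""
from typing import Any, Dict, List

# Event pattern a CloudWatch Events rule would use so that only findings a
# user forwarded through this specific custom action reach the target.
CUSTOM_ACTION_ARN = "arn:aws:securityhub:us-east-1:111122223333:action/custom/RemediateS3"
EVENT_PATTERN: Dict[str, List[str]] = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Custom Action"],
    "resources": [CUSTOM_ACTION_ARN],
}


def matches_pattern(event: Dict[str, Any], pattern: Dict[str, List[str]]) -> bool:
    """Top-level matching: every key in the pattern must be present in the
    event and at least one listed value must equal the event's value. For a
    list-valued field such as "resources", any element may match."""
    for key, allowed in pattern.items():
        value = event.get(key)
        values = value if isinstance(value, list) else [value]
        if not any(v in allowed for v in values):
            return False
    return True


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Lambda-style target: drop anything the rule should not have delivered,
    then return the action name and finding IDs for a remediation step."""
    if not matches_pattern(event, EVENT_PATTERN):
        return {"action": None, "finding_ids": []}
    detail = event.get("detail", {})
    findings = detail.get("findings", [])
    return {
        "action": detail.get("actionName"),
        "finding_ids": [f["Id"] for f in findings if "Id" in f],
    }


# Constructed sample event in the shape Security Hub emits for a custom action.
SAMPLE_EVENT: Dict[str, Any] = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Custom Action",
    "resources": [CUSTOM_ACTION_ARN],
    "detail": {
        "actionName": "RemediateS3",
        "actionDescription": "Constructed sample action",
        "findings": [{"Id": "arn:aws:securityhub:us-east-1:111122223333:subscription/finding-1"}],
    },
}
```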


Use AWS Secrets Manager client-side caching libraries to improve the availability and latency of using your secrets
AWS Secrets Manager introduced a client-side caching library for Java and a set of JDBC drivers that make it easier to distribute credentials to your applications.


Unify Kubernetes and GCP resources for simpler and faster deployments
Google announced the general availability of Config Connector, which lets you manage GCP resources as Kubernetes resources, giving you a single place to configure your entire application.


Introducing Config Sync
Google also introduced "Config Sync", which lets you sync Kubernetes objects and namespaces across multiple clusters in your fleet from a single source of truth (a Git repo).

Copyright © 2019-present The Cloud Security Reading List.