Release Date: 16/02/2020 | Issue: 24
The Cloud Security Reading List is a low-volume mailing list (once per week) that highlights security-related news focused on the cloud-native landscape,
hand-curated by Marco Lancini.

This week's articles


Privilege escalation and post exploitation tactics in GCP environments
Red teaming or pentesting the Google Cloud Platform? This is a very well-written tutorial on privilege escalation and post-exploitation tactics by GitLab.


Attacker's Tactics and Techniques in Unsecured Docker Daemons Revealed
Between September and December 2019, Unit 42 researchers periodically scanned and collected metadata from Docker hosts exposed to the internet (largely due to inadvertent user errors). This research reveals some of the tactics and techniques used by attackers in the compromised Docker engines.


AWS Automated Remediation - Part 1: Security Groups
First in a multi-part series where we develop a fully customized system to automatically remediate high-risk findings. The first part focuses on creating a system that automatically removes open security groups.


AWS S3 Encryption Mechanisms Infographic
Really nice infographic to help you understand how the encryption & decryption process works for the 5 types of AWS S3 encryption mechanisms.


How to make the most out of AWS Guard Duty
It's all about understanding the data and instead of trying to treat them all the same, handle them differently based on the environment.


sentinel-attack
Repository of Sentinel alerts and hunting queries leveraging Sysmon and the MITRE ATT&CK framework.


peerd
peerd is an AWS VPC Peering Connection management tool. It creates meshes of VPCs from a yaml file, and manages the full lifecycle of creation, deletion and route table updates needed to make VPC peerings useful across accounts and regions.


Sync routes across route tables with AWS Sync Routes
aws-sync-routes synchronizes the specified route from the main/default route table to all custom route tables in the VPC.


SSH over AWS SSM
Configure SSH and use AWS SSM to connect to instances. No bastions or public-facing instances. SSH user management through IAM. No requirement to store SSH keys locally or on server.


Introducing Varna: Cheap, Easy & Quick AWS CloudTrail Monitoring
Varna is a tool that is meant to monitor AWS CloudTrail logs with support for custom rules while remaining easy to deploy and cheap to run. Varna uses Event Query Language (EQL) as its query language of choice for writing rules.


Logquacious (lq)
Logquacious is an open source, fast, and simple log viewer written at Cash App. It supports reading structured log entries directly from an Elasticsearch log store.

From the cloud providers


How to use AWS KMS and AWS IAM to enable independent security controls for encrypted data in S3
Typically, when you protect data in S3, you use a combination of IAM policies and S3 bucket policies to control access, and you use AWS KMS to encrypt the data. However, many customers want to extend the value of encryption beyond basic protection against unauthorized access to the storage layer where the data resides. They want to enforce a separation of duties between the team that manages access to the storage layer and the team that manages access to the encryption keys.


Use AWS CloudFormation StackSets for Multiple Accounts in an AWS Organization
CloudFormation StackSets allows you to roll out CloudFormation stacks over multiple AWS accounts and in multiple Regions. Since the launch of AWS Organizations, you can centrally manage multiple AWS accounts across diverse business needs including billing, access control, compliance, security and resource sharing.


AWS Security Hub adds 15 new resources
AWS Security Hub released updates and additions to AWS Security Finding Format (ASFF) that enable integrated Security Hub partners to send richer, more detailed findings to Security Hub.


Exploring Container Security: Run what you trust; isolate what you don't
Some advice on how to protect your Kubernetes environment, plus a breakdown of recent GKE features and resources (e.g., Shielded GKE Nodes, Workload Identity, GKE Sandbox).


Best practices for enterprise multi-tenancy
This guide provides best practices to safely and efficiently set up multiple multi-tenant clusters for an enterprise organization.


Understanding data pipeline security in Cloud Data Fusion
Some tips on how to build more secure ELT and ETL pipelines in Cloud Data Fusion.


VS Code extension for managing Azure resource groups
Manage Azure Resource Groups directly from VSCode.

Copyright © 2019-present The Cloud Security Reading List.