Release Date: 23/02/2020 | Issue: 25
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape, hand-curated by Marco Lancini.

This week's articles


Deep Dive into Real-World Kubernetes Threats
Companion blog post for the "Command and KubeCTL: Real-World Kubernetes Security for Pentesters" talk from Shmoocon 2020, covering the case study presented in the talk. I really like the walkthrough/scenario-based style of the slides by the way. (Slides and demos also provided)


Hacking AWS Cognito Misconfigurations
A case study of AWS account takeover via misconfigured AWS Cognito.


Top level dependency graph for Kubernetes
Ever wondered what the top-level dependencies of Kubernetes are? You can now have a look at this diagram.


Simple DLP for AWS S3
When discussing the risk S3 buckets pose to organizations, most of the discussion is around public buckets and inadvertently exposed access. But what about data exfiltration by attackers who have gained access through some other attack vector? This blog post looks at a simple way to detect cross-account exfiltration from S3 buckets.


So you want to learn Azure Security?
Introductory post referencing multiple resources and links useful to get started with Azure security.


Architecting for Multicluster Kubernetes
Recently, the Linkerd community has been spending time tackling the challenge of multicluster Kubernetes. In this blog post, they outline the minimal requirements of a multi-cluster solution that makes cross-cluster traffic more reliable, secure and observable. In subsequent blog posts, they'll address some of the implementation choices.


Accessing Secret Manager from Terraform
This post explores how to access Secret Manager secrets from Terraform. Full sample code is also available on GitHub.


Kubernetes Virtual Cluster
Virtual cluster is a mechanism to achieve hard multi-tenancy in Kubernetes using nested clusters: the parent cluster can create child clusters that share the same common resources, while the control plane is isolated for each tenant.

From the cloud providers


AWS Compliance Center
The AWS Compliance Center offers a central location to research cloud-related regulatory requirements and how they impact different industries. Select the country you are interested in, and the AWS Compliance Center will display the country’s regulatory position regarding the adoption of cloud services.


How to define least-privileged permissions for actions called by AWS services
AWS IAM now includes condition keys that make it easier to grant only the minimum level of access necessary for IAM principals (users and roles) and for the AWS services that act on their behalf. Using the aws:CalledVia condition key, you can create distinct access rules for the actions performed directly by your IAM principals and for the subsequent actions taken by AWS services on your behalf. You could, for example, enforce that all actions for a principal are to or via CloudFormation.
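As an added illustration of the CloudFormation case described above (this policy is written for this summary and is not taken from the AWS post), the following IAM policy allows a principal to call CloudFormation directly, and allows a hypothetical set of other service actions only when the request arrives via CloudFormation. The service list and the wildcard resources are assumptions for the example; in a real policy the actions and ARNs would be scoped down further.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DirectCallsAllowedOnlyToCloudFormation",
      "Effect": "Allow",
      "Action": "cloudformation:*",
      "Resource": "*"
    },
    {
      "Sid": "OtherServicesAllowedOnlyWhenCalledViaCloudFormation",
      "Effect": "Allow",
      "Action": [
        "sqs:*",
        "sns:*",
        "dynamodb:*"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cloudformation.amazonaws.com"
        }
      }
    }
  ]
}
```

Two points worth checking when adopting this pattern: aws:CalledVia is a multivalued key, so the condition uses the ForAnyValue set operator rather than a plain StringEquals; and when the principal calls SQS, SNS or DynamoDB directly, the key is simply absent from the request context, so the second statement does not match and the call is denied unless some other policy allows it, which is the least-privilege behaviour the post describes.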


How to use the AWS Security Hub PCI DSS v3.2.1 standard
AWS added partial support for PCI DSS version 3.2.1 requirements to AWS Security Hub. This post covers how to use the AWS Security Hub PCI DSS v3.2.1 standard, interpret your security score, remediate failed security checks, and more.


Manage your AWS KMS API request rates using Service Quotas and Amazon CloudWatch
AWS KMS publishes API usage metrics to Amazon CloudWatch and Service Quotas, allowing you to both monitor and manage your AWS KMS API request rate quotas. This functionality helps you understand trends in your usage of KMS and can help prevent API request throttling.


New Application Manager brings GitOps to Google Kubernetes Engine
Google released Application Manager, an application delivery solution delivered as an add-on to GKE. Now available in beta, Application Manager allows developers to easily create a dev-to-production application delivery flow, while incorporating Google's best practices for managing release configurations.


Now GA: Managed Service for Microsoft Active Directory (AD)
Managed Service for Microsoft AD can help you manage authentication and authorization for your AD-dependent workloads, automate AD server maintenance and security configuration, and connect your on-premises AD domain to the cloud.


Azure Firewall Manager now supports virtual networks
Last November Microsoft introduced Azure Firewall Manager preview for Azure Firewall policy and route management in secured virtual hubs. This week, the Azure Firewall Manager preview has been extended to include automatic deployment and central security policy management.

Copyright © 2019-present The Cloud Security Reading List.