Release Date: 08/03/2020 | Issue: 27
The Cloud Security Reading List is a low-volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape, hand-curated by Marco Lancini.

This week's articles


A Survey of Istio's Network Security Features
Great write-up of Istio's security misconfigurations and bypasses of policies. In particular, it focuses on the Istio security features used to control service network interactions. The post also walks through lab-based examples to concretely illustrate the limits of each of these features, possible misconfigurations, and what can be done to ensure operators' intended security goals are met.


App-Layer Encryption in AWS
CashApp's first blog post in a series on how they are making App-Layer Encryption easy for engineers building services in the cloud.


Continuous Cloud Security Monitoring (CCSM)
AppSec Cali 2020 talk which provides a summary of Continuous Cloud Security Monitoring (CCSM) strategies, techniques, and best practices so you don't have to spend the next 12 months reading AWS white papers. Takeaways from this presentation will be methods to immediately apply logging, monitoring, alerting, and Honey[Things] to detect and respond to threats in AWS environments.


Everyone might be a cluster-admin in your Kubernetes cluster
By default, Kubernetes is fairly secure: every namespace gets a default service account, which has no assigned permissions. But many apps and manifests people blindly deploy into their clusters affect the RBAC controls in ways the users may not even understand. k8s-pod-rbac-breakout is a project meant to demonstrate how one particular Kubernetes visualization tool gives every pod running in the default namespace full cluster-admin privileges, so any pod would then be able to do almost anything to almost any resource in the cluster!


Advanced Persistence Threats: The Future of Kubernetes Attacks
As Kubernetes grows in popularity, the sophistication of attackers will improve, and security by obscurity will no longer be sufficient. What could an attacker who understands Kubernetes at a deep level be capable of? This talk explores the dark corners of clusters and shines a light on several new advanced attacks on Kubernetes.


GitOps Security with k8s-security-configwatch
The k8s-security-configwatch GitHub Action aims to help secure your GitOps workloads by detecting changes to your Kubernetes security configuration.


Kubernetes Attack Surface
Slides covering some of the Attack Surface of Kubernetes as well as some hardening.


Attacking and defending the GCP metadata API
This repository gives an overview of some (GCP specific) metadata API attack and defence patterns.


On-Demand Container Scanning API
scan.vulnerablecontainers.org is an open Python API built with Trivy, Flask, Gunicorn, and Nginx. For now it has two public endpoints (more endpoints and tools are coming): the first returns a Trivy report of all open vulnerabilities for the specified container, while the second returns a list of open CVEs on the container.


Istio in 2020 - Following the Trade Winds
The Istio project just consolidated its control plane services (Pilot, Citadel, Galley, and the sidecar injector) into a single binary, Istiod.

From the cloud providers


AWS Security Fundamentals (Second Edition)
Self-paced, free, online course to learn fundamental AWS security concepts, including access control, data encryption methods, and how network access to your AWS infrastructure can be secured.


How to run AWS CloudHSM workloads on AWS Lambda
When the service first launched, many customers ran CloudHSM workloads on EC2. Today, many people want to use CloudHSM for serverless workloads on AWS Lambda, but with Lambda there is no instance on which to install the CloudHSM client. This blog post shows a workaround that satisfies the CloudHSM client installation requirement on Lambda functions, so that CloudHSM workloads can run within those functions.


Access Logging Made Easy with AWS App Mesh and Fluent Bit
Want to learn how to implement consistent logging across your containerized applications? This blog post explains how to do it with AWS App Mesh, Envoy and Fluent Bit.


ML-based Network Anomaly Detection solution
An anomaly detection solution using Dataflow, BigQuery, Pub/Sub and Cloud DLP has been open sourced, implementing a Telco network traffic use case.


Container security in Security Center
Microsoft announced the general availability of vulnerability scanning for Containers in Azure Security Center.


Preview of Active Directory authentication support on Azure Files
Microsoft announced the preview of Azure Files Active Directory (AD) authentication. You can now mount your Azure Files using AD credentials with the exact same access control experience as on-premises. You may leverage an Active Directory domain service (AD DS) either hosted on-premises or on Azure for authenticating user access to Azure Files.

Copyright © 2019-present The Cloud Security Reading List.