Release Date: 22/03/2020 | Issue: 29
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, you can sign up here.

This week's articles

Gaining AWS Console Access via API Keys
While performing penetration tests, active IAM credentials are often found in a variety of ways. These credentials can then be used to perform privileged actions against AWS services within an AWS account. This post goes through the process of gaining access to the AWS console using leaked API credentials and introduces a tool (AWS Consoler) that automatically converts CLI credentials into AWS console access.

Recommended Steps to Secure a DigitalOcean Kubernetes Cluster
The objective of this article is to provide a solid security foundation for a DigitalOcean Kubernetes cluster. Note that this tutorial covers basic security measures for Kubernetes, and is meant to be a starting point rather than an exhaustive guide.

Understanding Terraform state
Very interesting post explaining how the Terraform state works, how to inspect it, how to move and rename resources, and even delete them.

Continuously monitor AWS services for configurations that can lead to degradation of confidentiality, integrity, or availability, with results sent to Security Hub.

Kubernetes by Parts
This tutorial builds on the legacy of Kubernetes The Hard Way by Kelsey Hightower. While KTHW is a great resource, it is aging and does not use many of the newer Kubernetes features that make manual cluster deployment both easier and more robust.

Building a Repeatable and Hardened Vault POC
Learn some simple, low-effort steps to build a production-hardened proof-of-concept Vault deployment.

Creating Workspaces with the HashiCorp Terraform Operator for Kubernetes
The HashiCorp Terraform Operator for Kubernetes leverages the benefits of Terraform Cloud with a first-class Kubernetes experience. This new Operator lets you define and create infrastructure as code natively in Kubernetes by making calls to Terraform Cloud.

Introduction to Security Contexts and SCCs
RBAC is a good control to apply at the container platform level (Kubernetes), but it does not apply to the underlying nodes. A Pod may be prevented by RBAC from deleting an object in etcd through the API, yet still be able to delete important files on the node and even stop the kubelet if it is built to do so. To prevent this scenario, SCCs (Security Context Constraints) can come to the rescue.

EKS RBAC: How to use IAM roles for Service accounts
This article explains how to use IAM roles for service accounts in EKS clusters in order to provide fine-grained permissions to pods.

Deprek8ion Policies
Another cool Open Policy Agent use case: a set of Rego policies to monitor Kubernetes API deprecations.

Knative Eventing Delivery Methods
Knative Eventing has event sources, services, channels, subscriptions, brokers and triggers. It can be confusing. This blog post explains the delivery methods in Knative Eventing and when to use what.

From the cloud providers

Amazon GuardDuty Price Reduction
Amazon GuardDuty introduces new pricing with an additional volume discount tier for threat detection.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.