Release Date: 22/03/2020 | Issue: 29
The Cloud Security Reading List is a low-volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand-curated by Marco Lancini.

This week's articles


Gaining AWS Console Access via API Keys
While performing penetration tests, active IAM credentials are often found in a variety of ways. These credentials can then be used to perform privileged actions against AWS services within an AWS account. This post walks through the process of gaining access to the AWS console using leaked API credentials and introduces a tool (AWS Consoler) that automatically converts CLI credentials into AWS console access.


Recommended Steps to Secure a DigitalOcean Kubernetes Cluster
The objective of this article is to provide a solid security foundation for a DigitalOcean Kubernetes cluster. Note that this tutorial covers basic security measures for Kubernetes, and is meant to be a starting point rather than an exhaustive guide.


Understanding Terraform state
Very interesting post explaining how the Terraform state works, how to inspect it, how to move and rename resources, and even delete them.


ElectricEye
Continuously monitor AWS services for configurations that can lead to degradation of confidentiality, integrity, or availability, with results sent to Security Hub.


Kubernetes by Parts
This tutorial builds on the legacy of Kubernetes The Hard Way by Kelsey Hightower. While KTHW is a great resource, it is aging and does not use many of the newer Kubernetes features that make manual cluster deployment both easier and more robust.


Building a Repeatable and Hardened Vault POC
Learn some simple, low-effort steps to build a production-hardened proof-of-concept Vault deployment.


Creating Workspaces with the HashiCorp Terraform Operator for Kubernetes
The HashiCorp Terraform Operator for Kubernetes leverages the benefits of Terraform Cloud with a first-class Kubernetes experience. This new Operator lets you define and create infrastructure as code natively in Kubernetes by making calls to Terraform Cloud.


Introduction to Security Contexts and SCCs
RBAC is a good control to apply at the container platform level (Kubernetes), but it does not apply to the underlying nodes. For example, a Pod may be unable to delete an object in etcd through the API because RBAC restricts it, yet it may still delete important files on the node and even stop the kubelet if it is built to do so. To prevent this scenario, SCCs (Security Context Constraints) can come to the rescue.


EKS RBAC: How to use IAM roles for Service accounts
This article explains how to use IAM roles for service accounts in EKS clusters in order to grant fine-grained permissions to pods.


Deprek8ion Policies
Another cool Open Policy Agent use case: a set of Rego policies to monitor Kubernetes API deprecations.


Knative Eventing Delivery Methods
Knative Eventing has event sources, services, channels, subscriptions, brokers and triggers. It can be confusing. This blog post explains the delivery methods in Knative Eventing and when to use what.

From the cloud providers


Amazon GuardDuty Price Reduction
Amazon GuardDuty introduces new pricing with an additional volume discount tier for threat detection.

Copyright © 2019-present The Cloud Security Reading List.