Release Date: 29/03/2020 | Issue: 30
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand-curated by Marco Lancini.

This week's articles


AWS SCP Best Practices
AWS Service Control Policies (SCPs) are a way of restricting the actions that can be taken in an AWS account so that all IAM users and roles, and even the root user cannot perform them. This high quality article from SummitRoute points out important concepts of SCPs and then provides example SCPs that can be used.


What is your GCP infra worth?...about ~$700
A tale of how GCP service account keys left exposed in a Jupyter notebook led to an environment compromise.


Running Kubernetes clusters at scale: Square
How Cash App built its stack on top of Amazon EKS while leveraging AWS's managed services. If you run any application at scale that requires operational excellence and fine-grained security policies, these slides might be of interest to you.


MKIT
MKIT is a "Managed Kubernetes Inspection Tool" that validates several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.


How to Embezzle Money Using Amazon AMIs
Do you restrict which Amazon Machine Images (AMIs) your users can deploy within your AWS accounts? Why does it matter?


Writing Kubernetes network policies with Inspektor Gadget's Network Policy Advisor
Inspektor Gadget is a collection of gadgets for debugging and introspecting Kubernetes applications using BPF. One of the newest gadgets helps to write proper Kubernetes network policies: let Inspektor Gadget monitor and analyse the network traffic so it can suggest network policies itself.


Announcing the Zeek Agent
The Zeek Network Security Monitor provides a powerful open-source platform for network traffic analysis, but lacks access to host-level semantics. The new Zeek Agent fills this gap by collecting endpoint data through custom probes and, optionally, by interfacing to osquery.


What's New in Kubernetes 1.17: A Deeper Look at New Features
The release of Kubernetes 1.17 introduces several new features and sees others maturing toward or into general availability. This recap provides a rundown of some of the most notable changes, which include: major improvements in cluster network and routing controls and scalability, new capabilities in cluster storage, pod scheduling and runtime options, and better custom resource support.


Rego Playground: New Features
New features for OpenPolicyAgent's Rego playground have just been released: common examples for kubernetes/envoy/app authorization, bundle serving to help you kick the tires, and improved support for context-aware policies.


Docker Desktop Local Privilege Escalation (CVE-2020-10665)
The diagnostics functionality of Docker Desktop for Windows executes privileged operations under a folder that is controllable by standard users who are members of the 'docker-users' group, leading to an arbitrary DACL permissions overwrite.


Multiple DoS Vulnerabilities Affecting Kubernetes
Two DoS vulnerabilities affecting different components of Kubernetes: one in the kubelet, and one in the API server.

From the cloud providers


Top 10 security items to improve in your AWS account
If you're looking to improve your cloud security, a good place to start is to follow the top 10 most important cloud security tips that Stephen Schmidt, Chief Information Security Officer for AWS, laid out at AWS re:Invent 2019.


Use AWS Lambda authorizers with a third-party identity provider to secure Amazon API Gateway REST APIs
How an organization using a third-party identity provider can use AWS Lambda authorizers to implement a standard token-based authorization scheme for REST APIs that are deployed using API Gateway.


Connect to Amazon Athena Using an Interface VPC Endpoint
Improve Athena's security by connecting to it directly through an interface VPC endpoint instead of publicly over the internet.


Important AWS Certification Updates
Among other changes: all exams are now available via online proctoring, and certification expiration dates and benefits have been extended.

Copyright © 2019-present The Cloud Security Reading List.