Release Date: 05/04/2020 | Issue: 31
The Cloud Security Reading List is a low-volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape, hand-curated by Marco Lancini.

This week's articles


Isolated networks on AWS
It is possible on AWS to have an isolated network where you cannot communicate in or out except through limited, controlled pathways. Setting something like this up has some gotchas. This post provides a CDK app to help you experiment and see these issues for yourself, with discussions of the gotchas, their mitigations, and limitations of those mitigations.


Attack matrix for Kubernetes
Microsoft created the first Kubernetes attack matrix: an ATT&CK-like matrix comprising the major techniques that are relevant to container orchestration security, with focus on Kubernetes.




HashiCorp Vault: Delivering Secrets with Kubernetes
Walkthrough example of the HashiCorp Vault and Kubernetes sidecar injection integration method: delivering database credentials from Vault to a Kubernetes pod using the Vault Agent Sidecar Injector.


The Need for A Cloud Native Tunnel
Inlets is a Cloud Native Tunnel written in Go, which creates a tunnel between two networks using a websocket and optional TLS for encryption. The main use-case for inlets is to expose a private API or service on the Internet, or to gain incoming network access (ingress) to a private network.


They told me I could be anything, so I became a Kubernetes node
How K3s can serve as an easy command and control (C2) mechanism to remotely control compromised Linux machines.


Kpt: Packaging up your Kubernetes configuration with git and YAML since 2014
Kpt is an OSS tool from Google for Kubernetes packaging that uses a standard format to bundle, publish, customize, update, and apply configuration manifests.


Using an Image Release Process for Security Wins
Walkthrough of a secure HashiCorp Packer image release process for an AWS environment.


Provisioning cloud resources (AWS, GCP, Azure) in Kubernetes
This article explores the Service Catalog and other alternatives on how to provision cloud resources in Kubernetes.


How to detect outdated Kubernetes APIs
Deprek8 is a set of Open Policy Agent (OPA) policies that allow you to check your repository for deprecated API versions. These policies offer a way to provide warnings and errors when something is in the process of being or has already been deprecated.


AWS Phishing Emails
This post describes a very sophisticated phishing attack that appears to have originated from AWS, and concludes with mitigations against phishing attempts aimed at compromising your AWS accounts.


Tint: Multi-Cloud Cost Visualization for Terraform
Terraform Cloud recently added a new feature called Cost Estimation, which allows you to integrate cloud infrastructure spend estimates into your provisioning workflow and Sentinel policies.


HashiCorp Nomad Audit Logging
Nomad is the first HashiCorp product outside of Vault to have a real audit log.


SSRF via Neo4j query on AWS EC2
SSRF via Neo4j query on AWS EC2 by kmcquade3 that fits in a tweet!


HashiCorp Joins the CNCF
To further HashiCorp product integrations with the Cloud Native Computing Foundation (CNCF) projects and to work more closely with the broad community of cloud engineers, HashiCorp joined the CNCF.

From the cloud providers


AWS: Amazon Detective – Rapid Security Investigation and Analysis
Amazon Detective is a fully managed service that automates the heavy lifting involved in processing large quantities of AWS log data to determine the cause and impact of a security issue. Once enabled, Detective automatically begins distilling and organizing data from Amazon GuardDuty, AWS CloudTrail, and Amazon Virtual Private Cloud Flow Logs into a graph model that summarizes the resource behaviors and interactions observed across your entire AWS environment.


AWS: Use AWS IAM Access Analyzer in AWS Organizations
Access Analyzer helps you quickly identify when resources in your organization can be accessed from outside of your AWS Organization.


AWS: Updated data classification whitepaper
The Secure Cloud Adoption: Data Classification whitepaper has been updated: read it to get how-to steps for classifying data, see examples of data types relative to their classification levels, and learn about global best practices.


AWS: TLS 1.2 to become the minimum for all AWS FIPS endpoints
TLS 1.2 will become the minimum protocol version for all AWS FIPS endpoints. This update will deprecate the ability to use TLS 1.0 and TLS 1.1 on all FIPS endpoints across all AWS Regions by March 31, 2021.


GCP: Introducing Service Directory: Manage all your services in one place at scale
Service Directory is a new managed solution that helps publish, discover, and connect services in a consistent and reliable way, regardless of the environment and platform in which they are deployed.


Azure: Protecting your Teams with Azure Sentinel
How to collect Microsoft Teams data and monitor for suspicious activity.


Azure: Security Documentation Hub
Microsoft just published a new security docs site to make it easier to access resources, plus 55 new videos on Security Best Practices.

Copyright © 2019-present The Cloud Security Reading List.