Release Date: 19/04/2020 | Issue: 33
The Cloud Security Reading List is a low-volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.

This week's articles


The undetectable way of exporting an AWS DynamoDB
This post describes a limitation in AWS CloudTrail logging (as of this issue) that limits the ability to detect abuse of AWS DynamoDB if a user's AWS IAM keys are compromised: CloudTrail records DynamoDB control-plane (management) API calls but not data-plane reads, so scanning or reading a table, for example through the awscli, leaves no trace in CloudTrail.


SkyWrapper
SkyWrapper is an open source project that analyzes the behavior of temporary tokens created in a given AWS account. It looks for suspicious ways in which temporary tokens are created and used, in order to detect malicious activity in the account.


Breaking and Pwning Apps and Servers on AWS and Azure
Free course content, lab setup instructions, and documentation for a hands-on training.


Enforcing AWS S3 Security Best Practices Using Terraform & Sentinel
Unsecured AWS S3 buckets are behind many of today's cloud security breach headlines. This blog post shows how to use Terraform and Sentinel to ensure that every provisioned S3 bucket complies with security best practices.


Amazon EKS Security Best Practices
Lessons learned and best practices for engineers running workloads on EKS clusters.


RBAC.dev
A site dedicated to good practices and tooling around Kubernetes RBAC.


AWS Account Controller
An interesting account controller that exposes an AWS SSO application through which federated users can create or delete ephemeral sandbox accounts.


guard
Guard is a Kubernetes webhook authentication server: with it, you can log into your Kubernetes cluster through auth providers such as Azure and Google.


Implementing a custom Kubernetes authentication method
How to implement LDAP authentication for Kubernetes as a custom authentication method.


Fully automated creation of an AAD-integrated Kubernetes cluster with Terraform
Terraform sample for an out-of-the-box, AAD-integrated AKS/Kubernetes cluster: create a Kubernetes cluster with Terraform, integrate it with Azure Active Directory, add an AAD group, and bind that group to the cluster-admin role.


Creating Exceptions Lists for Conftest in Rego
An interesting article on how to create exception lists for Conftest in Rego, so that the decision about what is exempt from a policy is offloaded from your code into data.
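As an added example that serves both the S3 entry above and this one (it is not code from either linked post; the S3 post uses HashiCorp Sentinel, which is swapped here for Conftest and Rego, the policy language the Conftest article covers), the policy below enforces four S3 guardrails on the JSON form of a Terraform plan and reads its exception list from data rather than from the policy. The plan JSON layout, the rule suffixes, the `exceptions.yaml` file and the sample plan in the comments are all constructed for this example.

```rego
# Conftest policy (added example; not the linked posts' code).
# Input: the JSON form of a Terraform plan, produced with
#   terraform plan -out tfplan && terraform show -json tfplan > plan.json
# Run:  conftest test plan.json --data exceptions.yaml
#
# exceptions.yaml (constructed; --data exposes it as data.exceptions).
# Keys are Terraform resource addresses, values list the waived rule
# suffixes with a reason, so the policy never has to change for a waiver:
#   exceptions:
#     aws_s3_bucket.public_site:
#       - rule: no_versioning
#         reason: "static site content is rebuilt from source control"
#
# Minimal constructed plan.json for a quick run (three resources):
#   {"resource_changes": [
#     {"address": "aws_s3_bucket.public_site", "type": "aws_s3_bucket",
#      "change": {"actions": ["create"],
#                 "after": {"bucket": "public-site", "acl": "public-read"}}},
#     {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
#      "change": {"actions": ["create"],
#                 "after": {"bucket": "logs", "acl": "private",
#                           "versioning": [{"enabled": true}],
#                           "server_side_encryption_configuration": [{"rule": [
#                             {"apply_server_side_encryption_by_default":
#                               [{"sse_algorithm": "aws:kms"}]}]}]}}},
#     {"address": "aws_s3_bucket_public_access_block.logs",
#      "type": "aws_s3_bucket_public_access_block",
#      "change": {"actions": ["create"],
#                 "after": {"bucket": "logs", "block_public_acls": true,
#                           "block_public_policy": true, "ignore_public_acls": true,
#                           "restrict_public_buckets": true}}}]}
package main

# Every aws_s3_bucket the plan creates, updates, or leaves in place.
s3_buckets[rc] {
  rc := input.resource_changes[_]
  rc.type == "aws_s3_bucket"
  rc.change.actions[_] != "delete"
}

# Bucket names covered by a public access block with all four settings on.
# Caveat: a bucket name that is only computed at apply time is reported in
# change.after_unknown, not change.after, and will not match here.
fully_blocked[bucket] {
  rc := input.resource_changes[_]
  rc.type == "aws_s3_bucket_public_access_block"
  after := rc.change.after
  after.block_public_acls
  after.block_public_policy
  after.ignore_public_acls
  after.restrict_public_buckets
  bucket := after.bucket
}

# True when the exception list (data, not code) waives `rule` for `address`.
# Checked per resource address, so one waived bucket does not exempt the plan.
excepted(address, rule) {
  entry := data.exceptions[address][_]
  entry.rule == rule
}

# A bucket with no acl attribute is left alone: the AWS default is private.
deny_public_acl[msg] {
  rc := s3_buckets[_]
  rc.change.after.acl != "private"
  not excepted(rc.address, "public_acl")
  msg := sprintf("%s: ACL %q is not private", [rc.address, rc.change.after.acl])
}

deny_unencrypted[msg] {
  rc := s3_buckets[_]
  not rc.change.after.server_side_encryption_configuration[0].rule[0].apply_server_side_encryption_by_default[0].sse_algorithm
  not excepted(rc.address, "unencrypted")
  msg := sprintf("%s: no default server-side encryption configured", [rc.address])
}

deny_no_versioning[msg] {
  rc := s3_buckets[_]
  not rc.change.after.versioning[0].enabled
  not excepted(rc.address, "no_versioning")
  msg := sprintf("%s: versioning is not enabled", [rc.address])
}

deny_no_public_access_block[msg] {
  rc := s3_buckets[_]
  not fully_blocked[rc.change.after.bucket]
  not excepted(rc.address, "no_public_access_block")
  msg := sprintf("%s: no aws_s3_bucket_public_access_block with all four settings true", [rc.address])
}
```

Against the constructed plan, `aws_s3_bucket.logs` passes every rule, while `aws_s3_bucket.public_site` fails `deny_public_acl`, `deny_unencrypted` and `deny_no_public_access_block`; its missing versioning is waived because `exceptions.yaml` lists `no_versioning` for that address. Adding or removing a waiver is a change to the data file, reviewed like any other change, and leaves the policy untouched.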


Kubernetes Networking Demystified: A Brief Guide
Kubernetes cluster networking can be more than a bit confusing. In this article you will follow the journey of an HTTP request to a service running on a basic Kubernetes cluster.

From the cloud providers


[AWS] How to define least-privileged permissions for actions called by AWS services
How to restrict actions on your AWS resources so that they are allowed only when performed on your behalf by specific AWS services, keeping the permissions least-privileged.


[AWS] Enable automatic logging of web ACLs by using AWS Config
How to use AWS Config rules with auto-remediation to ensure that every AWS WAF web ACL has logging enabled. The AWS CloudFormation template included in the post deploys the solution and lets you manage web ACL logging at scale.


[AWS] AWS Storage Gateway adds File Gateway audit logs
AWS Storage Gateway now supports logging end-user operations on files and folders in SMB file shares served by a File Gateway.


[AWS] Extend a self-managed Active Directory to AWS Control Tower
Already using Microsoft Active Directory? This step-by-step tutorial shows how to set up AWS Control Tower to delegate user authentication to a self-managed Microsoft Active Directory via AWS Managed Microsoft AD.


[AWS] AWS Snowball now supports local AWS IAM
AWS Snowball now supports local AWS Identity and Access Management (IAM), so you can manage access to the AWS services and resources running on a Snowball device by controlling which actions users can take, and on which resources on the device they can take them.


[GCP] Protect your running VMs with new OS patch management service
Google announced the general availability of Google Cloud's OS patch management service, which protects running VMs against defects and vulnerabilities. With it you can apply OS patches across a set of VMs, receive patch compliance data across your environments, and automate patch installation, all from one central location.

Copyright © 2019-present The Cloud Security Reading List.