Release Date: 03/05/2020 | Issue: 35
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand curated by Marco Lancini.

This week's articles


The Extended AWS Security Ramp-Up Guide
NCC Group put together an "Extended" AWS Security Ramp-Up Guide, compiling some of the public resources they've found most helpful.


Working-As-Intended: RCE to IAM Privilege Escalation in GCP Cloud Build
Another good blog from the RhinoSecurity team, which focuses on a feature of Google Cloud Build that might allow for IAM privilege escalation in certain scenarios.


Everything We Learned Running Istio In Production
Part 1 in a series describing what the HelloFresh team learned from running Istio in production.


EKS Service Accounts Explained
A few months ago AWS released the ability to add IAM permissions to pods. This article analyzes the AWS implementation, along with some comments on what the author believe they did right and what they did wrong.


The right way of accessing Azure services from inside your Azure Kubernetes Cluster
How to set up Azure Access Directory Pod Identities inside your cluster. Covering concepts behind AAD Pod Identity, security, and deployment steps.


Azure Ad Introduction For Red Teamers
This article briefly presents Azure AD and explores the different attacking paths this new cloud environment offers to pentesters and red teamers.


Finding evil in AWS: A key pair to remember
Tale from an incident involving the use of compromised AWS access keys, covering how the problem was identified, what was observed, and the lessons learned along the way.


Raft - Understandable Distributed Consensus
This is really useful: learn how the RAFT protocol (used by etcd, Consul, etc.) works with this interactive walk-through.

Tools


Whispers
Whispers is a static code analysis tool designed for parsing various common data formats in search of hardcoded credentials and dangerous functions. Whispers can run in the CLI or you can integrate it in your CI/CD pipeline.


Announcing Terraform Foundational Policy Library Preview
HashiCorp announced the preview release of the Terraform Foundational Policies Library. The repository contains a library of Sentinel policies, developed by HashiCorp, that can be consumed directly within the Terraform Cloud platform.


ScoutSuite 5.8.0
NCC released ScoutSuite 5.8.0 on Github, with improved support for AWS (KMS, Secrets Manager), Azure (App Service Web Apps, Security Center), GCP, and OCI.

From the cloud providers


AWS Icon  EKS managed node groups allow fully private cluster networking
Amazon Elastic Kubernetes Service (EKS) managed node groups now allow fully private cluster networking by ensuring that only private IP addresses are assigned to EC2 instances managed by EKS.


AWS Icon  Use AWS Firewall Manager and VPC security groups to protect your applications hosted on EC2 instances
You can use AWS Firewall Manager to centrally configure and manage VPC security groups across all your AWS accounts. This post will take you through the step-by-step instructions to apply common security group rules, audit your security groups, and detect unused and redundant rules in your security groups across your AWS environment.


AWS Icon  Data Residency: AWS Policy Perspectives
Whitepaper: Learn how to meet security requirements, regardless of where data is stored.


GCP Icon  Security, simplified: Making Shielded VM the default for Compute Engine
Google made Unified Extensible Firmware Interface (UEFI) and Shielded VMs the default for everyone using Google Compute Engine, at no additional charge.


GCP Icon  Improving your security posture with centralized secrets management
Secret Manager is a generally available centralized secrets management solution hosted on Google Cloud. This post looks at some popular third-party tools and services, and shows you how Secret Manager can help create, manage, and access secrets in those systems.

Website
Twitter
Buy me a coffee
View this email in your browser Copyright © 2019-present The Cloud Security Reading List.