This week's articles
Privilege Escalation in Google Cloud Platform
Similar to what they did for AWS in the past, this blog post from the RhinoSecurity team aims to provide a reference for privilege escalation techniques, this time for Google Cloud Platform (there is also a part 2 which covers non-IAM related methods). If you are not interested in the details of each privilege escalation technique, consider jumping straight to their new privilege escalation scanner for GCP.
Secure your team's code with code scanning and secret scanning
Code scanning is now available as a GitHub-native experience. With code scanning enabled, every 'git push' is scanned for new potential security vulnerabilities, and results are displayed directly in your pull request. In addition, secret scanning is also now available for private repositories.
How to monitor OPA Gatekeeper with Prometheus metrics
If you have deployed OPA Gatekeeper, monitoring this admission controller is as relevant as monitoring the rest of the Kubernetes control plane components. If something breaks here, Kubernetes won't deploy new pods in your cluster; and if it's slow, your cluster scale performance will degrade.
Monitor and Notify on AWS Account Root User Activity and Other Security Metrics
Organizations usually end up piping all cloud API logs to a SIEM (Elasticsearch, Splunk, etc.) and creating alerts based on user and service activity, but what about personal accounts? This article shares a monitoring setup "on a budget" for a private AWS account. In addition, the companion GitHub repo provides a Terraform module that creates a multi-regional Trail, connects it with a CloudWatch Log Group, and creates a number of metric filters and metric alarms to receive SNS notifications for high-noise actions.
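As an added illustration of the Trail -> Log Group -> metric filter -> alarm -> SNS chain described above (this is not code from the article or its companion repo), here is one such filter and alarm for root user activity. It assumes the CloudTrail log group already exists and is referenced as aws_cloudwatch_log_group.trail, and that a var.alert_email variable holds the notification address.

```hcl
# Added example, not the companion repo's module. Assumes the trail's log
# group is declared elsewhere as aws_cloudwatch_log_group.trail.
variable "alert_email" {
  type = string
}

resource "aws_sns_topic" "security_alerts" {
  name = "security-alerts"
}

resource "aws_sns_topic_subscription" "email" {
  topic_arn = aws_sns_topic.security_alerts.arn
  protocol  = "email"
  endpoint  = var.alert_email
}

# Matches console or API calls made with the root user's own credentials,
# excluding calls that AWS services make on the account's behalf.
resource "aws_cloudwatch_log_metric_filter" "root_usage" {
  name           = "RootAccountUsage"
  log_group_name = aws_cloudwatch_log_group.trail.name
  pattern        = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"

  metric_transformation {
    name      = "RootAccountUsageCount"
    namespace = "CloudTrailMetrics"
    value     = "1"
  }
}

# Notify on the first matching event in any 5-minute window; a window with
# no data points is treated as healthy rather than as an alarm.
resource "aws_cloudwatch_metric_alarm" "root_usage" {
  alarm_name          = "root-account-usage"
  alarm_description   = "Root user activity detected in CloudTrail"
  comparison_operator = "GreaterThanOrEqualToThreshold"
  evaluation_periods  = 1
  metric_name         = "RootAccountUsageCount"
  namespace           = "CloudTrailMetrics"
  period              = 300
  statistic           = "Sum"
  threshold           = 1
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.security_alerts.arn]
}
```

The same filter/alarm pair can be repeated for other high-noise actions (IAM policy changes, CloudTrail configuration changes) by swapping the pattern and metric name.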
aws-vault Vulnerable to DNS Rebinding Attacks
aws-vault's EC2 metadata service proxy is vulnerable to DNS rebinding attacks. Web pages you visit might be able to steal your AWS credentials if you have the server running on localhost.
Tools
cloudsplaining
An AWS IAM security assessment tool which scans accounts for violations of Least Privilege and identifies policies that can lead to Privilege Escalation, Data Exfiltration, Resource Exposure, and Infrastructure Modification. It also generates a nice HTML report that can help with triaging and remediation, as well as identifying high-value IAM principals to target during a penetration test.
Splunk Attack Range
The Attack Range is a detection development platform which allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk.
From the cloud providers
Amazon CloudWatch now monitors Prometheus metrics - Now in Beta
You can use Amazon CloudWatch to monitor Prometheus metrics from Amazon Elastic Kubernetes Service (EKS) and Kubernetes clusters. With this new feature, DevOps teams can automatically discover services for containerized workloads such as AWS App Mesh, NGINX, and Java/JMX.
Windows Server containers on GKE now GA
Google launched the preview of Windows Server container support in Google Kubernetes Engine (GKE) earlier this year, which is now generally available for production use.
Azure Security Center enhancements
At Ignite 2019, Microsoft announced the preview of more than 15 new features for Azure Security Center. This blog provides an update for the features that are now generally available to all customers.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌 If you have questions, comments, or feedback, let me know on Twitter ( @lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco