Release Date: 10/05/2020 | Issue: 36
The Cloud Security Reading List is a low-volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand-curated by Marco Lancini.

This week's articles


Privilege Escalation in Google Cloud Platform
Similar to what they did for AWS in the past, this blog post from the RhinoSecurity team aims to provide a source for privilege escalation techniques, this time for Google Cloud Platform (there is also a part 2 which covers non-IAM related methods). If you are not interested in the details of each privilege escalation, consider going straight to the new privilege escalation scanner for GCP.


Secure your team's code with code scanning and secret scanning
Code scanning is now available as a GitHub-native experience. With code scanning enabled, every 'git push' is scanned for new potential security vulnerabilities, and results are displayed directly in your pull request. In addition, secret scanning is also now available for private repositories.


Following the CloudTrail: Generating strong AWS security signals with Sumo Logic
A blog post explaining how the Expel team uses a SIEM (in this example, Sumo Logic) to generate security leads from AWS signals. The post also shares some detection use cases (with examples) to try out in your own environment, regardless of what SIEM you use.


Validate Kubernetes API Versions With Conftest
How to use Conftest and Open Policy Agent for validating Kubernetes API versions, leveraging the CI pipeline to notify on the usage of deprecated APIs.


How to monitor OPA Gatekeeper with Prometheus metrics
If you have deployed OPA Gatekeeper, monitoring this admission controller is as relevant as monitoring the rest of the Kubernetes control plane components. If something breaks here, Kubernetes won't deploy new pods in your cluster; and if it's slow, your cluster scale performance will degrade.


Monitor and Notify on AWS Account Root User Activity and Other Security Metrics
Organizations usually end up piping all cloud API logs to a SIEM (Elasticsearch, Splunk, etc.) and creating alerts based on user and service activity, but what about personal accounts? This article shares a monitoring setup "on a budget" to use in a private AWS account. In addition, the companion GitHub repo provides a Terraform module that creates a multi-regional Trail, connects it with a CloudWatch Log Group, and creates a number of metric filters and metric alerts to receive SNS notifications for high noise actions.
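The heart of a setup like this is the metric filter that decides which CloudTrail records count as "root user activity". As an added example (not the article's Terraform module, and not code from the companion repo), the Go program below reproduces the logic of the commonly used CIS AWS Foundations root-usage filter pattern and runs it over a handful of constructed CloudTrail records, so the two exclusions (service-invoked calls and AwsServiceEvent records) can be seen in action. The sample records are constructed for illustration and are not a real trail export.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// UserIdentity mirrors the fields of a CloudTrail record's userIdentity block
// that the root-usage check reads.
type UserIdentity struct {
	Type      string `json:"type"`
	InvokedBy string `json:"invokedBy,omitempty"`
}

// Event is the subset of a CloudTrail record needed for the check.
type Event struct {
	EventName    string       `json:"eventName"`
	EventType    string       `json:"eventType"`
	EventSource  string       `json:"eventSource"`
	UserIdentity UserIdentity `json:"userIdentity"`
}

// IsRootActivity reproduces, in code, the CIS AWS Foundations metric filter
// pattern for root account usage:
//   { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
//     && $.eventType != "AwsServiceEvent" }
// Calls that an AWS service makes on the root user's behalf are excluded so
// the alarm reflects a person (or a stolen credential) using root directly.
func IsRootActivity(e Event) bool {
	return e.UserIdentity.Type == "Root" &&
		e.UserIdentity.InvokedBy == "" &&
		e.EventType != "AwsServiceEvent"
}

// RootEvents parses newline-delimited CloudTrail records and returns the
// eventName of every record that would trip the root-usage alarm.
func RootEvents(ndjson string) ([]string, error) {
	var hits []string
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var e Event
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad record %q: %w", line, err)
		}
		if IsRootActivity(e) {
			hits = append(hits, e.EventName)
		}
	}
	return hits, nil
}

// sampleTrail is constructed test data in CloudTrail's record shape.
// Only the first two records should alert: the third is an IAM user, the
// fourth is root invoked by a service, the fifth is an AwsServiceEvent.
const sampleTrail = `
{"eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","eventSource":"signin.amazonaws.com","userIdentity":{"type":"Root"}}
{"eventName":"CreateUser","eventType":"AwsApiCall","eventSource":"iam.amazonaws.com","userIdentity":{"type":"Root"}}
{"eventName":"DescribeInstances","eventType":"AwsApiCall","eventSource":"ec2.amazonaws.com","userIdentity":{"type":"IAMUser"}}
{"eventName":"PutObject","eventType":"AwsApiCall","eventSource":"s3.amazonaws.com","userIdentity":{"type":"Root","invokedBy":"config.amazonaws.com"}}
{"eventName":"RotateSecret","eventType":"AwsServiceEvent","eventSource":"secretsmanager.amazonaws.com","userIdentity":{"type":"Root"}}
`

func main() {
	hits, err := RootEvents(sampleTrail)
	if err != nil {
		panic(err)
	}
	for _, name := range hits {
		fmt.Println("ALERT root activity:", name)
	}
}
```

In the Terraform setup the same predicate is expressed as a CloudWatch Logs metric filter on the Log Group the Trail writes to, with an alarm on the resulting metric; running the predicate locally over a few records like this is a cheap way to confirm that the filter fires on interactive root use and stays quiet on service-generated root records before wiring it to SNS.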


aws-vault Vulnerable to DNS Rebinding Attacks
aws-vault's EC2 metadata service proxy is vulnerable to DNS rebinding attacks. Web pages you visit might be able to steal your AWS credentials if you have the server running on localhost.
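DNS rebinding works because the victim's browser resolves an attacker-controlled name to 127.0.0.1 and then sends a request whose Host header still carries that attacker name. A loopback-only credential endpoint can therefore defend itself by refusing any request whose Host header is not one of the names it is meant to answer under. The Go handler below is an added example of that check; it is not aws-vault's code, and the port 9099, the allowlist and the placeholder credential body are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// allowedHosts is the set of Host header values the loopback-only credential
// endpoint should answer. Assumed values for this example, not aws-vault's
// own configuration.
var allowedHosts = map[string]bool{
	"127.0.0.1:9099": true,
	"localhost:9099": true,
}

// hostAllowed reports whether an incoming Host header names the proxy itself.
// A rebinding request carries the attacker's domain in Host (the name the
// browser resolved to 127.0.0.1), so anything outside the allowlist is
// rejected, while local SDK clients that address the proxy by IP or
// "localhost" are unaffected.
func hostAllowed(host string) bool {
	return allowedHosts[strings.ToLower(host)]
}

// requireLocalHost wraps a handler and refuses requests whose Host header is
// not one of the loopback names the proxy is meant to serve under.
func requireLocalHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(r.Host) {
			http.Error(w, "forbidden: unexpected Host header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// credentialHandler stands in for the metadata-style endpoint that hands out
// temporary credentials; the body is a constructed placeholder.
func credentialHandler(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, `{"AccessKeyId":"EXAMPLE-PLACEHOLDER"}`)
}

// statusForHost sends one request carrying the given Host header through the
// guarded handler and returns the HTTP status code, so the guard can be
// exercised without binding a real socket.
func statusForHost(host string) int {
	h := requireLocalHost(http.HandlerFunc(credentialHandler))
	req := httptest.NewRequest(http.MethodGet, "/latest/meta-data/iam/security-credentials/", nil)
	req.Host = host
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// A legitimate local client versus a rebinding request: only the first
	// should receive credentials.
	for _, h := range []string{"127.0.0.1:9099", "attacker.example:9099"} {
		fmt.Printf("Host %-24s -> HTTP %d\n", h, statusForHost(h))
	}
}
```

The Host check complements, rather than replaces, binding the listener to the loopback interface: the bind address controls who can reach the socket, while the Host check controls which browser origins can make a reached socket answer.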

Tools


cloudsplaining
An AWS IAM security assessment tool which scans accounts for violations of Least Privilege and identifies policies that can lead to Privilege Escalation, Data Exfiltration, Resource Exposure, and Infrastructure Modification. It also generates a nice HTML report that can help with triaging and remediation, as well as identifying high-value IAM principals to target during a penetration test.


Splunk Attack Range
The Attack Range is a detection development platform which allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk.

From the cloud providers


IAM Access Analyzer flags unintended access to S3 buckets shared through access points
To help you identify buckets that can be accessed publicly or from other AWS accounts or organizations, IAM Access Analyzer now analyzes access point policies in addition to bucket policies and bucket ACLs. This helps you find unintended access to S3 buckets that use access points.


AWS IAM introduces updated policy defaults for IAM user passwords
To improve the default security for all AWS customers, AWS is adding a default password policy for IAM users in AWS accounts. This update will be made globally to the IAM service on August 3rd, 2020.


Amazon CloudWatch now monitors Prometheus metrics - Now in Beta
You can use Amazon CloudWatch to monitor Prometheus metrics from Amazon Elastic Kubernetes Service (EKS) and Kubernetes clusters. With this new feature, DevOps teams can automatically discover services for containerized workloads such as AWS App Mesh, NGINX, and Java/JMX.


Windows Server containers on GKE now GA
Google launched the preview of Windows Server container support in Google Kubernetes Engine (GKE) earlier this year, which is now generally available for production use.


Understanding forwarding, peering, and private zones in Cloud DNS
How to use some of Google's DNS constructs to connect multiple zones to your on-premises DNS infrastructure, using a combination of zones, peering, and forwarding.


Azure Security Center enhancements
At Ignite 2019, Microsoft announced the preview of more than 15 new features for Azure Security Center. This blog provides an update for the features that are now generally available to all customers.

Copyright © 2019-present The Cloud Security Reading List.