Release Date: 24/05/2020 | Issue: 38
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand curated by Marco Lancini.

This week's articles


AWS Security Maturity Roadmap 2020
If you are involved with AWS security, then the Security Maturity Roadmap from @SummitRoute is a must read. Scott has now updated the Roadmap for 2020, reflecting changes in services and functionalities released by AWS.


Unauthenticated SNS subscription removal
Publicly exposing SNS Topics can introduce a whole range of issues. In this case, exposing the "subscriptionID" publicly will grant anyone (even without authentication) permissions to remove subscriptions from the topic. The countermeasure? Set the "AuthenticateOnUnsubscribe" flag.


Weaponizing AWS ECS Task Definitions to Steal Credentials From Running Containers
How to leverage containers to exploit AWS ECS Task Definitions in Pacu.


Performing Image Scanning on Admission Controller with OPA
Sometimes the image you scan is not the same one you deploy in your Kubernetes cluster. This article explains how to use image scanning in an admission controller to scan your container images on demand, right before your workloads are scheduled in the cluster.


Azure Kubernetes Security Best Practices Part 1 of 4: Designing Secure Clusters and Container Images
This post launches a four-part series going over best practices for creating and operating secure AKS clusters and the containerized applications that run on them. Part 1 focuses on what you need to know when planning and creating your AKS clusters.


Kubernetes Pod Security Standards
The enforcement and policy-based definition of cluster requirements of security contexts has previously been achieved using Pod Security Policies. However, numerous means of policy enforcement have arisen that augment or replace the use of PodSecurityPolicy. The intent of these Standards is to detail recommended Pod security profiles, decoupled from any specific instantiation.


Open source continuous integration for Elastalert rules
Blog post introducing elastalert-ci, a CircleCI-compatible convenience image that you can use to test your Elastalert rules. The CI configuration spins up an Elasticsearch container and an Elastalert container, uploads provided test data to the Elasticsearch container, and then runs the rules that are provided to it.


A Red Team Tale
Interesting thread on how a red team stole AWS credentials starting from physical access to a laptop via a retail store.


RCE in Google Cloud Deployment Manager
Write-up of an interesting RCE bug found on Google Cloud Deployment Manager.

Tools


dockle
Container image linter for security, helping you build best-practice Docker images.


container-scan
A GitHub Action to help you scan your Docker image for vulnerabilities, leveraging Trivy and Dockle.


dagda
Dagda is a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities.


terragoat
Vulnerable-by-design training tool for Terraform. For more information, you can check the companion blog post.


ElasticPot
A honeypot simulating a vulnerable Elasticsearch server opened to the Internet.

From the cloud providers


AWS: Introducing the Amazon EKS Best Practices Guide for Security
The Amazon EKS Best Practices Guide for Security helps configure every component of a cluster for high security. The guide covers a broad range of topics including pod security, network security, incident response, and compliance.


AWS: New Digital Course on AWS Security, Identity, and Compliance Now Available
Amazon released the Getting Started with AWS Security, Identity, and Compliance course. This free, on-demand course will teach you about the security pillar of the Well-Architected Framework. It also covers key services used in identity and access management, detective controls, infrastructure protection, and data protection categories.


AWS: Easily control the naming of individual IAM role sessions
AWS IAM now has a new "sts:RoleSessionName" condition key for the Security Token Service (STS), which makes it easy for AWS account administrators to control the naming of individual IAM role sessions.
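As an added example (not taken from the AWS announcement above), here is a role trust policy that uses the new condition key so that IAM users in the trusted account can only assume the role when they name the session after their own IAM username; the account ID 111122223333 is a placeholder:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeRoleOnlyWithSessionNamedAfterCaller",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "sts:RoleSessionName": "${aws:username}" }
      }
    }
  ]
}
```

Because the session name becomes part of the assumed-role ARN recorded in CloudTrail, this makes every action taken through the role attributable to the user who assumed it rather than to an arbitrary session name chosen by the caller.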


AWS: AWS Secrets Manager is now FedRAMP compliant
You can now use AWS Secrets Manager to manage secrets for applications that are subject to Federal Risk and Authorization Management Program (FedRAMP) Moderate and High baselines, in the Commercial and AWS GovCloud (US) Regions, respectively.


AWS: Spring 2020 SOC reports now available with 122 services in scope
AWS released the spring 2020 SOC reports, covering the period 10/1/2019 to 03/31/2020, with six new services in scope, for a total of 122 services in scope. These SOC reports are now available through AWS Artifact in the AWS Management Console. The SOC 3 report can also be downloaded as a PDF.


GCP: Config Sync overview
Config Sync allows cluster operators to manage single clusters, multi-tenant clusters, and multi-cluster Kubernetes deployments using files stored in a Git repository.


Azure: Monitor your Azure workload compliance with Azure Security Benchmark
It is now possible to track and monitor your compliance with the Azure Security Benchmark across your Azure environment in Azure Security Center.

Copyright © 2019-present The Cloud Security Reading List.