This week's articles
Unauthenticated SNS subscription removal
Publicly exposing SNS Topics can introduce a whole range of issues. In this case, exposing the "subscriptionID" publicly will grant anyone (even without authentication) permissions to remove subscriptions from the topic. The countermeasure? Set the "AuthenticateOnUnsubscribe" flag.
Performing Image Scanning on Admission Controller with OPA
Sometimes the image you scan is not the same one you deploy in your Kubernetes cluster. This article explains how to use image scanning in admission controllers to scan your container images on demand, right before your workloads are scheduled in the cluster.
Kubernetes Pod Security Standards
The enforcement and policy-based definition of cluster requirements of security contexts has previously been achieved using Pod Security Policies. However, numerous means of policy enforcement have arisen that augment or replace the use of PodSecurityPolicy. The intent of these Standards is to detail recommended Pod security profiles, decoupled from any specific instantiation.
Open source continuous integration for Elastalert rules
Blog post introducing elastalert-ci, a CircleCI-compatible convenience image that you can use to test your Elastalert rules. The CI configuration spins up an Elasticsearch container and an Elastalert container, uploads provided test data to the Elasticsearch container, and then runs the rules that are provided to it.
A Red Team Tale
Interesting thread on how a red team stole AWS credentials starting from physical access to a laptop via a retail store.
Tools
dockle
Container image linter for Security, helping build the best-practice Docker image.
container-scan
A GitHub action to help you scan your docker image for vulnerabilities, leveraging Trivy and Dockle.
dagda
Dagda is a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities.
ElasticPot
A honeypot simulating a vulnerable Elasticsearch server opened to the Internet.
From the cloud providers
AWS Secrets Manager is now FedRAMP compliant
You can now use AWS Secrets Manager to manage secrets for applications that are subject to Federal Risk and Authorization Management Program (FedRAMP) Moderate and High baselines, in the Commercial and AWS GovCloud (US) Regions, respectively.
Config Sync overview
Config Sync allows cluster operators to manage single clusters, multi-tenant clusters, and multi-cluster Kubernetes deployments using files stored in a Git repository.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌 If you have questions, comments, or feedback, let me know on Twitter ( @lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco