Release Date: 31/05/2020 | Issue: 39
The Cloud Security Reading List is a low-volume mailing list (once per week) that highlights security-related news focused on the cloud-native landscape, hand-curated by Marco Lancini.

This week's articles


The Octopus Scanner Malware: Attacking the open source supply chain
Post-mortem of a real-world OSS supply chain attack, in which GitHub uncovered malware designed to enumerate and backdoor NetBeans projects, using the build process and its resulting artifacts to spread itself.


Deploy Any Resource With The New Kubernetes Provider for HashiCorp Terraform
HashiCorp announced the alpha release of a new version of the Kubernetes Provider for Terraform. The kubernetes-alpha provider lets you package, deploy, and manage all Kubernetes resources, including Custom Resource Definitions, using HashiCorp Configuration Language (HCL).


From Azure AD to Active Directory (via Azure) – An Unanticipated Attack Path
Very detailed post describing how a compromised Global Administrator (O365) account could be used to compromise any or all Azure VMs (including hosted Domain Controllers), with minimal or no logging.


AWS Client Side Monitoring
The AWS SDK has a feature called Client Side Monitoring (CSM) that can be enabled by setting an environment variable, which causes all AWS API calls to be recorded. This is mostly undocumented outside of the SDK source code.


Attacking CloudGoat 2
A step-by-step walkthrough of CloudGoat 2.0 scenarios.


Using Gatekeeper in Kubernetes
Gatekeeper is a validating admission controller that uses Open Policy Agent (OPA) to let Kubernetes administrators implement policies for ensuring compliance and best practices in their cluster.


Kubernetes Pod Security Policies with Open Policy Agent
Building on the previous article, Gatekeeper is now seen as a potential alternative to Pod Security Policy. This article shows how Open Policy Agent can implement Pod Security Policies.


How to set up secret management in Kubernetes with HashiCorp Vault
In this hands-on article, you will learn how to set up Vault with Kubernetes.

Tools


Kubetap
Kubectl plugin to interactively proxy Kubernetes Services with ease.


container-diff
container-diff is a tool for analyzing and comparing (diffing) container images.


docker-slim
docker-slim minifies container images by analysing what is actually used at runtime and throwing away the rest. Not a full replacement for scratch builds, but a useful stepping stone towards them that also reduces the attack surface of your container.


kube-janitor
Kubernetes Janitor cleans up (deletes) Kubernetes resources after a configured TTL.


talisman
By hooking into Git's pre-push hook, Talisman validates the outgoing changeset for things that look suspicious, such as authorization tokens and private keys.

From the cloud providers


Enabling AWS Security Hub integration with AWS Chatbot
How to configure AWS Chatbot to send findings from AWS Security Hub to Slack. Security Hub gives you a comprehensive view of your high-priority security alerts and security posture across your AWS accounts.


EC2 Instance Connect now supports Attribute Based Access Control
It is now possible to use attribute-based access control (ABAC) with EC2 Instance Connect (EIC) to define SSH access permissions based on attributes.


Introducing server-side encryption of ephemeral storage using AWS Fargate-managed keys in AWS Fargate
Ephemeral storage for AWS Fargate tasks now uses server-side encryption, making PCI DSS and HIPAA compliance easier.


NIST Cybersecurity Framework (CSF): Aligning to the NIST CSF in the AWS Cloud
Whitepaper on how to align your company's security strategy in AWS to the framework's five pillars: Identify, Protect, Detect, Respond and Recover.


Zero-trust remote admin access for Windows VMs on Compute Engine
IAP Desktop is a Windows application that allows you to manage multiple Remote Desktop Protocol (RDP) connections to Windows VM instances running on Google Cloud.


Expanding our work with the open source security community
Google has just announced a new bug bounty on a hardened Kubernetes cluster.


Configure customer-managed keys for your Azure Cosmos account with Azure Key Vault
How to configure customer-managed keys with Azure Key Vault for Azure Cosmos DB.

Copyright © 2019-present The Cloud Security Reading List.