Release Date: 07/06/2020 | Issue: 40
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

This week's articles

Best practices for monitoring GCP audit logs
Nice primer on GCP audit logs, which covers their structure, best practices for using them to monitor GCP security, and how to export them from GCP.

Privilege Escalation in Google Cloud Platform's OS Login
Write-up which explains in detail how OS Login works and then outlines three methods of privilege escalation. The first two (via LXD and via Docker) are straightforward and use previously-known methods to abuse the OS Login implementation. The third (hijacking the metadata server) is brand new, a bit more complex, and probably the most interesting to read.

Comparison of Kubernetes managed services
A spreadsheet which compares many different features of Kubernetes managed services such as Google Kubernetes Engine (GKE), Elastic Kubernetes Service (EKS) and Azure Kubernetes (AKS).

Actionable threat hunting in AWS
Chris Farris invaluable notes from his talk SEC339 at re:Invent 2019. The focus is on the Preparation & Identification aspects of the SANS Incident Response framework.

When it's not only about a Kubernetes CVE...
When Kubernetes is deployed in a managed environment, the controller manager is handled by the cloud provider but the request for asking volume creation is emitted from the internal cloud provider network. This can be exploited (CVE-2020–8555) to access the cloud provider's internal resources and to enable several other attacks, such as dumping internal credentials and performing privilege escalation.

SSRF AWS Bypasses to access metadata endpoint
And they also fit in a tweet.


starboard - Kubernetes-native security tool kit
Starboard integrates security tools into a Kubernetes environment, so that users can find and view the risks that relate to different resources in a Kubernetes-native way. Starboard provides custom security resources definitions and a Go module to work with a range of existing security tools, as well as a kubectl-compatible command-line tool and an Octant plug-in that make security reports available through familiar Kubernetes tools.

Kuberhealthy is a Kubernetes operator for running synthetic checks as pods.

From the cloud providers

AWS Icon  How to perform automated incident response in a multi-account environment
A very educational use case blog on implementing an Automated Incident Response in a Multi-Account AWS Environment. This scenario incorporates GuardDuty alerts, Config findings, Systems Manager automation runbooks, SNS notifications and centralized reporting in SecurityHub.

AWS Icon  Tighten S3 permissions for your IAM users and roles using access history of S3 actions
Last accessed information for IAM got extended to include S3 management actions, and now reports the last time a user or role used an S3 action. This granular access information helps analyze access, identify unused S3 actions, and remove them confidently.

AWS Icon  AWS Systems Manager Explorer now adds support for a delegated administrator account to view operational data across multiple accounts and regions
The master account from the organization can now designate one member account within the same organization as a delegated administrator. The delegated administrator can aggregate data from across multiple accounts and Regions, then search and filter this data in the AWS console or by using the AWS SDK or CLI.

GCP Icon  How to find—and use—your GKE logs with Cloud Logging
An overview of how logging works in GKE, and how to configure, find, and interact effectively with the GKE logs stored in Cloud Logging.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present, CloudSecList by Marco Lancini.