Release Date: 14/06/2020 | Issue: 41
The Cloud Security Reading List is a low-volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape, hand-curated by Marco Lancini.

This week's articles


Denial of Wallet Attacks on AWS
Scott Piper compiled some thoughts on Denial of Wallet attacks on AWS (attacks where the goal is to increase the financial burden on the victim).


GKE Kubelet TLS Bootstrap Privilege Escalation
Kubernetes has a wide range of attack vectors, and many common attacks are on the Kubernetes attack matrix. The RhinoSecurity team explored the GKE Kubelet TLS Bootstrap privilege escalation attack: starting with compromised GCP credentials, they stole TLS Bootstrap credentials by listing Compute Engine instances, generated and submitted CSRs, acted as worker nodes, stole secrets and gained cluster admin access in a GKE cluster.


How we use HashiCorp Nomad
Interesting article from Cloudflare that walks through the reliability model of services running in more than 200 edge cities worldwide.


Monitoring AWS Fargate with Prometheus and Sysdig
Fargate does not allow privileged pods. So, how can you monitor Fargate and other serverless services if you can’t install agents on them? You'll need to rely on an intermediary like AWS CloudWatch.


Unsecured databases attacked 18 times per day
Someone set up an Elasticsearch honeypot and watched it get destroyed. Over three dozen attacks occurred before the database was even indexed by search engines like Shodan / BinaryEdge.


Legacy LVFS S3 bucket takeover and CVE-2020-10759 fwupd signature verification bypass
Two vulnerabilities that, if chained together, would have allowed an attacker to claim a dangling S3 bucket to offer malicious firmware updates to Linux desktops and servers running legacy versions of fwupd.


Mitigating CVE-2020-10749 in Kubernetes Environments
CVE-2020-10749, a vulnerability disclosed a few days ago, enables man-in-the-middle (MITM) attacks on Kubernetes clusters: an attacker can intercept network traffic to a pod in the cluster and impersonate it to clients.

Tools


Starboard Octant Plugin
Octant plugin for Starboard, which provides visibility into vulnerability assessment reports for Kubernetes workloads stored as custom security resources.


amazon-s3-find-and-forget
A solution to selectively find and erase records from data lakes stored on Amazon S3. This solution can assist data lake operators to handle data erasure requests, for example, pursuant to the European General Data Protection Regulation (GDPR).


k8s-audit-log-inspector
Want to study how k8s audit logs work? This repo provides a Vagrant box configuration that: sets up microk8s with audit logging configured, sets up Elasticsearch and Kibana, and sets up filebeat to watch the microk8s audit logs and ship them to Elastic.


Adaz: Active Directory Hunting Lab in Azure
Project that lets you easily spin up Active Directory labs in Azure with domain-joined workstations, Windows Event Forwarding, Kibana, and Sysmon, using Terraform/Ansible.

From the cloud providers


How Goldman Sachs builds cross-account connectivity to their Amazon MSK clusters with AWS PrivateLink
Post presenting patterns for accessing an Amazon Managed Streaming for Apache Kafka cluster across AWS account or VPC boundaries using AWS PrivateLink. In addition, the post discusses the pattern that Goldman Sachs (TxB) chose for their cross-account access, the reasons behind their decision, and how TxB satisfies its security requirements with Amazon MSK.


Software Package Management with AWS CodeArtifact
Amazon introduced AWS CodeArtifact, a secure, scalable, and cost-effective artifact management service for software development. Today, CodeArtifact can be used with popular build tools and package managers such as Maven and Gradle (for Java), npm and yarn (for JavaScript), and pip and twine (for Python).


AWS Shield Threat Landscape report is now available
The AWS Shield Threat Landscape Report (TLR) provides a summary of threats detected by AWS Shield. This includes rules and mitigations for services like AWS Managed Rules for AWS WAF and AWS Shield Advanced.


AWS Shield Advanced now supports proactive response to events
AWS Shield Advanced now allows proactive engagement from the DDoS Response Team (DRT) when a DDoS event is detected. When you turn on proactive engagement, the DRT will directly contact you if an Amazon Route 53 health check associated with your protected resource becomes unhealthy during an event that's detected by Shield Advanced.


AWS achieves its first PCI 3DS attestation
AWS has achieved its first PCI 3-D Secure (3DS) certification. Financial institutions and payment providers are implementing EMV 3-D Secure services to support application-based authentication, integration with digital wallets, and browser-based e-commerce transactions. Although AWS doesn’t perform 3DS functions directly, the AWS PCI 3DS attestation of compliance enables customers to attain their own PCI 3DS compliance for their services running on AWS.


How to integrate formal proofs into software development
Curious about how to integrate formal proofs into software development? An ICSE research paper from the AWS Automated Reasoning Group describes lessons learned from a code-level verification project.


Supporting your compliance journey with Compliance Resource Center
Google announced an updated Compliance Resource Center. It provides on-demand access to helpful resources to support your compliance efforts, verify technical compliance and control requirements, and help you understand region- and industry-specific regulations.


Google Cloud firewalls adds new policy and insights
Google added some new firewall features, like hierarchical firewall policies and firewall insights.


Introducing table-level access controls in BigQuery
The new BigQuery table-level access controls (table ACLs) let you control data and share it at an even finer granularity. Table ACLs also bring closer compatibility with other data warehouse systems whose base security primitives include tables, making it easier to migrate security policies.


5 ways to enhance your cloud storage security and data protection
In short: turn on uniform bucket-level access, enable domain-restricted sharing, encrypt data with Cloud KMS, audit data with Cloud Audit Logging, and secure data with VPC Service Controls.

Copyright © 2019-present The Cloud Security Reading List.