Release Date: 28/06/2020 | Issue: 43
The Cloud Security Reading List is a low-volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape, hand-curated by Marco Lancini.

This week's articles


Access Keys in AWS Lambda
In-depth look at AWS access keys inside a Lambda function: how they are populated into the function's execution context, how long they last, how they can be exfiltrated and used, and how to detect a compromised access key.


Securely Access AWS Services from Google Kubernetes Engine (GKE)
Blog post analysing challenges and potential solutions for cross-cloud access.


Container Vulnerability Scanning Fun
Exploratory post focused on assessing vulnerabilities of container images for outdated operating system packages.


Misconfigured Kubeflow workloads are a security risk
Post from the Azure Security Center (ASC) which reveals a new campaign targeting Kubeflow, a machine learning toolkit for Kubernetes.


Validating Kubernetes YAML for best practice and policies
Article comparing six static tools to validate and score Kubernetes YAML files for best practices and compliance.


Chart of AWS APIs by service
Interesting chart created by Scott Piper, which shows the counts of APIs by AWS service, grouped by categories from the web console.


Fixing 5 common AWS IAM errors
Cause and resolution for five common AWS IAM errors.


Supporting the Evolving Ingress Specification in Kubernetes 1.18
Walkthrough of what's new in the Ingress specification, what it means for applications, and how to upgrade to an ingress controller that supports the new specification.


Understanding Istio in sketchnotes (11 Part Series)
Part 1 of 11 in a series of sketchnotes that aims to spread knowledge about Kubernetes and Istio.


Implementing LDAP authentication for Kubernetes
How to implement LDAP authentication for Kubernetes with the Webhook Token authentication plugin. The article also includes a tutorial taking you from zero to the complete system with step-by-step instructions.


A Complete Step by Step Guide to Implementing a GitOps Workflow with Flux
Another step-by-step walkthrough on how to set up common services in a Kubernetes cluster using a GitOps workflow.


A Basic CI/CD Pipeline for Serverless Apps
A tutorial for setting up a basic CI/CD pipeline for serverless applications with SAM, CircleCI, and GitHub.

Tools


cloudformation-guard
A set of tools to check AWS CloudFormation templates for policy compliance using a simple, policy-as-code, declarative syntax.


secrets-store-csi-driver-provider-azure
The Azure Key Vault provider for the Secrets Store CSI driver lets you fetch secret contents stored in an Azure Key Vault instance and mount them into Kubernetes pods through the Secrets Store CSI driver interface.


aardvark
Aardvark is a multi-account AWS IAM Access Advisor API.


rode
Rode provides the collection, attestation and enforcement of policies in your software supply chain.


regula
Tool that evaluates Terraform infrastructure-as-code for potential AWS, Azure, and Google Cloud security misconfigurations and compliance violations prior to deployment using Open Policy Agent/Rego.

From the cloud providers


Accreditation models for secure cloud adoption
AWS released new recommendations to support decision makers in any sector considering or planning for secure cloud adoption. Accreditation Models for Secure Cloud Adoption provides best practices with respect to cloud accreditation to help organizations capitalize on the security benefits of commercial cloud computing.


Managing backups at scale in your AWS Organizations using AWS Backup
AWS Backup offers a centralized, managed service to back up data across AWS services in the cloud and on premises using AWS Storage Gateway.


Using AWS SSO with Okta, Active Directory, and AWS SSO Identities
How to use the Okta Universal Directory with AWS SSO and provision Okta users and groups into AWS SSO.


How to create SAML providers with AWS CloudFormation
Repeatable and automated solution for deploying a unified identity management structure across all of your AWS environments.


Realize Policy-as-Code with AWS Cloud Development Kit through Open Policy Agent
Integrated with AWS CDK, OPA can provide Policy-as-Code capabilities that test changes before AWS CDK applies them to your AWS environment.


Introducing Pub/Sub as a new notification channel in Cloud Monitoring
Google announced a new notification channel type for Cloud Monitoring via Cloud Pub/Sub. Now in beta, this integration lets you create automated and programmatic workflows in response to alerts.


Announcing the Azure DevOps Provider for Terraform
HashiCorp and Microsoft announced the release of Azure DevOps Provider 0.0.1 for Terraform. With this provider, you will be able to manage Azure DevOps resources like projects, CI/CD pipelines, and build policies through Terraform.

Copyright © 2019-present The Cloud Security Reading List.