Release Date: 12/07/2020 | Issue: 45
The Cloud Security Reading List is a low-volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape, hand-curated by Marco Lancini.

This week's articles


27 Things AWS Can Do to Reduce Cloud Security Misconfigurations
Some thoughts on some simple UI tweaks and UX updates that can help reduce the frequency of cloud security incidents stemming from misconfigurations.


Reducing Our Attack Surface with AppSec Platform
Automated scanning platform that continuously discovers public web assets, performs port scanning, fingerprinting, and other useful reconnaissance, and launches light security scanning to identify potential risks — all built upon free open source tools and low-cost AWS services. I love this kind of ChatOps approach!


Minimum Viable Kubernetes
Interesting post which investigates what the absolute bare minimum "Kubernetes cluster" actually looks like. (It's going to be a lot more minimal than setting up Kubernetes the hard way.)


Accelerated Feedback Loops when Developing for Kubernetes with Conftest
The general-purpose approach that the Open Policy Agent has taken, and the user experience that Conftest provides, enables near unlimited use cases for policy-based validation.


Kubernetes observability tutorial: Metrics collection and analysis
Post exploring how to monitor all aspects of your applications running in Kubernetes, including: ingesting and analysing logs, collecting performance and health metrics, monitoring application performance with Elastic APM.


Restricting Flux permissions
By default, the Flux Helm chart sets the RBAC (Role-Based Access Control) permissions to a cluster role with the ability to do anything. This post explores how to lock down Flux permissions to "just enough" so as to keep the cluster as secure as possible.


Terraform Automation With Argo on Kubernetes
Part 1 in a series showing the basics of how to automate Terraform with Argo. Part 2 introduces Consul and Vault for security and Terraform templating.


Blast from the past: Cross Site Scripting on the AWS Console
Writeup of an XSS found on the AWS console via EC2 tagging.

Tools


copilot-cli
The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on Amazon ECS and AWS Fargate.


sinker
Syncs container images from one registry to another. This is useful in cases when you rely on images that exist in a public container registry, but need to pull from a private registry.


cloudtracker
CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.


actionhero
Action Hero is a sidecar style utility to assist with creating least privilege IAM Policies for AWS. Action Hero provides a means to capture all required permissions during the more permissive iterations to make it easier to create an IAM role with just the required permissions.


aws-billing-slack-lambda
Simple AWS Lambda-powered Slack bot that reports your AWS Costs for the current month to a channel.


kconmon
A Kubernetes node connectivity tool that performs frequent tests (TCP, UDP and DNS) and exposes Prometheus metrics enriched with the node name and locality information (such as zone), enabling you to correlate issues between availability zones or nodes.


k8s-diagrams
A collection of diagrams about Kubernetes, created for trainings, talks and articles. They are written in PlantUML and can be adjusted easily.

From the cloud providers


AWS: Identity Round Robin
"Identity Round Robin" is a collection of identity workshops covering a range of identity and access management topics. These topics cover identity in general, not just the AWS IAM service. Some of the services covered include AWS IAM, AWS CloudTrail, Amazon CloudWatch Events, Amazon S3, AWS Lambda, Amazon Macie, Amazon Inspector, AWS Security Hub and Amazon GuardDuty.


AWS: New PCI DSS on AWS Compliance Guide provides essential information for implementing compliant applications
AWS released the Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 on AWS Compliance Guide. The guide is an overview of concepts and principles for building PCI DSS-compliant applications. Each section is thoroughly referenced to source AWS documentation to meet PCI DSS reporting requirements.


AWS: Spring 2020 PCI DSS report now available with 124 services in scope
The Spring 2020 PCI DSS attestation of compliance covers 124 services that can be used to securely architect Cardholder Data Environments (CDEs) in AWS. A full list of services can be found in the Services in Scope by Compliance Program page.


AWS: Container Networking Security Issue (CVE-2020-8558)
AWS released a security bulletin to notify customers of a security issue, recently disclosed by the Kubernetes community, affecting Linux container networking (CVE-2020-8558). This issue may allow containers running on the same host, or adjacent hosts (hosts running in the same LAN or layer 2 domain), to reach TCP and UDP services bound to localhost (127.0.0.1). Customer action is required, and the recommendation is to update to the latest AMI.


AWS: What is a cyber range and how do you build one on AWS?
Post sharing concepts for building a cyber range in AWS. It covers the networking components of a cyber range, then how to control access to it.


AWS: How to use G Suite as an external identity provider for AWS SSO
How to set up G Suite as an external identity provider in AWS Single Sign-On (SSO), as well as how to configure permissions for your users, and how they can access different accounts.


GCP: Your gcloud command-line questions answered in printable cheat sheet
The gcloud command-line tool cheat sheet is available as a one-page sheet, an online resource, and quite fittingly, a command itself, "gcloud cheat-sheet".


Azure: Azure Kubernetes Service now supports confidential workloads
Azure Kubernetes Service (AKS) now supports confidential workloads through integration with DCsv2-series SKU node pools. Enclaves can now be used in containers to secure access to private data.


Azure: Secure pods with Azure Policy
Microsoft released Azure policies to secure pods in AKS. You can deny requests based on pod capabilities and audit for runtime violations.


Azure: Container runtime configuration
Microsoft introduced containerd support (as a preview) in AKS.

Copyright © 2019-present The Cloud Security Reading List.