Release Date: 26/07/2020 | Issue: 47
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand curated by Marco Lancini.

This week's articles


Announcing Clutch, the Open-source Platform for Infrastructure Tooling
Lyft released Clutch, an open-source UI and API platform for infrastructure tooling. Clutch empowers engineering teams to build, run, and maintain user-friendly workflows that also incorporate domain-specific safety mechanisms and access controls. Clutch ships with several features for managing platforms such as AWS, Envoy, and Kubernetes with an emphasis on extensibility so it can host features for any component in the stack.


Analyzing IAM Policies at Scale with Parliament
The most efficient and repeatable method for finding misconfigurations in IAM policies and roles is to automate the detection process using existing libraries. This blog explores how the Parliament library can be run to detect if a policy is malformed, identify unknown permissions that do not exist within the platform, and callout resource mismatches when resources and permissions do not apply to each other.


So I Heard You Want to Learn Kafka
An attempt to try to help security professionals approach Kafka, by walking through the journey I undertook to get the basics first, and later to focus on the security aspects of it. (disclaimer: I did write this post)


Container Breakouts – Part 2: Privileged Container
Second post of a container breakout series. After the discussion on how to escape from a system with access only to the root directory, this part dives into privileged containers.


Basic Kubernetes Privilege Escalation
Let's say you got a reverse shell from a process running in a Kubernetes environment. This guide details the basic steps you can take to escalate your privileges within Kubernetes.


Secure your AWS ECS Microservices with Consul Service Mesh
Blog looking at a Consul service mesh pattern for applications in ECS. This example is running on EC2 instances under an ECS managed cluster, but could be easily modified to run Fargate workloads as well.


Azure Arc enabled Kubernetes: Digital Ocean Kubernetes in Azure
This post explains how to connect a Kubernetes cluster running in Digital Ocean to your Azure Subscription by leveraging Azure Arc.


Introducing Sinker: A tool to sync container images from one registry to another
In last week's issue I linked to sinker in the Tools section. This week, the Plex team released a blog post explaining why they built it and how they leverage it in their pipelines.


Detect CVE-2020-8557 using Falco
How to leverage Falco to detect someone trying to exploit CVE-2020-8557, a recently discovered vulnerability affecting the kubelet.


Announcing HashiCorp Vault 1.5
HashiCorp announced the general availability of HashiCorp Vault 1.5. The feature that probably impacts the most users is around rate limiting and quotas (in the OSS version). For enterprise users, there is also a Splunk App so you can get better monitoring/logging out of the box.

Tools


aws-recon
Recon helps build a comprehensive inventory of the security-related metadata in an AWS account. The output is standard JSON, so it can be used in automation pipelines or feed into other tools for further analysis.


gcp-iam-role-permissions
Repo keeping track of all primitive and predefined GCP IAM Roles and their permissions. Resyncs nightly to help track changes as they are made.


infracost
Get cost estimates from a Terraform project.


kube-forensics
kube-forensics allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform off-line forensic analysis.


litmus
Litmus is a toolset to do chaos engineering in a kubernetes native way. Litmus provides CRDs for developers and SREs to inject, orchestrate and monitor chaos to find weaknesses in Kubernetes deployments.

From the cloud providers


AWS Icon  How to use AWS Organizations to simplify security at enormous scale
Service control policies (SCPs) in AWS Organizations offers central control over permissions for all accounts in an organization, which helps ensure that accounts stay within an organization's access control guidelines.


AWS Icon  Introducing The CIS Amazon EKS Benchmark
AWS announced a new Center for Internet Security (CIS) benchmark for Amazon Elastic Kubernetes Service (EKS). This new benchmark is optimized to help accurately assess the security configuration of Amazon EKS clusters, including security assessments for nodes to help meet security and compliance requirements.


AWS Icon  Adding HTTP Security Headers Using [email protected] and Amazon CloudFront
How to, using [email protected] and Amazon CloudFront, add response headers that are specifically targeted to improve the security and privacy of both viewers and content providers.


AWS Icon  AWS Secrets Manager has been IRAP assessed and accepted for PROTECTED level
AWS Secrets Manager has been Information Security Registered Assessors Program (IRAP) assessed and accepted at the PROTECTED level. Now, you can use AWS Secrets Manager to store secrets that are required to meet the Information Security Manual (ISM) control objectives.


GCP Icon  Traffic Director and gRPC—proxyless services for your service mesh
With Traffic Director support for proxyless gRPC services, it is now possible to bring proxyless gRPC applications to proxy-based service mesh or even have a fully proxyless service mesh.


GCP Icon  Service Account credentials management
Some techniques and mechanisms you can apply to improve your security posture.


Azure Icon  Microsoft Azure Well-Architected Framework
The Azure Well-Architected Framework is a set of guiding tenets that can be used to improve the quality of a workload. The framework consists of five pillars of architecture excellence: Cost Optimization, Operational Excellence, Performance Efficiency, Reliability, and Security.


Azure Icon  Five Best Practices for Cloud Security
Overview providing a snapshot of five best practices for cloud security: identity and access control, security posture management, apps and data security, threat protection, and network security.


Azure Icon  Azure operational security checklist
Before deploying cloud applications in production it is useful to have a checklist to assist in evaluating your application against a list of essential and recommended operational security actions for you to consider.

Website
Twitter
Sponsor Me
View this email in your browser Copyright © 2019-present The Cloud Security Reading List.