Release Date: 02/08/2020 | Issue: 48
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand curated by Marco Lancini.

This week's articles


Modern Cloud Governance
If you break down your cloud program into three core functions (development, security, and finance), you can see how each manages an aspect of your cloud: cost, risk and agility.


Introducing Domain-Oriented Microservice Architecture
This piece explains DOMA (Domain-Oriented Microservice Architecture), the concerns that led to the adoption of this architecture for Uber, its benefits for platform and product teams, and some advice for teams who want to adopt this architecture.


Introduction to Istio access control
In-depth post from the BanzaiCloud team discussing Istio's access control model, AuthorizationPolicies.


Kubernetes - Pod Security Policies
A post from Square on how to do a full deployment of Pod Security Policies with everything locked down, and how to grant exceptions.


Mitigating Spectre and Other Security Threats: The Cloudflare Workers Security Model
An in-depth look at the security of Cloudflare Workers.


Behind the scenes in the Expel SOC: Alert-to-fix in AWS
An interesting behind-the-scenes look at the Expel SOC as they went from alert to fix in AWS.


Container Breakouts - Part 3: Docker Socket
Third and last post in a series about container breakouts, which shows container breakout techniques that can be performed if a container is started with a mounted Docker socket.


CRD is just a table in Kubernetes
Detailed blog post on how to create and interact with Custom Resource Definitions (CRDs).


Leveraging DevSecOps Practices to Secure Red Team Infrastructure
Post discussing how automated policy enforcement using OPA can help secure any kind of infrastructure, including Red Team architectures.


Introducing Custom Workspace Permissions
HashiCorp announced new Custom Workspace Permissions for Terraform Cloud. Terraform Cloud Organization owners can now specify custom permissions for each workspace using a newly designed UI.


CloudWatch Alarms
Someone figured out a way to make CloudWatch Alarms less confusing by ignoring the AWS documentation and describing them in their own words.


Azure Functions and App Service Authentication with Auth0 and other OpenID Connect providers
A walkthrough on how to integrate an OpenID Connect provider (Auth0) with Azure Functions.

Tools


AWS IAM Permissions Guardrails
A collection of SCPs that you can use to protect all accounts under your Organization.


AWS Incident Response
This project explores useful CloudTrail events that support incident response and detection of misconfigurations.


aks-checklist
The AKS Checklist is a (tentatively) exhaustive list of all the elements you need to think about when preparing a cluster for production. It is based on the commonly agreed Kubernetes best practices and on Microsoft's documented AKS Best Practices.


stash
Stash is a cloud native data backup and recovery solution for Kubernetes workloads.

From the cloud providers


AWS: AWS Security Hub launches new automated security controls
AWS Security Hub has released 7 new automated security controls for the AWS Foundational Security Best Practices standard and 12 new controls for PCI DSS.


AWS: Amazon Fraud Detector is now Generally Available
Amazon Fraud Detector is a fully managed service that makes it easy to identify potentially fraudulent online activities such as online payment fraud and the creation of fake accounts.


AWS: How to use resource-based policies in the AWS Secrets Manager console to securely access secrets across AWS accounts
AWS Secrets Manager now allows you to create and manage resource-based policies from the Secrets Manager console. At the same time, Secrets Manager can now identify and prevent the creation of resource policies that grant overly broad access to secrets across AWS accounts.


AWS: How to lower costs by automatically deleting and recreating HSMs
How to automate the deletion and recreation of HSMs when you do not have a requirement for high availability. Using this approach of deleting HSMs and restoring them from backups on a predefined schedule can help lower your monthly CloudHSM costs.


GCP: New Private Service Connect simplifies secure access to services
Google announced Private Service Connect in alpha, which allows you to create service endpoints in consumer VPCs that provide private connectivity and policy enforcement, allowing you to connect services across different networks and organizations. With Private Service Connect, traffic stays private and secure over Google's global network.


GCP: Authorization enforcement for Cloud Run
This article illustrates how to secure each REST operation exposed by services running on Cloud Run.


Azure: Kubernetes: Up and Running, Second Edition
Free Kubernetes O'Reilly e-book on the basics and getting started with Kubernetes.


Azure: Azure security best practices and patterns
Security best practices to use when designing, deploying, and managing cloud solutions on Azure.

Copyright © 2019-present The Cloud Security Reading List.