Release Date: 09/08/2020 | Issue: 49
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand curated by Marco Lancini.

This week's articles


Network access for private clusters
Very interesting article going into the problem of providing network connectivity between Kubernetes clusters and other internal tools (like deployment pipelines).


Certificate management on Istio
Post focusing on the differences an Istio service mesh makes to certificate management on Kubernetes. The primary difference is the method of solving the ACME HTTP-01 challenge, which involves routing an HTTP request from the ACME server (the Certificate Authority) to the cert-manager challenge solver pod.


Cloud Encryption is worthless! Click here to see why...
When evaluating your cloud security posture priorities, encryption should be at the bottom of your list. First, get your IAM house in order.


How we migrated Dropbox from Nginx to Envoy
Nice post from the Dropbox team, talking about the old Nginx-based traffic infrastructure, its pain points, and the benefits they gained by migrating to Envoy. They also briefly touch on the migration process, its current state, and some of the problems encountered on the way.


File Integrity Monitoring: Detecting suspicious file activity inside a container
Blog exploring suspicious file activity inside a container, as well as how to effectively implement a file integrity monitoring (FIM) workflow.


Implementing a GitOps UI with Spotify's Backstage
How to use Spotify's open source framework, Backstage, to create a GitOps plugin with a UI that can be offered through a developer portal.


GitHub Actions self-hosted runners on Google Cloud
Patterns for configuring and maintaining GitHub Actions self-hosted runners on Google Cloud.


Open Sourcing the etcd Security Audit
The etcd team has successfully completed a third-party security audit, performed by Trail of Bits. No major issue was found in the core components of etcd.


Sandboxing and Workload Isolation
Evaluation of a few different isolation techniques, with a focus on Firecracker.


Manage Active Directory Objects with the New Windows AD Provider for HashiCorp Terraform
HashiCorp announced the preview of a Windows Active Directory (AD) provider for Terraform. Windows administrators can now automate configuration of Active Directory and ease the management of enterprise systems.

Tools


AWS Exposable Resources
Repo maintaining a list of all AWS resources that can be publicly exposed, and eventually, those that can be shared with untrusted accounts.


CloudShell
Azure Cloud Shell is a browser-based shell environment which enables Azure customers to manage and configure their Azure services. It provides a host of tools, including Azure CLI, Azure PowerShell, Ansible, Terraform, Chef, Puppet Bolt, kubectl, and many more.


lsh
Run interactive shell commands on AWS Lambda.


kubefs
Mount Kubernetes metadata storage as a filesystem.


kip
Kip is a Virtual Kubelet provider that allows a Kubernetes cluster to transparently launch pods onto their own cloud instances. The kip pod runs on a cluster and creates a virtual Kubernetes node in that cluster.


CONVEX
CONVEX is a group of CTFs that are independently deployable into participant Azure environments.


dast-operator
dast-operator is a Kubernetes operator that leverages OWASP ZAP to perform automated basic web service security testing (DAST, dynamic application security testing).

From the cloud providers


AWS: Using Amazon GuardDuty to Protect Your S3 Buckets
The anomaly and threat detection for S3 activities that was previously available in Macie has now been enhanced and reduced in cost by over 80% as part of GuardDuty. This new capability enables GuardDuty to continuously monitor and profile S3 data access events and S3 configurations to detect suspicious activities.


AWS: Assess your security posture to identify and remediate security gaps susceptible to ransomware
The Self-Service Security Assessment is a CloudFormation template that includes a dedicated VPC with two subnets, one NAT Gateway, one EC2 instance, and one S3 bucket. Once deployed, open source projects Prowler and ScoutSuite are downloaded and installed within the EC2 instance and begin locally scanning AWS accounts using AWS APIs to run more than 256 point-in-time checks.


AWS: Logical Separation on AWS Whitepaper: Moving Beyond Physical Isolation in the Era of Cloud Computing
This paper examines the topic of logical separation for customers using AWS, discussing a multi-pronged approach to build logical security mechanisms that meet and often exceed the security results of physical separation and other on-premises security approaches.


AWS: Migrating your rules from AWS WAF Classic to the new AWS WAF
How to migrate your rules from AWS WAF Classic to the new AWS Web Application Firewall.


AWS: Best Practices for Securing Amazon EMR
This post walks you through some of the principles of Amazon EMR (a managed Hadoop framework) security, including encryption, authentication, and network access.


GCP: Preventing lateral movement in Google Compute Engine
To implement a defense-in-depth approach for Compute Engine, there are a few things you should do: isolate your production resources from the internet, disable the use of default service accounts, limit access to service account credentials, use OS Login to manage access to VMs, apply the principle of least privilege, and collect logs and monitor your system.


GCP: Introducing CAS: Securing applications with private CAs and certificates
Google announced Certificate Authority Service (CAS), a highly scalable and available service that simplifies and automates the management and deployment of private CAs.


Azure: Moving Windows Server to Microsoft Azure to Enable Compliance
Free e-book discussing how to manage compliance, privacy, and security when migrating Windows Server workloads to Azure.

Copyright © 2019-present The Cloud Security Reading List.