Release Date: 16/08/2020 | Issue: 50
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand curated by Marco Lancini.

This week's articles


Styra Academy
Free online course on Rego policy authoring which teaches how to enforce authorization policy across your cloud-native stack.


NIST Special Publication 800-207: Zero Trust Architecture
NIST released their view on Zero-Trust Architecture, with a document containing an abstract definition of zero trust architecture (ZTA), and giving general deployment models and use cases where zero trust could improve an enterprise's overall information technology security posture.


Anatomy of AWS Lambda
Article taking a closer look at the anatomy of AWS Lambda functions and the processes happening below the surface. If you are not super-familiar with Lambda, I highly recommend this post, which provides a very well-thought-out introduction.


Overcoming Terraform state locking issues with ECS tasks
Post explaining how the Simply Business team runs Terraform within AWS ECS tasks to overcome issues they encountered with Terraform's state file locking. Before starting a run, they check the status of running ECS tasks and of recently exited ones: only if no task belonging to the same project is found is the Terraform action (plan or apply) executed.
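The gating logic described above, written out as an added Python example (this is not Simply Business's code). It assumes each runner task carries an ECS tag named "tf-project" identifying the Terraform project it works on (the post does not give the real tag name), and treats a STOPPED task that exited within the last five minutes as still "recent". The sample tasks are constructed to stand in for describe_tasks output; fetch_tasks shows the boto3 calls you would use for real and is not executed offline.

```python
"""Gate a Terraform run on the state of other ECS runner tasks."""
from datetime import datetime, timedelta, timezone

PROJECT_TAG = "tf-project"            # assumed tag key naming the project
RECENT_WINDOW = timedelta(minutes=5)  # assumed grace period after a task exits
# ECS lifecycle states in which a task may still be holding the state lock.
LIVE_STATES = {"PROVISIONING", "PENDING", "ACTIVATING", "RUNNING",
               "DEACTIVATING", "STOPPING", "DEPROVISIONING"}


def task_project(task):
    """Project name from the task's tags, or None if the task is untagged."""
    for tag in task.get("tags", []):
        if tag.get("key") == PROJECT_TAG:
            return tag.get("value")
    return None


def conflicting_tasks(tasks, project, now):
    """Tasks for `project` that are still live, or stopped within RECENT_WINDOW."""
    conflicts = []
    for task in tasks:
        if task_project(task) != project:
            continue
        status = task.get("lastStatus")
        if status in LIVE_STATES:
            conflicts.append(task)
        elif status == "STOPPED":
            stopped_at = task.get("stoppedAt")  # tz-aware datetime from boto3
            if stopped_at is not None and now - stopped_at <= RECENT_WINDOW:
                conflicts.append(task)
    return conflicts


def may_run(tasks, project, now=None):
    """True when no other task for `project` could be holding the lock."""
    now = now or datetime.now(timezone.utc)
    return not conflicting_tasks(tasks, project, now)


def fetch_tasks(cluster):
    """Describe RUNNING and STOPPED tasks (with tags) via boto3. Not run offline."""
    import boto3
    ecs = boto3.client("ecs")
    arns = []
    for desired in ("RUNNING", "STOPPED"):
        pages = ecs.get_paginator("list_tasks").paginate(
            cluster=cluster, desiredStatus=desired)
        for page in pages:
            arns.extend(page["taskArns"])
    tasks = []
    for i in range(0, len(arns), 100):  # describe_tasks takes at most 100 ARNs
        resp = ecs.describe_tasks(cluster=cluster, tasks=arns[i:i + 100],
                                  include=["TAGS"])
        tasks.extend(resp["tasks"])
    return tasks


# Constructed sample data standing in for describe_tasks output.
NOW = datetime(2020, 8, 16, 12, 0, tzinfo=timezone.utc)


def _sample_task(name, status, project, stopped_at=None):
    task = {"taskArn": f"arn:aws:ecs:eu-west-1:123456789012:task/runners/{name}",
            "lastStatus": status,
            "tags": [{"key": PROJECT_TAG, "value": project}]}
    if stopped_at is not None:
        task["stoppedAt"] = stopped_at
    return task


SAMPLE_TASKS = [
    _sample_task("t1", "RUNNING", "billing"),
    _sample_task("t2", "STOPPED", "billing", NOW - timedelta(hours=1)),
    _sample_task("t3", "STOPPED", "web", NOW - timedelta(minutes=1)),
    _sample_task("t4", "RUNNING", "network"),
]

if __name__ == "__main__":
    for project in ("billing", "web", "network", "dns"):
        verdict = "run" if may_run(SAMPLE_TASKS, project, NOW) else "wait"
        print(f"{project}: {verdict}")
```

Two caveats worth keeping in mind: ECS only lists STOPPED tasks for a limited time after they exit (on the order of an hour), so the "recently exited" check cannot see further back than that; and a check-then-run gate is itself racy if two runners for the same project start within the same few seconds, so it complements rather than replaces the state backend's own lock.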


Request Affinity with Istio
The Cash App team explains how deterministic load balancing of requests with Istio helped them greatly improve performance and stability for one of their unusual services.


Using Splunk to Detect Abuse of AWS Permanent and Temporary Credentials
How to use Splunk to detect an attacker abusing permanent or temporary credentials in your AWS accounts.
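The correlation idea behind this kind of detection, as an added example in Python rather than Splunk's SPL (this is not the post's own search logic). It applies two rules over CloudTrail events: a temporary key (ASIA prefix) used from a source IP other than the one that obtained it through STS, and a permanent key (AKIA prefix) used from an IP it has never been seen from before. The events are constructed for the example, with documentation-style example key IDs and IP addresses.

```python
"""Correlate CloudTrail events to spot AWS credential abuse."""
import json

# STS calls whose responseElements carry the freshly minted access key ID.
ISSUING_EVENTS = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity",
                  "GetSessionToken", "GetFederationToken"}

# Constructed CloudTrail events (one JSON object per line), in time order.
SAMPLE_LOG = """\
{"eventTime": "2020-08-14T09:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAEXAMPLE22222222"}, "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE11111111"}}}
{"eventTime": "2020-08-14T09:00:05Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE11111111"}}
{"eventTime": "2020-08-14T09:02:00Z", "eventSource": "lambda.amazonaws.com", "eventName": "Invoke", "sourceIPAddress": "lambda.amazonaws.com", "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE11111111"}}
{"eventTime": "2020-08-14T09:41:00Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue", "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE11111111"}}
{"eventTime": "2020-08-14T09:42:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.77", "userIdentity": {"type": "IAMUser", "userName": "deploy", "accessKeyId": "AKIAEXAMPLE22222222"}}
"""


def load_events(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def issued_key(event):
    """Access key ID minted by an STS issuing event, else None."""
    if (event.get("eventSource") != "sts.amazonaws.com"
            or event.get("eventName") not in ISSUING_EVENTS):
        return None
    creds = (event.get("responseElements") or {}).get("credentials") or {}
    return creds.get("accessKeyId")


def detect(events):
    """Return alert dicts for the two rules; events must be in time order."""
    origin = {}    # temporary key -> IP that obtained it (or first used it)
    seen_ips = {}  # permanent key -> set of IPs it has been used from
    alerts = []
    for ev in events:
        ip = ev["sourceIPAddress"]
        minted = issued_key(ev)
        if minted:
            origin[minted] = ip
        key = (ev.get("userIdentity") or {}).get("accessKeyId")
        # Skip events with no key, and calls an AWS service makes on your behalf
        # (sourceIPAddress is then a service hostname, not an address).
        if not key or ip.endswith(".amazonaws.com"):
            continue
        base = {"eventTime": ev["eventTime"], "eventName": ev["eventName"],
                "accessKeyId": key, "seenIp": ip}
        if key.startswith("ASIA"):
            expected = origin.get(key)
            if expected is None:
                origin[key] = ip  # issued outside our window: baseline on first use
            elif ip != expected:
                alerts.append(dict(base, rule="temporary-key-ip-mismatch",
                                   expectedIp=expected))
        elif key.startswith("AKIA"):
            known = seen_ips.setdefault(key, set())
            if known and ip not in known:
                alerts.append(dict(base, rule="permanent-key-new-ip",
                                   knownIps=sorted(known)))
            known.add(ip)
    return alerts


def run_sample():
    """Run the detector over the constructed log."""
    return detect(load_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

Source-IP correlation is cheap but noisy: clients behind changing NAT addresses, mobile users and role chaining across accounts all move a key between addresses legitimately, so treat these alerts as a trigger for enrichment (user agent, region, API mix) rather than as a verdict.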


Abusing AWS Connection Tracking
How to abuse connection tracking in AWS to keep an already established connection to a host alive, even after a more restrictive security group is applied as part of incident response.


GitHub Availability Report: July 2020
Lessons learned from an incident that left GitHub.com in a degraded state of availability. In this case, a container was configured with an imagePullPolicy of Always, which instructs Kubernetes to fetch the container image every time the Pod starts. Because of a routine DNS maintenance operation completed earlier, clusters were unable to reach the registry, so Pods failed to start.


New AWSCompromisedKeyQuarantine policy
Very interesting new managed IAM policy named "AWSCompromisedKeyQuarantine". As pointed out by Scott Piper, it looks like the same policy has been applied to folks who ended up with an access key exposed on GitHub.


A few thoughts on the $80 million fine from the Capital One Breach
Useful thread from Kinnaird, regarding the $80 million fine from the Capital One Breach. The best section for me: "Many orgs will put a lot of thought into the privileges behind their user roles, but not nearly enough behind their machine roles".


Zero-trust CI/CD with GitLab and Cloudflare Access
Walkthrough using Cloudflare Access and Argo Tunnel to add a zero trust security layer to GitLab.


Automate registry scanning with Harbor & Sysdig
How to transparently automate image scanning on every push to a Harbor registry.


Getting Started with Kubernetes - etcd
A great 101 on getting started with etcd, from the Alibaba team.


Introducing ebpf.io - Learn everything about eBPF
eBPF is a revolutionary technology that can run sandboxed programs in the Linux kernel without changing kernel source code or loading kernel modules. This new website aims to be a hub for documentation, tutorials, reference guides, and more.

Tools


Cloudkeeper - Housekeeping for Clouds
Cloudkeeper is a standalone CLI tool that periodically collects a list of resources in cloud accounts, provides metrics about them, and can clean them up.


AWS Auto Remediate
Open source application to instantly remediate common security issues through the use of AWS Config.


GitHub Action for Azure Policy Compliance Scan
It is now possible to trigger on-demand Azure policy compliance evaluations from GitHub workflows.


k8s-snapshots
k8s-snapshots creates and expires snapshots according to annotations on your PersistentVolume or PersistentVolumeClaim resources.


Goldpinger
Debugging tool for Kubernetes which tests and displays connectivity between nodes in the cluster. It runs as a DaemonSet on Kubernetes and produces Prometheus metrics that can be scraped, visualised and alerted on.


Dostainer - Kubernetes Resource Exhaustion PoC Container
Container bundling some cluster-internal Kubernetes DoS attacks that can be used to demonstrate resource exhaustion from within a Kubernetes cluster.

From the cloud providers


AWS: Quickly build STIG-compliant Amazon Machine Images using Amazon EC2 Image Builder
How to build a golden Windows operating system image that follows the Security Technical Implementation Guides (STIGs) compliance guidelines using Amazon EC2 Image Builder.


AWS: Automate Amazon Athena queries for PCI DSS log review using AWS Lambda
How to use AWS Lambda to automate PCI DSS (v3.2.1) evidence generation, and daily log review to assist with your ongoing PCI DSS activities.


AWS: AWS Lambda now provides IAM condition keys for VPC settings
You can now govern the VPC settings of your Lambda functions using IAM condition keys. With these condition keys, you can enforce that users only deploy functions that are connected to a VPC, and only to approved subnets and security groups.


GCP: Achieve least privilege with less effort using IAM Recommender
IAM Recommender is now generally available to provide in-context and actionable changes to IAM policies that move your project towards least privilege.


GCP: Google Cloud security best practices center
Best practices providing specific, informed guidance on helping secure Google Cloud deployments and describing recommended configurations, architectures, suggested settings, and other operational advice.


GCP: Logs-based Security Alerting in Google Cloud: Detecting attacks in Cloud Identity
Series of blog posts covering some cloud-native technologies you can use to detect security threats and alert on logs in Google Cloud. The end result is an end-to-end logs-based security alerting pipeline in GCP.


GCP: Now it's personal: Containerizing Java applications with Jib
When it comes to building Docker images for Java applications, Jib can turn any Java app into a space-efficient, optimized container image. Google has now introduced the Jib Plugin Extension Framework, which allows you to tweak every aspect of the image you want to build.


Azure: Monitoring Azure Kubernetes Service (AKS) with Azure Sentinel
How to use Azure Sentinel to monitor your AKS clusters for security incidents, with a particular focus on the detection sources you can integrate into Sentinel: Azure Security Center (ASC) AKS threat protection, Azure Diagnostics logs, and third-party tool alert integration.


Azure: Ingesting log files from AWS S3 using AWS Lambda
How to create an AWS Lambda function running PowerShell that ingests log files from an S3 bucket into Azure Sentinel.


Azure: Azure Database for MySQL data encryption with a customer-managed key
Data encryption with customer-managed keys for Azure Database for MySQL enables you to bring your own key (BYOK) for data protection at rest.

Copyright © 2019-present The Cloud Security Reading List.