Release Date: 23/08/2020 | Issue: 51
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand curated by Marco Lancini.

This week's articles


Introducing Policy As Code: The Open Policy Agent (OPA)
CNCF deep-dive series on how to use Open Policy Agent to unify security policy enforcement across your entire set of Kubernetes clusters.


Attacking Azure & Azure AD, Part II
New post on attacking AzureAD Service Principals, Intune, and documenting an Azure Logic App primitive. Also introducing the complete re-write of PowerZure.


Death from Above: Lateral Movement from Azure to On-Prem AD
Post explaining what Hybrid Azure Join is, target enumeration, and how to abuse Intune/Endpoint Manager to execute code as SYSTEM on target systems.


Terraform Cloud Agents
How to set up Terraform Cloud Agents and run configurations in on-prem environments without any firewall rule modifications.


Logging in Kubernetes: EFK vs PLG Stack
Article going through two popular stacks - EFK (Elasticsearch) and PLG (Loki) - to understand their architecture and differences.


Simplify Kubernetes Resource Access Control using RBAC Impersonation
Tutorial proposing a way to "mimic" group memberships using stock Kubernetes authorization features.


Monitoring AWS Lambda with Prometheus and Sysdig
How to monitor AWS Lambda by leveraging existing Prometheus ingestion with Sysdig.


Connect Kubernetes Applications to Azure Resources with Managed Service Identities
How to authenticate an application running in a Kubernetes cluster to Azure resources through Managed Service Identities (MSI), without having to pass around any secret data.


Authenticating to GKE without gcloud
If you're using Google Kubernetes Engine and deploying to it from headless environments like CI/CD, you're probably installing the gcloud command-line tool (perhaps every time you run a build). This post shows that there's a way to authenticate to GKE clusters without the gcloud CLI!


How to Dump OOMKilled Process on Kubernetes
How to dump the memory of a process before it gets "OOMKilled", with docker-preoomkiller.


Announcing New Collections on HashiCorp Learn
HashiCorp Learn has been redesigned to improve performance and provide better tools for navigation and content discovery, which includes reorganizing content from simple learning tracks to more flexible collections, with their own landing pages.

Tools


Krane
Krane is a simple Kubernetes RBAC static analysis tool. It identifies potential security risks in K8s RBAC design and makes suggestions on how to mitigate them.


SkyArk
SkyArk focuses on mitigating the new threat of Cloud Shadow Admins in AWS and Azure, and helps organizations to discover, assess and protect cloud privileged entities.


rego-policies
Collection of Rego policies.


Vector
A lightweight and ultra-fast router for building observability pipelines. Compared to Logstash and friends, Vector improves throughput by ~10X while significantly reducing CPU and memory usage.


Dragonfly
Dragonfly is an open source intelligent P2P based image and file distribution system. Its goal is to tackle distribution problems in cloud native scenarios.


http-desync-guardian
An anti-desync Rust library developed at AWS, designed to analyze HTTP requests to prevent HTTP Desync attacks while balancing security and availability. It classifies requests into different categories and provides recommendations on how each tier should be handled.


kube-fluentd-operator
Auto-configuration of Fluentd daemon-set based on Kubernetes metadata.

From the cloud providers


AWS: Introducing the AWS Controllers for Kubernetes (ACK)
AWS Controllers for Kubernetes (ACK) is a new tool that lets you directly manage AWS services from Kubernetes. ACK makes it simple to build scalable and highly-available Kubernetes applications that utilize AWS services. ACK is available as a developer preview on GitHub.


AWS: Securing resource tags used for authorization using a service control policy in AWS Organizations
How you can use attribute-based access controls (ABAC) in AWS to help provision simple, maintainable access controls to different projects, teams, and workloads as your organization grows.


AWS: Certificate Authority now supports Private CA sharing
AWS Certificate Manager (ACM) Private Certificate Authority (CA) now supports sharing a Private CA with any AWS account or within your organization. This eliminates the need to provision duplicate resources in every account in a multi-account environment, reducing the cost and complexity of managing those resources in every account.


AWS: Privacy conscious cloud migrations: mapping the AWS Cloud Adoption Framework to the NIST Privacy Framework
This post will help you make privacy-conscious cloud migration decisions by mapping the National Institute of Standards and Technology (NIST) Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management (NIST Privacy Framework) to the AWS Cloud Adoption Framework (AWS CAF).


GCP: New GKE Dataplane V2 increases security and visibility for containers
Introducing GKE Dataplane V2, a dataplane that harnesses the power of eBPF and Cilium, an open source project that makes the Linux kernel Kubernetes-aware using eBPF.


GCP: GKE best practices: Day 2 operations for business continuity
Recommendations and best practices to help the applications running on your GKE cluster to stay happy and healthy.


GCP: Assess the security of Cloud deployments with InSpec for GCP
InSpec-GCP version 1.0 is now generally available, and two new Chef InSpec profiles have been released, containing controls for GCP CIS Benchmark version 1.1.0 and the PCI DSS version 3.2.1.


GCP: 21 new ways we're improving observability with Cloud Ops
Google added 21 new features to Cloud Operations, the observability suite launched earlier this year, which gives you access to operations capabilities directly from the Google Cloud Console.


GCP: Understanding IP address management in GKE
An under-the-hood look at how IP addressing works in GKE, some common IP addressing problems, and the GKE features that help solve them.

Copyright © 2019-present The Cloud Security Reading List.