Release Date: 06/09/2020 | Issue: 53
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Hi everyone! With this issue (number 53) we are entering the second year of CloudSecList! 🎉
I would like to start with an experiment: in this issue I've added #tags alongside each article, and I would like your feedback: do you think they are useful? Or maybe not so much?
Please let me know on Twitter! 🙏

This week's articles


Tracking Moving Clouds: How to continuously track cloud assets with Cartography
How to leverage Cartography and Elasticsearch to continuously monitor all cloud assets in your estate and alert on any instance of drift. (Disclaimer: I did write this post).   #aws   #gke   #elastic   #cartography


Why You Should Enable GKE Shielded Nodes Today
When Shielded GKE Nodes is enabled, the GKE control plane cryptographically verifies that every node in the cluster is a virtual machine running in a managed instance group in Google's data center and that the kubelet is only getting the certificate for itself. But Shielded GKE Nodes addresses a much bigger problem.   #gcp   #k8s   #defense


Privilege Escalation in AWS Elastic Kubernetes Service (EKS) by compromising the instance role of worker nodes
Post discussing the risks of the AWS Instance Metadata service in AWS Elastic Kubernetes Service (EKS) clusters. In particular, it demonstrates that compromising a pod in the cluster can have disastrous consequences on resources in the AWS account if access to the Instance Metadata service is not explicitly blocked.   #aws   #k8s   #attack


Intricacies of IAM Conditions
In-depth look at some of the intricacies present when using IAM Conditions, with examples and tips to keep in mind when scoping out IAM roles.   #gcp   #iam


How to share an encrypted SQS queue across an AWS Organizational Unit
Article stepping through the problem and solution of using policy conditions to provide "just enough" access to services running in different accounts in an AWS organizational unit such as "dev", while encrypting data at rest.   #aws   #build


Introducing GitHub Container Registry
GitHub Container Registry introduces easy sharing across organizations, fine-grained permissions, and free, anonymous downloads for public container images. Perfect timing, since many people have started looking for alternatives to DockerHub because of the limitations it recently announced.   #github   #announcement


How we threat model
High level summary of how Threat Models are handled at GitHub.   #github   #process


Secure at every step: What is software supply chain security and why does it matter?
High level post digging into what the term "software supply chain security" means, why it matters, and how you can help secure your project's supply chain.   #github   #process


Use HashiCorp Vault AWS engine with multiple accounts
Post breaking down how the Vault secrets engine works and how to use it to dynamically create credentials across multiple AWS accounts using the assume_role feature.   #aws   #vault   #build


Escalating to Domain Admin in Azure AD Domain Services
How to escalate to Domain Admin in Azure AD Domain Services (Microsoft's hosted Active Directory) leveraging Shay Ber's DNSAdmin trick. The interesting thing here is that customers are not supposed to have, or be able to obtain, Domain Admin rights.   #azure   #attack


Istio ingress controller as an API gateway
Post discussing the Istio ingress gateway, and examining its feature set compared to typical API gateway features.   #istio   #k8s   #explain


A Guide to Cloud Cost Optimization with HashiCorp Terraform
Interesting guide showing how to use Terraform to make budget compliance more automated.   #terraform   #build


Everything You Need to Know about Route 53 Resolver Query Logging
Post diving into the mechanics of how this new feature works.   #aws   #explain


Scaling Kubernetes Networking With EndpointSlices
EndpointSlices are a new API that provides a scalable and extensible alternative to the Endpoints API. EndpointSlices track IP addresses, ports, readiness, and topology information for Pods backing a Service.   #k8s   #explain

Tools


Gatekeeper v3.1.0
First stable release of Gatekeeper v3 is out!


detection-rules
Rules for Elastic Security's detection engine. Interesting to see a section dedicated to AWS, and another dedicated to Azure.


helm-freeze
helm-freeze helps you to declare the charts you want to use in a desired version and download them locally. This lets you freeze/lock them directly in your Git repository.


lambda-middleware
A collection of middleware for AWS lambda functions.


kubernetes-examples
Minimal self-contained examples of standard Kubernetes features and patterns in YAML.


govuk-aws
The GOV.UK repository for their Migration to AWS, open-sourcing their infrastructure and associated tooling.

From the cloud providers


#AWS   Announcing the General Availability of Bottlerocket
AWS announced the General Availability of Bottlerocket, a new open source Linux-based Operating System (OS) purpose-built to run containers. Bottlerocket includes only the software needed to run containers and comes with a transactional update mechanism. AWS-provided Bottlerocket images are available for Amazon EKS (GA) and Amazon ECS (Preview).


#AWS   How to use trust policies with IAM roles
How to use IAM roles to build trust policies that work at scale, providing guardrails to control access to resources in your organization.


#AWS   Amazon CloudFront announces real-time logs
Amazon CloudFront now supports real-time log delivery of CloudFront access logs via Kinesis Data Streams. The real-time logs contain detailed information about viewer requests that CloudFront receives.


#AWS   New third-party test compares Amazon GuardDuty to network intrusion detection systems
A new whitepaper is available that summarizes the results of tests by Foregenix comparing Amazon GuardDuty with network intrusion detection systems (IDS) on threat detection of network layer attacks.


#AWS   Defense in depth using AWS Managed Rules for AWS WAF
How you can use recent enhancements in AWS WAF to manage a multi-layer web application security enforcement policy. The post is in two parts. This first part describes AWS Managed Rules for AWS WAF and how it can be used to provide defense in depth. The second part shows how to apply AWS Managed Rules for WAF.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini