Release Date: 06/09/2020 | Issue: 53
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Hi everyone! With this issue (number 53) we are entering the second year of CloudSecList! 🎉
I would like to start with an experiment: in this issue I've added #tags alongside each article, and I would like your feedback: do you think they are useful? Or maybe not so much?
Please let me know on Twitter! 🙏

This week's articles

Tracking Moving Clouds: How to continuously track cloud assets with Cartography
#aws, #gke, #elastic, #cartography
How to leverage Cartography and Elasticsearch to continuously monitor all cloud assets in your estate and alert on any instance of drift. (Disclaimer: I did write this post).

Why You Should Enable GKE Shielded Nodes Today
#gcp, #k8s, #defense
When Shielded GKE Nodes are enabled, the GKE control plane cryptographically verifies that every node in the cluster is a virtual machine running in a managed instance group in Google's data center, and that the kubelet is only getting the certificate for itself. But Shielded GKE Nodes address a much bigger problem.

Privilege Escalation in AWS Elastic Kubernetes Service (EKS) by compromising the instance role of worker nodes
#aws, #k8s, #attack
Post discussing the risks of the AWS Instance Metadata service in AWS Elastic Kubernetes Service (EKS) clusters. In particular, it demonstrates that compromising a pod in the cluster can have disastrous consequences on resources in the AWS account if access to the Instance Metadata service is not explicitly blocked.

Intricacies of IAM Conditions
#gcp, #iam
In-depth look at some of the intricacies present when using IAM Conditions, with examples and tips to keep in mind when scoping out IAM roles.

How to share an encrypted SQS queue across an AWS Organizational Unit
#aws, #build
Article stepping through the problem and solution of using policy conditions to provide "just enough" access to services running in different accounts in an AWS organizational unit such as "dev", while encrypting data at rest.

Introducing GitHub Container Registry
#github, #announcement
GitHub Container Registry introduces easy sharing across organizations, fine-grained permissions, and free, anonymous downloads for public container images. Perfect timing, since many people started pondering alternatives to Docker Hub because of the limitations it recently announced.

How we threat model
#github, #process
High level summary of how Threat Models are handled at GitHub.

Secure at every step: What is software supply chain security and why does it matter?
#github, #process
High level post digging into what the term "software supply chain security" means, why it matters, and how you can help secure your project's supply chain.

Use HashiCorp Vault AWS engine with multiple accounts
#aws, #vault, #build
Post breaking down how the Vault secrets engine works and how to use it to dynamically create credentials across multiple AWS accounts using the assume_role feature.

Escalating to Domain Admin in Azure AD Domain Services
#azure, #attack
How to escalate to Domain Admin in Azure AD Domain Services (Microsoft's hosted Active Directory) leveraging Shay Ber's DNSAdmin trick. The interesting thing here is that customers are not supposed to have, or be able to obtain, Domain Admin rights.

Istio ingress controller as an API gateway
#istio, #k8s, #explain
Post discussing the Istio ingress gateway, and examining its feature set compared to typical API gateway features.

A Guide to Cloud Cost Optimization with HashiCorp Terraform
#terraform, #build
Interesting guide showing how to use Terraform to make budget compliance more automated.

Everything You Need to Know about Route 53 Resolver Query Logging
#aws, #explain
Post diving into the mechanics of how this new feature works.

Scaling Kubernetes Networking With EndpointSlices
#k8s, #explain
EndpointSlices are a new API that provides a scalable and extensible alternative to the Endpoints API. EndpointSlices track IP addresses, ports, readiness, and topology information for Pods backing a Service.

Gatekeeper v3.1.0
First stable release of Gatekeeper v3 is out!

Rules for Elastic Security's detection engine. Interesting to see a section dedicated to AWS, and another dedicated to Azure.

helm-freeze lets you declare the charts you want to use at a desired version and download them locally, so that they can be frozen/locked directly in your Git repository.

A collection of middleware for AWS lambda functions.

Minimal self-contained examples of standard Kubernetes features and patterns in YAML.

The GOV.UK repository for their Migration to AWS, open-sourcing their infrastructure and associated tooling.

From the cloud providers

Announcing the General Availability of Bottlerocket
AWS announced the General Availability of Bottlerocket, a new open source Linux-based Operating System (OS) purpose-built to run containers. Bottlerocket includes only the software needed to run containers and comes with a transactional update mechanism. AWS-provided Bottlerocket images are available for Amazon EKS (GA) and Amazon ECS (Preview).

How to use trust policies with IAM roles
How to use IAM roles to build trust policies that work at scale, providing guardrails to control access to resources in your organization.

Amazon CloudFront announces real-time logs
Amazon CloudFront now supports real-time log delivery of CloudFront access logs via Kinesis Data Streams. The real-time logs contain detailed information about viewer requests that CloudFront receives.

New third-party test compares Amazon GuardDuty to network intrusion detection systems
A new whitepaper is available that summarizes the results of tests by Foregenix comparing Amazon GuardDuty with network intrusion detection systems (IDS) on threat detection of network layer attacks.

Defense in depth using AWS Managed Rules for AWS WAF
How you can use recent enhancements in AWS WAF to manage a multi-layer web application security enforcement policy. The post is in two parts: the first part describes AWS Managed Rules for AWS WAF and how they can be used to provide defense in depth; the second part shows how to apply AWS Managed Rules for WAF.

© 2019-present The Cloud Security Reading List by SecurityBite LTD.