Release Date: 13/09/2020 | Issue: 54
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.

This week's articles


Security September: Escaping CodeBuild - The compromise that wasn't
#aws, #attack
Can you break out of the CodeBuild container? Where will you end up?


Abusing dynamic groups in Azure AD for privilege escalation
#azure, #attack
Blog presenting a new technique for escalating privileges within Azure environments through the abuse of dynamic groups in Azure Active Directory.


How To Enforce Kubernetes Network Security Policies Using OPA
#k8s, #defend, #opa
Deep-dive on how to enforce systematic Kubernetes network security policies with Open Policy Agent.


Monitoring Kubernetes in Production
#k8s, #defend
The challenges of monitoring Kubernetes, both the infrastructure platform and the running workloads, and an overview of Kubernetes monitoring tools.


Announcing the Sentinel Playground
#hashicorp, #announcement
HashiCorp introduced Sentinel Playground, which offers access to a zero-install development environment to learn and experiment with policy as code without having to install and maintain runtime environments on your own machines.


Making Sense of Kubernetes RBAC and IAM Roles on GKE
#k8s, #gcp, #explain
Interesting post exploring the relationship between Google Cloud IAM and Kubernetes RBAC.


Using HashiCorp Vault with Google Confidential Computing
#hashicorp, #vault, #gcp
HashiCorp Vault is now validated on Google Cloud Platform's Confidential Computing service. Confidential Computing allows HashiCorp Vault to operate in environments with resilient host-based security that adds additional protection through the use of memory encryption.


What's new in Kubernetes 1.19?
#k8s, #explain
Detailed list of what's new in Kubernetes 1.19. Of the 34 enhancements in this version, 10 are completely new, 8 are graduating to Stable, 2 are management changes on the Kubernetes project, and the other 14 are existing features that kept improving.


Discovering Running Pods By Using DNS and Headless Services in Kubernetes
#k8s, #explain
Post covering what headless services are, how they work, and how they integrate with DNS resolution.


Seccomp in Kubernetes — Part 3: The new syntax plus some Advanced topics
#k8s, #defend
Yet another post on mastering the art of creating seccomp profiles for your workloads, this time around covering the new Seccomp GA syntax and some other advanced topics.


Easier Troubleshooting of cert-manager Certificates
#k8s, #build
Post exploring the newest addition to the kubectl plugin of cert-manager, "kubectl cert-manager status certificate", a command designed to make the troubleshooting experience of cert-manager problems easier.


Puppet Assessment Techniques
#puppet, #attack
Blog post aiming to raise security awareness and summarize useful attack and audit techniques for an internal black-box and white-box infrastructure assessment of a Puppet Enterprise landscape.

Tools


cdkgoat
Vulnerable by Design AWS CDK repository.


cfngoat
Vulnerable by Design Cloudformation repository.


terragoat
Vulnerable by Design Terraform repository.


grype
A vulnerability scanner for container images and filesystems.


capsule
Capsule is a Kubernetes multi-tenant Operator. It aggregates multiple namespaces assigned to an organization or group of users in a lightweight abstraction called Tenant. Within each tenant, users are free to create their namespaces and share all the assigned resources between the namespaces of the tenant.

From the cloud providers


[AWS] Introducing the AWS Best Practices for Security, Identity, & Compliance Webpage and Customer Polling Feature
AWS released the Best Practices for Security, Identity, & Compliance webpage of the new AWS Architecture Center, containing recommendations for security design principles, workshops, and educational materials.


[AWS] Amazon EKS now supports assigning EC2 security groups to Kubernetes pods
EKS customers can now leverage EC2 security groups to secure applications with varying network security requirements on shared cluster compute resources. Network security rules that span pod to pod and pod to external AWS service traffic can be defined in a single place with EC2 security groups, and applied to individual pods and applications with Kubernetes native APIs.


[AWS] API Gateway HTTP APIs now supports Lambda and IAM authorization options
In addition to the previously supported OIDC/OAuth2 authorization option, it is now possible to secure Amazon API Gateway HTTP APIs using two new authorization options: Lambda authorizers and IAM authorizers.


[AWS] How to configure an LDAPS endpoint for Simple AD
How to configure an LDAPS (LDAP over SSL or TLS) encrypted endpoint for Simple AD so that you can extend Simple AD over untrusted networks.


[GCP] Expanding Google Cloud's Confidential Computing portfolio
Google expanded the Google Cloud Confidential Computing portfolio with the announcement of Confidential GKE Nodes and of Confidential VMs.


[GCP] Google Cloud API Gateway is now available in public beta
Google announced the beta of API Gateway, a fully-managed Google Cloud offering that lets you create, secure, and monitor APIs for your serverless workloads.


[GCP] Designing Secure Data Pipelines with VPC Service Controls
This blog post describes an example of how to build a data platform using Cloud Functions, Dataflow, Google Cloud Storage and BigQuery with VPC Service Controls.


[Azure] Azure DDoS Protection connector in Public Preview for Azure Sentinel
If you are using Azure DDoS Protection Standard, you can now ingest its data via a custom connector into your Azure Sentinel workspace.


[Azure] How to integrate vulnerability management in Azure Sentinel
Blog explaining how to ingest and analyse vulnerability data in Azure Sentinel. In the article, Tenable is used as an example, but the same approach can be used with any other Threat & Vulnerability Management (TVM) platform.


[Azure] Select an Azure data store for your application
Handy flowchart to select a candidate data store for any kind of workload.


[Azure] Choose an Azure compute service for your application
Interesting flowchart to help you to choose a compute service for your application.

Copyright © 2019-present The Cloud Security Reading List.