Release Date: 20/09/2020 | Issue: 55
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand curated by Marco Lancini.

This week's articles


What are these 'reserved' set of security-credentials in AWS?
#aws, #explain
An interesting post investigating instance-identity security credentials, which can be generated via the instance metadata service on every EC2 instance in AWS, even when no IAM role is attached to the instance.


Record AWS API calls to improve IAM Policies
#aws, #iam, #defend
Have you ever looked at an IAM policy and wondered: Is it really necessary to grant access to this specific action? CloudTrail can help here, but there is something better: Record API calls with Client Side Monitoring.


Exploring Cloud Trust Relationships: AWS
#aws, #explain
First in a series exploring how to map trust relationships in different cloud providers. This post looks at 11 different AWS security scanning tools and discusses some pros and cons of each.


Preventing malicious use of Weave Scope
#k8s, #defend
Intezer and Microsoft reported this week that TeamTNT hackers are using Weave Scope to aid their intrusions. As Weave Scope is an administration tool, it has powerful capabilities making it important for any installation to be secured. This blog covers both how Scope is used and how you can prevent it being misused by securing it in any Kubernetes installation.


Falco Default Rule Bypass
#k8s, #falco, #defend
Darkbit discovered a bypass for a Falco default rule, whereby cleverly named images running as privileged and/or mounting sensitive paths can avoid generating alerts. It is recommended to update your "falco_rules.yaml" to the latest version.


Falco Update: What's new in Falco?
#k8s, #falco, #explain
CNCF post describing the top five new features released in Falco 0.25 (like rules improvements, gRPC for alerts, and more).


Using AWS IoT for mutual TLS in a web application
#aws, #develop
Is there a way to support a client certificate-based "device trust" feature natively in AWS? Turns out you can use X.509 client certificates to authenticate your Chrome browser to AWS using AWS IoT.


Automate Secret Injection into CI/CD Workflows with the GitHub Action for Vault
#hashicorp, #vault, #ci/cd, #develop
The Vault GitHub Action allows you to take advantage of secrets sourced from your HashiCorp Vault infrastructure for things like static and dynamic secrets and inject these secrets into your GitHub workflows.


Managing HashiCorp Consul Access Control Lists with Terraform & Vault
#hashicorp, #terraform, #vault, #develop
How to generate dynamic Consul tokens with HashiCorp Vault and define access control lists (ACLs) as code using the Consul provider for Terraform.


HashiCorp Terraform Cloud Audit Logging with Splunk
#hashicorp, #terraform, #defend
Walkthrough of the integration of Terraform Cloud Audit Logging with Splunk.


Purchased Microsoft 365 E5, Now What?
#microsoft, #defend
The Microsoft 365 E5 suite is essentially a large bundle of products Microsoft offers for the enterprise environment, focused mostly on the security and compliance areas. Purchasing E5 licensing means an organization has unlocked many Microsoft products, and the common question afterwards is, "where do I start?".


How to Protect Office 365 with Azure Sentinel
#microsoft, #defend
Approaches to onboard Office 365 and related services into Azure Sentinel, and the benefit of the built-in solutions that a cloud-based SIEM brings.


CNCF End User Technology Radar - Continuous Delivery
#ci/cd, #develop
The CNCF End User Community was asked to describe what their companies recommend for different solutions: Adopt, Trial, Assess or Hold. This table shows how the End User companies rated each technology.

Tools


Announcing Kritis Signer
A new Kritis tool, Kritis Signer, has been released. It is a command-line tool that simplifies attestation creation for a container image.


iam-policies-cli
A CLI tool for building simple to complex IAM policies based on CloudFormation templates.


aws-lambda-api-call-recorder
Record all AWS SDK calls in NodeJS based Lambda functions, and analyze the data in Athena.


kubectl-fuzzy
kubectl-fuzzy uses an fzf(1)-like fuzzy finder to do partial or fuzzy searches of Kubernetes resources. Instead of specifying full resource names to kubectl commands, you can choose them from an interactive list that you can filter by typing a few characters.


whalescan
Whalescan is a vulnerability scanner for Windows containers, which performs several benchmark checks, as well as checking for CVEs/vulnerable packages on the container. It also checks the config and Docker files for misconfigurations.


syft
CLI tool and library for generating a Software Bill of Materials from container images and filesystems.

From the cloud providers


Using Gatekeeper as a drop-in Pod Security Policy replacement in Amazon EKS
Gatekeeper is emerging as the standard way to enforce preventative controls over what is allowed within Kubernetes clusters, including Amazon EKS.


Role-based access control using Amazon Cognito and an external identity provider
How to integrate Amazon Cognito with an external identity provider (IdP), demonstrated by deploying a demo web application that federates with the IdP via SAML 2.0.


Amazon S3 bucket owner condition helps to validate correct bucket ownership
Amazon S3 now provides bucket owner condition, allowing you to validate the AWS Account ID of the owner of an S3 bucket. Bucket owner condition helps you to easily verify that the S3 buckets that you interact with are owned by expected AWS Accounts.


AWS Single Sign-On adds account assignment APIs and AWS CloudFormation support to automate multi-account access management
AWS Single Sign-On (SSO) adds new account assignment APIs and AWS CloudFormation support to automate access across AWS Organizations accounts.


AWS Organizations now supports tagging, tag-on-create and Attribute-Based Access Control (ABAC)
It is now possible to attach tags to Organizational Units (OUs), the organization's root, and policies, enabling you to identify, classify, or categorize resources in an Organization.


Integrating AWS CloudFormation security tests with AWS Security Hub and AWS CodeBuild reports
Post introducing a method for integrating open source tools that find potentially insecure patterns in your AWS CloudFormation templates with both AWS Security Hub and AWS CodeBuild reports.


GCP-2020-012: Container escape CVE that affects GKE envs where pods have NET_RAW
A vulnerability was recently discovered in the Linux kernel, described in CVE-2020-14386, that may allow container escape to obtain root privileges on the host node. All GKE nodes are affected. Pods running in GKE Sandbox are not able to leverage this vulnerability.


New capabilities for Assured Workloads for Government
Customers who require FedRAMP Moderate support will also be able to leverage Assured Workloads, which is now generally available (GA).


Auto-launching Packet Mirroring for application monitoring
Tutorial showing how to use Cloud Logging, Pub/Sub, and Cloud Functions to auto-enable Packet Mirroring so that you can monitor and troubleshoot traffic flows in your Virtual Private Cloud (VPC) network.


Overview of load-balancing options in Azure
Interesting flowchart to help you choose load balancing options for your workloads.

Copyright © 2019-present The Cloud Security Reading List.