Release Date: 04/10/2020 | Issue: 57
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand curated by Marco Lancini.

This week's articles

EKS Pod Identity Webhook Deep-Dive
#aws, #explain
Really interesting deep dive on the EKS Pod Identity Webhook (gives IAM roles to pods) to understand how it works, specifically for non-EKS clusters.

AWS Access Key ID formats
#aws, #explain
@__steele figured out the encoding for most AWS access key IDs, but there are some exceptions.

AWS IAM explained for Red and Blue teams
#aws, #explain
Article trying to shine some light on IAM, as well as some ways to enumerate it with different tools.

Exploiting fine-grained AWS IAM permissions for total cloud compromise: a real world example
#aws, #attack
Real case study of how to enumerate and use IAM permissions to your advantage. It covers manually enumerating IAM policies and roles, as well as automated tools that can do it for you (part 1, part 2).

Offensive Terraform Modules
#aws, #attack
Collection of (automated) offensive attack modules defined as Infrastructure as Code (IAC).

Fitness Validation For Your Kubernetes Apps: Policy As Code
#k8s, #opa, #build
A hands-on coding journey to implement "Policy As Code" and validate the fitness of your Kubernetes Application against the cluster policies.

Enforce Ingress Best Practices Using OPA
#k8s, #opa, #build
How to define policies that ensure that no bad Ingress definitions will be deployed to a Kubernetes cluster.
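To make the "policy as code" idea of the two OPA items above concrete, here is an added example of an OPA admission policy for Ingress objects. It is written for this newsletter, not taken from either linked article or from the OPA project, and it assumes the usual OPA-on-Kubernetes wiring: OPA runs as a validating admission webhook and receives the AdmissionReview as `input`, and existing Ingresses are replicated into `data.kubernetes.ingresses[namespace][name]` by kube-mgmt. The three rules (every host needs TLS, a host may be claimed by only one Ingress cluster-wide, hosts must stay under a per-namespace domain) and the `allowed_suffix` map are choices made for the example; the map is constructed data that would normally be loaded into OPA rather than hard-coded in the policy. Syntax is the Rego of the OPA releases current at the time (no `if`/`contains` keywords).

```rego
package kubernetes.admission

# Added example, not the articles' own policy. Assumes kube-mgmt replicates
# existing Ingress objects into data.kubernetes.ingresses[namespace][name].
import data.kubernetes.ingresses

# Constructed allowlist (assumption): which DNS suffix each namespace may use.
# Namespaces without an entry are not restricted by rule 3 below.
allowed_suffix := {
    "team-a": ".team-a.example.com",
    "team-b": ".team-b.example.com",
}

# Only look at Ingress creates and updates; everything else is admitted.
is_ingress {
    input.request.kind.kind == "Ingress"
    input.request.operation == {"CREATE", "UPDATE"}[_]
}

# Rule 1: every host in spec.rules must be covered by a spec.tls entry.
deny[msg] {
    is_ingress
    ing := input.request.object
    host := ing.spec.rules[_].host
    not tls_covers(host)
    msg := sprintf("ingress %v/%v: host %q is not covered by a TLS entry",
                   [input.request.namespace, ing.metadata.name, host])
}

tls_covers(host) {
    input.request.object.spec.tls[_].hosts[_] == host
}

# Rule 2: a host may be claimed by only one Ingress across the cluster.
# The object being updated is excluded so that updates to itself are allowed.
deny[msg] {
    is_ingress
    some other_ns, other_name
    host := input.request.object.spec.rules[_].host
    other := ingresses[other_ns][other_name]
    other.spec.rules[_].host == host
    not same_ingress(other_ns, other_name)
    msg := sprintf("host %q is already served by ingress %v/%v",
                   [host, other_ns, other_name])
}

same_ingress(ns, name) {
    ns == input.request.namespace
    name == input.request.object.metadata.name
}

# Rule 3: hosts must stay under the domain allowed for the namespace.
deny[msg] {
    is_ingress
    host := input.request.object.spec.rules[_].host
    suffix := allowed_suffix[input.request.namespace]
    not endswith(host, suffix)
    msg := sprintf("host %q is outside the domain allowed for namespace %q (%v)",
                   [host, input.request.namespace, suffix])
}
```

The webhook denies the request whenever `data.kubernetes.admission.deny` is non-empty, and the messages are what the user sees from `kubectl`. Before deploying, the policy can be exercised offline against a saved AdmissionReview with `opa eval -i admission.json -d policy.rego 'data.kubernetes.admission.deny'`; rule 2 will only fire in that setting if you also load a data file under `kubernetes.ingresses` standing in for what kube-mgmt would replicate.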

Fancy privileged Docker container escapes
#docker, #explain, #attack
Slides from a talk deep diving into namespaces, cgroups, capabilities, seccomp, and AppArmor/SELinux.

Detecting Microsoft 365 and Azure Active Directory Backdoors
#azure, #defend
Mandiant study regarding an uptick in incidents involving Microsoft 365 (M365) and Azure Active Directory (Azure AD). Most of these incidents are the result of a phishing email coercing a user to enter their credentials used for accessing M365 into a phishing site.

Artifactory Hacking guide
#saas, #attack
Guide containing pentest notes regarding JFrog Artifactory, useful to understand some of the attacks that can be performed against it.

Docker Open Sources Compose for Amazon ECS and Microsoft ACI
#docker, #announcement
Docker open sourced the code for the Amazon ECS and Microsoft ACI Compose integrations. This is the first time Docker has made Compose available for the cloud: developers can take the Compose projects they were running locally and deploy them to the cloud simply by switching context.

How to monitor Istio, the Kubernetes service mesh
#k8s, #istio, #defend
How to deploy and monitor Istio in a Kubernetes cluster to connect, secure, and configure advanced routing for microservices.

Envoy Proxy on Windows Containers
#microsoft, #build
The Envoy proxy project recently announced an Alpha version for the Windows platform, together with instructions on how to take part in the Windows Alpha.

GitHub code scanning is now available
#github, #announcement, #build
GitHub code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production. And it is free for public repositories.

Rootless containers with Podman: The basics
#docker, #explain, #build
Article explaining the benefits of using containers and Podman (a daemonless, open source, Linux-native tool that provides a command-line interface similar to the docker container engine), introducing rootless containers and why they are important, and then showing how to use rootless containers with Podman with an example.

A Linux sysadmin's introduction to cgroups
#docker, #explain
First article of a four-part series on cgroups and resource management, defining what cgroups are and how they help with resource management and performance tuning.

Introducing API Shield
#cloudflare, #announcement, #defend
Post from Cloudflare introducing "API Shield", a free offering to secure APIs through the use of strong client certificate-based identity and strict schema-based validation.

Tools

Kubernetes utility for observing the current versions of images running in the cluster, as well as the latest available upstream. These checks get exposed as Prometheus metrics to be viewed on a dashboard, or soft alert cluster operators.

Kubei is a vulnerabilities scanning tool that allows users to get a risk assessment of their kubernetes clusters. Kubei scans all images that are being used in a Kubernetes cluster, including images of application pods and system pods.

Script to automate initial triage/enumeration on a set of AWS keys. The goal is to speed up and automate the manual steps of running AWS CLI commands to determine whether these keys in question are valid and if so what those keys have access to.

Script that allows to create on demand disposable OpenVPN endpoints on AWS.

Tool which shows which Profiles in a Salesforce instance have become desynced from an Organization in terms of password and session policies, highlighting any deviations.

kconnect is a CLI utility that can be used to discover and securely access Kubernetes clusters across multiple operating environments.

An initiative to share cloud templates and scripts to deploy network environments to simulate adversaries, generate/collect data and learn more about adversary tradecraft from a defensive perspective.

From the cloud providers

Amazon S3 Update: Three New Security & Access Control Features
AWS launched security & access control features designed to give you even more control and flexibility over S3: Object Ownership (you can now ensure that newly created objects within a bucket have the same owner as the bucket), Bucket Owner Condition (you can now confirm the ownership of a bucket when you create a new object or perform other S3 operations), Copy API via Access Points (you can now access S3's Copy API through an Access Point).

Anomaly Detection and alerting now available in AWS Cost Management
To help better control costs and save time in investigating anomalous spend, AWS announced the launch of Cost Anomaly Detection (Preview). This blog post walks through how to enable this function.

Enhance programmatic access for IAM users using a YubiKey for multi-factor authentication
How to use a YubiKey token for MFA with the AWS Command Line Interface (AWS CLI) to create temporary credentials with the permissions that developers need to perform tasks.

Design patterns to access cross-account secrets stored in AWS Secrets Manager
This post discusses cross-account design options and considerations for managing Amazon RDS secrets that are stored in AWS Secrets Manager.

How to get read-only visibility into the AWS Control Tower console
How to create a custom permission set to get (read-only) visibility into the AWS Control Tower console, while still enforcing the principle of least privilege.

Isolating network access to your AWS Cloud9 environments
How to create isolated AWS Cloud9 environments for your developers without requiring ingress (inbound) access from the internet.

All together now: Fleet-wide monitoring for your Compute Engine VMs
Cloud Monitoring now gives you zero-config, out-of-the-box visibility into your entire Compute Engine VM fleet, with quick access to advanced Monitoring features such as installing the Cloud Monitoring agent and configuring fleetwide alerts.

Azure TLS certificate changes
Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates do not comply with one of the CA/Browser Forum Baseline requirements.

Watching the Watchers: Monitoring Azure Sentinel Query Activity for Malicious Activity
A new feature was recently added to Log Analytics (the technology that underpins Azure Sentinel's log storage and query capabilities) that allows you to capture an audit log of all queries run against a workspace.

Auditing Azure Sentinel activities
How you can audit your organization's SOC if you are using Azure Sentinel and how to get the visibility you need with regard to what activities are being performed within your Sentinel environment.

Moving Windows Server to Microsoft Azure to Enable Compliance
How to facilitate regulatory compliance when you migrate your Windows Server workloads to Azure.

Security capabilities in Azure Kubernetes Service on Azure Stack HCI
Post describing the security capabilities of Azure Kubernetes on Azure Stack HCI (AKS-HCI), an on-premises implementation of AKS.

Copyright © 2019-present The Cloud Security Reading List.