Release Date: 04/10/2020 | Issue: 57
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

This week's articles


EKS Pod Identity Webhook Deep-Dive
Really interesting deep dive on the EKS Pod Identity Webhook (gives IAM roles to pods) to understand how it works, specifically for non-EKS clusters.   #aws   #explain


AWS Access Key ID formats
@__steele figured out the encoding for most AWS access key IDs, but there are some exceptions.   #aws   #explain


AWS IAM explained for Red and Blue teams
Article trying to shine some light on IAM, as well as some ways to enumerate it with different tools.   #aws   #explain


Exploiting fine-grained AWS IAM permissions for total cloud compromise: a real world example
Real case study of how to enumerate and use IAM permissions to your advantage. It covers manually enumerating IAM policies and roles, as well as automated tools that can do it for you (part 1, part 2).   #aws   #attack


Offensive Terraform Modules
Collection of (automated) offensive attack modules defined as Infrastructure as Code (IAC).   #aws   #attack


Fitness Validation For Your Kubernetes Apps: Policy As Code
A hands-on coding journey to implement "Policy As Code" and validate the fitness of your Kubernetes Application against the cluster policies.   #k8s   #opa   #build


Enforce Ingress Best Practices Using OPA
How to define policies that ensure that no bad Ingress definitions will be deployed to a Kubernetes cluster.   #k8s   #opa   #build


Fancy privileged Docker container escapes
Slides from a talk deep diving into namespaces, cgroups, capabilities, seccomp, and AppArmor/SELinux.   #docker   #explain   #attack


Detecting Microsoft 365 and Azure Active Directory Backdoors
Mandiant study regarding an uptick in incidents involving Microsoft 365 (M365) and Azure Active Directory (Azure AD). Most of these incidents are the result of a phishing email coercing a user to enter their credentials used for accessing M365 into a phishing site.   #azure   #defend


Artifactory Hacking guide
Guide containing pentest notes regarding JFrog Artifactory, useful to understand some of the attacks that can be performed against it.   #saas   #attack


Docker Open Sources Compose for Amazon ECS and Microsoft ACI
Docker open sourced the code for the Amazon ECS and Microsoft ACI Compose integrations. This is the first time that Docker has made Compose available for the cloud, allowing developers to take the Compose projects they were running locally and deploy them to the cloud by simply switching context.   #docker   #announcement


How to monitor Istio, the Kubernetes service mesh
How to deploy and monitor Istio in a Kubernetes cluster to connect, secure, and configure advanced routing for microservices.   #k8s   #istio   #defend


Envoy Proxy on Windows Containers
Recently the Envoy proxy announced the Alpha version for the Windows platform! You can find the announcement here and the instructions to take part in the Windows Alpha here.   #microsoft   #build


GitHub code scanning is now available
GitHub code scanning is a developer-first, GitHub-native approach to easily find security vulnerabilities before they reach production. And it is free for public repositories.   #github   #announcement   #build


Rootless containers with Podman: The basics
Article explaining the benefits of using containers and Podman (a daemonless, open source, Linux-native tool that provides a command-line interface similar to the docker container engine), introducing rootless containers and why they are important, and then showing how to use rootless containers with Podman with an example.   #docker   #explain   #build


A Linux sysadmin's introduction to cgroups
First article of a four-part series covering cgroups and resource management, defining cgroups and how they help with resource management and performance tuning.   #docker   #explain


Introducing API Shield
Post from Cloudflare introducing "API Shield", a free offering to secure APIs through the use of strong client certificate-based identity and strict schema-based validation.   #cloudflare   #announcement   #defend

Tools


version-checker
Kubernetes utility for observing the current versions of images running in the cluster, as well as the latest available upstream. These checks get exposed as Prometheus metrics to be viewed on a dashboard, or to raise soft alerts for cluster operators.


Kubei
Kubei is a vulnerability scanning tool that allows users to get a risk assessment of their Kubernetes clusters. Kubei scans all images that are being used in a Kubernetes cluster, including images of application pods and system pods.


aws_key_triage_tool
Script to automate initial triage/enumeration on a set of AWS keys. The goal is to speed up and automate the manual steps of running AWS CLI commands to determine whether these keys in question are valid and if so what those keys have access to.


autovpn
Script for creating on-demand, disposable OpenVPN endpoints on AWS.


SFPolDevChk
Tool that shows which Profiles in a Salesforce instance have become desynced from the Organization in terms of password and session policies, highlighting any deviations.


kconnect
kconnect is a CLI utility that can be used to discover and securely access Kubernetes clusters across multiple operating environments.


SimuLand
An initiative to share cloud templates and scripts to deploy network environments to simulate adversaries, generate/collect data and learn more about adversary tradecraft from a defensive perspective.

From the cloud providers


#AWS   Amazon S3 Update: Three New Security & Access Control Features
AWS launched security & access control features designed to give you even more control and flexibility over S3: Object Ownership (you can now ensure that newly created objects within a bucket have the same owner as the bucket), Bucket Owner Condition (you can now confirm the ownership of a bucket when you create a new object or perform other S3 operations), Copy API via Access Points (you can now access S3's Copy API through an Access Point).


#AWS   Anomaly Detection and alerting now available in AWS Cost Management
To help better control costs and save time in investigating anomalous spend, AWS announced the launch of Cost Anomaly Detection (Preview). This blog post walks through how to enable this function.


#AWS   Enhance programmatic access for IAM users using a YubiKey for multi-factor authentication
How to use a YubiKey token for MFA with the AWS Command Line Interface (AWS CLI) to create temporary credentials with the permissions that developers need to perform tasks.


#AWS   Design patterns to access cross-account secrets stored in AWS Secrets Manager
This post discusses cross-account design options and considerations for managing Amazon RDS secrets that are stored in AWS Secrets Manager.


#AWS   How to get read-only visibility into the AWS Control Tower console
How to create a custom permission set to get (read-only) visibility into the AWS Control Tower console, while still enforcing the principle of least privilege.


#AWS   Isolating network access to your AWS Cloud9 environments
How to create isolated AWS Cloud9 environments for your developers without requiring ingress (inbound) access from the internet.


#GCP   All together now: Fleet-wide monitoring for your Compute Engine VMs
Cloud Monitoring now gives you zero-config, out-of-the-box visibility into your entire Compute Engine VM fleet, with quick access to advanced Monitoring features such as installing the Cloud Monitoring agent and configuring fleetwide alerts.


#AZURE   Azure TLS certificate changes
Microsoft is updating Azure services to use TLS certificates from a different set of Root Certificate Authorities (CAs). This change is being made because the current CA certificates do not comply with one of the CA/Browser Forum Baseline requirements.


#AZURE   Watching the Watchers: Monitoring Azure Sentinel Query Activity for Malicious Activity
A new feature was recently added to Log Analytics (the technology that underpins Azure Sentinel's log storage and query capabilities) that allows you to capture an audit log of all queries run against a workspace.


#AZURE   Auditing Azure Sentinel activities
How you can audit your organization's SOC if you are using Azure Sentinel and how to get the visibility you need with regard to what activities are being performed within your Sentinel environment.


#AZURE   Moving Windows Server to Microsoft Azure to Enable Compliance
How to facilitate regulatory compliance when you migrate your Windows Server workloads to Azure.


#AZURE   Security capabilities in Azure Kubernetes Service on Azure Stack HCI
Post describing the security capabilities of Azure Kubernetes on Azure Stack HCI (AKS-HCI), an on-premises implementation of AKS.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues!

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini