Release Date: 11/10/2020 | Issue: 58
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand curated by Marco Lancini.

This week's articles


Using AWS Lambda Extensions to Accelerate AWS Secrets Manager Access
#aws, #build
Square developed and open sourced an extension that pre-fetches secrets from AWS Secrets Manager. By prefetching it is possible to eliminate the overhead introduced by calls to Secrets Manager, thus making secrets available immediately for Lambda function invocations.


Use AWS Lambda Extensions to Securely Retrieve Secrets From HashiCorp Vault
#aws, #vault, #build
HashiCorp announced the public preview of a HashiCorp Vault AWS Lambda extension, utilizing the newly announced AWS Lambda Extensions API (also in public preview) to securely retrieve secrets from HashiCorp Vault.


Firebase: Google Cloud's Evil Twin
#gcp, #attack
Whitepaper digging deep into Firebase and its security flaws.


Enter the Vault: Authentication Issues in HashiCorp Vault
#aws, #gcp, #vault, #attack
Project Zero found two vulnerabilities in HashiCorp Vault and its integration with AWS and GCP, which can lead to an authentication bypass in configurations that use the aws and gcp auth methods. Both vulnerabilities (CVE-2020-16250/16251) were addressed by HashiCorp and are fixed in Vault versions 1.2.5, 1.3.8, 1.4.4 and 1.5.1 released in August.


Privilege Escalation and Lateral Movement on Azure
#azure, #attack
Some techniques for how a red team can gain a foothold and then escalate their privileges and move laterally within an Azure environment by using the Azure RBAC module.


CloudFormer review part I - The stack
#aws, #attack
A security review of AWS CloudFormer (beta), a tool created by AWS that helps create CloudFormation templates of existing resources within an account.


Mapping CIS Controls to Cloud
#defend
Building a public cloud security program from scratch is a lot of work. There is a great deal to do, and figuring out which controls matter and in what order is critical.


Monitoring Google Cloud with the Elastic Stack and Google Operations
#gcp, #defend
How to set up a pipeline to stream data from Google Operations (formerly Stackdriver) to the Elastic Stack, so you can analyze Google Cloud logs alongside other observability data.


A visual introduction to AWS Lambda permissions
#aws, #explain
Article explaining with visual examples the AWS Lambda permission model, focusing on cross-account access and the principle of least privilege.


Build end-to-end CI/CD capabilities directly in GitHub
#azure, #build
Online workshops teaching how to build end-to-end continuous integration (CI) and continuous deployment (CD) capabilities directly in GitHub repositories using GitHub Actions.


Dynamic Secrets Retrieval in Azure App Service with HashiCorp Vault
#azure, #vault, #build
How to integrate Vault with Azure Active Directory and managed identities, and also use this authentication method to access dynamic short-lived secrets for a MySQL database.


Verify your Kubernetes Cluster Network Policies: From Faith to Proof
#istio, #defend
Implement a technical check that verifies the security measures you believe are in place. For network policies, periodically try to establish a connection that the policy should block, and treat success as a failed check. Keep the checks as simple as possible and propagate the results into the existing monitoring solution.
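The check described above, as an added example (not code from the article or its author): a small Python probe that attempts a TCP connection, classifies the outcome, compares it with what the NetworkPolicy should produce, and renders a Prometheus-style metric line for an existing monitoring stack. It assumes the probe runs inside the cluster (for example as a CronJob in the source namespace) and that denied traffic is dropped by the CNI, which is the default for Calico and Cilium; a dropped packet shows up as a connect timeout, while "connection refused" means the packet reached the destination and the policy did not block it. Target names, hosts and ports below are constructed, and the local listener exists only so the self-check runs offline.

```python
"""Probe whether a connection a Kubernetes NetworkPolicy should block is
actually blocked, and emit the result as a Prometheus-style metric line.

Added example, not the article's code. Assumes deny == drop (Calico/Cilium
default). If your CNI rejects with RST instead, "refused" would also be a
valid blocked outcome; adjust evaluate() accordingly.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Target:
    name: str            # metric label, e.g. "payments-db-from-frontend" (constructed)
    host: str
    port: int
    expect_blocked: bool  # True: policy must deny; False: path must stay open


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt a TCP connect and classify what happened on the wire."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "connected"
    except socket.timeout:
        return "timeout"       # packets dropped: consistent with a deny policy
    except ConnectionRefusedError:
        return "refused"       # reached the host, nothing listening: policy did NOT block
    except OSError:
        return "unreachable"   # no route / resolution failure: no conclusion possible
    finally:
        s.close()


def evaluate(target: Target, outcome: str) -> bool:
    """True when the observed outcome matches what the policy should produce."""
    if target.expect_blocked:
        return outcome == "timeout"
    # For an "allowed" path both outcomes prove the network let the packet through;
    # "refused" just means the service is not listening, which is not a policy failure.
    return outcome in ("connected", "refused")


def metric_line(target: Target, passed: bool) -> str:
    """Render one sample for a textfile collector / pushgateway."""
    return (f'netpol_check_passed{{target="{target.name}",host="{target.host}",'
            f'port="{target.port}"}} {1 if passed else 0}')


def run_checks(targets, timeout: float = 2.0) -> dict:
    """Probe every target; returns name -> (outcome, passed)."""
    results = {}
    for t in targets:
        outcome = probe(t.host, t.port, timeout)
        results[t.name] = (outcome, evaluate(t, outcome))
    return results


# --- offline self-check helpers (constructed; not cluster services) ---------
class LocalListener:
    """Listening socket on 127.0.0.1 so an 'allowed' probe can succeed offline."""
    def __enter__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        return self

    def __exit__(self, *exc):
        self.sock.close()


def closed_port() -> int:
    """Return a loopback port that was free a moment ago, so a connect is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def self_check() -> tuple:
    """Exercise the classifier against loopback: (listening, closed) outcomes."""
    with LocalListener() as lst:
        listening = probe("127.0.0.1", lst.port, timeout=1.0)
    refused = probe("127.0.0.1", closed_port(), timeout=1.0)
    return listening, refused


if __name__ == "__main__":
    # Constructed targets: a path that must be denied and one that must stay open.
    targets = [
        Target("payments-db-from-frontend", "10.96.0.10", 5432, expect_blocked=True),
        Target("frontend-to-api", "10.96.0.20", 8080, expect_blocked=False),
    ]
    for name, (outcome, passed) in run_checks(targets).items():
        print(metric_line(next(t for t in targets if t.name == name), passed), f"# {outcome}")
```

Run it from a pod that has the same labels as the workload whose policy you want to verify; a check that expects "timeout" but sees "refused" is the interesting alert, because it means the NetworkPolicy is missing or not enforced by the CNI. The probe timeout should be short but longer than the cluster's normal connect latency, otherwise a slow-but-allowed path is misreported as blocked.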

Tools


aws-iamctl
IAMCTL is a tool that you can use to extract the IAM roles and policies from two accounts, compare them, and report out the differences and statistics. You can also have a look at the companion blog post.


gcpviz
gcpviz is a visualization tool that takes input from Cloud Asset Inventory, creates relationships between assets and outputs to a format compatible with graphviz.

From the cloud providers


AWS Lambda Extensions: a new way to integrate Lambda with operational tools (in preview)
AWS introduced "Extensions" for Lambda, a new way for tools to more easily integrate deeply into the Lambda execution environment to control and participate in Lambda’s lifecycle. They use the Extensions API, a new HTTP interface, to register for lifecycle events and get greater control during function initialization, invocation, and shutdown. As of today, it is possible to use extensions for the following tools: AppDynamics, Check Point, Datadog, Dynatrace, Epsagon, HashiCorp, Lumigo, New Relic, Thundra, Splunk, AWS AppConfig, and CloudWatch Lambda Insights.


Designing a secure container image registry
Post outlining a reference design for Amazon Elastic Container Registry (Amazon ECR) that can be used as-is or modified to fit the requirements of your organization.


AWS Security Hub launches a new user interface for security standards
AWS Security Hub improved how it displays details for security standards, which are collections of automated security checks based on industry and regulatory frameworks like the Center for Internet Security's (CIS) AWS Foundational Benchmarks, the Payment Card Industry Data Security Standard (PCI DSS), and AWS' own Foundational Security Best Practices.


Creating a CI/CD Environment for Serverless Containers on Google Cloud Run with GitHub Actions
Using GitHub Actions to test and deploy Docker containers on Google Cloud Run.

Copyright © 2019-present The Cloud Security Reading List.