Release Date: 01/11/2020 | Issue: 61
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand curated by Marco Lancini.

This week's articles


How to configure a production-grade AWS account structure using Gruntwork AWS Landing Zone
#aws, #build, #defend
Walkthrough of the process for configuring a production-grade AWS account structure, including how to manage multiple environments, users, permissions, and audit logging. In addition, this post discusses how to implement a Landing Zone solution that lets you spin up new AWS accounts that all implement a security baseline enforcing company policies.


SOC 2 compliance for containers and Kubernetes security
#k8s, #defend
Useful tips to implement SOC 2 compliance for containers and Kubernetes.


Vault Recommended Patterns
#vault, #build
Recommended patterns for Vault users, such as unsealing, the use of AppRole, and more.


Deploying Terraform Enterprise in Air Gapped Environments
#terraform, #build
How to use the features built into Terraform Enterprise that help manage infrastructure as code in air gapped networks.


Security hardening for GitHub Actions
#ci/cd, #defend
Good security practices for using GitHub Actions features.


Code Scanning a GitHub Repository using GitHub Advanced Security within an Azure DevOps Pipeline
#azure, #defend
GitHub Advanced Security now supports the ability to analyze code for semantic vulnerabilities from within third-party CI pipelines (previously available exclusively with GitHub Actions). This post walks through a simple implementation of Code Scanning in an Azure DevOps CI pipeline with a node application using the YAML editor.


Image scanning for Google Cloud Build
#gcp, #docker, #defend
How to add inline image scanning to a Google Cloud Build pipeline and how to customize scanning policies to stop the build if a high-risk vulnerability is detected.


Building Azure Cyber Ranges for Learning and Fun
#azure, #attack, #defend
Post introducing some Cyber Range options that automatically deploy into Microsoft Azure: Azure HELK, Azure Velociraptor, PurpleCloud.


AWS and their Billions in IPv4 addresses
#aws, #explain
Interesting study on AWS IP allocation. It seems they have allocated roughly 53 million IPv4 addresses to existing AWS services, out of all their IPv4 addresses combined (~100 million). Just over $2.5 billion worth of IPv4 addresses, not bad!


Getting started with IPv6 on AWS
#aws, #explain
Very well thought-out post that outlines the facts to take into account if you are considering adopting IPv6 within your VPCs.

Tools


dfimage
Reverse-engineer a Dockerfile from a Docker image.


falcosidekick
A simple daemon for enhancing the outputs available for Falco. It takes Falco events and forwards them to different outputs.


aws-secure-environment-accelerator
The AWS Secure Environment Accelerator is a tool designed to help deploy and operate secure multi-account AWS environments on an ongoing basis. Its configuration file enables the completely automated deployment of customizable architectures within AWS without changing a single line of code.

From the cloud providers


AWS Nitro Enclaves - Isolated EC2 Environments to Process Confidential Data
AWS Nitro Enclaves has launched. You can now create secure and highly-isolated enclaves attached to an EC2 instance, with integration with KMS and ACM too.


Announcing SSL/TLS certificates for Amazon EC2 instances with AWS Certificate Manager (ACM) for Nitro Enclaves
ACM now supports host-terminated TLS on EC2 via Nitro Enclaves. Use TLS on an EC2 host without the pain of managing the certificate.


Introducing the AWS Load Balancer Controller
The ALB Ingress Controller is now the AWS Load Balancer Controller, and includes support for both Application Load Balancers and Network Load Balancers. The new controller enables you to simplify operations and save costs by sharing an Application Load Balancer across multiple applications in your Kubernetes cluster, as well as using a Network Load Balancer to target pods running on AWS Fargate.


AWS Shield now provides global and per-account event summaries to all AWS customers
These summaries give you an overview of all events detected by AWS Shield, such as Distributed Denial of Service (DDoS) attacks and other volumetric anomalies, both for each of your accounts and for all events detected and mitigated on AWS.


Streamline existing IAM Access Analyzer findings using archive rules
IAM Access Analyzer generates comprehensive findings to help you identify resources that grant public and cross-account access. Now, you can also apply archive rules to existing findings, so you can better manage findings and focus on the findings that need your attention most.


How to configure Duo multi-factor authentication with Amazon Cognito
How to use the Amazon Cognito custom authentication flow to integrate Duo MFA into a sign-in flow.


Amazon API Gateway now supports disabling the default REST API endpoint
Amazon API Gateway now supports disabling the default, auto-generated REST API endpoint. This feature is intended for customers who use custom domain names for REST APIs and want to ensure that all traffic to their API goes only through the custom domain name and never through the default endpoint.


What you can learn in our Q4 2020 Google Cloud Security Talks
Google Cloud Security Talks is a live online event on November 18th, with talks focusing on cloud security topics like the latest Google Cloud security announcements, network security, Confidential Computing, and Security Command Center.


New Cloud Shell Editor: Get your first cloud-native app running in minutes
Google introduced a new version of the Cloud Shell Editor, immediately available in preview on ide.cloud.google.com and powered by the Eclipse Theia IDE platform. This new version extends Cloud Shell with an online development environment that includes cloud-native development via Cloud Code plugin support, language support for Go/Java/.NET/Python/NodeJS, and additional features such as integrated source control and support for multiple projects.


Cloud Key Management Service deep dive
Google recently released a new Cloud Key Management Service Deep Dive whitepaper to help you make informed decisions about cloud key management. Discussing Google Cloud’s Key Management Service (Cloud KMS) platform and generally available key management capabilities, this paper can help you understand the options you have to protect your keys and other sensitive information you store in Google Cloud.


Improving security and governance in PostgreSQL with Cloud SQL
Google announced a Cloud IAM integration and support for the PostgreSQL Audit Extension (pgAudit), both available in preview for Cloud SQL for PostgreSQL.

Copyright © 2019-present The Cloud Security Reading List.