Release Date: 08/11/2020 | Issue: 62
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.

This week's articles


IAM whatever you say IAM
#aws, #defend
Cartography introduced "Resource Permission Relationships": using the graph to evaluate a principal's resulting accesses to critical assets within your environments.


The state of ABAC on AWS
#aws, #defend
SummitRoute describes the limitations of AWS related to tagging, and the steps AWS needs to take to improve this situation.


12 Container image scanning best practices to adopt in production
#docker, #ci/cd, #defend
Blog covering many image scanning best practices and tips that can help adopting an effective container image scanning strategy.


When LIST is a Lie in Kubernetes
#k8s, #attack
For the Secrets resource, the "LIST" verb is a lie. When you "list" Secrets, the request goes to the Kubernetes API and pulls down all the Secrets, including the individual secret values themselves. This is a known and documented issue, but many environments still rely on granting "LIST" (while withholding "GET") to prevent access to secret values.


Nuking all Azure Resource Groups under all Azure subscriptions
#azure, #attack
How to nuke every resource group under every Microsoft Azure subscription, with examples on how to do it with Terraform's null_resource and local-exec provisioner.


Consuming Public Content
#docker, #build, #ci/cd
The Docker TOS updates give us an opportunity to focus on the larger challenges of consuming public content. If you depend on public content, it is recommended to configure a workflow that imports the content, scans it according to your organization's security scanning policies, runs functional and integration tests to assure that the most recent version of the content meets all expectations, and then promotes the validated content to a location your team(s) can use.


ACM for Nitro Enclaves - How Secure Are They?
#aws, #explain
Good overview of the "shape" of AWS Nitro Enclaves and how private material is protected. The authors even try to access an ACM private key, and show how attestation prevents that.


Automating Kubernetes Security Reporting with Starboard Operator by Aqua
#k8s, #defend
Aqua announced a new Starboard Operator that automates the generation of security reports in your K8s cluster. Using Starboard Operator, you can rely on the tools you're already familiar with, like kubectl, to easily access security information about your running workloads.


Widespread injection vulnerabilities in Actions
#ci/cd, #attack
Project Zero identified an interesting design flaw in GitHub Actions: actions that print untrusted data to STDOUT are vulnerable to an injection attack that can be turned into code execution.


Detections as code: reliably scaling your detections library
#k8s, #defend
A few ideas for all those who are building a detection team, showing how to get more than code review out of the "detections-as-code" model, and really make use of the power of committed, automatically parseable detection rules.

Tools


aws-container-images-toolkit
A collection of tools to statically and dynamically identify public container images that are hosted on Docker Hub.


shield-advanced
Scripts and Lambdas to help with automated deployment of AWS Shield Advanced and engagement of the DRT during a DDoS incident.


azure_cis_scanner
Security scanner for Azure based on the CIS benchmark 1.1, inspired by Scout2.


kube-linter
KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.


response
Monzo's real-time incident response and reporting tool.


Flux version 2
Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy. Flux version 2 ("v2") is built from the ground up to use Kubernetes' API extension system, and to integrate with Prometheus and other core components of the Kubernetes ecosystem.

From the cloud providers


AWS: Advice for customers dealing with Docker Hub rate limits, and a Coming Soon announcement
Big news about Amazon ECR: within weeks there will be support for public images as well.


AWS: Amazon CloudWatch launches Metrics Explorer
Amazon CloudWatch launches Metrics Explorer, a tag-based dashboard tool that enables customers to filter, aggregate, and visualize operational health and performance metrics by tags.


AWS: HashiCorp Vault on Amazon EKS
This Quick Start sets up a flexible, scalable environment on EKS, and launches HashiCorp Vault using the HashiCorp Vault Helm chart in the configuration of your choice.


GCP: Hack your own custom domains for Container Registry
How to develop and run a serverless reverse proxy to customize the behavior of your registry, such as serving your images publicly on your custom domain name instead of gcr.io.

Copyright © 2019-present The Cloud Security Reading List.