Release Date: 15/11/2020 | Issue: 63
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand curated by Marco Lancini.

This week's articles


Announcing OpenCSPM - An Open-Source Cloud Security Posture Management and Workflow Platform
#aws, #gcp, #defend, #announcement
OpenCSPM is an open-source platform developed by Darkbit that aims to make continuous cloud security posture assessments of cloud environments a practical reality for security and compliance teams alike. It offers a unique approach to manage the firehose of security and compliance check results that even modest AWS and GCP environments can surface, and its control definitions allow for simple yet powerful levels of introspection of its graph data model.


Announcing Curiefense: An Open-Source Security Platform
#k8s, #defend, #announcement
Curiefense is a free, open-source, web security platform that extends Envoy Proxy to include WAF, Bot Management, application-layer DDoS, & more.


Blind Spots in the Cloud
#aws, #gcp, #defend
High-level post reviewing logging and visibility options offered by AWS and GCP, and discussing blind spots and how to eliminate them.


Announcing HashiCorp Vault 1.6
#vault, #announcement
This release features Integrated Storage enhancements, a new Key Management Secrets Engine, Transform Secrets Engine updates, and more.


Terraform 0.14 Adds the Ability to Redact Sensitive Values in Console Output
#terraform, #ci/cd
Terraform 0.14 allows users to define values as "sensitive", making it easier to redact sensitive information in Terraform workflows.


Deploying changes to your Auth0 accounts with GitHub Actions
#ci/cd, #build
How the Auth0 Deploy CLI and GitHub Actions can be used to export the configuration of your environment and then import this same configuration on your other environments.


How to monitor coreDNS
#kubernetes, #defend
How to monitor coreDNS: how to get metrics out of it, and what to look for.


Connecting Securely to Google Compute Engine VMs without a Public IP or VPN
#gcp, #build
How to use GCP's Identity-Aware Proxy (IAP) to establish secure RDP, SSH, and VNC connections to VMs on GCE that don't have a public IP or VPN connectivity.


CloudGoat ECS_EFS_Attack Walkthrough
#aws, #attack
Walkthrough covering the CloudGoat attack simulation "ecs_efs_attack", teaching how to pivot through AWS Elastic Container Service and gain access to AWS Elastic File Share.

Tools


terraform-deployment-pentesting
Collection of tiny Terraform modules that can be used to do dangerous things in a CI/CD pipeline.


cmd-tutorial
Tutorial walking through provisioning some VMs on GCP so to kick the tires on Cmd, an utility to track and control users in production.

From the cloud providers


AWS Icon  Introducing AWS Gateway Load Balancer
AWS announced the general availability of AWS Gateway Load Balancer (GWLB), a service that makes it easy and cost-effective to deploy, scale and manage the availability of third-party virtual appliances such as firewalls, intrusion detection and prevention systems and deep packet inspection systems in the cloud.


AWS Icon  What is AWS Nitro Enclaves?
Get started with AWS Nitro Enclaves. From EC2 instances, you can create isolated execution environments that are separate, hardened VMs.


AWS Icon  AWS Lambda now makes it easier to send logs to custom destinations
You can now send logs from AWS Lambda functions directly to a destination of your choice by using AWS Lambda Extensions. It is currently possible to use extensions that send logs to the following providers: Datadog, New Relic, Sumo Logic, Honeycomb, Lumigo, and Coralogix.


AWS Icon  Lightsail Containers: An Easy Way to Run your Containers in the Cloud
Amazon added the possibility to deploy container-based workloads on Lightsail. You can now deploy your container images to the cloud with the same simplicity and the same bundled pricing Amazon Lightsail provides for your virtual servers.


GCP Icon  Enabling Customer-Managed Encryption Keys (CMEK)
It is now possible to use your own encryption keys for secrets stored in GCP SecretManager with CMEK.


GCP Icon  Health checking your gRPC servers on GKE
Google open sourced a project called grpc-health-probe, a command-line tool to assess health of a gRPC server.


GCP Icon  It's not DNS: Ensuring high availability in a hybrid cloud environment
Post discussing some redundancy mechanisms you can employ to ensure that Cloud DNS is always available to handle your DNS requests.


Azure Icon  Using Azure Data Explorer for long term retention of Azure Sentinel logs
How to use Azure Data Explorer (ADX) as a secondary log store.

Website
Twitter
Sponsor Me
View this email in your browser Copyright © 2019-present The Cloud Security Reading List.