Release Date: 29/11/2020 | Issue: 65
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.

This week's articles


AWS Control Tower By Example
#aws, #build
A hands-on walk-through of the easiest way to set up and govern a secure, compliant, multi-account AWS environment based on best practices.


Setting up personal G Suite backups on AWS
#aws, #build
How to leverage a nightly ECS container with an attached EFS (which itself is backed up via AWS Backup) for backing up your personal Gmail and GDrive automatically.


A Vault Policy Masterclass
#vault, #explain
Deep dive into how to use ACLs and templating policies as guardrails, with concrete policy examples.


Understanding the Boundary Identity and Access Management Model
#boundary, #explain
Learn how the domain model works in HashiCorp Boundary and how it approaches IAM.


Logging to Azure from an AKS Cluster
#azure, #defend
How to use Azure Monitor for containers to automatically transfer container logs to a Log Analytics workspace.


Using SSL certificates from Let's Encrypt in your Kubernetes Ingress via cert-manager
#k8s, #build
Walkthrough of the process of automating the issuance and renewal of certificates provided by Let's Encrypt for Kubernetes Ingress using the cert-manager add-on.


Integrating Vault secrets into Jupyter notebooks for incident response and threat hunting
#vault, #defend
How to use Vault to store secrets and integrate the ability to retrieve secrets from Vault with Jupyter Notebooks to assist in automating security operations.


Rootless Containers
#docker
Single-purpose website for tracking the progress of rootless container support in various projects.

Tools


attack-guardduty-navigator
A MITRE ATT&CK Navigator export for AWS GuardDuty Findings.


awesome-azure-security
A curated list of awesome Microsoft Azure Security tools, guides, blogs, and other resources.


k8s-security-policies
Repository providing a security policies library used for securing Kubernetes cluster configurations. The security policies are created based on the CIS Kubernetes Benchmark and the rules defined in Kubesec.io.


cloudquery
cloudquery transforms your cloud infrastructure into queryable SQL tables for easy monitoring, governance and security.


IAMFinder
IAMFinder enumerates and finds users and IAM roles in a target AWS account. See the relevant blog post.

From the cloud providers


Code Signing, a Trust and Integrity Control for AWS Lambda
With Code Signing for Lambda, administrators can configure Lambda functions to only accept signed code on deployment. When developers deploy signed code to such functions, Lambda checks the signatures to ensure the code has not been altered or tampered with. It is also already supported by Terraform.


Investigate VPC flow with Amazon Detective
How to use the new VPC flow feature in Detective to investigate findings from Amazon GuardDuty.


Set up centralized monitoring for DDoS events and auto-remediate noncompliant resources
How to set up centralized monitoring for Shield Advanced-protected resources across multiple AWS accounts by using Firewall Manager and Security Hub. This enables you to manage resources that are out of compliance with your security policy and to view DDoS events detected across multiple accounts in a single view.


Automatically update security groups for Amazon CloudFront IP ranges using AWS Lambda
How to create an AWS Lambda function to automatically update Amazon VPC security groups with CloudFront service IP ranges to permit only CloudFront to access the origin.


AWS Security Hub integrates with AWS Organizations for simplified security posture management
AWS Security Hub is now integrated with AWS Organizations, making it possible to delegate any account in an organization as the Security Hub administrator and centrally view security findings from up to 5,000 AWS accounts.


How to deploy the AWS Solution for Security Hub Automated Response and Remediation
How to automate the cross-account response and remediation lifecycle from executing the remediation action to resolving the findings in Security Hub and notifying users of the remediation via SNS.


Zero Trust architectures: An AWS perspective
AWS discusses its guiding principles for Zero Trust, and how those principles have been woven into the fabric of the AWS cloud.


Serverless load balancing with Terraform: The hard way
With the Cloud Balancing integration for serverless platforms, you can now fine-tune lower levels of your networking stack. This article explains the use cases for this type of setup and builds an HTTPS load balancer for Cloud Run from the ground up using Terraform.

© 2019-present The Cloud Security Reading List by SecurityBite LTD.