Release Date: 06/12/2020 | Issue: 66
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.

This week's articles


Evilginx-ing into the cloud: How we detected a red team attack in AWS
#aws, #defend
Another interesting walk through from the Expel team on a red team exercise they recently spotted in a customer's AWS cloud environment.


Don't Panic: Kubernetes and Docker
#k8s, #explain
Kubernetes is deprecating Docker as a container runtime after v1.20. You do not need to panic. It's not as dramatic as it sounds. For a more detailed explanation, I do recommend: "Wait, Docker is deprecated in Kubernetes now? What do I do?".


Amazon EKS Distro
#aws, #k8s, #build
EKS Distro is a distribution of the same version of Kubernetes deployed by Amazon EKS, which you can use to manually create your own Kubernetes clusters anywhere you choose.


Vault Learning Resources: Vault 1.6 Release Highlights
#vault, #explain
New step-by-step tutorials demonstrate the features introduced in Vault 1.6, like the Key Management Secrets Engine, and how to Tokenize Data with the Transform Secrets Engine.


Kubernetes Audits Introduction
#k8s, #explain
Blog post going over Kubernetes audits: What are they exactly? How are they constructed? Where do they originate? How, and to where, do they go?


Cracking kubernetes node proxy (aka kube-proxy)
#k8s, #explain
To have a better understanding of the node proxier model, this post goes through design and implementation of a custom "kube-proxy".


Authentication between microservices using Kubernetes identities
#k8s, #explain, #build
Service Account Token Volume projection allows you to associate non-global, time-bound and audience-bound service tokens with your Kubernetes workloads.


The revenge of system:masters, return of the AKS
#azure, #k8s, #attack
A couple of takeaways if your organization is planning to use Azure AKS. First up, if your clusters are AAD enabled, be very careful about who has rights to use the "--admin" switch on the "get-credentials" command. Secondly, do not expose your clusters directly on the Internet, to reduce the likely impact of this.


Privilege Escalation in AKS Clusters
#azure, #k8s, #attack
Read access to ConfigMaps by default allowed privilege escalation in Microsoft's Kubernetes AKS.


AKS lacks support for rotating cluster-admin credential
#azure, #k8s, #attack
Nice catch from @raesene: whenever an admin leaves, you need to rotate the cluster CA keys if you want to remove their access to the cluster.


A better Kubernetes, from the ground up
#k8s
What would we do differently if we built something new, from the ground up, with no regard for compatibility with Kubernetes?

Tools


s3_objects_check
Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files.


opstrace
Opstrace deploys secure, horizontally-scalable open source observability in your own cloud account, combining open APIs with the simple user experience of a large service provider.


audit2rbac
audit2rbac takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.


connaisseur
Connaisseur is an admission controller for Kubernetes that integrates Image Signature Verification into a cluster, as a means to ensure that only valid images are being deployed. Comes with a related blog post.

From the cloud providers


AWS Lambda now supports container images as a packaging format
You can now package your functions as container images and use familiar container development tools to build Lambda applications.


Amazon Elastic Container Registry Public: A New Public Container Registry
ECR Public allows you to store, manage, share, and deploy container images for anyone to discover and download globally.


Announcing Cloud Audit Academy AWS-specific for audit and compliance teams
Amazon announced the launch of Cloud Audit Academy AWS-specific (CAA AWS-specific). This is a new, accelerated training program for auditing AWS Cloud implementations, and is designed for auditors, regulators, or anyone working within a control framework.


Monitor and secure your containers with new Container Threat Detection
Google announced the general availability of Container Threat Detection (a built-in service in Security Command Center Premium tier) to help monitor and secure container deployments in GCP.


Expanding our commitment to secure Internet routing
Google shares details about the steps they have taken to protect Google's network against vulnerabilities in the Internet routing system, how they are moving forward, and the importance of collaborating with the wider community.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.