Release Date: 06/12/2020 | Issue: 66
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

This week's articles


Evilginx-ing into the cloud: How we detected a red team attack in AWS
Another interesting walkthrough from the Expel team on a red team exercise they recently spotted in a customer's AWS cloud environment.   #aws   #defend


Don't Panic: Kubernetes and Docker
Kubernetes is deprecating Docker as a container runtime after v1.20. You do not need to panic. It’s not as dramatic as it sounds. For a more detailed explanation, I do recommend: "Wait, Docker is deprecated in Kubernetes now? What do I do?".   #k8s   #explain


Amazon EKS Distro
EKS Distro is a distribution of the same version of Kubernetes deployed by Amazon EKS, which you can use to manually create your own Kubernetes clusters anywhere you choose.   #aws   #k8s   #build


Vault Learning Resources: Vault 1.6 Release Highlights
New step-by-step tutorials demonstrate the features introduced in Vault 1.6, like the Key Management Secrets Engine, and how to Tokenize Data with the Transform Secrets Engine.   #vault   #explain


Kubernetes Audits Introduction
Blog post going over Kubernetes audits: What are they exactly? How are they constructed? Where do they originate? How and to where do they go?   #k8s   #explain


Cracking kubernetes node proxy (aka kube-proxy)
To give a better understanding of the node proxier model, this post goes through the design and implementation of a custom "kube-proxy".   #k8s   #explain


Authentication between microservices using Kubernetes identities
Service Account Token Volume projection allows you to associate non-global, time-bound and audience-bound service tokens with your Kubernetes workloads.   #k8s   #explain   #build


The revenge of system:masters, return of the AKS
A couple of takeaways if your organization is planning to use Azure AKS. First up, if your clusters are AAD enabled, be very careful with who has rights to use the "--admin" switch on the "get-credentials" command. Secondly, do not expose your clusters directly on the Internet, to reduce the likely impact of this.   #azure   #k8s   #attack


Privilege Escalation in AKS Clusters
Read access to ConfigMaps by default allowed privilege escalation in Microsoft's Kubernetes AKS.   #azure   #k8s   #attack


AKS lacks support for rotating cluster-admin credential
Nice catch from @raesene: whenever an admin leaves, you need to rotate the cluster CA keys if you want to remove their access to the cluster.   #azure   #k8s   #attack


A better Kubernetes, from the ground up
What would we do differently if we built something new, from the ground up, with no regard for compatibility with Kubernetes?   #k8s

Tools


s3_objects_check
Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files.


opstrace
Opstrace deploys secure, horizontally-scalable open source observability in your own cloud account, combining open APIs with the simple user experience of a large service provider.


audit2rbac
audit2rbac takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.


connaisseur
Connaisseur is an admission controller for Kubernetes that integrates image signature verification into a cluster, as a means to ensure that only valid images are deployed. Comes with a related blog post.

From the cloud providers


#AWS   AWS Lambda now supports container images as a packaging format
You can now package your functions as container images and use familiar container development tools to build Lambda applications.


#AWS   Amazon Elastic Container Registry Public: A New Public Container Registry
ECR Public allows you to store, manage, share, and deploy container images for anyone to discover and download globally.


#AWS   Announcing Cloud Audit Academy AWS-specific for audit and compliance teams
Amazon announced the launch of Cloud Audit Academy AWS-specific (CAA AWS-specific). This is a new, accelerated training program for auditing AWS Cloud implementations, and is designed for auditors, regulators, or anyone working within a control framework.


#GCP   Monitor and secure your containers with new Container Threat Detection
Google announced the general availability of Container Threat Detection (a built-in service in Security Command Center Premium tier) to help monitor and secure container deployments in GCP.


#GCP   Expanding our commitment to secure Internet routing
Google shares details about the steps they have taken to protect Google's network against vulnerabilities in the Internet routing system, how they are moving forward, and the importance of collaborating with the wider community.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini