Release Date: 24/01/2021 | Issue: 71
The Cloud Security Reading List is a low volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape,
hand curated by Marco Lancini.
🎁 Second addition of the year!
With this issue, I've added a new section dedicated to CloudSecDocs.com, and where I will link to new pages as I add them.
If you have feedback (either on this addition, or on the mailing list in general), please do reach out on Twitter!

This week's articles


82% of companies unknowingly give 3rd parties access to all their cloud data
#aws, #gcp, #azure, #iam
The Wiz team conducted a research of permissions provided to 3rd party vendors in cloud environments and the results should be a wake-up call. In the majority of cases these permissions are there for no reason: the vendor doesn't actually need them, and the customers aren't even aware that they gave them to the vendor.


GCP OAuth Token Hijacking in Google Cloud
#gcp, #attack
If an attacker compromises an engineer's workstation, they can easily steal and abuse cached credentials, even if MFA is enabled (Part 1, Part 2).


Bad Pods: Kubernetes Pod Privilege Escalation
#k8s, #attack
What are the risks associated with overly permissive pod creation in Kubernetes? This post describes 8 insecure pod configurations and the corresponding methods to perform privilege escalation. The accompanying repository can also help penetration testers and administrators better understand common misconfiguration scenarios.


Getting into a bind with Kubernetes
#k8s, #iam
The "bind" verb is a useful piece of Kubernetes RBAC configuration, but it's also one of the lesser known. As it can enable privilege escalation, it's an important thing to check for when creating or auditing roles.


The Power of Kubernetes RBAC LIST
#k8s, #iam
One of the potential surprises for newcomers to Kubernetes RBAC is what the subtle, but extremely important differences are between the GET and LIST verbs. This even translates to Google Cloud's IAM permission model with GKE clusters with opportunities for unintended consequences.


Google Kubernetes Engine IAM Roles
#k8s, #gcp, #iam
What separates the GKE IAM Roles "Kubernetes Engine Developer" from "Kubernetes Engine Admin"? In most cases, not that much.


A Deeper Look at GKE Basic Auth
#gcp, #iam
If you are running GKE Clusters with Basic Authentication, you'll want to consider removing those credentials from your clusters. This post aims to outline the risks and considerations for remediation.


Google Cloud IAM Custom Role and Permissions Debugging Tricks
#gcp, #iam
An approach for creating and verifying least-privilege custom IAM Roles using the gcloud sdk Docker image, Data Access Logging, and the IAM Policy Troubleshooter.


Don't Forget to Restrict Outbound Traffic with Terraform and Sentinel
#terraform, #aws, #defend
How Sentinel policies in Terraform can ensure outbound access in security groups and firewalls is restricted.


Boosting Container Security with Rootless Containers
#docker, #build
Why you should be avoiding root in containers, what rootless containers are, and how they are going to help.

Tools


adidas-devops-maturity-framework
Based in the C.A.L.M.S. definition of DevOps, the framework defines a set of capabilities and guidelines that, when adopted, increase efficiency, effectiveness, and happiness of the team.


website-openid-proxy
Service which provides authenticated access to a static website hosted in an s3 bucket.


terraform_aws_scp
This repo is a collection of AWS Service Control Policies (SCPs) written in Terraform to be used in AWS Organizations.


leapp
Leapp is a DevTool Desktop App designed to manage and secure Cloud Access in multi-account environments. It's a tool that securely stores your access information in a secure place and generates temporary credential sets to access your Cloud from your local machine.


OPA v0.26.0
OpenPolicyAgent v0.26.0 just got released. New features include support for WASM, OAuth2/OIDC, auth plugins, opa bench, etc.

CloudSecDocs


AWS Service Control Policies (SCPs)
New page added: including a general description of CSPs and some useful samples.

From the cloud providers


AWS Icon  Amazon ECS now supports VPC Endpoint policies
Amazon Elastic Container Service (ECS) now lets you attach IAM resource policies to VPC Endpoints. This allows you to control access to your ECS resources from VPC Endpoints, helping you meet compliance and regulatory requirements.


AWS Icon  Introducing Federated Amazon EKS Clusters on AWS
Federated Amazon EKS Clusters on AWS is a new AWS Solutions Implementation that automates the deployment and federation of two EKS clusters across multiple AWS Regions, configuring highly available, low latency, and easily scalable applications.


GCP Icon  Enforcing least privilege by bulk-applying IAM recommendations
How to analyze IAM recommendations across all your projects and bulk-apply those recommendations for an entire project using a set of commands in Cloud Shell.


Azure Icon  Vulnerability assessment for on-premise and multi-cloud machines in Azure Security Center is now GA
You can now use Azure Defender for servers to consolidate your vulnerability management program across all of your Azure and non-Azure assets.


Azure Icon  What's new: Dedicated clusters for Azure Sentinel
If you ingest over 1Tb per day into your Azure Sentinel workspace and/or have multiple Azure Sentinel workspaces in your Azure enrolment, you may want to consider migrating to a dedicated cluster, a recent addition to the deployment options for Azure Sentinel.


Alibaba Cloud Icon  Redefining Security in 2021
Article capturing and listing the security solutions provided by Alibaba Cloud.


Alibaba Cloud Icon  Empower Online Businesses with Alibaba Cloud Anti-DDoS, WAF, CDN and Cloud Firewall
Step-by-step guide for securing your online business with Alibaba Cloud CDN and security products.

Website
Twitter
Sponsor Me
View this email in your browser Copyright © 2019-present The Cloud Security Reading List.