This week's articles
82% of companies unknowingly give 3rd parties access to all their cloud data
#aws, #gcp, #azure, #iam
The Wiz team conducted research into the permissions granted to 3rd party vendors in cloud environments, and the results should be a wake-up call. In the majority of cases these permissions exist for no reason: the vendor doesn't actually need them, and the customers aren't even aware that they granted them to the vendor.
Bad Pods: Kubernetes Pod Privilege Escalation
#k8s, #attack
What are the risks associated with overly permissive pod creation in Kubernetes? This post describes 8 insecure pod configurations and the corresponding methods to perform privilege escalation. The accompanying repository can also help penetration testers and administrators better understand common misconfiguration scenarios.
Getting into a bind with Kubernetes
#k8s, #iam
The "bind" verb is a useful piece of Kubernetes RBAC configuration, but it's also one of the lesser known. As it can enable privilege escalation, it's an important thing to check for when creating or auditing roles.
The Power of Kubernetes RBAC LIST
#k8s, #iam
One of the potential surprises for newcomers to Kubernetes RBAC is the subtle but extremely important difference between the GET and LIST verbs. This even carries over to Google Cloud's IAM permission model for GKE clusters, with opportunities for unintended consequences.
Google Kubernetes Engine IAM Roles
#k8s, #gcp, #iam
What separates the GKE IAM Roles "Kubernetes Engine Developer" from "Kubernetes Engine Admin"? In most cases, not that much.
A Deeper Look at GKE Basic Auth
#gcp, #iam
If you are running GKE Clusters with Basic Authentication, you'll want to consider removing those credentials from your clusters. This post aims to outline the risks and considerations for remediation.
Tools
adidas-devops-maturity-framework
Based on the C.A.L.M.S. definition of DevOps, the framework defines a set of capabilities and guidelines that, when adopted, increase the efficiency, effectiveness, and happiness of the team.
website-openid-proxy
Service which provides authenticated access to a static website hosted in an S3 bucket.
terraform_aws_scp
This repo is a collection of AWS Service Control Policies (SCPs) written in Terraform to be used in AWS Organizations.
leapp
Leapp is a DevTool Desktop App designed to manage and secure Cloud Access in multi-account environments. It securely stores your access information and generates temporary credential sets to access your Cloud from your local machine.
OPA v0.26.0
OpenPolicyAgent v0.26.0 just got released. New features include support for WASM, OAuth2/OIDC, auth plugins, opa bench, etc.
From the cloud providers
Amazon ECS now supports VPC Endpoint policies
Amazon Elastic Container Service (ECS) now lets you attach IAM resource policies to VPC Endpoints. This allows you to control access to your ECS resources from VPC Endpoints, helping you meet compliance and regulatory requirements.
What's new: Dedicated clusters for Azure Sentinel
If you ingest over 1Tb per day into your Azure Sentinel workspace and/or have multiple Azure Sentinel workspaces in your Azure enrolment, you may want to consider migrating to a dedicated cluster, a recent addition to the deployment options for Azure Sentinel.
Thanks for reading!
If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌 If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com! Thanks, Marco