Release Date: 31/01/2021 | Issue: 72
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.

This week's articles


The CSA Cloud Controls Matrix (CCM) V4: Raising the cloud security bar to the next level
#defend, #build
The Cloud Security Alliance released version 4 of the Cloud Controls Matrix (CCM). The upgrade from CCM v3.0.1 to v4 was needed given how the cloud security landscape has evolved, both technically and from a legal and regulatory standpoint, and to help organizations implement security and privacy controls more efficiently and streamline compliance.


Bringing Your A-Game: Availability for Security People
#defend, #build
An overview of why infosec teams stand to substantially benefit from rediscovering the importance of availability within their mandate, and why it's imperative they do so.


Intercept SSM Agent Communications
#aws, #attack
Leveraging SSM for post-exploitation: with access to an EC2 instance you can block EC2 Messages (like send-command) and SSM sessions, send arbitrary responses, or snoop on communications.


Kubernetes Honey Token
#k8s, #defend
How to use an artisanally crafted Kubernetes Service Account as a Honeytoken.
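As an added example (not code from the linked post), here is the detection side of a honeytoken Service Account: the account is created with a tempting name (a hypothetical backup-admin in kube-system), bound to no Role or ClusterRole, and covered by an audit policy rule that logs its requests at RequestResponse level. Since it has no RBAC grants, every request made with its token is either an attacker or a misconfiguration worth chasing, and the 403s it produces are exactly the signal. The audit events below are constructed, in the audit.k8s.io/v1 JSON-lines shape the API server writes.

```python
"""Raise an alert on any use of a Kubernetes honeytoken service account."""
import json
from collections import defaultdict

# Hypothetical honeytoken identities; a ServiceAccount token authenticates as
# system:serviceaccount:<namespace>:<name>.
HONEY_ACCOUNTS = {
    "system:serviceaccount:kube-system:backup-admin",
}

# Constructed audit events (audit.k8s.io/v1, one JSON object per line) standing in for
# the API server's audit log. Event a1 is legitimate; a2 and a3 use the honeytoken.
SAMPLE_AUDIT_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/prod/pods","verb":"list","user":{"username":"alice@example.com","groups":["developers","system:authenticated"]},"sourceIPs":["10.1.2.3"],"userAgent":"kubectl/v1.20.2","responseStatus":{"metadata":{},"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a2","stage":"ResponseComplete","requestURI":"/apis/authorization.k8s.io/v1/selfsubjectaccessreviews","verb":"create","user":{"username":"system:serviceaccount:kube-system:backup-admin","uid":"c0ffee","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.19.0","responseStatus":{"metadata":{},"code":201}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"a3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets","verb":"list","user":{"username":"system:serviceaccount:kube-system:backup-admin","uid":"c0ffee","groups":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"sourceIPs":["203.0.113.7"],"userAgent":"kubectl/v1.19.0","responseStatus":{"metadata":{},"code":403}}
""".strip()


def parse_events(lines):
    """Yield audit events from JSON lines, skipping blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def honeytoken_hits(events, honey=HONEY_ACCOUNTS):
    """Yield a compact record for every event made by (or impersonating) a honeytoken.

    A 403 is still a hit: the account has no permissions, so an attacker probing with
    the stolen token produces denied requests, which the audit log records regardless.
    """
    for ev in events:
        user = ev.get("user", {}).get("username", "")
        impersonated = ev.get("impersonatedUser", {}).get("username", "")
        if user in honey or impersonated in honey:
            yield {
                "auditID": ev.get("auditID"),
                "principal": user,
                "verb": ev.get("verb"),
                "uri": ev.get("requestURI"),
                "sourceIPs": ev.get("sourceIPs", []),
                "userAgent": ev.get("userAgent"),
                "code": ev.get("responseStatus", {}).get("code"),
            }


def summarize_by_source(hits):
    """Group hits by source IP so one alert can carry the whole probing sequence."""
    by_ip = defaultdict(list)
    for h in hits:
        for ip in h["sourceIPs"] or ["<unknown>"]:
            by_ip[ip].append((h["verb"], h["uri"], h["code"]))
    return dict(by_ip)


def scan(lines):
    """JSON lines in, {source_ip: [(verb, uri, code), ...]} out."""
    return summarize_by_source(honeytoken_hits(parse_events(lines)))


if __name__ == "__main__":
    for ip, actions in scan(SAMPLE_AUDIT_LOG.splitlines()).items():
        print(f"ALERT honeytoken used from {ip}:")
        for verb, uri, code in actions:
            print(f"  {verb:<6} {uri} -> {code}")
```

Note the SelfSubjectAccessReview (kubectl auth can-i) succeeds with 201 even for an unbound account, because system:authenticated grants it; the first thing most people do with a found token is exactly that check, so alert on any use, not only on denials.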


Test an S3 bucket policy using the AWS IAM Simulator
#aws, #defend
How to use the AWS IAM Simulator to test an S3 bucket policy attached to a bucket in your AWS account.


How We Escaped Docker in Azure Functions
#azure, #attack
A vulnerability in Azure Functions that would allow an attacker to escalate privileges and escape the Azure Functions Docker container to the Docker host. Microsoft determined that it has no security impact on Functions users, as the Docker host itself is protected by a Hyper-V boundary.


Publishing Checkov Terraform Quality Checks to Azure DevOps Pipelines
#azure, #build
Step by step explanation on how to integrate Checkov Terraform quality checks into Azure DevOps pipelines.


Using Jenkins, Vault, Terraform, Ansible, and Consul to Deliver an End-to-End CI/CD Pipeline
#ci/cd, #build
A series focusing on best practices around the automation of infrastructure provisioning and application deployment. It covers the concepts of Infrastructure as Code, CI/CD, secrets management, dynamic secrets, the secret zero problem, service mesh, and more.


Falco vs. AuditD from the HIDS perspective
#k8s, #monitor
How Falco and AuditD compare from a Host Intrusion Detection perspective. Bear in mind this post was written by Sysdig, the company behind Falco.

Tools


gcp_sa_lister
Crawls your GCP Org and returns service accounts that have not been used in the past 90 days.


k8s-mirror
Creates a local mirror of a Kubernetes cluster in a docker container to support offline reviewing.


Cloud Scout
Cloud Scout is a plugin that works on top of BloodHound, leveraging its visualization capabilities to visualize cross-platform attack paths.


go-containerregistry
Go library and CLIs for working with container registries. It also lets you build your own layers and images programmatically.

From the cloud providers


AWS: Security Overview of AWS Lambda
Amazon released a whitepaper presenting a deep dive into the AWS Lambda service through a security lens. It provides a well-rounded picture of the service, which is useful for new adopters, and deepens understanding of Lambda for current users.


AWS: Discover, review, and remediate unintended access to Secrets Manager secrets using IAM Access Analyzer
AWS IAM Access Analyzer now analyzes AWS Secrets Manager resource-based policies to help you discover secrets that can be accessed publicly or from other accounts or organizations.
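For triage of the same class of finding (public or cross-account principals in a secret's resource policy), here is an added example that is not AWS code: a coarse static check over an exported policy. It classifies the Principal element only and merely records whether a Condition is present, whereas Access Analyzer actually reasons about conditions such as aws:PrincipalOrgID, so treat a hit as a lead, not a verdict. The account IDs and policy are constructed placeholders.

```python
"""Triage a Secrets Manager resource policy for principals outside your trust boundary."""
import json

TRUSTED_ACCOUNTS = {"111122223333", "222233334444"}  # hypothetical: your own accounts

# Constructed sample policy: one same-account grant, one cross-account grant, one
# org-scoped wildcard, and a Deny that never grants anything.
SAMPLE_SECRET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
        {"Sid": "PartnerAccount", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::999988887777:root", "222233334444"]},
         "Action": "secretsmanager:GetSecretValue", "Resource": "*"},
        {"Sid": "OrgWide", "Effect": "Allow", "Principal": "*",
         "Action": "secretsmanager:DescribeSecret", "Resource": "*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "DenyOutsideOrg", "Effect": "Deny", "Principal": "*",
         "Action": "secretsmanager:*", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_entries(principal):
    """Yield (kind, value) for every entry in a statement's Principal element."""
    if principal == "*":
        yield ("AWS", "*")
        return
    for kind, values in principal.items():
        for value in _as_list(values):
            yield (kind, value)


def account_of(aws_principal):
    """Account ID behind an AWS principal: bare 12-digit ID, account root ARN, or user/role ARN."""
    if aws_principal.isdigit() and len(aws_principal) == 12:
        return aws_principal
    parts = aws_principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn":
        return parts[4]
    return None


def external_access(policy, trusted_accounts):
    """Allow statements whose principal is public, from an untrusted account, or federated."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue  # Deny statements restrict, they never grant
        for kind, value in principal_entries(st.get("Principal", {})):
            if kind == "Service":
                continue  # AWS service principals are not external identities
            if kind == "AWS" and value == "*":
                category = "public"
            elif kind == "AWS":
                if account_of(value) in trusted_accounts:
                    continue
                category = "cross-account"
            else:
                category = kind.lower()  # e.g. Federated identity providers
            findings.append({"sid": st.get("Sid"), "principal": value, "kind": category,
                             "conditioned": "Condition" in st,
                             "actions": _as_list(st.get("Action", []))})
    return findings


if __name__ == "__main__":
    for f in external_access(SAMPLE_SECRET_POLICY, TRUSTED_ACCOUNTS):
        cond = " (has Condition; review it)" if f["conditioned"] else ""
        print(f"{f['sid']}: {f['kind']} access for {f['principal']} to {f['actions']}{cond}")
```

Feed it the output of get-resource-policy for each secret (the ResourcePolicy field is a JSON string, so json.loads it first) and compare the hit list with what Access Analyzer reports; anything the heuristic flags that Access Analyzer does not is usually a condition doing its job, and the reverse is worth a closer look.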


AWS: Amazon GuardDuty enhances security incident investigation workflows through new integration with Amazon Detective
Amazon GuardDuty has added Amazon Detective hyperlink pivots to make it even easier to jump from a GuardDuty security finding into a pre-populated Amazon Detective investigation experience.


AWS: Using Route 53 Private Hosted Zones for Cross-account Multi-region Architectures
This blog presents an architecture that provides a unified view of the DNS while allowing different AWS accounts to manage subdomains. It utilizes PHZs with overlapping namespaces and cross-account multi-region VPC association for PHZs to create an efficient, scalable, and highly available architecture for DNS.


AWS: AWS Certificate Manager Private Certificate Authority now supports additional certificate customization
AWS Certificate Manager (ACM) Private Certificate Authority (CA) now supports additional customization options for issuing CA and end entity certificates to meet additional use cases such as identity certificates, including smart card certificates. Customers can now include certificate attributes via API calls at the time of issuance in addition to inclusion in the certificate signing request (CSR).


AWS: Sudo Security Issue (CVE-2021-3156)
AWS infrastructure and services are not affected by this issue. As a general security best practice, it is recommended that Amazon EC2 customers running Amazon Linux update their operating systems to install the latest version of sudo.
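To check an instance rather than take the package version on trust, here is an added example that is not from the AWS bulletin. The affected ranges are those in the sudo project's advisory for CVE-2021-3156 (legacy 1.8.2 to 1.8.31p2 and stable 1.9.0 to 1.9.5p1, fixed in 1.9.5p2), and the sudoedit -s / probe is the test Qualys published with its disclosure. Distributions, Amazon Linux included, backport the fix without bumping the version string, so a version match only says "look closer"; the probe result is the verdict.

```python
"""Check a host's sudo against CVE-2021-3156 (Baron Samedit)."""
import re
import subprocess

# Inclusive affected ranges as (major, minor, patch, p-level), from the sudo advisory.
AFFECTED_RANGES = [((1, 8, 2, 0), (1, 8, 31, 2)), ((1, 9, 0, 0), (1, 9, 5, 1))]
_VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text):
    """(major, minor, patch, p-level) from `sudo --version` output, or None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_in_affected_range(version):
    """True when the upstream version string falls in an affected range (backports not visible here)."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def classify_probe_output(output):
    """Verdict from `sudoedit -s /`: an error starting with 'sudoedit:' means the
    overflowing code path is reachable; a 'usage:' message means the fix is present."""
    text = output.strip()
    if text.startswith("sudoedit:"):
        return "vulnerable"
    if text.startswith("usage:"):
        return "patched"
    return "unknown"


def _run(cmd):
    """Run with no stdin so sudo cannot block on a password prompt; '' if sudo is missing."""
    try:
        proc = subprocess.run(cmd, stdin=subprocess.DEVNULL, capture_output=True,
                              text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return proc.stdout + proc.stderr


def check_host():
    """Both signals for the local host; run this as an unprivileged user."""
    version = parse_version(_run(["sudo", "--version"]))
    return {
        "version": version,
        "version_in_affected_range": version is not None and version_in_affected_range(version),
        "probe": classify_probe_output(_run(["sudoedit", "-s", "/"])),
    }


if __name__ == "__main__":
    print(check_host())
```

Run it through SSM Run Command across a fleet and key the result on the probe field; a host reporting an affected version with probe "patched" is a backported fix, while "vulnerable" needs the sudo package updated regardless of what the version says.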


GCP: Assess the security of Google Kubernetes Engine (GKE) with InSpec for GCP
Google announced the GKE CIS 1.1.0 Benchmark InSpec profile, which allows you to assess Google Kubernetes Engine (GKE) clusters against security controls recommended by CIS.


GCP: Take the first step toward SRE with Cloud Operations Sandbox
Cloud Operations Sandbox is an open-source tool that helps you learn SRE practices from Google and apply them on cloud services using Google Cloud’s operations suite (formerly Stackdriver).


GCP: Designing and deploying a data security strategy with Google Cloud
Google released a new white paper that shares its view of how to deploy a modern and effective data security program on Google Cloud.


GCP: Lifecycle of a container on Cloud Run
Post explaining the entire lifecycle of a container on Cloud Run, from starting to serving and shutting down.

© 2019-present The Cloud Security Reading List by SecurityBite LTD.