Release Date: 14/03/2021 | Issue: 78
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.

This week's articles


ConsoleMe: A Central Control Plane for AWS Permissions and Access
#aws, #build, #defend
ConsoleMe is a central control plane for AWS that provides an easier way to manage AWS permissions and access across multiple accounts.


Remote Workstations for the Discerning Artists
#aws, #build
Interesting post describing how Netflix provisions the so-called "Netflix Workstations", remote workstations that let content creators get to work wherever they are.


Attacking Kubernetes Clusters Through Your Network Plumbing: Part 1
#k8s, #attack
An attacker can take advantage of the CNI in a misconfigured and unsecured Kubernetes cluster to execute attacks and bypass various mitigation methods.


Deploying Terraform Enterprise in a Highly Secure Environment at Morgan Stanley
#terraform, #explain
How Morgan Stanley overcame multiple challenges while migrating to Terraform Enterprise under strict security regulations.


Detecting and hunting threats in AWS Cloudtrail logs and events with machine learning
#aws, #monitor
An in-depth look at detection techniques through cloud API logs analysis, as well as exploring two real-world incidents in order to better understand how threats can slip through conventional detection methods.


The case for and against Amazon Cognito
#aws, #explain
Should you consider Amazon Cognito in your project? This post lays out the pros and cons, along with many of the pain points you need to consider.


Helm 2nd Security Audit
#k8s, #defend
Helm has now completed a second security audit, funded by the CNCF. The first audit focused on the source code for the Helm client along with the process Helm uses to handle security. The second audit, performed by Trail of Bits, looked at the source code for the Helm client along with a threat model for the use of Helm.


Cloud Native Security Checklist
#k8s, #iac, #defend
Checklist from PaloAlto offering best practices that can help an organization develop a comprehensive cloud native security strategy.


Export GCP resources into Terraform
#gcp, #terraform, #iac
Did you create resources in GCP via gcloud or the console but want to manage them as Terraform? You can now export their configuration with: "gcloud alpha resource-config bulk-export --resource-format=terraform" (still an alpha command, so expect the output to need review before it goes into a real module).


Q1/Q2 2021 OPA Roadmap
#opa, #build
The Open Policy Agent roadmap has been updated. Delta bundles, a persistent store, type checking, policy metadata and a new Go SDK are just a few of the many planned improvements.

Tools


Dostainer - Kubernetes Resource Exhaustion PoC Container
This container ships three scripts that demonstrate resource exhaustion from within a Kubernetes cluster: allocate all remaining RAM, allocate all remaining disk space, and fork bomb.
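As an added example (not part of Dostainer or the linked post), here are the namespace guardrails that blunt the three scenarios above. The namespace name "team-a" and the numbers are placeholders; tune them for your workloads.

```yaml
# Added example, not from Dostainer. Namespace-level defaults and caps for memory
# and ephemeral storage, plus a node-level PID cap. "team-a" is a placeholder.
apiVersion: v1
kind: LimitRange
metadata:
  name: container-defaults
  namespace: team-a
spec:
  limits:
    - type: Container
      default:                 # applied when a container sets no limits
        memory: 512Mi          # exceeding this -> container is OOM-killed
        ephemeral-storage: 1Gi # exceeding this -> pod is evicted
      defaultRequest:
        memory: 128Mi
        ephemeral-storage: 256Mi
      max:                     # hard ceiling a pod spec may ask for
        memory: 2Gi
        ephemeral-storage: 4Gi
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.memory: 8Gi
    limits.memory: 16Gi
    requests.ephemeral-storage: 20Gi
    pods: "50"
---
# A fork bomb is not caught by LimitRange/ResourceQuota. Cap PIDs per pod in the
# kubelet configuration instead (node-level setting, not a namespaced object).
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
podPidsLimit: 1024
```

Two caveats worth knowing before applying this: once a ResourceQuota constrains requests.memory, every pod in the namespace must declare a memory request or the API server rejects it, which is why the LimitRange defaults are paired with it. And the ephemeral-storage limit only covers the container's writable layer, logs and emptyDir volumes; a script writing into a hostPath or PersistentVolume fills that volume regardless.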


AzureAD-Attack-Defense
Collection of various common attack scenarios on Azure Active Directory and how they can be mitigated or detected.


policy-bot
A GitHub App that enforces approval policies on pull requests.

CloudSecDocs


AWS - Logging
A collection of resources discussing logging strategies in AWS.

From the cloud providers


AWS Icon  Demystifying KMS keys operations, bring your own key (BYOK), custom key store, and ciphertext portability
How to select the right AWS cryptographic services and tools for your application using KMS keys, custom key store, and ciphertext portability.


AWS Icon  Validate access to your S3 buckets before deploying permissions changes with IAM Access Analyzer
IAM Access Analyzer now lets you preview and validate public and cross-account access before deploying permission changes. For example, you can check whether an S3 bucket policy would allow public access before deploying it.


AWS Icon  AWS Security Hub adds 25 new controls to its Foundational Security Best Practices standard
AWS Security Hub has released 25 new controls for its Foundational Security Best Practices standard. These controls run fully automated checks against security best practices for API Gateway, CloudFront, DynamoDB, EC2, EFS, Elasticsearch Service (ES), RDS, Redshift, SNS, ELB, and KMS.


AWS Icon  How to replicate secrets in AWS Secrets Manager to multiple Regions
AWS Secrets Manager now lets you replicate secrets across multiple AWS Regions. This post shows how to automatically replicate a secret and access it from the recovery Region to support a disaster recovery plan.


GCP Icon  A guide to data protection offerings in Google Cloud
Storage and backup administrators have a key role to play in cloud adoption, and Google Cloud has developed a number of data protection offerings to help administrators excel in their role and meet operational and compliance requirements.


GCP Icon  Introducing Cloud Code Secret Manager Integration
Secret Manager is a Google Cloud service that provides a secure and convenient method for storing API keys, passwords, certificates, and other sensitive data. Secret Manager provides a central place and single source of truth to manage, access, and audit secrets across Google Cloud. Integrating Cloud Code with Secret Manager brings the capabilities of both tools together: Cloud Code makes it easy to create and manage your secrets right from within your preferred IDE, whether that is VS Code, IntelliJ, or Cloud Shell Editor.


GCP Icon  Testing Cloud SQL failover: Where to begin
Some of the key metrics to monitor when testing failover to optimize your application's performance, including the number of database connections, queries per second, CPU and memory utilization of the instance, read/write IOPS, and peak replication lag.


Azure Icon  Azure Sentinel and Microsoft 365 Defender incident integration
Microsoft released a deeper integration between Azure Sentinel and Microsoft 365 Defender, making it easier to harness the breadth of SIEM alongside the depth of XDR.


Azure Icon  Announcing preview of Azure Trusted Launch for virtual machines
Microsoft introduced Azure Trusted Launch, which lets administrators deploy virtual machines with verified and signed bootloaders and OS kernels, plus a boot policy that uses a virtual Trusted Platform Module (vTPM) to measure and attest whether the boot chain was compromised.


Alibaba Cloud Icon  One-Stop Management for Cloud Security: Alibaba Cloud Security Center
Alibaba Cloud Security Center is an all-in-one security management platform that centrally manages all of the security systems associated with your Alibaba Cloud account. Security Center identifies and analyzes security threats on the fly and, when a threat is detected, automatically sends an alert to the administrator.


Alibaba Cloud Icon  Securing Ends with Data Encryption for the Cloud
This article explains the Alibaba Cloud Data Encryption Service and its usage scenarios.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present
The Cloud Security Reading List by SecurityBite LTD.