Release Date: 28/03/2021 | Issue: 80
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

Cloud Cyber Resilience Report: Evolving Risks, Insecure Defaults, Watering Hole Threats
As cloud native technologies, such as serverless, containers, and service mesh experience explosive growth, it’s apparent that organizations see cloud native as the future. Accurics latest research identified some common trends, such as a move of Identity and Access Management into Infrastructure as Code, rapid adoption of CSP-managed services, and insecure default configurations for many resource types.
This report examines the top cloud infrastructure risks, provides practical advice and best practices to avoid common misconfigurations that kill productivity.
Read the report.

This week's articles


Secure access to 100 AWS accounts
#aws, #defend
Segment's journey towards designing a scalable IAM architecture.


Thread on CI security
#ci/cd, #defend
Many useful insights from Dino Dai Zovi on how to properly harden your CI infrastructure to make supply chain attacks more difficult to pull off.


What Architects Need to Know About Networking on AWS
#aws, #explain
Blog, walking through the importance of managing your network, and presenting a network structure for full control over your cloud resources.


Presenting the Risk: Do You Know About this AWS Authorization Bypass?
#aws, #defend
In AWS IAM, even if a group has an explicit "Deny", this will only impact Group actions, and not User actions, opening organizations up to misconfiguration and vulnerabilities.


Continuous AWS IAM Security Best Practices
#aws, #defend
Walkthrough on how to automate, validate and monitor AWS IAM Security best practices with CloudQuery.


10 Kubernetes Security Context settings you should understand
#k8s, #explain
Cheatsheet taking a look at the various "securityContext" settings, explore what they mean and how you should use them.


Trying out Cosign
#docker, #build
How to setup a Github Action to build and sign an image with Cosign.


Using Open Policy Agent with Strimzi and Apache Kafka
#opa, #kafka
Blog looking at Kafka authorization using Open Policy Agent. It explains the advantages and disadvantages of using it, compare it with other supported authorization methods and look at some interesting ways it can be used.


How to monitor multi-cloud Kubernetes with Prometheus and Grafana
#k8s, #monitor
How to connect services running in multiple, isolated, Kubernetes clusters spread across cloud providers or running on-premises with Inlets.


Argo CD v2.0-rc1 is here
#ci/cd, #build
The Argoproj team announced the first release candidate for Argo CD v2.0. This post explains the new Argo CD user interface features, Kubernetes resource syncing and diffing enhancements.

Tools


red-shadow
Scan your AWS IAM Configuration for shadow admins in AWS IAM based on misconfigured deny policies not affecting users in groups.


s3-account-search
Find the account ID an S3 bucket belongs too. You can also read the companion blog post.


kubestriker
Kubestriker performs numerous in depth checks on kubernetes infra to identify the security misconfigurations and challenges that devops engineers/developers are likely to encounter when using Kubernetes, especially in production and at scale.


argocd-image-updater
Tool to automatically update the container images of Kubernetes workloads which are managed by Argo CD. In a nutshell, it will track image versions specified by annotations on the Argo CD Application resources and update them by setting parameter overrides using the Argo CD API. You can also check the companion blog post.


magpie
Magpie is a free, open-source framework and a collection of community developed plugins that can be used to build complete end-to-end security tools such as a Cloud Security Posture Manager.

CloudSecDocs


Secrets
A collection of tools useful for secrets management, as well as hooks and scanners handy for preventing and detecting leaked secrets.

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

From the cloud providers


AWS Icon  Organizing Your AWS Environment Using Multiple Accounts
In-depth guide on how to set up an AWS multi-account environment, full of advice and examples from AWS engineers and customer experts.


AWS Icon  Approaches for authenticating external applications in a machine-to-machine scenario
Post aiming to help you decide which approach is best to securely connect your applications, either residing on premises or hosted outside of AWS, to your AWS environment when no human interaction comes into play. The post goes through the various alternatives available and highlights the pros and cons of each.


AWS Icon  Now you can use AWS CloudTrail to log data-plane API activity in DynamoDB tables
Now you can use AWS CloudTrail to log data-plane API activity to monitor, alarm, and archive item-level activity in your Amazon DynamoDB tables. You can use this information about item-level activity as part of an audit, to help address compliance requirements, and monitor which IAM users, roles, and permissions are being used to access your table data.


AWS Icon  AWS Security Hub integrates with Amazon Macie to automatically ingest sensitive data findings
AWS Security Hub is now integrated with Amazon Macie to automatically ingest sensitive data findings from Macie. Security Hub previously ingested policy findings from Macie, and this integration adds sensitive data findings.


AWS Icon  How to automate SCAP testing with AWS Systems Manager and Security Hub
How to automate OpenSCAP's STIG testing and integrate the findings with AWS Security Hub to improve your view of your IT systems' compliance status.


GCP Icon  Announcing Network Connectivity Center
With Network Connectivity Center, you can connect and manage VPNs, interconnects, third-party routers and SD-WAN across on-prem and cloud networks.


GCP Icon  Building and debugging locally
It is now possible to run Google Cloud Build builds locally on your laptop with: "$ cloud-build-local --dryrun=false --config=cloudbuild.yaml".


GCP Icon  Policy Simulator
Policy Simulator lets you see how an IAM policy change might impact a member's access before you commit to making the change. You can use Policy Simulator ensure that the changes you're making won't cause a member to lose access that they need.


GCP Icon  You make the rules with authentication controls for Cloud Storage
Once you've got your data into Cloud Storage, it's time for an important conversation about authentication. This post reviews some critical components for determining who has access to that data.


Azure Icon  Strengthen and optimize compliance in Azure Security Center
The Regulatory Compliance dashboard in Azure Security Center is an excellent tool for helping organizations understand their compliance posture relative to industry standards.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
Forward Forward
Twitter Tweet
Share Share
Website
Twitter
View this email in your browser © 2019-present
The Cloud Security Reading List by SecurityBite LTD.