Release Date: 04/04/2021 | Issue: 81
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

You don't know what's in your cloud environment!
We're focused so much on execution and delivery that we don't attend to our cyber assets and their relationships. This interconnectedness is what makes a business run... but it also makes us vulnerable to attackers. Auto-discover your cyber asset relationships across your entire infrastructure with JupiterOne.
Read 3 Steps for Continuous Improvement in Cloud Security and get visibility into your entire cloud infrastructure by signing up for a free JupiterOne account now.

This week's articles


State of Cloud Security Concerns, Challenges, and Incidents
#explain
A survey that set out to understand current and estimated future cloud usage, determine the main security concerns during cloud adoption and deployment, identify the security tools organizations are using to address those concerns, and understand the occurrence and causes of cloud-related security incidents.


Enabling Autonomous Teams With Policy Enforcement At Yubico
#opa, #build
Slides from a KubeCon Cloud Native Security Day 2020 talk discussing Yubico's journey towards automatic policy enforcement with Open Policy Agent.


How to secure multi-tenant applications with AppSync and Cognito
#aws, #build
A common requirement in multi-tenant applications is to support roles within each tenant. These are usually well-defined roles in your application and a user would fall into one of these roles within his/her tenant. So you not only have to isolate data access by the tenant but also restrict access to certain operations by role.


Top 6 considerations for integrating cloud security and GitOps
#ci/cd, #build
How to leverage GitOps to continuously enforce cloud security guardrails as infrastructure is developed, delivered, and deployed.


AWS S3 security with CloudTrail and Falco
#aws, #monitor
How to enhance AWS S3 security and how to enable CloudTrail audit events for this service. The post also explains how to perform AWS threat detection with CloudTrail and introduces the free-to-use Sysdig Cloud Connector, so you can detect suspicious activity and react as soon as possible.


Azure Managed Identities with the HashiCorp Stack: Part 1
#azure, #build
Part 1 of a series which demonstrates how to use Terraform to provision a Managed Identity resource and authenticate with Azure, as well as showing how Packer can take advantage of Managed Identities.


Detections of Past, Present, and Future
#defend
Post discussing an often overlooked component of building detections: the "when" in time a detection covers.


Kubernetes Lab on Baremetal
#k8s, #build
My personal approach to deploying my own Kubernetes Lab on bare metal, and on an Intel NUC in particular (disclaimer: I did write this post).


Kafka Without ZooKeeper: A Sneak Peek At the Simplest Kafka Yet
#kafka, #build
Confluent announced that the early access of the KIP-500 code has been committed to trunk and is expected to be included in the upcoming 2.8 release. For the first time, you can run Kafka without ZooKeeper.


Cloud Storage Security: Attacking & Auditing
#aws, #attack
How to attack and audit cloud storage services such as AWS S3, Azure Storage, and Google Cloud Storage buckets.

Tools


kics
Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code.


terraform-azurerm-tfstate-backend
Terraform module that provisions an Azure Storage account to store the terraform.tfstate file and a Key Vault to store the customer-managed encryption key.


botocove
A simple decorator for functions to run them against all AWS accounts in an organization.


microk8s-kata-containers
This repository encompasses a fully scripted GitHub workflow to test the transparent use of the Kata Containers runtime on MicroK8s.

CloudSecDocs


Technical Leadership
A collection of resources and how-tos for Tech Leads and all of those who chose the individual contributor (IC) career track.

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

From the cloud providers


Amazon DynamoDB now supports audit logging and monitoring using AWS CloudTrail
#aws
You can now enable data plane activity logging for fine-grained monitoring of all DynamoDB item activity within a table by using CloudTrail.


Troubleshoot Boot and Networking Issues with New EC2 Serial Console
#aws
AWS announced the EC2 Serial Console, a simple and secure way to troubleshoot boot and network connectivity issues by establishing a serial connection to your EC2 instances.


How to Get Started with Amazon Route 53 Resolver DNS Firewall for Amazon VPC
#aws
AWS announced Route 53 Resolver DNS Firewall, which lets you protect against data exfiltration attempts by defining domain name allowlists, so that resources within your VPC can make outbound DNS requests only for the sites your organization trusts.


Amazon API Gateway now provides IAM condition keys for governing endpoint, authorization, and logging configurations
#aws
You can now use IAM condition keys as part of IAM and Service Control Policies (SCPs) to centrally govern endpoint, authorization, and logging configurations for your APIs in API Gateway.


New whitepaper: Scaling certificate management with Certificate Authority Service
#gcp
Scaling certificate management with Google Certificate Authority Service is a new whitepaper which focuses on GCP's Certificate Authority Service (CAS) as a modern certificate authority service and showcases key use cases for it.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate it if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.