Release Date: 11/04/2021 | Issue: 82
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.

⏩ Embed security directly into developer workflows with Bridgecrew ⏪
Stay secure without slowing down production with Bridgecrew’s all-in-one cloud security solution. Bridgecrew automates infrastructure security and governance throughout the entire development lifecycle. With codified security, you can proactively address security and compliance errors before you’re ever exposed to risk. Get started for free.

This week's articles

PodSecurityPolicy Deprecation: Past, Present, and Future
#k8s, #announcement
PodSecurityPolicy (PSP) is being deprecated in Kubernetes 1.21, to be released later this week. PodSecurityPolicy will continue to be fully functional for several more releases before being removed completely. In the meantime, a replacement that covers key use cases more easily and sustainably is being developed.

Project Zero: Who Contains the Containers?
#docker, #attack
Post about a research project James Forshaw (Google's Project Zero) conducted on Windows Server Containers that resulted in four privilege escalations which Microsoft fixed in March 2021. In the post, he describes what led to this research, his research process, and insights into what to look for if you're researching this area.

How to Harden Your Cloud Against SMTP Abuse
#aws, #attack
AWS accounts that are outside of the SES sandbox are valuable to criminals who are looking to run mass spam campaigns or large-scale phishing attacks. Once they have bought such an account, they attempt to launch their campaign as soon as possible and send as much as they can before Amazon catches on and bans the AWS account for malicious SES activity.

Secure containerized environments with updated threat matrix for Kubernetes
#kubernetes, #defend
Microsoft released the second version of the threat matrix for Kubernetes, which adds new techniques that were found by Microsoft researchers, as well as techniques that were suggested by the community.

Cloud lateral movement: Breaking in through a vulnerable container
#aws, #attack
What often happens in well-known attacks on cloud environments is that a publicly exposed vulnerable application serves as the entry point. From there, attackers try to move laterally inside the cloud environment, aiming to exfiltrate sensitive data or to use the account for their own purposes, such as crypto mining.

The worst so-called best practice for Docker
#docker, #build
In a whole bunch of places you will be told not to install security updates when building your Docker image. Please, run dnf/apk/apt-get upgrade in your Dockerfile, you really do want to install security updates in your Docker image. And after that, make sure Docker caching doesn't break your updating.

Man in the Terminal
#aws, #attack
Leveraging environment $PATH variables to keylog, hijack SSH sessions, and more. Useful for post-exploitation activities on shared *nix jumpboxes or developer workstations. This can be particularly useful in AWS environments where you have access as the ec2-user.

From "War Games" to Network Policies
#kubernetes, #defend
Post considering why traditional network security approaches aren't sufficient in the cloud native world, and looking at what advantages we can gain through network policies.

Kubernetes Pentest Methodology
#kubernetes, #attack
Series describing a Kubernetes penetration test methodology, which covers the security risks that can be created by misconfiguring Kubernetes RBAC and demonstrates the attack vectors of a remote attacker.

Running Atlantis at Lyft
#ci/cd, #build
Atlantis is an Open Source Terraform Automation platform designed to be run as part of a version control provider's pull request (PR) workflow. It provides workflow customization on a per-team basis, centralized permissions and binaries, audit logs and guardrails such as PR approvals and mergeability.

Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments.

Validate all your Customer Policies against AWS Access Analyzer.

A GitHub Action for easily using conftest in your CI. It allows for pulling policies from another source and can surface the violations and warnings into the comments of the pull request.

A Kubernetes admission controller to verify images have been signed by cosign.

A distributed systems and infrastructure simulator for attacking and debugging Kubernetes: the simulator creates a Kubernetes cluster for you in your AWS account, runs scenarios which misconfigure it and/or leave it vulnerable to compromise, and trains you in mitigating these vulnerabilities.

PMapper v1.1.0 Update
PMapper v1.1.0 has been released, now having support for all policy types (IAM, SCP, Session, Boundary, and Resource for a bunch of resource types).

Checkov 2.0: Deeper, broader, and faster IaC scanning
Bridgecrew introduced Checkov 2.0, including an all-new graph-based framework, 250 new policies, and Dockerfile support.

Kubernetes Pentest Resources
A collection of resources and tools that can aid assessing Kubernetes clusters.

From the cloud providers

IAM Access Analyzer makes it easier to implement least privilege permissions by generating IAM policies based on access activity
You can now use IAM Access Analyzer to generate fine-grained policies, based on your access activity in your AWS CloudTrail logs. When you request a policy, IAM Access Analyzer gets to work and identifies your activity from CloudTrail logs to generate a policy.

Amazon VPC Flow Logs announces out-of-the-box integration with Amazon Athena
Amazon VPC Flow Logs now makes it easier to query flow logs using Amazon Athena. With a few clicks, you can now automate the integration between Athena and your VPC flow logs delivered to S3.

7 ways to improve security of your machine learning workflows
How to use familiar security controls to build more secure machine learning (ML) workflows.

Using Dex & dex-k8s-authenticator to authenticate to Amazon EKS
How to use Dex, a popular OIDC provider that offers connectors for a variety of OAuth providers, with Amazon EKS. Specifically, this blog describes how to configure Dex with GitHub as your primary IdP.

Disaster Recovery (DR) Architecture on AWS, Part I: Strategies for Recovery in the Cloud
How to architect for disaster recovery (DR), which is the process of preparing for and recovering from a disaster.

Secret Manager Best Practices
This guide introduces some best practices when using Secret Manager.

Best practices for securing service accounts
This guide presents best practices for limiting the privileges of service accounts and mitigating the major risks they might incur.

Leveraging Azure Arc cluster extensions on Cluster API Azure clusters
Microsoft introduced Azure Monitor, Azure Defender, and Azure RBAC for Cluster API Provider Azure Kubernetes clusters via Azure Arc.

Announcing Azure AD Verifiable Credentials
Azure AD customers can now easily design and issue verifiable credentials to represent proof of employment, education, or any other claim, so that the holder of such a credential can decide when, and with whom, to share their credentials. Each credential is signed using cryptographic keys associated with the decentralized identifier (DID) that the user owns and controls.

© 2019-present The Cloud Security Reading List by SecurityBite LTD.