Release Date: 25/04/2021 | Issue: 84
The Cloud Security Reading List is a low-volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand-curated by Marco Lancini.
Sponsor

Online Training for Common NGINX Misconfigurations on May 6
NGINX is the web server powering one-third of all websites in the world. Detectify's Security Research team analyzed almost 50,000 unique NGINX configuration files downloaded from GitHub with Google BigQuery and discovered common misconfigurations that, if left unchecked, leave your web site vulnerable to attack. This training will walk through the most common issues, including demos and remediation tips for securing your web servers. Training is live on May 6, and will be on-demand afterwards. Sign up for the free training webinar here.

This week's articles


Using Falco to monitor outbound traffic for Pods in Kubernetes
#kubernetes, #monitor
Really interesting walkthrough on how to use Falco to monitor the network traffic of your Pods.


Enforcing Policy as Code using OPA and Gatekeeper in Kubernetes
#opa, #build
How to set up Open Policy Agent/Gatekeeper as your Kubernetes admission webhook to enforce policies on your Kubernetes cluster.


Authorizing Microservice APIs With OPA and Kuma
#opa, #kubernetes, #build
You can hook up Kuma to OPA so that whenever an external request comes in, Kuma sends the agent an authorization query that says, "Hey, is this API call authorized or not?". OPA returns that authorization decision and Kuma is responsible for enforcing it.


Top 6 considerations for integrating cloud security and GitOps
#ci/cd, #build
How to leverage GitOps to continuously enforce cloud security guardrails as infrastructure is developed, delivered, and deployed.


A practical guide to writing secure Dockerfiles
#docker, #opa, #build
Post teaching best practices for writing Dockerfiles using BuildKit features and linters, as well as leveraging OPA to write custom policies.


Hacking AWS: HackerOne & AWS CTF 2021 writeup
#aws, #attack
Interesting writeup for the HackerOne CTF organised together with AWS.


List of expensive / long-term effect AWS IAM actions
#aws, #attack
A list of IAM permissions that gate calls that could be potentially expensive or result in a long-term commitment.


How to modify etcd data of your Kubernetes directly (without K8s API)
#kubernetes, #explain
How to alter etcd-stored values without using any common Kubernetes tooling, such as its native CLI utilities or even the API.


Annotating Kubernetes Services for Humans
#kubernetes, #explain
Much like implementing observability within microservice systems, you often don't realize that you need human service discovery until it's too late. Don't wait until something is on fire in production to start wishing you had implemented better metrics and also documented how to get in touch with the part of your organization that looks after it.


Evolving Kubernetes networking with the Gateway API
#kubernetes, #explain
Kubernetes announced the Gateway API to standardise underlying route matching, traffic management, and service exposure.

Tools


aws-security-reviewer
Terraform module which automates the setup of the roles and users needed to perform a security audit of AWS accounts in a Hub and Spoke model. The concepts behind it are detailed in Cross Account Auditing in AWS and GCP.


kube-burner
Kube-burner is a tool aimed at stressing Kubernetes clusters by creating or deleting a high quantity of objects. You can also refer to the companion blog post.


PurpleCloud
Multi-use Hybrid + Identity Cyber Range implementing a small Active Directory Domain in Azure alongside Azure AD and Azure Domain Services.


fossa-action
Find license compliance and security issues in your applications with FOSSA in GitHub Actions, using FOSSA CLI V2.


censor-shell
Censors or hides shell / Bash / console output based on defined patterns - great for hiding secrets in demos.


rbac-lookup
Easily find roles and cluster roles attached to any user, service account, or group name in your Kubernetes cluster.

CloudSecDocs


Building Applications for Kubernetes
A collection of resources and utilities helpful when building applications for Kubernetes.

From the cloud providers


AWS: Review last accessed information to identify unused EC2, IAM, and Lambda permissions and tighten access for your IAM roles
IAM is increasing visibility into access history by extending last accessed information to EC2, IAM, and Lambda management actions. This makes it easier for you to analyze access and reduce EC2, IAM, and Lambda permissions by providing the latest timestamp when an IAM user or role accessed an action.


AWS: Architecting SWIFT Connectivity on Amazon Web Services (AWS)
Architecture principles for a migration approach from a Full Stack on-premises SWIFT infrastructure to AWS.


AWS: How to use AWS Secrets & Configuration Provider with your Kubernetes Secrets Store CSI driver
AWS Secrets Manager now lets you securely retrieve its secrets for use in EKS pods.


GCP: Hold your own key with Google Cloud External Key Manager
A new whitepaper explains how security teams that want to hold their own keys can use Google Cloud External Key Manager to do so.


GCP: Access Approval
Access Approval enables you to require your explicit approval whenever Google support and engineering need to access your customer content.


GCP: A peek behind Colossus, Google's file system
A deeper look at the storage infrastructure behind your VMs, specifically the Colossus file system, and how it helps enable massive scalability and data durability for Google services as well as your applications.


Azure: Tutorial: Azure Active Directory single sign-on (SSO) integration with AWS Single-Account Access
How to configure single sign-on between Azure Active Directory and AWS Single-Account Access.


Alibaba Cloud: Secure Docker Compose Stacks with CrowdSec
How to make CrowdSec and Docker Compose work together to protect applications exposed in containers.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate it if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.