Release Date: 02/05/2021 | Issue: 85
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

Threats in the Cloud During COVID-19
Prisma Cloud by Palo Alto Networks is hosting a LinkedIn Live event on May 4th on the topic of their latest Unit 42 Cloud Threat Report, which centers around the impact of COVID-19 on cloud security. RSVP to the live event to hear how organizations globally increased their cloud workloads by more than 20% during the pandemic, leading to an explosion of security incidents. To learn more about the Unit 42 team’s findings and recommendations, download the report here.

This week's articles


Automating Cartography Deployments on Kubernetes
#kubernetes, #build
Open-sourcing an automated process to get Neo4j and Cartography up and running in a Kubernetes cluster, using HashiCorp Vault as the secrets management engine.


What's New in ATT&CK v9? Data Sources, Containers, Cloud, and more
#kubernetes, #monitor
Blog providing details on new data sources, cloud changes, container techniques and more additions to ATT&CK v9.


Falcosidekick + OpenFaas = a Kubernetes Response Engine
#kubernetes, #monitor
Post explaining the basic concepts behind integrating your own response engine into Kubernetes with the Falco + Falcosidekick + OpenFaaS stack: Falco raises the alert, Falcosidekick forwards it as JSON to an OpenFaaS function, and the function decides what to do with the offending pod.
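The decision half of such a response engine, as an added example that is not code from the linked post or from the Falco project. `handle(req)` follows the signature of the OpenFaaS classic Python template and receives the Falco event JSON that Falcosidekick POSTs (`rule`, `priority`, `output_fields` with `k8s.ns.name` / `k8s.pod.name`); the rule-to-action policy, the `quarantine=true` label (meant to be matched by a deny-all NetworkPolicy), the protected namespaces and the recording Kubernetes client are all assumptions made for the demo.

```python
"""Added example, not the linked post's code: decide and apply a response to a
Falco event delivered by Falcosidekick to an OpenFaaS function."""
import json

# Falco priorities, lowest to highest.
PRIORITIES = ["Debug", "Informational", "Notice", "Warning", "Error",
              "Critical", "Alert", "Emergency"]

# Assumed response policy: which Falco rules trigger which action.
RULE_ACTIONS = {
    "Terminal shell in container": "isolate",   # label the pod for a quarantine NetworkPolicy
    "Write below etc": "delete",
    "Launch Package Management Process in Container": "delete",
}
PROTECTED_NAMESPACES = {"kube-system", "falco"}   # assumed: never touch these automatically
MIN_PRIORITY = "Notice"


def priority_rank(name):
    """Rank of a Falco priority; unknown strings rank lowest rather than raising."""
    return PRIORITIES.index(name) if name in PRIORITIES else 0


def plan(event):
    """Decide what to do with one Falco event. Returns an action dict or None."""
    fields = event.get("output_fields") or {}
    ns, pod = fields.get("k8s.ns.name"), fields.get("k8s.pod.name")
    if not ns or not pod:
        return None                      # host-level event: no pod to act on
    if priority_rank(event.get("priority")) < priority_rank(MIN_PRIORITY):
        return None
    rule = event.get("rule")
    base = {"namespace": ns, "pod": pod, "rule": rule}
    if ns in PROTECTED_NAMESPACES:
        return dict(base, action="notify")   # alert a human instead of acting
    action = RULE_ACTIONS.get(rule)
    return dict(base, action=action) if action else None


class RecordingClient:
    """Stand-in for a Kubernetes API client; records the calls it would make."""
    def __init__(self):
        self.calls = []

    def label_pod(self, ns, pod, labels):
        self.calls.append(("label", ns, pod, labels))

    def delete_pod(self, ns, pod):
        self.calls.append(("delete", ns, pod))

    def notify(self, message):
        self.calls.append(("notify", message))


def apply_decision(decision, client):
    """Carry out a decision from plan() against the given client."""
    ns, pod = decision["namespace"], decision["pod"]
    if decision["action"] == "isolate":
        client.label_pod(ns, pod, {"quarantine": "true"})
    elif decision["action"] == "delete":
        client.delete_pod(ns, pod)
    else:
        client.notify(f"{decision['rule']} in protected pod {ns}/{pod}")


CLIENT = RecordingClient()


def decide(req):
    """Parse the raw POST body, plan, and apply. Returns the response dict."""
    try:
        event = json.loads(req)
    except ValueError:
        return {"error": "invalid JSON"}
    decision = plan(event)
    if decision:
        apply_decision(decision, CLIENT)
    return {"decision": decision}


def handle(req):
    """OpenFaaS classic-template entry point: req is the request body string."""
    return json.dumps(decide(req))


# Constructed sample event in Falco's JSON output shape (not a real alert).
SAMPLE_EVENT = {
    "output": "10:00:00.000000000: Notice A shell was spawned in a container with an attached terminal",
    "priority": "Notice",
    "rule": "Terminal shell in container",
    "time": "2021-04-29T10:00:00.000000000Z",
    "output_fields": {"container.id": "abc123", "k8s.ns.name": "shop",
                      "k8s.pod.name": "web-0", "proc.name": "bash"},
}
SAMPLE_REQ = json.dumps(SAMPLE_EVENT)

if __name__ == "__main__":
    print(handle(SAMPLE_REQ))
    print(CLIENT.calls)
```

Keeping `plan()` pure makes the policy unit-testable without a cluster; swap `RecordingClient` for a real client once the decisions look right, and keep the protected-namespace check so a noisy rule cannot make the engine delete Falco itself.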


Why You Shouldn't Use Config Maps to Store Sensitive Data in K8s
#kubernetes, #build
Sensitive data for cloud native applications should be stored in the built-in Secret object type rather than in ConfigMaps: a ConfigMap is plain text readable by anyone who can list ConfigMaps, while Secrets can be scoped with separate RBAC rules and covered by encryption at rest. Note that a Secret's data is only base64-encoded, so enable an EncryptionConfiguration (or a KMS provider) on the API server if you want it encrypted in etcd.
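A small linter for the mistake the article warns about, as an added example that is not code from the article: it flags ConfigMaps whose keys or values look like credentials and reports which Pods load them. Manifests are plain Python dicts in the shape of `kubectl get ... -o json` output, so it runs offline without PyYAML; the key-name and value patterns and the sample objects are assumptions constructed for the demo.

```python
"""Added example, not the linked article's code: flag credentials kept in
Kubernetes ConfigMaps and the Pods that consume them."""
import base64
import re

# Key names that usually hold credentials (case-insensitive), assumed list.
SECRET_KEY_RE = re.compile(
    r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key|credential", re.I)

# Value shapes that are credentials regardless of key name.
SECRET_VALUE_RES = [
    re.compile(r"^AKIA[0-9A-Z]{16}$"),                  # AWS access key ID
    re.compile(r"^eyJ[\w-]+\.[\w-]+\.[\w-]+$"),         # JWT
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),  # PEM private key
]


def looks_secret(key, value):
    return bool(SECRET_KEY_RE.search(key)) or any(
        r.search(str(value)) for r in SECRET_VALUE_RES)


def ident(obj):
    meta = obj.get("metadata", {})
    return f"{meta.get('namespace', 'default')}/{meta.get('name')}"


def suspicious_configmap_keys(cm):
    """Keys in a ConfigMap whose name or (decoded) value looks like a credential."""
    keys = []
    for section in ("data", "binaryData"):
        for k, v in (cm.get(section) or {}).items():
            if section == "binaryData":   # binaryData is base64 in the API object
                v = base64.b64decode(v, validate=True).decode("utf-8", "replace")
            if looks_secret(k, v):
                keys.append(k)
    return keys


def configmaps_loaded_by(pod):
    """Names of ConfigMaps a Pod loads via env, envFrom or volumes."""
    names = set()
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for e in c.get("env", []):
            ref = (e.get("valueFrom") or {}).get("configMapKeyRef")
            if ref:
                names.add(ref["name"])
        for ef in c.get("envFrom", []):
            if "configMapRef" in ef:
                names.add(ef["configMapRef"]["name"])
    for v in spec.get("volumes", []):
        if "configMap" in v:
            names.add(v["configMap"]["name"])
    return names


def lint(objects):
    """Return findings as (kind, namespace/name, detail) tuples."""
    findings, bad_cms = [], {}
    for o in objects:
        if o.get("kind") == "ConfigMap":
            keys = suspicious_configmap_keys(o)
            if keys:
                bad_cms[ident(o)] = keys
                findings.append(("ConfigMap", ident(o),
                                 "secret-looking keys: " + ", ".join(sorted(keys))))
    for o in objects:
        if o.get("kind") == "Pod":
            ns = o.get("metadata", {}).get("namespace", "default")
            for name in configmaps_loaded_by(o):
                cm_id = f"{ns}/{name}"
                if cm_id in bad_cms:
                    findings.append(("Pod", ident(o),
                                     f"loads ConfigMap {cm_id} that carries credentials"))
    return findings


# Constructed sample objects (not real cluster data).
BAD_CONFIGMAP = {
    "kind": "ConfigMap",
    "metadata": {"name": "app-config", "namespace": "shop"},
    "data": {"LOG_LEVEL": "info", "DB_PASSWORD": "hunter2",
             "UPLOAD_KEY": "AKIAIOSFODNN7EXAMPLE"},
}
GOOD_SECRET = {   # the same credential moved to a Secret; base64 is encoding, not encryption
    "kind": "Secret",
    "metadata": {"name": "app-creds", "namespace": "shop"},
    "data": {"DB_PASSWORD": base64.b64encode(b"hunter2").decode()},
}
POD = {
    "kind": "Pod",
    "metadata": {"name": "web-0", "namespace": "shop"},
    "spec": {"containers": [{
        "name": "web", "image": "example/web:1.0",
        "envFrom": [{"configMapRef": {"name": "app-config"}}],
        "env": [{"name": "DB_PASSWORD", "valueFrom": {
            "secretKeyRef": {"name": "app-creds", "key": "DB_PASSWORD"}}}],
    }]},
}

if __name__ == "__main__":
    for finding in lint([BAD_CONFIGMAP, GOOD_SECRET, POD]):
        print(*finding)
```

Run it over `kubectl get configmaps,pods -A -o json` (the `items` list) to find existing offenders; the Pod finding is what tells you which workloads need the `envFrom` changed to a `secretRef` once the values move into a Secret.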


Terraform Recommended Practices
#terraform, #explain
Guide describing HashiCorp's recommended Terraform practices and how to adopt them.


Docker Security Cheat Sheet
#docker, #build
Cheat sheet aiming to provide an easy to use list of common security mistakes and good practices that will help you secure your Docker containers.


How to monitor AWS SQS with Prometheus
#aws, #monitor
How to monitor AWS SQS with Prometheus by exporting the queue metrics CloudWatch already collects into Prometheus with YACE (Yet Another CloudWatch Exporter).


Secure Deployment: 10 Pointers on Secrets Management
#build
Secrets management is an important indicator of security maturity. This blog gives 10 pointers on how to do secrets management well.


Create Reproducible Security in Kubernetes with Helm 3 and Helm Charts
#kubernetes, #defend
How to use Helm and Helm Charts to create reproducible security in Kubernetes deployments, with a particular emphasis on user management with RBAC, secrets management, and chain of custody and provenance files.


Argo's Threat Model
#kubernetes, #attack
Another excellent threat model exercise conducted by Trail of Bits, this time on ArgoCD.

Tools


dockerscan
A tool focused on analysing and attacking Docker images.


k8s-image-swapper
Mirror images into your own registry and swap image references automatically.


kube-bench-exporter
Helps you export your cluster's kube-bench reports to remote targets such as multiple Amazon S3 buckets, Azure Blob Storage, etc. in one go.

From the cloud providers


Disaster Recovery (DR) Architecture on AWS, Part II: Backup and Restore with Rapid Recovery
Different backup and restore strategies to meet the DR needs for your workload.


Hands-on walkthrough of the AWS Network Firewall flexible rules engine
How to deploy a demo AWS Network Firewall within your AWS account to interact, first-hand, with its rules engine.


Sign here! Creating a policy contract with Configuration as Data
Configuration as Data is an emerging cloud infrastructure management paradigm that allows developers to declare the desired state of their applications and infrastructure, without specifying the precise actions or steps for how to achieve it. Config Connector is the tool that allows you to express configuration as data in Google Cloud. There is also a sample repo.


Build security into Google Cloud deployments with our updated security foundations blueprint
Google launched an updated version of their Google Cloud security foundations guide and corresponding Terraform blueprint scripts, which provide step-by-step guidance for creating a secured landing zone into which you can configure and deploy your Google Cloud workloads.


Choose the best way to use and authenticate service accounts on Google Cloud
There are a variety of authentication methods that service accounts can employ, and it's important to use the right one based on your needs.


Risk governance of digital transformation: guide for risk, compliance & audit teams
Whitepaper describing what a cloud transformation means for risk, compliance, and audit functions, and how to best position those programs for success in the cloud world.


The evolution of Kubernetes networking with the GKE Gateway controller
Google announced the Preview release of the GKE Gateway controller, GCP's implementation of the Kubernetes Gateway API. Over a year in the making, the GKE Gateway controller manages internal and external HTTP(S) load balancing for a GKE cluster or a fleet of GKE clusters.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.