Release Date: 30/05/2021 | Issue: 89
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

Are you building cloud applications with a distributed team? Check out Teleport, an open source identity-aware access proxy for cloud resources. Teleport provides secure access to anything running somewhere behind NAT: SSH servers, Kubernetes clusters, internal web apps and databases. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility and ensuring compliance. And best of all, it doesn't get in the way.
Download it today at www.goteleport.com

This week's articles


DNS infrastructure at Hulu
#explain
Post describing the evolution of Hulu's DNS infrastructure from a simple setup to a more distributed configuration that is capable of reliably handling a significantly higher request volume.


Detecting and Mitigating CVE-2021-25737: EndpointSlice validation enables host network hijack
#kubernetes, #monitor
A CVE has been found in Kubernetes kube-apiserver where an authorized user could redirect pod traffic to private networks on a Node. This post explains how Kubernetes is impacted and how to mitigate and detect it with Falco and OpenPolicyAgent.


DevSecOps Series: Shifting Security Left
#strategy
Post describing the different components of running a DevSecOps program as well as some of the (hard) lessons learned through the years.


Cloudbite - Bite-sized cloud learning with spaced repetition
#aws, #explain
Nice small website providing flashcards to learn cloud skills.


The CKA for security engineers
#kubernetes, #explain
There are many descriptions of the CKA exam process on the internet, but not that many from a security engineering perspective. This post discusses how a security engineer found the course, the preparation they did, and their experience of the exam.


Top 20 Dockerfile best practices
#docker, #explain
How to prevent security issues and optimize containerized applications by applying a quick set of Dockerfile best practices in your image builds.


Attacking Kubernetes Clusters Through Your Network Plumbing
#kubernetes, #attack
Running routing daemons on Kubernetes clusters opens new threat models that build on the known security limitations of routing protocols. An attacker with low-privileged access to a single node can exploit these to manipulate data traffic throughout the cluster.


Locking Down SSH - The Right Way
#defend
A little guide for locking down a VPS or similar to ensure your SSH connection is as secure as can be.


Taking TeamTNT's Docker Images Offline
#docker, #defend
TeamTNT staged malicious images on Docker Hub using a legitimate user's Docker Hub account. The credentials to this Docker Hub account were accidentally committed to a public GitHub repo.


AWS Secrets Manager on Kubernetes using AWS Secrets CSI driver Provider
#aws, #build
Recently, AWS published a new backend implementation for the Secrets Store CSI Driver that allows using AWS Secrets Manager as a Secret Provider.


The Attack Path Management Manifesto
#strategy
Perspective, thoughts, and vision for directly dealing with the problem of Attack Paths.

Tools


yor
Yor is an open-source tool that helps add informative and consistent tags across infrastructure-as-code frameworks such as Terraform, CloudFormation, and Serverless. Yor is built to run as a GitHub Action, automatically adding consistent tagging logic to your IaC. Yor can also run as a pre-commit hook and as a standalone CLI. You can also review the companion blog post.


angle-grinder
Angle-grinder allows you to parse, aggregate, sum, average, min/max, percentile, and sort your data. You can see it, live-updating, in your terminal. Angle-grinder is designed for when, for whatever reason, you don't have your data in graphite/honeycomb/kibana/sumologic/splunk/etc. but still want to be able to do sophisticated analytics.


crane
crane is a tool for interacting with remote images and registries.


Outdated
A kubectl plugin to show out-of-date images running in a cluster. The plugin will scan all pods in all namespaces that you have at least read access to. It will then connect to the registry that hosts each image and (if it has permission) compare your tag against the list of current tags.


CloudPentestCheatsheets
This repository contains a collection of cheatsheets put together for tools related to pentesting organizations that leverage cloud providers.


CONVEX
CONVEX is a group of CTFs that are independently deployable into participant Azure environments.


terraformer
CLI tool to generate terraform files from existing infrastructure (reverse Terraform).


kubectl-whisper-secret
A plugin which allows users to create secrets with a secure input prompt, to prevent information leakage through terminal history, shoulder surfing attacks, etc.

CloudSecDocs


AWS Auditing
A collection of tools useful when auditing an AWS account for security misconfigurations.

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

From the cloud providers


AWS: How to monitor expirations of imported certificates in AWS Certificate Manager (ACM)
A Lambda function that makes use of CloudWatch rules to report back those certificates that are due to expire within a pre-defined amount of time.


AWS: Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM
How to use an Amazon Cognito user pool as a user directory and let users authenticate and acquire the JSON Web Token (JWT) to pass to the API Gateway.


AWS: Use EC2 Instance Connect to provide secure SSH access to EC2 instances with private IP addresses
How to use Amazon EC2 Instance Connect to use SSH to securely access your EC2 instances running on private subnets within a VPC.


AWS: Working with AWS Directory Service for Microsoft Active Directory
How to use AWS Directory Service with the AWS Transfer Family to securely provide permissions for file transfers to users in your AD groups.


AWS: Visualize your AWS Infrastructure with Amazon Neptune and AWS Config
How to use Amazon Neptune with AWS Config to get insight into your landscape on AWS and map out relationships between resources.


AWS: Audit companion for the AWS PCI DSS Quick Start
How to use automation to reduce the pain of manual and repetitive evidence collection. This will help you focus more on the compliance architecture rather than on evidence collection.


GCP: New OS configuration management tool for VM Manager
A new version of OS configuration management within VM Manager makes it easier to manage large fleets of Compute Engine virtual machines.


Azure: Who Watches the SOC Team? Enabling Audit/Risk Teams to Monitor the SOC
Blog discussing methods to monitor the actions of the SOC team from a risk and auditing standpoint.


Azure: Announcing 15+ New Azure Sentinel Data Connectors
Microsoft announced over 15 new out-of-the-box data connectors for Azure Sentinel to enable data collection for leading products across different industries and clouds.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.