Release Date: 06/06/2021 | Issue: 90
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

Learn the Benefits of Infrastructure as Code Security ✅
Leverage Infrastructure as Code (IaC) to embed cloud security and compliance directly into developer workflows. With policy-as-code, you can get both real-time visibility and preventative governance to more efficiently manage your cloud security posture. Download more IaC Security insights in the free DZone Refcard.

This week's articles


Access Service: Temporary Access to the Cloud
#aws, #gcp, #build
How the Segment Security Engineering Team approaches access to AWS/GCP roles and SaaS apps, and how they implemented time-based, peer-reviewed access.


AWS Accounts as Security Boundaries - 97+ Ways Data Can be Shared Across Accounts
#aws, #defend
Security teams cannot simply rely on the AWS account boundary to limit access between environments. Instead, they must carefully audit IAM policies, resource policies, Organization membership, RAM shares, service-level integrations, and sometimes combinations of one or more of these options, in order to properly evaluate how data from one account is being sent to others.
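One concrete slice of that audit is the resource-policy check: walk every Allow statement, resolve each AWS principal to an account, and flag anything that is not in the set of accounts you own (or a wildcard principal that is not scoped with an aws:PrincipalOrgID condition). The script below is an added example, not code from the article; the bucket policy, the trusted account list and the organization ID are constructed, and Deny statements and Service/Federated principals are deliberately left for a separate review rather than evaluated here.

```python
"""Flag resource-policy statements that grant access outside a trusted set
of AWS accounts. Added example with constructed inputs."""
import json
import re

# Constructed inputs: the accounts we consider "ours" and our Organization ID.
TRUSTED_ACCOUNTS = {"111111111111"}
ORG_ID = "o-exampleorg1"

# Constructed S3 bucket policy mixing in-org, cross-account, org-scoped,
# public and service-principal grants.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InOrgRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data/*"},
        {"Sid": "PartnerPut", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::222222222222:root"]},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::data/*"},
        {"Sid": "OrgWide", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::data",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}}},
        {"Sid": "Public", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::data/public/*"},
        {"Sid": "LogDelivery", "Effect": "Allow",
         "Principal": {"Service": "logging.s3.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::data/logs/*"},
    ],
})

# IAM and STS principal ARNs carry the account ID in the fifth field.
_ARN_ACCOUNT = re.compile(r"^arn:aws[a-z-]*:(?:iam|sts)::(\d{12}):")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Normalise the Principal element to (kind, value) pairs."""
    principal = stmt.get("Principal", {})
    if principal == "*":  # bare "*" is shorthand for {"AWS": "*"}
        return [("AWS", "*")]
    return [(kind, v) for kind, vals in principal.items() for v in _as_list(vals)]


def _scoped_to_org(stmt, org_id):
    """True if the statement carries an aws:PrincipalOrgID condition for org_id."""
    cond = stmt.get("Condition", {})
    for operator in ("StringEquals", "ForAnyValue:StringEquals"):
        value = cond.get(operator, {}).get("aws:PrincipalOrgID")
        if value is not None and org_id in _as_list(value):
            return True
    return False


def external_grants(policy_json, trusted_accounts, org_id):
    """Return (Sid, principal, reason) for every Allow grant that reaches
    outside trusted_accounts. Deny statements are not evaluated, so the
    result is conservative (may over-report, never under-report)."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        for kind, principal in _principals(stmt):
            if kind != "AWS":
                continue  # Service / Federated principals need their own review
            if principal == "*":
                if not _scoped_to_org(stmt, org_id):
                    findings.append((sid, principal,
                                     "any AWS principal, no aws:PrincipalOrgID condition"))
                continue
            match = _ARN_ACCOUNT.match(principal)
            if match:
                account = match.group(1)
            elif re.fullmatch(r"\d{12}", principal):
                account = principal  # bare account ID form
            else:
                findings.append((sid, principal, "unparseable principal"))
                continue
            if account not in trusted_accounts:
                findings.append((sid, principal, f"account {account} is not trusted"))
    return findings


if __name__ == "__main__":
    for finding in external_grants(SAMPLE_POLICY, TRUSTED_ACCOUNTS, ORG_ID):
        print(*finding, sep=" | ")
```

Run against the sample, the InOrgRead, OrgWide and LogDelivery statements pass and only PartnerPut and Public are reported. The same loop applies unchanged to KMS key policies, SQS/SNS policies, Lambda resource policies and IAM trust policies, which is where most of the "97 ways" live.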


How to measure SOC quality
#strategy, #monitor
You can scale your SOC and improve quality. Seems impossible? Not if you know how and what to measure. The crew that helped build Expel's SOC explain how they pulled it off.


Getting Started in Pentesting the Cloud: Azure
#azure, #attack
Differences between Azure resources and Microsoft 365 can oftentimes be confusing, but knowing these differences is key to helping you pivot and escalate privileges.


Ensure Content Trust on Kubernetes using Notary and Open Policy Agent
#kubernetes, #build
A detailed guide to help you to ensure that only signed images can get deployed on a cluster.


Protecting Amazon S3 Data from Ransomware
#aws, #defend
Ransomware targeting S3 is more likely to simply delete your data and claim it is being held for ransom than to actually encrypt it.


Analyze Kubernetes Audit logs using Falco
#kubernetes, #monitor
Detect intrusions that happened in your Kubernetes cluster through audit logs using Falco.
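To show what such detections look like at the event level, here is an added example (not code from the article, and not Falco's rule syntax) that runs three simple rules over Kubernetes audit events in the audit.k8s.io/v1 Event shape: exec/attach into a pod, a secret read by a non-system user, and creation of a privileged pod. The audit lines are constructed; the rules only fire on the ResponseComplete stage so that long-running requests such as exec, which also emit a ResponseStarted event, are counted once.

```python
"""Minimal rule engine over Kubernetes audit log lines (JSON, one event per
line). Added example with constructed events."""
import json

# Constructed audit events. A real kube-apiserver writes these when started
# with --audit-policy-file and --audit-log-path (Metadata level is enough for
# the first two rules; the privileged-pod rule needs Request or
# RequestResponse level so that requestObject is present).
_EVENTS = [
    {"stage": "ResponseStarted", "verb": "create",
     "user": {"username": "alice", "groups": ["developers"]},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-0",
                   "subresource": "exec"},
     "responseStatus": {"code": 101}},
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "alice", "groups": ["developers"]},
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-0",
                   "subresource": "exec"},
     "responseStatus": {"code": 101}},
    {"stage": "ResponseComplete", "verb": "get",
     "user": {"username": "bob", "groups": ["developers"]},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"},
     "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "list",
     "user": {"username": "system:kube-controller-manager"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system"},
     "responseStatus": {"code": 200}},
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "system:serviceaccount:ci:deployer"},
     "objectRef": {"resource": "pods", "namespace": "ci", "name": "runner"},
     "requestObject": {"spec": {"containers": [
         {"name": "r", "securityContext": {"privileged": True}}]}},
     "responseStatus": {"code": 201}},
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "system:serviceaccount:ci:deployer"},
     "objectRef": {"resource": "pods", "namespace": "ci", "name": "builder"},
     "requestObject": {"spec": {"containers": [{"name": "b"}]}},
     "responseStatus": {"code": 201}},
]
for _e in _EVENTS:
    _e.update({"kind": "Event", "apiVersion": "audit.k8s.io/v1"})
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in _EVENTS)


def rule_pod_exec(event):
    ref = event.get("objectRef", {})
    return (event.get("verb") == "create" and ref.get("resource") == "pods"
            and ref.get("subresource") in ("exec", "attach"))


def rule_secret_access_by_human(event):
    ref = event.get("objectRef", {})
    user = event.get("user", {}).get("username", "")
    return (event.get("verb") in ("get", "list", "watch")
            and ref.get("resource") == "secrets"
            and not user.startswith("system:"))


def rule_privileged_pod(event):
    ref = event.get("objectRef", {})
    if event.get("verb") != "create" or ref.get("resource") != "pods" or ref.get("subresource"):
        return False
    spec = event.get("requestObject", {}).get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return any(c.get("securityContext", {}).get("privileged") for c in containers)


RULES = {
    "pod_exec": rule_pod_exec,
    "secret_access_by_human": rule_secret_access_by_human,
    "privileged_pod": rule_privileged_pod,
}


def detect(audit_jsonl):
    """Return (rule, username, namespace/name) for each matching event."""
    alerts = []
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("stage") != "ResponseComplete":
            continue  # one alert per request, not one per stage
        if event.get("responseStatus", {}).get("code", 0) >= 400:
            continue  # denied requests are worth their own rule, not these
        ref = event.get("objectRef", {})
        target = f"{ref.get('namespace', '-')}/{ref.get('name', '-')}"
        for name, rule in RULES.items():
            if rule(event):
                alerts.append((name, event.get("user", {}).get("username", ""), target))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LOG):
        print(*alert, sep="  ")
```

The constructed log yields three alerts: alice's exec into prod/web-0, bob's read of prod/db-creds, and the privileged runner pod in ci; the controller-manager's secret listing and the unprivileged builder pod are ignored. Falco's Kubernetes audit rules encode the same conditions (fields such as ka.verb, ka.target.resource and ka.target.subresource), with the advantage of running them as a stream at the API server's audit webhook rather than over a file after the fact.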


Reverse Engineering a Docker Image
#docker, #attack
The Docker image format is a lot more transparent than it could be. A little detective work is needed, but a lot can be figured out just by pulling apart an image file.
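The "detective work" is mostly reading two JSON files. A `docker save` archive carries a manifest.json that names the image config and the layer tarballs, and the config's history array records the command behind every layer, so build steps, environment variables and any file baked into a layer can be recovered without running the image. The following is an added example, not code from the article: it constructs a small fake image archive in memory (the layers, commands and secret-looking values are all made up) and then pulls it apart the way you would a real one.

```python
"""Pull apart a `docker save` style image archive: manifest, config history,
per-layer file lists. Added example with a constructed archive."""
import io
import json
import tarfile


def _tar_from(files):
    """Build an uncompressed tar archive in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed image archive (not a real image) in docker save layout."""
    layer1 = _tar_from({"etc/os-release": b"ID=alpine\n",
                        "app/main.py": b"print('hi')\n"})
    layer2 = _tar_from({"app/.env": b"DB_PASSWORD=hunter2\n",
                        "root/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\n"})
    config = {
        "architecture": "amd64",
        "config": {"Env": ["PATH=/usr/bin", "API_TOKEN=tok-constructed"],
                   "Cmd": ["python", "/app/main.py"]},
        # history lists every Dockerfile step; empty_layer marks metadata-only
        # steps (ENV, CMD, ...) that produced no filesystem layer.
        "history": [
            {"created_by": "/bin/sh -c #(nop) ADD file:aaa in /"},
            {"created_by": "/bin/sh -c #(nop) ENV API_TOKEN=tok-constructed",
             "empty_layer": True},
            {"created_by": "/bin/sh -c #(nop) COPY dir:bbb in /app"},
        ],
        "rootfs": {"type": "layers", "diff_ids": ["sha256:1111", "sha256:2222"]},
    }
    manifest = [{"Config": "cfg.json", "RepoTags": ["app:1.0"],
                 "Layers": ["l1/layer.tar", "l2/layer.tar"]}]
    return _tar_from({
        "manifest.json": json.dumps(manifest).encode(),
        "cfg.json": json.dumps(config).encode(),
        "l1/layer.tar": layer1,
        "l2/layer.tar": layer2,
    })


# Heuristics for things that should never ship in an image.
SUSPICIOUS_NAMES = (".env", "id_rsa", ".npmrc", ".aws/credentials")
SUSPICIOUS_ENV = ("TOKEN", "SECRET", "PASSWORD", "KEY")


def inspect_image(tar_bytes):
    """Return tags, Cmd, secret-looking Env entries, build steps and the file
    list of each layer, each layer paired with the command that created it."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        manifest = json.load(tar.extractfile("manifest.json"))[0]
        config = json.load(tar.extractfile(manifest["Config"]))
        # Non-empty history entries map 1:1, in order, onto the layer tarballs.
        layer_steps = [h["created_by"] for h in config.get("history", [])
                       if not h.get("empty_layer")]
        layers = []
        for path, step in zip(manifest["Layers"], layer_steps):
            inner = io.BytesIO(tar.extractfile(path).read())
            with tarfile.open(fileobj=inner) as layer:
                names = [m.name for m in layer.getmembers() if m.isfile()]
            layers.append({"layer": path, "created_by": step, "files": names,
                           "suspicious": [n for n in names if n.endswith(SUSPICIOUS_NAMES)]})
    env = config.get("config", {}).get("Env", [])
    return {
        "tags": manifest.get("RepoTags", []),
        "cmd": config.get("config", {}).get("Cmd"),
        "env_secrets": [e for e in env
                        if any(k in e.split("=", 1)[0].upper() for k in SUSPICIOUS_ENV)],
        "build_steps": [h["created_by"] for h in config.get("history", [])],
        "layers": layers,
    }


if __name__ == "__main__":
    print(json.dumps(inspect_image(build_sample_image()), indent=2))
```

On a real image, replace `build_sample_image()` with the bytes of `docker save app:1.0 -o app.tar`. Two caveats the example glosses over: layer tarballs in real archives may be gzip-compressed (tarfile handles that transparently), and a file deleted in a later layer is recorded as a `.wh.` whiteout entry, so it is still present in the earlier layer's tar and still readable.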


K0s Cluster Without Internet Access
#kubernetes, #build
In companies with high security constraints, it might be needed to install a Kubernetes cluster on machines without any internet access. This article shows how k0s manages air-gapped installations.


Is your Ansible Package Configuration Secure?
#ansible, #attack
Deep dive into what package management vulnerabilities in the world of Ansible look like.


Best Practices Around Production Ready Web Apps with Docker Compose
#docker, #build
Quite a few patterns on how to safely use Docker Compose.


Running Linux Tools in Lambda Containers
#aws, #defend
Lambda Containers are a great fit for performing tasks that require elevated privileges, especially if AWS IAM can control access. Running tasks with elevated privileges in an ephemeral manner is great for security, since there's nothing constantly running with that access.

Tools


kpexec
kpexec is a Kubernetes CLI that runs commands in a container with high privileges.


k8scr
A kubectl plugin for pushing OCI images through the Kubernetes API server.


kubevela
KubeVela is a modern application platform that simplifies deploying and managing applications, based on Kubernetes and OAM.


upgrade-manager
RollingUpgrade provides a Kubernetes native mechanism for doing rolling-updates of instances in an AutoScaling group using a CRD and a controller.


confectionery
A library of rules for Conftest used to detect misconfigurations within Terraform configuration files.

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

From the cloud providers


AWS: How to implement a hybrid PKI solution on AWS
How to plan and deploy a PKI that enables certificates to be issued across a hybrid (cloud & on-premises) environment with a common root.


AWS: Integrating Okta with AWS Single Sign-On in an AWS Control Tower environment
How to integrate AWS Control Tower, AWS SSO, and Okta as an external identity provider so that you can manage users, entitlements, accounts, and roles in Okta.


AWS: Automate security scans for cross-account workloads using Amazon Inspector and AWS
How to automatically scan for vulnerabilities in cross-account workloads on AWS.


AWS: Building a serverless Jenkins environment on AWS Fargate
Walkthrough of how to set up a completely serverless Jenkins environment on AWS Fargate using Terraform.


GCP: DevOps on Google Cloud: tools to speed up software development velocity
Google Cloud's application development and continuous integration/continuous delivery (CI/CD) tools.


GCP: How to use VPC Flow Logs in GCP for network traffic analysis
A set of open-source tools from Google Cloud Professional Services that provide export, analytics and reporting capabilities for multiple use-cases.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.