Release Date: 27/06/2021 | Issue: 93
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

Teleport, an identity-aware access proxy, allows engineers and security professionals to implement industry best practices for SSH and Kubernetes access, meet compliance requirements, prevent data exfiltration, and have complete visibility into access and behavior.
Teleport is the access plane of choice among leading companies.
Learn more today at www.goteleport.com

This week's articles


Security Implications of AWS API Gateway Lambda Authorizers and IAM Wildcard Expansion
#aws, #attack
Post discussing one of the features of AWS API Gateway, called lambda authorizers, and how the official AWS documentation might have led developers into using it insecurely.


Automated Github Backups with ECS and S3
#aws, #build
Architecture and implications of an automated process aiming to back up a GitHub account, relying on ECS Fargate and S3 Glacier. Disclaimer: I did write this post.


Using Yor for ownership mapping using YAML tag groups
#iac, #build
Yor can auto-tag infrastructure with metadata to categorize resources by purpose, owner, team, environment, and more.


Expose Open Policy Agent/Gatekeeper Constraint Violations for Kubernetes Applications with Prometheus and Grafana
#kubernetes, #opa
A solution which gives platform users a succinct view about which Gatekeeper constraints are violated by using Prometheus & Grafana.


Tech Preview: Docker Dev Environments
#docker, #build, #announcement
With Dev Environments developers can now set up repeatable and reproducible development environments by keeping the environment details versioned in their Software Configuration Management along with their code.


Announcing the Google Workspace Provider for HashiCorp Terraform Tech Preview
#terraform, #gsuite, #announcement
A new Terraform provider which allows you to manage users, groups, and domains in your Google Workspace (formerly G Suite).


Reminder: v1beta1 versions going away in 1.22: CRD and AdmissionWebhookConfiguration
#kubernetes, #announcement
In Kubernetes 1.22, the BETA versions of the CustomResourceDefinition, MutatingWebhookConfiguration, and ValidatingWebhookConfiguration APIs will be removed.


EKS Unchained with eBPF and Bottlerocket
#aws, #kubernetes, #monitor
How to install Cilium with kube-proxy replacement in EKS with managed node groups using eksctl.


Hashcat in AWS EC2
#aws, #attack
Post covering some of the instance options in EC2, installation of the needed Linux packages, the basic setup of Hashcat, running Hashcat, and finally monitoring and benchmarks of an EC2 instance.


Announcing a unified vulnerability schema for open source
#announcement
The Google Open Source Security team, Go team, and the broader open-source community have been developing a simple vulnerability interchange schema for describing vulnerabilities that's designed from the beginning for open-source ecosystems.

Tools


restler-fuzzer
RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.


K8sPurger
Hunt unused resources in Kubernetes.


saffire
A controller to override image sources in the event that an image cannot be pulled.


kubewatch
kubewatch is a Kubernetes watcher that publishes notifications to available collaboration hubs/notification channels. Run it in your k8s cluster, and you will get event notifications through webhooks.


turbolift
A tool to help apply changes across many GitHub repositories simultaneously.

From the cloud providers


Customize requests and responses with AWS WAF
How to use AWS WAF's custom responses and request header insertion to improve the security posture of your applications.


CloudHSM best practices to maximize performance and avoid common configuration pitfalls
Best practices to help you maximize the performance of your workload and avoid common configuration pitfalls in the following areas: Administration, Configuration, Managing PKI root keys, Performance, and Error handling.


Create a portable root CA using AWS CloudHSM and ACM Private CA
How to use ACM Private CA with AWS CloudHSM to operate a hybrid public key infrastructure (PKI) in which the root CA is in CloudHSM, and the subordinate CAs are in ACM Private CA.


A blueprint for secure infrastructure on Google Cloud | Google Cloud Blog
The security foundations blueprint identifies core security decisions and guides you with opinionated best practices for deploying a secured Google Cloud environment.


Best practices to protect your organization against ransomware threats
Post sharing guidance on how organizations can increase their resilience to ransomware and how some Cloud products and services can help.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present The Cloud Security Reading List by SecurityBite LTD.