Release Date: 25/07/2021 | Issue: 97
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

Trying to Automate AppSec? 🤖
StackHawk is helping One Medical equip developers with automated security testing and self-service remediations. Learn about what One Medical is up to and see how you can get going with automated API and application security for free.
One Medical Automates AppSec with StackHawk

This week's articles


Four steps for hardening Amazon EKS security
#aws, #defend, #kubernetes
Best practices for hardening AWS EKS clusters, including the importance of dedicated continuous delivery IAM roles, multi-account architecture for cluster isolation, and how to encrypt secrets in the control plane.


Guide to Designing EKS Clusters for Better Security
#aws, #defend, #kubernetes
A set of guidelines to help you design your EKS clusters without compromising security.


Bye bye bastion hosts...Hello AWS IAM!
#aws, #defend
How Segment got rid of SSH bastion hosts, reducing the cost, complexity, and maintenance of their infrastructure and eliminating the need to distribute SSH keys. Last but not least, they reduced their attack surface by no longer having any SSH port open to the world.


Ansible over AWS Systems Manager Sessions - a perfect solution for high security environments
#ansible, #aws, #build
You can combine AWS SSM Sessions with Ansible and execute existing playbooks on the instance, skipping traditional direct SSH connections.


Kubernetes monitoring with Prometheus, the ultimate guide
#kubernetes, #monitor
How to implement Kubernetes monitoring with Prometheus: deploy a Prometheus server and metrics exporters, set up kube-state-metrics, pull and collect those metrics, and configure alerts with Alertmanager and dashboards with Grafana.


S3 Bucket Namesquatting - Abusing predictable S3 bucket names
#attack, #aws
Abuse of permissions on S3 buckets is one of the more common security issues companies face, but this post addresses a different issue: S3 bucket namesquatting, where an attacker registers a predictable bucket name before its intended owner does.


Detecting new crypto mining attack targeting Kubeflow and TensorFlow
#attack, #docker
An article introducing Kubeflow and TensorFlow, tracing how this attack works, and covering the steps to detect whether you are affected and to mitigate its effects.


Azure Flow Log Analysis
#azure, #monitor
Azure flow logs don't have the same instance ID that AWS flow logs do. So how do you figure out which VM the logs came from?


Policy-based infrastructure guardrails with Terraform and OPA
#opa, #terraform
Learn how Open Policy Agent (OPA) can be leveraged to secure infrastructure deployments by building policy-based guardrails around them.


Seamless Dynamic Credentials for Developers with HashiCorp Vault
#vault, #build
How Sky Betting & Gaming helps its developers seamlessly grab dynamic credentials from HashiCorp Vault without having to specify which credentials they need.


What Is Workload Security? On-Premises, Cloud, Kubernetes, and More
#explain, #kubernetes
Different workloads have different characteristics, and the best platform for a particular workload depends on its nature. Workloads and their layers of abstraction need to be addressed independently, since the workflow of their users varies between use cases.


New Attacks on Kubernetes via Misconfigured Argo Workflows
#attack, #kubernetes
How Argo Workflows is abused by attackers to drop cryptominers in exposed Kubernetes clusters.

Tools


mizu
A simple-yet-powerful API traffic viewer for Kubernetes to help you troubleshoot and debug your microservices. Think TCPDump and Chrome Dev Tools combined.


rbac-manager
A Kubernetes operator that simplifies the management of Role Bindings and Service Accounts.


domain-protect-gcp
Scans Google Cloud DNS across a GCP Organization for domain records vulnerable to takeover.


trackiam
A project to collate IAM actions, AWS APIs and managed policies from various public sources.


actions-runner-controller
This controller operates self-hosted runners for GitHub Actions on your Kubernetes cluster.

From the cloud providers


AWS: AWS Private Certificate Authority introduces integration with Kubernetes
AWS Private Certificate Authority (CA) now supports an open source plugin for cert-manager that offers a more secure certificate authority solution for Kubernetes containers.


AWS: Using Amazon Macie to Validate S3 Bucket Data Classification
How to set up Amazon Macie to validate data classifications provided by decentralized software development teams.


AWS: How to restrict IAM roles to access AWS resources from specific geolocations using AWS Client VPN
A solution that uses Client VPN to implement geolocation authentication rules. When a Client VPN connection is established, authentication is enforced at the first point of entry into the AWS Cloud.


AWS: Easily enable AWS Config recording and deploy Conformance Packs across your organization using Quick Setup
AWS Systems Manager Quick Setup announced support for AWS Config, allowing you to enable AWS Config recording and deploy conformance packs across all the accounts and Regions in your organization.


AWS: Implement a centralized patching solution across multiple AWS Regions
How to implement a centralized patching solution across AWS Regions by using AWS Systems Manager to initiate, track, and manage patching events from one centralized place.


GCP: Modernizing SOC ... Introducing Autonomic Security Operations
Google announced Autonomic Security Operations, a stack of products, integrations, blueprints, technical content, and an accelerator program to enable customers to take advantage of Google's technology stack built on Chronicle and Google's deep security operations expertise.


GCP: Cloud Armor: enhancing security at the edge with Adaptive Protection, expanded coverage scope, and new rules
Google released the preview of Cloud Armor Adaptive Protection, a machine learning-powered capability to protect your applications and services from Layer 7 DDoS attacks.


GCP: Extending our Trusted Cloud: Introducing Cloud IDS for Network-based Threat Detection
Cloud IDS (Intrusion Detection System) helps detect malware, spyware, and command-and-control attacks.


GCP: Private Catalog: Improving Terraform deployment management experiences
With this release, Private Catalog admins can use Terraform configurations to keep end users informed about updates.


GCP: What you need to know about Confidential Computing
How Google Cloud uses Confidential VMs and GKE Nodes to encrypt data even when it's in use.


Azure: Azure Active Directory security operations guide
Microsoft has published an Azure AD security operations guide. It covers identity security configurations and their monitoring (including user/privileged accounts, apps, devices, infrastructure).


Azure: Next-generation firewall capabilities with Azure Firewall Premium
Microsoft announced the general availability release of Azure Firewall Premium. Key features in this release include: TLS Inspection, IDPS, Web Categories, and URL Filtering.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present
The Cloud Security Reading List by SecurityBite LTD.