Release Date: 01/08/2021 | Issue: 98
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

📢 Get Going with GraphQL Security Testing
How do you know if your GraphQL API is protected from security vulnerabilities? StackHawk runs dynamic security testing against the queries and mutations on your GraphQL API in CI/CD, and gives your development teams the tools to fix vulnerabilities fast. 🦅
Get Going with GraphQL Security Testing from StackHawk

This week's articles


Improving database security with AWS IAM database authentication and ConsoleMe
#aws, #build
How to use Netflix's ConsoleMe to provide secure access to databases via IAM roles.


Monitoring Kubernetes the Elastic way using Filebeat and Metricbeat
#kubernetes, #monitor
How to monitor Kubernetes the Elastic way: collect logs using Filebeat, collect metrics using Metricbeat, ingest them directly to Elasticsearch, and monitor them using Kibana.


Lifecycle of Kubernetes Network Policies and Best Practices
#kubernetes, #monitor
Post discussing the whole lifecycle of Kubernetes Network Policies covering topics such as creation, editing, governance, debugging and best practices.


Network Isolated AKS - Part 1: Controlling network traffic
#azure, #defend, #kubernetes
First part of a series on AKS network isolation, elaborating how to protect AKS from a networking perspective. You can also reference the companion repository.


How to Deploy a 'Jump Pod' on Kubernetes
#defend, #kubernetes
How to create a "jump pod" inside a Kubernetes cluster that can spawn a shell and is authorized to create other pods, but only in its own namespace.


Kubernetes Overview Diagrams
#explain, #kubernetes
A collection of overviews of Kubernetes architecture and workload, networking, storage and RBAC objects.


Kubernetes Vulnerability Discovered That Allows Access to Restricted Networks
#attack, #kubernetes
A vulnerability has been discovered that allows http(s) proxy access to kube-apiserver localhost and link-local addresses (cloud metadata).


Announcing HashiCorp Vault 1.8
#announcement, #vault
Vault 1.8 offers a new Vault Diagnose command, Key Management secrets engine AWS GA support, updates to Integrated Storage Autopilot, and more.

Tools


cloud-guardrails
Cloud Guardrails allows you to rapidly cherry-pick cloud security guardrails by generating Terraform files that create Azure Policy Initiatives.


metabadger
A tool to help prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).


trust
trust is an operator for distributing trust bundles across a Kubernetes cluster. It is designed to complement cert-manager by enabling services to trust X.509 certificates signed by Issuers, as well as external CAs which may not be known to cert-manager at all.


dorothy
Dorothy is a tool to help security teams test their monitoring and detection capabilities for their Okta environment. You can also refer to the companion blog post.


awesome-opa
A curated list of OPA related tools, frameworks and articles.


db-auth-gateway
An authentication proxy for Google Cloud managed databases. Based on the ideas of cloudsql-proxy, but intended to be run as a standalone, network-accessible service rather than a sidecar.


yubikey-agent
yubikey-agent is a seamless ssh-agent for YubiKeys.

From the cloud providers


AWS: EC2-Classic Networking is Retiring - Here's How to Prepare
On October 30, 2021, AWS will disable EC2-Classic in Regions for AWS accounts that have no active EC2-Classic resources in the Region. They will also stop selling 1-year and 3-year Reserved Instances for EC2-Classic.


AWS: AWS CloudTrail now supports logging of data events for Amazon EBS direct APIs
AWS CloudTrail now supports logging of data events for Amazon EBS direct APIs that customers can use to identify when their Amazon EBS snapshots are accessed using the ListSnapshotBlocks, ListChangedBlocks, GetSnapshotBlock, or PutSnapshotBlock APIs by users in their AWS account.


AWS: Amazon S3 Access Points aliases allow any application that requires an S3 bucket name to easily use an access point
Amazon S3 Access Points aliases allow any application that requires an S3 bucket name to easily use an access point.


AWS: Choosing Your VPC Endpoint Strategy for Amazon S3
Post providing guidance for selecting the right VPC endpoint type to access Amazon S3. A VPC endpoint enables workloads in an Amazon VPC to connect to supported public AWS services or third-party applications over the AWS network. This approach is used for workloads that should not communicate over public networks.


AWS: Strengthen the security of sensitive data stored in Amazon S3 by using additional AWS services
Post describing the AWS services that can be used to both detect and protect data stored in S3.


GCP: Cloud Build private pools offers CI/CD for private networks
With new private pools, you can use Google Cloud's hosted Cloud Build CI/CD service on resources in your private network or in other clouds.


GCP: Securing the software development lifecycle with Cloud Build and SLSA
Google's proposed SLSA framework provides guidance on how to build a more secure software supply chain.


GCP: How lateral movement insights are generated
New GCP IAM recommender "lateral movement insight", which identifies roles that allow a service account in one project to impersonate a service account in another project.


GCP: Setting limits on granting roles
You can set limits on the roles that a member can grant and revoke with IAM Conditions and the iam.googleapis.com/modifiedGrantsByRole API attribute. These limits let you create limited IAM admins who can manage their own team's IAM policies, but only within the boundaries that you have set.


GCP: Accessing private Google Kubernetes Engine clusters with Cloud Build private pools
How to access a private Google Kubernetes Engine (GKE) cluster using Cloud Build private pools. This access lets you use Cloud Build to deploy your application on a private GKE cluster.


Azure: Integrating SIEM + XDR: Azure Sentinel and Azure Defender bi-directional incident sync
Microsoft announced the public preview of incident sharing for Azure Defender and Azure Sentinel. Using this new capability, customers can use Azure Sentinel as their single pane of glass for incident triage, leverage Microsoft 365 Defender or Azure Defender for incident investigation and remediation, and stay seamlessly in-sync across all three products.


Azure: Software Defined Monitoring - Using Automated Notebooks and Azure Sentinel to Improve Sec Ops
How to deploy and use a solution that allows for the automatic execution of Jupyter Notebooks to provide enrichment to incidents within Azure Sentinel.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present
The Cloud Security Reading List by SecurityBite LTD.