Release Date: 08/08/2021 | Issue: 99
The Cloud Security Reading List is a low volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand curated by Marco Lancini.
Sponsor

📣 The rumors are true. Detectify is developing its fuzzing engine to check APIs⚡
We understand that every API is different, so it’s challenging to have a standardized approach to security testing on APIs. Our approach? We’re trying to take example usage of our customer’s APIs and modify those requests in a way that allows us to spot unique and previously unknown vulnerabilities. ➡️ Get more details from Senior Security Researchers at Detectify, Tom Hudson and Fredrik N. Almroth, on why the Detectify team is developing API security tools.
We're about to launch the open beta program. Save your spot to be noticed as soon as it's live!

This week's articles


NSA Kubernetes Hardening Guidance
#defend, #design, #kubernetes
The Kubernetes Hardening Guidance from NSA everyone has been talking about for the past week. It includes hardening strategies to avoid common misconfigurations and guides on how to deploy Kubernetes, with example configurations for the recommended hardening measures and mitigations.


S3 backups and other strategies for ensuring data durability through ransomware attacks
#aws, #build, #defend
Post from SummitRoute discussing options for ensuring the durability of data stored on S3, through protections in place and backup strategies.


Top things to do when setting up a new Org
#aws, #build
What you should do when setting up a new AWS Organization from scratch.


Threat Hunting with Kubernetes Audit Logs
#kubernetes, #monitor
Post from Square going through the basics of Kubernetes audit logs, and how we can use these audit logs effectively to hunt for attackers in our Kubernetes clusters.


Security as code: The best (and maybe only) path to securing cloud applications and systems
#design, #iac, #strategy
An article from McKinsey analysing how embedding cloud security in code can reduce risk without slowing down the business.


Dependencies, Confusions, and Solutions: What Did Twilio Do to Solve Dependency Confusion
#ci/cd, #defend
How dependency confusion works, how Twilio is defending against it, and how you can protect your own codebase.


Cloud Malware: Resource Injection in CloudFormation Templates
#attack, #aws
Blog focusing on a new Pacu module on cloud malware using resource injection in CloudFormation templates.


Account Takeover (ATO) Checklist
#defend
A checklist of practices for organizations dealing with account takeover threats.


Exploring Kyverno
#build, #explain, #kubernetes
Multi-part series exploring Kyverno, a Kubernetes-native policy engine.


Launching our new Google Identity Services APIs
#announcement, #gsuite
Google launched a new family of Identity APIs called Google Identity Services, which consolidates multiple identity offerings under one software development kit (SDK). This SDK includes the Sign in with Google button as well as One Tap, a new low-friction authentication prompt. Sign in with Google and One Tap use secure tokens, rather than passwords, to sign users into partner websites and apps.


Announcing HCP Vault Starter
#announcement, #vault
HashiCorp announced a new fully managed Vault offering called "Starter" for AWS environments on the HashiCorp Cloud Platform (HCP). The new Starter cluster is a production-grade, 3-node cluster.

Tools


awesome-prometheus-alerts
A collection of Prometheus alerting rules.


terraformer
CLI tool to generate terraform files from existing infrastructure (reverse Terraform).


lens-resource-map-extension
Lens Resource Map is an extension for Lens - The Kubernetes IDE that displays Kubernetes resources and their relations as a real-time force-directed graph.

From the cloud providers


AWS Icon  Building an AWS Perimeter
Many organizations want to create in AWS the same kind of perimeter protections they use in on-premises environments. This paper outlines the best practices and available services for creating a perimeter around your identities, resources, and networks in AWS.


AWS Icon  How to implement the principle of least privilege with CloudFormation StackSets
How to conform to the principle of least privilege while still allowing users to use CloudFormation to create the resources they need.


AWS Icon  Analyze Fraud Transactions using Amazon Fraud Detector and Amazon Athena
How to perform fraud detection on a batch of many events using Amazon Fraud Detector.


AWS Icon  How to import AWS IoT Device Defender audit findings into Security Hub
How the integration of IoT security findings into Security Hub works, and you can download AWS CloudFormation templates to implement the solution.


GCP Icon  Elevate your security with new Secret Manager features and integrations
Increased SLA, geo-expansion, new certifications, Customer-Managed Encryption Keys and more come to Google Cloud Secret Manager.


GCP Icon  How lateral movement insights are generated
GCP IAM Recommender now generates lateral movement insights, which identify roles that allow a service account in one project to impersonate a service account in another project.


GCP Icon  Compliance Engineering - From manual attestation to continuous compliance
Risk Management and Compliance is as important in the cloud as it is in conventional on-premises environments. To help organizations in regulated industries meet their compliance requirements, Google Cloud offers automated capabilities that ensure the effectiveness of productionalization processes.


GCP Icon  Private Service Connect is now generally available
Private Service Connect lets you create private and secure connections to Google Cloud and third-party services with service endpoints in your VPCs.


GCP Icon  Security Log Scoping Tool
Security Log Scoping Tool is an interactive form to help customers discover, evaluate and enable their security-relevant logs across Google Cloud.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
Forward Forward
Twitter Tweet
Share Share
Website
Twitter
View this email in your browser © 2019-present
The Cloud Security Reading List by SecurityBite LTD.