This week's articles
Thinking Outside the Box: Or, how I learned to stop worrying and love the cloud
These are the slides from Dino's keynote at H2HC. It starts with the mentality shift from thinking about the security of single machines ("box") to the security of many all at once, as fleet-wide scale security is incredibly powerful and makes some hard problems simple. Another main take-away is that in the cloud there are many somewhat overlapping, but mutually inconsistent, security models. Among them, the cloud provider's IAM (like AWS IAM) is the only security model that really matters, with everything else being "defence in depth" at best.
Exploring container security: Use your own keys to protect your data on GKE
This week, Google released two features to help protect and control GKE environments and support regulatory requirements: the general availability of GKE application-layer Secrets encryption, so you can protect your Kubernetes Secrets with envelope encryption; and customer-managed encryption keys (CMEK) for GKE persistent disks in beta, giving you more control over encryption of persistent disks.
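To make the "envelope encryption" mentioned above concrete, here is an added Go example (not Google's code and not part of the original post) of the scheme: each secret gets its own data encryption key (DEK), the secret is sealed under the DEK with AES-256-GCM, and the DEK is wrapped by a key encryption key (KEK) that only the key management service holds. The `KMS` type is an in-process stand-in for a real KMS, assumed here so the example runs offline; the KEK version byte, the `"dek"` associated data and the `Rewrap` operation are this example's own conventions, not GKE's wire format. The point it demonstrates is why the design is attractive: rotating the KEK only re-wraps the small DEKs, and the bulk ciphertext never has to be touched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is what is stored at rest (etcd, in the Kubernetes case): the secret
// sealed under a per-secret DEK, plus that DEK wrapped by the KMS-held KEK.
type Envelope struct {
	WrappedDEK []byte // kekVersion || nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, secret)
}

// randomBytes panics if the OS CSPRNG fails; that is not recoverable anyway.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor builds AES-256-GCM; a wrong key length is a programming error, so it panics.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts plaintext under key, prefixing a fresh random nonce.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to the ciphertext or aad makes it fail.
func open(key, data, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// KMS stands in for the key management service (Cloud KMS, for GKE). It lives
// in-process only so the example runs offline; a real KMS never exports the KEK.
type KMS struct {
	keks [][]byte // every KEK version issued; the slice index is the version
}

func NewKMS() *KMS { return &KMS{keks: [][]byte{randomBytes(32)}} }

// Rotate issues a new KEK version; old versions are kept to unwrap existing DEKs.
func (k *KMS) Rotate() { k.keks = append(k.keks, randomBytes(32)) }

// Wrap seals a DEK under the newest KEK and tags it with that KEK's version.
func (k *KMS) Wrap(dek []byte) []byte {
	v := len(k.keks) - 1
	return append([]byte{byte(v)}, seal(k.keks[v], dek, []byte("dek"))...)
}

func (k *KMS) Unwrap(wrapped []byte) ([]byte, error) {
	if len(wrapped) == 0 || int(wrapped[0]) >= len(k.keks) {
		return nil, errors.New("unknown KEK version")
	}
	return open(k.keks[wrapped[0]], wrapped[1:], []byte("dek"))
}

// Encrypt uses a fresh DEK per secret. aad binds the ciphertext to the secret's
// identity (e.g. namespace/name) so one stored blob cannot be swapped for another.
func Encrypt(kms *KMS, secret, aad []byte) *Envelope {
	dek := randomBytes(32)
	return &Envelope{WrappedDEK: kms.Wrap(dek), Ciphertext: seal(dek, secret, aad)}
}

func Decrypt(kms *KMS, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := kms.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext, aad)
}

// Rewrap moves an envelope onto the newest KEK. The bulk ciphertext is untouched,
// which is what makes KEK rotation cheap under envelope encryption.
func Rewrap(kms *KMS, env *Envelope) error {
	dek, err := kms.Unwrap(env.WrappedDEK)
	if err != nil {
		return err
	}
	env.WrappedDEK = kms.Wrap(dek)
	return nil
}
```

Usage: `env := Encrypt(kms, secret, []byte("default/db-password"))`, then `Decrypt(kms, env, sameAAD)`; after `kms.Rotate()`, call `Rewrap(kms, env)` and the first byte of `env.WrappedDEK` advances while `env.Ciphertext` stays byte-for-byte identical. Decrypting with a different AAD, a flipped ciphertext byte, or an unknown KEK version all return an error rather than plaintext.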
Multi-cluster security with Falco and AWS Firelens on EKS & ECS
Ever wondered how to aggregate all Kubernetes security events across AWS container services? Using AWS FireLens, you can route Falco events from several clusters into AWS CloudWatch, centralizing all security events in one view.
App Identity and Access Adapter with Istio
A blog post describing how to use Istio to secure multi-cloud Kubernetes applications, with zero code changes or redeployments, by leveraging the App Identity and Access Adapter.
AWSume: AWS Assume Made Awesome!
That's a nice utility for easily managing session tokens and assuming AWS IAM roles from the command line.
NCC released a tool for standing up (and tearing down!) purposefully insecure cloud infrastructure with Terraform. Sadcloud was created to easily allow security researchers to misconfigure AWS for training purposes, or to assess AWS-related security tools.
Native Container Image Scanning in Amazon ECR
AWS playing catch up with GCP, this time deciding to use CoreOS Clair in ECR to carry out static analysis of vulnerabilities. The ECR API, the AWS CLI and SDKs have been extended with image scanning functionalities, and a managed service has been implemented for use in a CI pipeline. AWS also put together a sample available on GitHub that shows how you can utilize the new image scanning-related ECR APIs to perform scheduled re-scans of container images.
Do you want to deal with Kubernetes updates less frequently?
Many Kubernetes users want an LTS release channel that gets fewer updates, but is patched actively. Apparently it is now possible on GKE: --release-channel=[stable|regular|rapid]
imgcrypt: OCI Image Encryption Package
The imgcrypt library provides API extensions for containerd to support encrypted container images.