cloud-native-developments.md

File metadata and controls

401 lines (353 loc) · 31.9 KB
description
Be careful with your cloud ☁️

Cloud native

About

Cloud-native security refers to a set of security practices and technologies designed specifically for applications built and deployed in cloud environments. It involves a shift in mindset from traditional security approaches, which often rely on network-based protections, to a more application-focused approach that emphasizes identity and access management, container security and workload security, and continuous monitoring and response.

In a cloud-native security approach, security is built into the application and infrastructure from the ground up, rather than added on as an afterthought. This requires a combination of automated security controls, DevOps processes, and skilled security professionals who can manage the complex and dynamic nature of cloud environments. The goal of cloud-native security is to protect against threats and vulnerabilities that are unique to cloud environments, while also ensuring compliance with regulations and standards. [1]

Best practices

From the OWASP Cloud-Native Application Security Top 10 [2] (CNAS, in ranked order), try to avoid:

  • Insecure cloud, container or orchestration configuration
    • Publicly open cloud storage buckets
    • Improper permissions set on cloud storage buckets
    • Container runs as root
    • Container shares resources with the host (network interface, etc.)
    • Insecure Infrastructure-as-Code (IaC) configuration
  • Injection flaws (app layer, cloud events, cloud services)
    • SQL injection
    • XXE
    • NoSQL injection
    • OS command injection
    • Serverless event data injection
  • Improper authentication & authorization
    • Unauthenticated API access on a microservice
    • Over-permissive cloud IAM role
    • Lack of orchestrator node trust rules (e.g. unauthorized hosts joining the cluster)
    • Unauthenticated orchestrator console access
    • Unauthorized or overly-permissive orchestrator access
  • CI/CD pipeline & software supply chain flaws
    • Insufficient authentication on CI/CD pipeline systems
    • Use of untrusted images
    • Use of stale images
    • Insecure communication channels to registries
    • Overly-permissive registry access
    • Using a single environment to run CI/CD tasks for projects requiring different levels of security
  • Insecure secrets storage
    • See secrets-management.md
    • Orchestrator secrets stored unencrypted
    • API keys or passwords stored unencrypted inside containers
    • Hardcoded application secrets
    • Poorly encrypted secrets (e.g. use of obsolete encryption methods, use of encoding instead of encryption, etc.)
    • Mounting of storage containing sensitive information
  • Over-permissive or insecure network policies
    • Over-permissive pod to pod communication allowed
    • Internal microservices exposed to the public Internet
    • No network segmentation defined
    • End-to-end communications not encrypted
    • Network traffic to unknown or potentially malicious domains not monitored and blocked
  • Using components with known vulnerabilities
    • See dependency-management.md
    • Vulnerable 3rd party open source packages
    • Vulnerable versions of application components
    • Use of known vulnerable container images
  • Improper assets management
    • Undocumented microservices & APIs
    • Obsolete & unmanaged cloud resources
  • Inadequate "compute" resource quota limits
    • Resource-unbound containers
    • Over-permissive request quota set on APIs
  • Ineffective logging & monitoring (e.g. runtime activity)
    • No container or host process activity monitoring
    • No network communications monitoring among microservices
    • No resource consumption monitoring to ensure availability of critical resources
    • Lack of monitoring on orchestration configuration propagation and stale configs
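Several items in the list above (container runs as root, container shares resources with the host, use of stale or untagged images, hardcoded application secrets, resource-unbound containers) are visible directly in a Kubernetes Pod manifest. As an added example, not code from this page or from OWASP, here is a small checker that flags those items in a Pod spec. The manifests are constructed inline as Python dicts (the shape yaml.safe_load returns for a real manifest) so the script runs offline; the rule names, the sample workload and the thresholds are this example's own assumptions.

```python
"""Added example: flag CNAS-style misconfigurations in a Kubernetes Pod spec.
Not part of the original page; sample manifests below are constructed."""

from typing import Any, Dict, List


def check_pod(pod: Dict[str, Any]) -> List[str]:
    """Return a list of findings for one Pod manifest (empty list means clean)."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # "Container shares resources with the host": host namespaces enabled
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod shares host namespace: {flag}=true")

    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = {**pod_sc, **c.get("securityContext", {})}  # container level overrides pod level

        # "Container runs as root": no runAsNonRoot, or explicit UID 0
        if not sc.get("runAsNonRoot") or sc.get("runAsUser") == 0:
            findings.append(f"{name}: may run as root (set runAsNonRoot=true and runAsUser>0)")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")

        # "Use of stale images": mutable 'latest' or untagged image without a digest
        image = c.get("image", "")
        last = image.split("/")[-1]
        tag = last.rsplit(":", 1)[1] if ":" in last else "latest"
        if "@sha256:" not in image and tag == "latest":
            findings.append(f"{name}: image '{image}' is untagged/latest; pin a tag or digest")

        # "Hardcoded application secrets": literal value on a secret-looking env var
        for env in c.get("env", []):
            key = env.get("name", "").upper()
            if "value" in env and any(s in key for s in ("PASSWORD", "SECRET", "TOKEN", "KEY")):
                findings.append(f"{name}: env {env['name']} holds a literal secret; use a Secret ref")

        # "Resource-unbound containers": missing cpu/memory limits
        limits = c.get("resources", {}).get("limits", {})
        for res in ("cpu", "memory"):
            if res not in limits:
                findings.append(f"{name}: no {res} limit set")
    return findings


# Constructed sample: a weak Pod spec exhibiting several of the issues
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "web",
            "image": "nginx",
            "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
        }],
    },
}

# Constructed sample: the same workload hardened
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web",
            "image": "nginx:1.25.3",
            "securityContext": {"allowPrivilegeEscalation": False},
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}],
            "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"])
        for finding in check_pod(pod) or ["(no findings)"]:
            print("  -", finding)
```

Run it as a script to see the weak manifest produce six findings and the hardened one none; in a pipeline you would load each manifest with a YAML parser and fail the build on a non-empty result, which is the same check tools such as checkov, kics or Trivy perform at scale.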

Resources

Find here a complete list of resources related to cloud security.

Governance

AWS Governance

MultiCloud Governance

Standards

Compliances

Benchmarks

Tools

Infrastructure

  • aws_pwn: A collection of AWS penetration testing junk
  • aws_ir: Python installable command line utility for mitigation of instance and key compromises.
  • aws-firewall-factory: Deploy, update, and stage your WAFs while managing them centrally via FMS.
  • aws-vault: A vault for securely storing and accessing AWS credentials in development environments.
  • awspx: A graph-based tool for visualizing effective access and resource relationships within AWS.
  • azucar: A security auditing tool for Azure environments
  • checkov: A static code analysis tool for infrastructure-as-code.
  • cloud-forensics-utils: A Python library for digital forensics and incident response on the cloud.
  • Cloud-Katana: Automate the execution of simulation steps in multi-cloud and hybrid cloud environments.
  • cloudlist: Listing Assets from multiple Cloud Providers.
  • Cloud Sniper: A platform designed to manage Cloud Security Operations.
  • Cloudmapper: Analyze your AWS environments.
  • Cloudmarker: A cloud monitoring tool and framework.
  • Cloudsploit: Cloud security configuration checks.
  • CloudQuery: Open source cloud asset inventory with set of pre-baked SQL policies for security and compliance.
  • Cloud-custodian: Rules engine for cloud security, cost optimization, and governance.
  • consoleme: A Central Control Plane for AWS Permissions and Access
  • cs suite: Tool for auditing the security posture of AWS/GCP/Azure.
  • Deepfence ThreatMapper: Apache v2 licensed runtime vulnerability scanner for Kubernetes, virtual machines and serverless.
  • dftimewolf: A multi-cloud framework for orchestrating forensic collection, processing and data export.
  • diffy: Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix.
  • ElectricEye: Continuously monitor AWS services for configurations.
  • Forseti security: GCP inventory monitoring and policy enforcement tool.
  • Hammer: A multi-account cloud security tool for AWS. It identifies misconfigurations and insecure data exposures within most popular AWS resources.
  • kics: Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code.
  • Matano: Open source serverless security lake platform on AWS that lets you ingest, store, and analyze data into an Apache Iceberg data lake and run realtime Python detections as code.
  • Metabadger: Prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).
  • Open policy agent: Policy-based control tool.
  • pacbot: Policy as Code Bot.
  • pacu: The AWS exploitation framework.
  • Prowler: Command line tool for AWS security best practices assessment, auditing, hardening and forensics readiness.
  • ScoutSuite: Multi-cloud security auditing tool.
  • Security Monkey: Monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
  • SkyWrapper: Tool that helps discover suspicious creation and use of temporary tokens in AWS.
  • Smogcloud: Find cloud assets that no one wants exposed.
  • Steampipe: A Postgres FDW that maps APIs to SQL, plus suites of API plugins and compliance mods for AWS/Azure/GCP and many others.
  • Terrascan: Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
  • tfsec: Static analysis powered security scanner for Terraform code.
  • Zeus: AWS Auditing & Hardening Tool.
  • AWS Security Benchmark (⚠️): Open source demos, concept and guidance related to the AWS CIS Foundation framework.
  • AWS Missing Tools by CloudAvail (⚠️): tools for managing AWS resources including EC2, EBS, RDS, IAM, CloudFormation and Route53.

Container

  • auditkube: Audit EKS, AKS and GKE for HIPAA/PCI/SOC2 compliance and cloud security.
  • Falco: Container runtime security.
  • mkit: Managed kubernetes inspection tool.
  • Open policy agent: Policy-based control tool.
  • Grype: A vulnerability scanner for container images and filesystems.
  • Kai: KAI (Kubernetes Automated Inventory) can poll Kubernetes cluster API(s) to tell Anchore which images are currently in use.
  • Syft: CLI tool and library for generating a Software Bill of Materials from container images and filesystems.
  • Cloudsploit: Cloud Security Posture Management (CSPM).
  • Kube-Bench: Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark.
  • Kube-Hunter: Hunt for security weaknesses in Kubernetes clusters.
  • Kubectl-who-can: Show who has RBAC permissions to perform actions on different resources in Kubernetes.
  • Trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more.
  • Docker - Docker Bench for Security: The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
  • Elias - Dagda: A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware and other malicious threats in Docker images/containers, and to monitor the Docker daemon and running containers to detect anomalous activities.
  • Falco Security - Falco: Cloud Native Runtime Security.
  • Harbor - Harbor: An open source trusted cloud native registry project that stores, signs, and scans content.
  • Quay - Clair: Vulnerability Static Analysis for Containers.
  • Snyk - Snyk: Snyk CLI scans and monitors your projects for security vulnerabilities.
  • vchinnipilli - Kubestriker: A Blazing fast Security Auditing tool for Kubernetes.

SaaS

  • aws-allowlister: Automatically compile an AWS Service Control Policy with your preferred compliance frameworks.
  • binaryalert: Serverless S3 yara scanner.
  • cloudsplaining: An AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.
  • Cloud Guardrails: Rapidly cherry-pick cloud security guardrails by generating Terraform files that create Azure Policy Initiatives.
  • Function Shield: Protection/detection library for AWS Lambda and GCP Cloud Functions.
  • FestIN: S3 bucket finder and content discoverer.
  • GCPBucketBrute: A script to enumerate Google Storage buckets.
  • IAM Zero: Detects identity and access management issues and automatically suggests least-privilege policies.
  • Lambda Guard: AWS Lambda auditing tool.
  • Policy Sentry: IAM Least Privilege Policy Generator.
  • S3 Inspector: Tool to check AWS S3 bucket permissions.
  • Serverless Goat: A serverless application demonstrating common serverless security flaws.
  • SkyArk: Tool that helps discover, assess and secure the most privileged entities in Azure and AWS.
  • Terraform for Policy Guru (⚠️): Terraform provider for Policy Sentry (IAM least privilege generator and auditor).
  • Aardvark: Aardvark is a multi-account AWS IAM Access Advisor API.
  • PolicyUniverse: Parse and Process AWS IAM Policies, Statements, ARNs, and wildcards.
  • Repokid (⚠️): AWS Least Privilege for Distributed, High-Velocity Deployment.
  • AWS IAM Generator (⚠️): Generate Multi-Account IAM users/groups/roles/policies from a simple YAML configuration file and Jinja2 templates.
  • Parliament: AWS IAM linting library.
  • CloudTracker (⚠️): CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.

Native tools

Incident Response

Examples

Others

Reading

Podcasts

Testing & Learning

Others

Sources

[1]: What Is Cloud-Native Security? - Palo Alto Networks

[2]: OWASP Cloud-Native Application Security Top 10 | OWASP Foundation

[3]: 4ndersonLin/awesome-cloud-security: 🛡️ Awesome Cloud Security Resources ⚔️ (github.com)

[4]: Funkmyster/awesome-cloud-security: Curated list of awesome cloud security blogs, podcasts, standards, projects, and examples. (github.com)

[5]: teamssix/awesome-cloud-security: awesome cloud security, a collection of good cloud security resources from China and abroad; the project is mainly aimed at security professionals in China (github.com)