Cloud native

About

Cloud-native security refers to a set of security practices and technologies designed specifically for applications built and deployed in cloud environments. It involves a shift in mindset from traditional security approaches, which often rely on network-based protections, to a more application-focused approach that emphasizes identity and access management, container security and workload security, and continuous monitoring and response.

In a cloud-native security approach, security is built into the application and infrastructure from the ground up, rather than added on as an afterthought. This requires a combination of automated security controls, DevOps processes, and skilled security professionals who can manage the complex and dynamic nature of cloud environments. The goal of cloud native-security is to protect against threats and vulnerabilities that are unique to cloud environments, while also ensuring compliance with regulations and standards. [1]

Best practices

From OWASP Cloud-Native Application Security Top 10 [2] (CNAS, by order), try to avoid:

• Insecure cloud, container or orchestration configuration

  • Publicly open cloud storage buckets

  • Improper permissions set on cloud storage buckets

  • Container runs as root

  • Container shares resources with the host (network interface, etc.)

  • Insecure Infrastructure-as-Code (IaC) configuration

    • See Infrastructure as Code (IaC)

• Injection flaws (app layer, cloud events, cloud services)

  • SQL injection

  • XXE

  • NoSQL injection

  • OS command injection

  • Serverless event data injection

• Improper authentication & authorization

  • Unauthenticated API access on a microservice

  • Over-permissive cloud IAM role

  • Lack of orchestrator node trust rules (e.g. unauthorized hosts joining the cluster)

  • Unauthenticated orchestrator console access

  • Unauthorized or overly-permissive orchestrator access

• CI/CD pipeline & software supply chain flaws

  • Insufficient authentication on CI/CD pipeline systems

  • Use of untrusted images

  • Use of stale images

  • Insecure communication channels to registries

  • Overly-permissive registry access

  • Using a single environment to run CI/CD tasks for projects requiring different levels of security

• Insecure secrets storage

  • See Secrets Management

  • Orchestrator secrets stored unencrypted

  • API keys or passwords stored unencrypted inside containers

  • Hardcoded application secrets

  • Poorly encrypted secrets (e.g. use of obsolete encryption methods, use of encoding instead of encryption, etc.)

    • See Cryptography

  • Mounting of storage containing sensitive information

• Over-permissive or insecure network policies

  • Over-permissive pod to pod communication allowed

  • Internal microservices exposed to the public Internet

  • No network segmentation defined

  • End-to-end communications not encrypted

  • Network traffic to unknown or potentially malicious domains not monitored and blocked

• Using components with known vulnerabilities

  • See Dependency Management

  • Vulnerable 3rd party open source packages

  • Vulnerable versions of application components

  • Use of known vulnerable container images

• Improper assets management

  • Undocumented microservices & APIs

  • Obsolete & unmanaged cloud resources

• Inadequate "compute" resource quota limits

  • Resource-unbound containers

  • Over-permissive request quota set on APIs

• Ineffective logging & monitoring (e.g. runtime activity)

  • No container or host process activity monitoring

  • No network communications monitoring among microservices

  • No resource consumption monitoring to ensure availability of critical resources

  • Lack of monitoring on orchestration configuration propagation and stale configs

Resources

Find here a complete list of resources related to cloud security.

Governance

AWS Governance

• AWS CloudFormation Guard

• AWS CodePipeline Governance

• AWS Config Rules Development Kit

• AWS Control Tower Customizations

• AWS Security Hub Automated Response and Remediation

• AWS Vault

• AWS Well Architected Labs

MultiCloud Governance

• Cloud Custodian

• CloudQuary

• Cloudsploit

• ManageIQ by RedHat

• Mist.io

• NeuVector

• Triton by Joyent

Standards

Compliances

• CSA STAR

• ISO/IEC 27017:2015

• ISO/IEC 27018:2019

• MTCS SS 584

• CCM

• NIST 800-53

Benchmarks

• CIS Benchmark

Tools

Infrastructure

• aws_pwn: A collection of AWS penetration testing junk

• aws_ir: Python installable command line utility for mitigation of instance and key compromises.

• aws-firewall-factory: Deploy, update, and stage your WAFs while managing them centrally via FMS.

• aws-vault: A vault for securely storing and accessing AWS credentials in development environments.

• awspx: A graph-based tool for visualizing effective access and resource relationships within AWS.

• azucar: A security auditing tool for Azure environments

• checkov: A static code analysis tool for infrastructure-as-code.

• cloud-forensics-utils: A python lib for DF & IR on the cloud.

• Cloud-Katana: Automate the execution of simulation steps in multi-cloud and hybrid cloud environments.

• cloudlist: Listing Assets from multiple Cloud Providers.

• Cloud Sniper: A platform designed to manage Cloud Security Operations.

• Cloudmapper: Analyze your AWS environments.

• Cloudmarker: A cloud monitoring tool and framework.

• Cloudsploit: Cloud security configuration checks.

• CloudQuery: Open source cloud asset inventory with set of pre-baked SQL policies for security and compliance.

• Cloud-custodian: Rules engine for cloud security, cost optimization, and governance.

• consoleme: A Central Control Plane for AWS Permissions and Access

• cs suite: Tool for auditing the security posture of AWS/GCP/Azure.

• Deepfence ThreatMapper: Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless.

• dftimewolf: A multi-cloud framework for orchestrating forensic collection, processing and data export.

• diffy: Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix.

• ElectricEye: Continuously monitor AWS services for configurations.

• Forseti security: GCP inventory monitoring and policy enforcement tool.

• Hammer: A multi-account cloud security tool for AWS. It identifies misconfigurations and insecure data exposures within most popular AWS resources.

• kics: Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code.

• Matano: Open source serverless security lake platform on AWS that lets you ingest, store, and analyze data into an Apache Iceberg data lake and run realtime Python detections as code.

• Metabadger: Prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).

• Open policy agent: Policy-based control tool.

• pacbot: Policy as Code Bot.

• pacu: The AWS exploitation framework.

• Prowler: Command line tool for AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool.

• ScoutSuite: Multi-cloud security auditing tool.

• Security Monkey: Monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.

• SkyWrapper: Tool helps to discover suspicious creation forms and uses of temporary tokens in AWS.

• Smogcloud: Find cloud assets that no one wants exposed.

• Steampipe: A Postgres FDW that maps APIs to SQL, plus suites of API plugins and compliance mods for AWS/Azure/GCP and many others.

• Terrascan: Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.

• tfsec: Static analysis powered security scanner for Terraform code.

• Zeus: AWS Auditing & Hardening Tool.

• AWS Security Benchmark (⚠️): Open source demos, concept and guidance related to the AWS CIS Foundation framework.

• AWS Missing Tools by CloudAvail (⚠️): tools for managing AWS resources including EC2, EBS, RDS, IAM, CloudFormation and Route53.

Container

• auditkube: Audit for for EKS, AKS and GKE for HIPAA/PCI/SOC2 compliance and cloud security.

• Falco: Container runtime security.

• mkit: Managed kubernetes inspection tool.

• Open policy agent: Policy-based control tool.

• Grype: A vulnerability scanner for container images and filesystems.

• Kai: KAI (Kubernetes Automated Inventory) can poll Kubernetes Cluster API(s) to tell Anchore which Images are currently in-use.

• Syft: CLI tool and library for generating a Software Bill of Materials from container images and filesystems.

• Cloudsploit: Cloud Security Posture Management (CSPM).

• Kube-Bench: Checks whether Kubernetes is deployed according to security best practices as defined in the CIS Kubernetes Benchmark.

• Kube-Hunter: Hunt for security weaknesses in Kubernetes clusters.

• Kubectl-who-can: Show who has RBAC permissions to perform actions on different resources in Kubernetes.

• Trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more.

• Docker - Docker Bench for Security: The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.

• Elias - Dagda: a tool to perform static analysis of known vulnerabilities, trojans, viruses, malware & other malicious threats in docker images/containers and to monitor the docker daemon and running docker containers for detecting anomalous activities.

• Falco Security - Falco: Cloud Native Runtime Security.

• Harbor - Harbor: An open source trusted cloud native registry project that stores, signs, and scans content.

• Quay - Clair: Vulnerability Static Analysis for Containers.

• Snyk - Snyk: Snyk CLI scans and monitors your projects for security vulnerabilities.

• vchinnipilli - Kubestriker: A Blazing fast Security Auditing tool for Kubernetes.

SaaS

• aws-allowlister: Automatically compile an AWS Service Control Policy with your preferred compliance frameworks.

• binaryalert: Serverless S3 yara scanner.

• cloudsplaining: An AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized report.

• Cloud Guardrails: Rapidly cherry-pick cloud security guardrails by generating Terraform files that create Azure Policy Initiatives.

• Function Shield: Protection/destection lib of aws lambda and gcp function.

• FestIN: S3 bucket finder and content discover.

• GCPBucketBrute: A script to enumerate Google Storage buckets.

• IAM Zero: Detects identity and access management issues and automatically suggests least-privilege policies.

• Lambda Guard: AWS Lambda auditing tool.

• Policy Sentry: IAM Least Privilege Policy Generator.

• S3 Inspector: Tool to check AWS S3 bucket permissions.

• Serverless Goat: A serverless application demonstrating common serverless security flaws.

• SkyArk: Tool to helps to discover, assess and secure the most privileged entities in Azure and AWS.

• Terraform for Policy Guru (⚠️): Terraform provider for Policy Sentry (IAM least privilege generator and auditor).

• Aardvark: Aardvark is a multi-account AWS IAM Access Advisor API.

• PolicyUniverse: Parse and Process AWS IAM Policies, Statements, ARNs, and wildcards.

• Repokid (⚠️): AWS Least Privilege for Distributed, High-Velocity Deployment.

• AWS IAM Generator (⚠️): Generate Multi-Account IAM users/groups/roles/policies from a simple YAML configuration file and Jinja2 templates.

• Parliament: AWS IAM linting library.

• CloudTracker (⚠️): CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.

Native tools

• AWS:

  • Artifact: Compliance report selfservice.

  • Audit manager: Continuously audit for AWS usage.

  • Certificate Manager: Private CA and certificate management service.

  • CloudTrail: Record and log API call on AWS.

  • Config: Configuration and resources relationship monitoring.

  • Elastic Disaster Recovery: Application recovery service.

  • Detective: Analyze and visualize security data and help security investigations.

  • Firewall Manager: Firewall management service.

  • GuardDuty: IDS service

  • CloudHSM: HSM service.

  • Inspector: Vulnerability discover and assessment service.

  • KMS: KMS service

  • Macie: Fully managed data security and data privacy service for S3.

  • Network Firewall: Network firewall service.

  • Secret Manager: Credential management service.

  • Security Hub: Integration service for other AWS and third-party security service.

  • Shield: DDoS protection service.

  • Single Sign-On: Service of centrally manage access AWS or application.

  • ThreatMapper: Identify vulnerabilities in running containers, images, hosts and repositories.

  • VPC Flowlog: Log of network traffic.

  • WAF: Web application firewall service.

• Azure:

  • Application Gateway: L7 load balancer with optional WAF function.

  • DDoS Protection: DDoS protection service.

  • Dedicated HSM: HSM service.

  • Key Vault: KMS service

  • Monitor: API log and monitoring related service.

  • Security Center: Integration service for other Azure and third-party security service.

  • Sentinel: SIEM service.

• GCP:

  • Access Transparency: Transparency log and control of GCP.

  • Apigee Sense: API security monitoring, detection, mitigation.

  • Armor: DDoS protection and WAF service

  • Asset Inventory: Asset monitoring service.

  • Assured workloads: Secure and compliant workloads.

  • Audit Logs: API logs.

  • Binanry Authorization: Binary authorization service for containers and serverless.

  • Cloud HSM: HSM service.

  • Cloud IDS: IDS service.

  • Confidential VM: Encrypt data in use with VM.

  • Context-aware Access: Enable zero trust access to applications and infrastructure.

  • DLP: DLP service:

  • EKM: External key management service

  • Identity-Aware Proxy: Identity-Aware Proxy for protect the internal service.

  • KMS: KMS service

  • Policy Intelligence: Detect the policy related risk.

  • Security Command Center: Integration service for other GCP security service.

  • Security Scanner: Application security scanner for GAE, GCE, GKE.

  • Shielded VM: VM with secure boot and vTPM.

  • Event Threat Detection: Threat dection service.

  • VPC Service Controls: GCP service security perimeter control.

Incident Response

• AWS Incident Response Playbooks by AWS Samples

• AWS Security Hub Automated Response and Remediation

• Dispatch by Netflix

• PagerDuty Automated Remediation Docs

• PagerDuty Business Response Docs

• PagerDuty DevSecOps Docs

• PagerDuty Full Case Ownership Docs

• PagerDuty Full Service Ownership Docs

• PagerDuty Going OnCall Docs

• PagerDuty Incident Response Docs

• PagerDuty Operational Review Docs

• PagerDuty PostMortem Docs

• PagerDuty Retrospectives Docs

• PagerDuty Stakeholder Communication Docs

• Velociraptor

Examples

• Ex. Automated Security Assessment

  • AWS Config Rules Repository

  • AWS Inspector Agent Autodeploy

  • AWS Inspector Auto Remediation

  • AWS Inspector Lambda Finding Processor

• Ex. Identity and Access Management

  • Amazon Cognito Streams connector for Amazon Redshift

• Ex. Logging

  • AWS Centralized Logging

  • AWS Config Snapshots to ElasticSearch

  • AWS CloudWatch Events Monitor Security Groups

• Ex. Web Application Firewall

  • AWS WAF Sample

  • AWS WAF Security Automations

Others

• Git Secrets by AWS Labs

• 411 by Etsy

• ElastAlert by Yelp

• StreamAlert by Airbnb

• Knox

• Spring Cloud Security

• ThreatModel for Amazon S3

Reading

• AWS:

  • Overiew of AWS Security

  • AWS-IAM-Privilege-Escalation by RhinoSecurityLabs: A centralized source of all AWS IAM privilege escalation methods.

  • MITRE ATT&CK Matrices of AWS

  • AWS security workshops

  • ThreatModel for Amazon S3: Library of all the attack scenarios on Amazon S3, and how to mitigate them following a risk-based approach

• Azure:

  • Overiew of Azure Security

  • Azure security fundamentals

  • MicroBurst by NetSPI: A collection of scripts for assessing Microsoft Azure security

  • MITRE ATT&CK Matrices of Azure

  • Azure security center workflow automation

• GCP:

  • Overiew of Azure Security

  • Azure security fundamentals

  • MicroBurst by NetSPI: A collection of scripts for assessing Microsoft Azure security

  • MITRE ATT&CK Matrices of Azure

  • Azure security center workflow automation

• Others:

  • Cloud recent news | Dark Reading

Podcasts

• Azure DevOps Podcast

• Security Now

Testing & Learning

• Labs:

  • AWS Workshops

    • AWS Identity: Using Amazon Cognito for serverless consumer apps

    • AWS Network Firewall Workshop

    • AWS Networking Workshop

    • Access Delegation

    • Amazon VPC Endpoint Workshop

    • Build a Vulnerability Management Program Using AWS for AWS

    • Data Discovery and Classification with Amazon Macie

    • Data Protection

    • DevSecOps - Integrating security into your pipeline

    • Disaster Recovery on AWS

    • Finding and addressing Network Misconfigurations on AWS

    • Firewall Manager Service - WAF Policy

    • Getting Hands on with Amazon GuardDuty

    • Hands on Network Firewall Workshop

    • Implementing DDoS Resiliency

    • Infrastructure Identity on AWS

    • Integrating security into your container pipeline

    • Integration, Prioritization, and Response with AWS Security Hub

    • Introduction to WAF

    • Permission boundaries: how to delegate permissions on AWS

    • Protecting workloads on AWS from the instance to the edge

    • Scaling threat detection and response on AWS

    • Serverless Identity

  • PagerDuty Training Lab

    • PagerDuty Training GitHub

    • PagerDuty Training for Engineers

    • PagerDuty Training for Everyone: Part 1

    • PagerDuty Training for Everyone: Part 2

• Courses:

  • Oracle Cloud Security Administrator

  • Learning Paths (by A Cloud Guru):

    • AWS Security Path

    • Azure Security Path

    • GCP Security Path

• Others:

  • ccat: Cloud Container Attack Tool.

  • CloudBrute: A multiple cloud enumerator.

  • cloudgoat: "Vulnerable by Design" AWS deployment tool.

  • Leonidas: A framework for executing attacker actions in the cloud.

  • Sadcloud: Tool for spinning up insecure AWS infrastructure with Terraform.

  • TerraGoat: Bridgecrew's "Vulnerable by Design" Terraform repository.

  • WrongSecrets: A vulnerable app which demonstrates how to not use secrets. With AWS/Azure/GCP support.

  • ServerlessGoat by OWASP

Others

• Cloud Security Research by RhinoSecurityLabs

• CSA cloud security guidance v4

• Appsecco provides training

• Cloud Risk Encyclopedia by Orca Security: 900+ documented cloud security risks, with ability to filter by cloud vendor, compliance framework, risk category, and criticality.

• Mapping of On-Premises Security Controls vs. Major Cloud Providers Services

• AWS Bucket search by grayhatwarfare

Sources

[1]: What Is Cloud-Native Security? - Palo Alto Networks

[2]: OWASP Cloud-Native Application Security Top 10 | OWASP Foundation

[3]: 4ndersonLin/awesome-cloud-security: 🛡️ Awesome Cloud Security Resources ⚔️ (github.com)

[4]: Funkmyster/awesome-cloud-security: Curated list of awesome cloud security blogs, podcasts, standards, projects, and examples. (github.com)

[5]: teamssix/awesome-cloud-security: awesome cloud security 收集一些国内外不错的云安全资源，该项目主要面向国内的安全人员 (github.com)