Part III: Cloud Security
CHAPTER 13: Monitoring Cloud Operations
  Host Dashboarding with NetData
  Cloud Platform Interrogation with Komiser
  Summary
CHAPTER 14: Cloud Guardianship
  Installing Cloud Custodian
  More Complex Policies
  IAM Policies
  S3 Data at Rest
  Generating Alerts
  Summary
CHAPTER 15: Cloud Auditing
  Runtime, Host, and Cloud Testing with Lunar
  AWS Auditing with Cloud Reports
  CIS Benchmarks and AWS Auditing with Prowler
  Summary
CHAPTER 16: AWS Cloud Storage
  Buckets
  Native Security Settings
  Automated S3 Attacks
  Storage Hunting
  Summary
Part IV: Advanced Kubernetes and Runtime Security
CHAPTER 17: Kubernetes External Attacks
  The Kubernetes Network Footprint
  Attacking the API Server
  Attacking etcd
  Attacking the Kubelet
  Summary
CHAPTER 18: Kubernetes Authorization with RBAC
  Kubernetes Authorization Mechanisms
  RBAC Overview
  RBAC Gotchas
  Auditing RBAC
  Summary
CHAPTER 19: Network Hardening
  Container Network Overview
  Restricting Traffic in Kubernetes Clusters
  CNI Network Policy Extensions
  Summary
CHAPTER 20: Workload Hardening
  Using Security Context in Manifests
  Mandatory Workload Security
  PodSecurityPolicy
  PSP Alternatives
  Summary
Index
List of Tables
Chapter 1
  Table 1.1: Common Container Components
Chapter 2
  Table 2.1: Rootless Mode Limitations and Restrictions
Chapter 4
  Table 4.1: Actions for auditd When Disks Are Filling Up Rapidly
  Table 4.2: The Different Permissions You Can Apply
  Table 4.3: List Options Available for fork and clone Syscalls
  Table 4.4: Options for audit_set_failure
Chapter 5
  Table 5.1: Deployment Methods for kube-hunter
  Table 5.2: Scanning Options That You Can Try in kube-hunter
  Table 5.3: Hunting Modes in kube-hunter
Chapter 6
  Table 6.1: Policy Matching Criteria That Anchore Can Use Within Its Policies
  Table 6.2: The Policies Available from the Policy Hub
Chapter 7
  Table 7.1: ZAP Builds Available via Docker
Chapter 8
  Table 8.1: Using Tags in Gauntlt to Get More or Less Results
Chapter 12
  Table 12.1: Interactive Options for Nikto While It's Running
  Table 12.2: IDS Evasion Capabilities Courtesy of Libwhisker
  Table 12.3: Nikto Offers "Mutation" Technique Options, Too
  Table 12.4: Tuning Options Within Nikto
Chapter 15
  Table 15.1: The Many Areas of Coverage That Lunar Offers
Chapter 16
  Table 16.1: Public Access Settings for S3 Buckets and Objects
  Table 16.2: Ways to List S3 Buckets in S3Scanner
List of Illustrations
Chapter 1
  Figure 1.1: How virtual machines and containers reside on a host
Chapter 5
  Figure 5.1: The excellent kube-hunter