Lateral movement risks in the cloud and how to prevent them

This post focuses on lateral movement from cloud environments into managed Kubernetes clusters, and on the attack vectors an adversary who has already gained a foothold in the cloud account can use to get there.

Adversaries can abuse three kinds of artefacts to move laterally from a cloud environment into a managed Kubernetes cluster: stolen long-term IAM cloud keys, kubeconfig files found on compromised workloads, and container registries they can write to (an attacker who can push to a repository the cluster pulls from can replace a legitimate image with a malicious one). The exact paths differ between the major CSPs (AWS, GCP, Azure), because each ships different default cluster configurations and integrates cluster authentication differently with its IAM or Azure AD identities.

To mitigate these risks, organizations should consider the following best practices:

  1. Avoid storing long-term cloud keys (AWS access keys, GCP service-account JSON keys, Azure service-principal secrets) in workloads. Instead, attach an identity to the workload (IAM roles on AWS, Workload Identity / service accounts on GCP, managed identities on Azure) and scope it to the minimum permissions the workload actually needs.
  2. Remove kubeconfig files from internet-exposed cloud workloads. Where possible, make the Kubernetes API server endpoint private, and restrict security-group or firewall access to the endpoint to specific source IP addresses.
  3. Restrict access to container registries: define a strict resource-based policy for each repository, enable the "Tag immutability" flag (so an existing tag such as :latest cannot be overwritten with a different image), limit network access with firewall rules or a private endpoint connection, and never grant access to the allUsers or allAuthenticatedUsers principals on GCP.
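As an added example that is not part of the original post, the following Python script checks a workload for the three exposures listed above: long-term cloud keys in the environment, a kubeconfig that carries static credentials or disables TLS verification, and a registry whose policy is open to anonymous or any-authenticated principals or whose tags are mutable. Every input (the environment dump, the kubeconfig, the repository description, the key ID) is a constructed sample, not real account data; in practice the kubeconfig would come from `yaml.safe_load` on the file on disk and the repository data from the registry APIs. The AKIA/ASIA key-ID prefixes follow AWS conventions, the exec-plugin allow-list is a heuristic covering the common CSP plugins, and the registry check accepts both an AWS-style resource policy and GCP-style IAM bindings in one constructed record.

```python
"""Audit a cloud workload for the exposures in the list above:
  1. long-term cloud keys in the environment or on disk,
  2. a kubeconfig carrying static credentials instead of exec-minted tokens,
     or with TLS verification disabled,
  3. a registry open to anonymous/any-authenticated principals or with mutable tags.
All sample inputs are constructed (not real accounts or secrets)."""
import re

# 1. Long-term credential material.  AWS long-term access key IDs start with AKIA;
#    temporary STS key IDs start with ASIA and are deliberately not flagged.
AWS_LONG_TERM_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# A GCP service-account JSON key carries a type marker and an RSA private key.
GCP_SA_KEY_MARKERS = ('"type": "service_account"', "-----BEGIN PRIVATE KEY-----")


def find_long_term_keys(blob: str) -> list[str]:
    findings = [f"AWS long-term access key {k}" for k in AWS_LONG_TERM_KEY.findall(blob)]
    if all(m in blob for m in GCP_SA_KEY_MARKERS):
        findings.append("GCP service-account JSON key")
    return findings


# 2. kubeconfig hygiene.  These exec plugins mint short-lived cluster tokens from the
#    cloud identity; anything else is flagged for review (heuristic allow-list).
SHORT_LIVED_EXEC = {"aws", "gke-gcloud-auth-plugin", "kubelogin"}
STATIC_USER_FIELDS = ("token", "password", "client-key-data", "client-key")


def audit_kubeconfig(cfg: dict) -> list[str]:
    findings = []
    for entry in cfg.get("users", []):
        name, user = entry.get("name", "?"), entry.get("user", {})
        static = [f for f in STATIC_USER_FIELDS if f in user]
        if static:
            findings.append(f"user {name}: embedded static credential(s) {static}")
        cmd = user.get("exec", {}).get("command")
        if cmd and cmd.split("/")[-1] not in SHORT_LIVED_EXEC:
            findings.append(f"user {name}: unrecognised exec plugin {cmd!r}")
    for entry in cfg.get("clusters", []):
        if entry.get("cluster", {}).get("insecure-skip-tls-verify"):
            findings.append(f"cluster {entry.get('name', '?')}: TLS verification disabled")
    return findings


# 3. Registry exposure: AWS-style resource policy statements and GCP-style IAM bindings.
OPEN_PRINCIPALS = {"*", "allUsers", "allAuthenticatedUsers"}


def _aws_principals(statement: dict) -> set[str]:
    p = statement.get("Principal", {})
    if p == "*":
        return {"*"}
    vals = p.get("AWS", []) if isinstance(p, dict) else []
    return set(vals) if isinstance(vals, list) else {vals}


def audit_registry(repo: dict) -> list[str]:
    findings = []
    name = repo["name"]
    if repo.get("imageTagMutability") != "IMMUTABLE":
        findings.append(f"{name}: tags are mutable (a pusher can overwrite a tag the cluster pulls)")
    for st in repo.get("policy", {}).get("Statement", []):
        open_ = sorted(_aws_principals(st) & OPEN_PRINCIPALS)
        if st.get("Effect") == "Allow" and open_ and "Condition" not in st:
            findings.append(f"{name}: statement {st.get('Sid', '?')} allows {open_} with no Condition")
    for b in repo.get("iam_bindings", []):
        open_ = sorted(set(b.get("members", [])) & OPEN_PRINCIPALS)
        if open_:
            findings.append(f"{name}: role {b.get('role')} granted to {open_}")
    return findings


# Constructed samples.  The key ID is AWS's documented example value, not a live key.
SAMPLE_ENV = "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nKUBECONFIG=/root/.kube/config\n"
SAMPLE_KUBECONFIG = {
    "clusters": [{"name": "prod", "cluster": {"server": "https://203.0.113.10:6443",
                                              "insecure-skip-tls-verify": True}}],
    "users": [
        {"name": "ci-bot", "user": {"token": "eyJ...constructed-static-token"}},
        {"name": "eks-admin", "user": {"exec": {"command": "aws",
                                                "args": ["eks", "get-token", "--cluster-name", "prod"]}}},
    ],
}
SAMPLE_REPO = {
    "name": "app-images",
    "imageTagMutability": "MUTABLE",
    "policy": {"Statement": [{"Sid": "PublicPull", "Effect": "Allow", "Principal": "*",
                              "Action": ["ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"]}]},
    "iam_bindings": [{"role": "roles/artifactregistry.reader", "members": ["allUsers"]}],
}


def audit_all() -> list[str]:
    return (find_long_term_keys(SAMPLE_ENV)
            + audit_kubeconfig(SAMPLE_KUBECONFIG)
            + audit_registry(SAMPLE_REPO))


if __name__ == "__main__":
    for finding in audit_all():
        print("FINDING:", finding)
```

On the constructed samples the script reports six findings: the long-term AWS key, the ci-bot user's static token, the cluster with TLS verification disabled, the mutable tags, the unconditioned `Principal: "*"` statement, and the `allUsers` binding. The `eks-admin` user is not flagged because its credentials are minted on demand by `aws eks get-token` from whatever cloud identity the workload holds, which is exactly the pattern the first best practice recommends.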

