Release Date: 08/12/2019 | Issue: 15
The Cloud Security Reading List is a low-volume newsletter (delivered once per week) that highlights security-related news focused on the cloud native landscape, hand-curated by Marco Lancini.

This week's articles

Identity federation with multiple AWS accounts
As organizations scale, they tend to centralize identity with SSO SAML federation, but there are two patterns for federation with AWS. This post from Alex Smolen covers the differences between direct and hub-and-spoke identity federation with multiple AWS accounts.

Guardians of the Cloud: Automating the Response to Security Events
In this blog post, the Auth0 team describes how they use security automation to respond to GuardDuty events at scale. They give an overview of the architecture they implemented for alert analysis, triage, user notification, and automated response to AWS GuardDuty security findings across all of their AWS accounts.

CloudTrail Application Anomaly Detection
This project is a CloudTrail-based anomaly detection tool for use in AWS. It keeps track of all API actions a principal calls (that are tracked by CloudTrail) for an N-day period and alerts on new API calls after the N-day period.

Reverse Engineering and Exploiting Builds in the Cloud
This is the repository that contains material and slides for the talk Reverse Engineering and Exploiting Builds in the Cloud delivered at BlackHat Europe 2019 by the Heroku team. The slides are a nice overview of different attack paths against cloud-based build systems.

Terrier is an image and container analysis tool that can be used to scan images and containers to identify and verify the presence of specific files according to their hashes. In particular, it lets you scan an OCI image or a running container for the presence of one or more files that match one or more provided SHA256 hashes.

Seccomp in Kubernetes — Part I
The first of a series on how to land great seccomp profiles in a SecDevOpsy way without resorting to magic or sorcery. The first part covers the basics and the internals of the Kubernetes seccomp implementation.

From the cloud providers

Amazon Detective
Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities.

AWS IAM Access Analyzer
IAM Access Analyzer mathematically analyzes access control policies attached to resources and determines which resources can be accessed publicly or from other accounts. It continuously monitors all policies for Amazon Simple Storage Service (S3) buckets, IAM roles, AWS Key Management Service (KMS) keys, AWS Lambda functions, and Amazon Simple Queue Service (SQS) queues. With IAM Access Analyzer, you have visibility into the aggregate impact of your access controls, so you can be confident your resources are protected from unintended access from outside of your account.

Introducing EC2 Image Builder
AWS announced the availability of EC2 Image Builder, a service that makes it easier and faster to build and maintain secure images. Image Builder simplifies the creation, patching, testing, distribution, and sharing of Linux or Windows Server images.

Help secure software supply chains on Google Kubernetes Engine
This article shows how to ensure that your software supply chain follows a known and secure path before your code is deployed in a Google Kubernetes Engine (GKE) cluster. The article reviews how binary authorization works, then explains how to best implement and use it with GCP to ensure that your deployment pipeline can provide the most information possible to help you enforce approvals at each of your required stages.

Google Groups for GKE
Previously, you could only grant roles to GCP user accounts or Cloud IAM service accounts. Google Groups for GKE (Beta) allows you to grant roles to the members of a GSuite Google Group. With this mechanism, the users and groups themselves are maintained by GSuite administrators, completely outside of Kubernetes or GCP Console, so cluster administrators do not need detailed information about your users. Another benefit is integration with your existing user account management practices, such as revoking access when someone leaves your organization.

© 2019-present
The Cloud Security Reading List by SecurityBite LTD.