Release Date: 05/01/2020 | Issue: 18
"The Cloud Security Reading List" is a low-volume mailing list (once per week) that highlights security-related news focused on the cloud native landscape, hand-curated by Marco Lancini.

This week's articles


Catalog of Supply Chain Compromises
CNCF SIG Security is creating a catalog of software supply chain compromises. The goal is not to catalog every known supply chain attack, but rather to capture many examples of different kinds of attack, so that we can better understand the patterns and develop best practices and tools.


Software Libraries Are Terrifying
Still on the topic of supply chain security, this is a nice post describing how easy it is to end up with malicious libraries in your codebase.


Demystifying AWS' AssumeRole and sts:ExternalId
AWS AssumeRole accepts an optional parameter called "sts:ExternalId" which is intended to mitigate certain types of attacks. However, both the attacks that sts:ExternalId mitigates and how to properly use it are widely misunderstood, resulting in large numbers of vulnerable AWS-based applications. This post aims to describe what sts:ExternalId does, when to use it, and how to use it.


Actionable threat hunting in AWS
Talk that Chris Farris (@jcfarris) delivered at AWS re:Invent 2019, describing how his team does security monitoring and incident response (IR) on AWS.


kube-psp-advisor
kube-psp-advisor is a tool that makes it easier to create K8s Pod Security Policies (PSPs), either from a live K8s environment or from a single .yaml file containing a pod specification (Deployment, DaemonSet, Pod, etc.).


kube-query
kube-query is an extension for osquery, letting you visualize your cluster using SQL queries.

From the cloud providers

Learn how to import AWS Config rules evaluations as findings in Security Hub.


Google Cloud now supports CCPA compliance
The California Consumer Privacy Act (CCPA) is a data privacy law that imposes new requirements on businesses and gives consumers in California the right to access, delete, and opt-out of the "sale" of their personal information. Google Cloud is now committed to supporting CCPA compliance across G Suite and Google Cloud products.
Copyright © 2020 The Cloud Security Reading List, All rights reserved.