Release Date: 24/10/2021 | Issue: 110
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.


🦙 Compliance That Doesn't SOC 2 Much 🦙
Are you in the throes of a painstaking SOC 2 panic? We know the feeling -- and we're here to help. Vanta restores trust in internet businesses by giving startups an easy-to-use platform to prove security. Nearly 2,000 businesses rely on Vanta to automate their SOC 2, ISO 27001, HIPAA, or (very soon!) PCI compliance.
Let Vanta automate your compliance.

This week's articles

Protect your open source project from supply chain attacks   #ci/cd, #defend
A post that can serve as a beginner's guide for anyone who wants to protect their open source project from supply chain attacks. The recommendations follow the SLSA framework and the OpenSSF Scorecards rubric, and many of them can be enforced automatically with the Allstar project.

Attacking and Securing CI/CD Pipelines   #ci/cd, #attack, #defend
In 2021, Mercari was affected by a supply chain attack caused by the compromised Codecov uploader, which allowed an intrusion into their CI/CD environment. This presentation gives a comprehensive summary of the attack methods commonly used against CI/CD environments, together with what Mercari learned the hard way while securing their own pipelines. You can also check the companion repo.

Multicloud failover is almost always a terrible idea   #aws, #azure, #gcp, #strategy
Multicloud failover is so complex and costly that it is nearly always impractical, and it is not an especially effective way to address cloud resilience risks.

GitHub Actions Security Best Practices   #ci/cd, #defend
Some of the key security concerns you should be aware of when using GitHub Actions, alongside the best practices that Salesforce Heroku follows to use them securely.

Abusing Registries For Exfil And Droppers   #attack, #containers
This post goes into the details of the standard container registry API, some of its abuse points, and the attack surface that pentesters (or future malware authors) can exploit, for example by using a registry as an exfiltration channel or as a dropper.

How to improve your Docker containers security - [cheat sheet]   #containers, #defend
A set of recommendations regarding Docker containers configuration at build and runtime to improve your containers' security.

Container security best practices: Comprehensive guide   #containers, #defend
Container security best practices don't cover just the delivered applications and the container image itself, but also the full component stack used for building, distributing, and especially executing the container. This includes the host or VM, the container runtime, the cluster technology, the cloud provider configuration, and more.

Securing Kubernetes Secrets with Conjur   #build, #kubernetes
Conjur helps you secure & manage your secrets centrally. This post talks about how to set up, run & integrate Conjur with Kubernetes to secure its secrets.

Introducing the Consul API Gateway   #announcement, #hashicorp, #kubernetes
The new Consul API Gateway is a dedicated ingress solution for intelligently routing traffic to applications running on the HashiCorp Consul service mesh.


A vulnerability scanner for container images and filesystems.

A small Lambda script that disables IAM access keys older than a given number of days.
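The core of such a key-rotation enforcer is short enough to show in full. The following is an added illustrative example, not the script linked above (whose code is not on this page): it assumes a boto3-style IAM client (list_users, list_access_keys, update_access_key), a 90-day threshold, and uses a constructed in-memory fake client with made-up key IDs so that it runs offline. Keys are set to Inactive rather than deleted, because an inactive key can be re-enabled if the owner turns out to still need it.

```python
"""Disable IAM access keys older than N days (added example, not the linked script)."""
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy; adjust to your own standard


def stale_keys(iam, now=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key_id, age_days) for every Active key strictly older than the threshold.

    A key created exactly max_age_days ago is NOT reported: "older than" is strict.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    found = []
    # list_users is paginated in the real API, so always go through the paginator
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            name = user["UserName"]
            for key in iam.list_access_keys(UserName=name)["AccessKeyMetadata"]:
                if key["Status"] != "Active":
                    continue  # already inactive: nothing to do
                if key["CreateDate"] < cutoff:
                    age = (now - key["CreateDate"]).days
                    found.append((name, key["AccessKeyId"], age))
    return found


def disable_stale_keys(iam, now=None, max_age_days=MAX_KEY_AGE_DAYS, dry_run=False):
    """Set stale keys to Inactive (reversible, unlike delete). Returns the key IDs acted on."""
    disabled = []
    for user, key_id, _age in stale_keys(iam, now, max_age_days):
        if not dry_run:
            iam.update_access_key(UserName=user, AccessKeyId=key_id, Status="Inactive")
        disabled.append(key_id)
    return disabled


class FakeIAM:
    """Constructed stand-in for boto3's IAM client, covering only the calls used above."""

    def __init__(self, users):
        # users: {user_name: [{"AccessKeyId": ..., "Status": ..., "CreateDate": ...}, ...]}
        self.users = users

    def get_paginator(self, name):
        assert name == "list_users"
        users = self.users

        class _Paginator:
            def paginate(self):
                yield {"Users": [{"UserName": u} for u in users]}

        return _Paginator()

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [dict(k, UserName=UserName) for k in self.users[UserName]]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        for k in self.users[UserName]:
            if k["AccessKeyId"] == AccessKeyId:
                k["Status"] = Status


# Constructed sample data; the key IDs are made up and the clock is pinned to this issue's date.
NOW = datetime(2021, 10, 24, tzinfo=timezone.utc)


def sample_client():
    return FakeIAM({
        "alice": [{"AccessKeyId": "AKIAEXAMPLEOLD00001", "Status": "Active",
                   "CreateDate": NOW - timedelta(days=120)}],   # stale
        "bob":   [{"AccessKeyId": "AKIAEXAMPLENEW00002", "Status": "Active",
                   "CreateDate": NOW - timedelta(days=10)},     # fresh
                  {"AccessKeyId": "AKIAEXAMPLEOFF00003", "Status": "Inactive",
                   "CreateDate": NOW - timedelta(days=400)}],   # old but already inactive
        "svc":   [{"AccessKeyId": "AKIAEXAMPLEEDGE0004", "Status": "Active",
                   "CreateDate": NOW - timedelta(days=90)}],    # exactly at threshold: kept
    })


if __name__ == "__main__":
    client = sample_client()
    for user, key_id, age in stale_keys(client, NOW):
        print(f"{user}: {key_id} is {age} days old")
    print("disabled:", disable_stale_keys(client, NOW))
```

Against a real account you would replace sample_client() with boto3.client("iam") and keep dry_run=True for the first runs; the same function then only reports what it would have disabled.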

Terraform Provider for cascading runs across multiple workspaces.

Detects orphan configmaps and secrets in a Kubernetes cluster.

Cronjobber is a cronjob controller for Kubernetes with support for time zones.

From the cloud providers

AWS Security Hub adds support for cross-Region aggregation of findings
AWS Security Hub now allows you to designate an aggregation Region and link some or all Regions to that aggregation Region. This gives you a centralized view of all your findings across all of your accounts and all of your linked Regions.

Building an end-to-end Kubernetes-based DevSecOps software factory on AWS
An end-to-end Kubernetes-based DevSecOps software factory on AWS with continuous testing, continuous logging and monitoring, auditing and governance, and operations.

Enabling data classification for Amazon RDS database with Macie
How to use AWS Database Migration Service (AWS DMS) to extract data from RDS, store it on S3, and then classify the data using Macie.

Securely extend and access on-premises Active Directory domain controllers in AWS
A best-practice architecture that uses a remote desktop gateway to reach your domain controllers securely, while exposing only the minimum required ports.

Cloud Data Loss Prevention is now automatic
Google announced they are making Cloud DLP automatic: automatic discovery, automatic inspection, automatic classification, automatic data profiling. Now available in preview for BigQuery, you can enable Cloud DLP across your entire organization to gain visibility into your data risk.

Using signed provenance and Binary Authorization
As part of an image's provenance, Cloud Build automatically records details such as the images generated, the input sources, the build arguments, and the build time. A new attestor lets Binary Authorization verify that provenance, so that only images built by Cloud Build are allowed to deploy.

Trust Google Cloud more with ubiquitous data encryption
Ubiquitous data encryption on Google Cloud provides unified control over data at-rest, in-use, and in-transit, with keys under customer control.

Azure Sentinel Threat Intelligence Workbook
Azure Sentinel Threat Intelligence is based on the ingestion of threat indicators such as IP addresses, domains, URLs, email senders, and file hashes. This provides a starting point for building threat intelligence programs which require the ability to both ingest and correlate threat data across cloud workloads.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList)!

© 2019-present, CloudSecList by Marco Lancini.