Release Date: 12/12/2021 | Issue: 117
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:

Uncover lessons learned from the recent cloud attack by a group called TeamTNT in this short blog. TeamTNT is known for large-scale attacks against virtual and cloud solutions, like Kubernetes and Docker. Recently they deployed a new strategy that leverages the AWS instance metadata service to obtain credentials carrying excessive permissions, which can then be abused for lateral movement within the cloud environment.
Read the blog to discover how the attack works, the associated risks, and how to detect it.

This week's articles

Snaring the Bad Folks   #aws, #defend, #monitor
Blog post introducing Snare, Netflix's Detection, Enrichment, and Response platform for handling cloud security related findings. Snare is responsible for receiving millions of records a minute, analyzing, alerting, and responding to them.

Falco 101   #explain, #falco
All you need to learn to get started with Falco.

Zero Trust with Envoy, SPIRE and Open Policy Agent (OPA)   #build, #opa
Blog exploring one of the key principles of Zero Trust, around authenticating and authorizing every request before a service is allowed to access a resource, and defining a simple OPA policy that demonstrates how service to service communication can be protected.

Achieving Least Privilege with AWS IAM   #aws, #explain, #iam
A few tips and tricks that should help anyone looking to advance their understanding of IAM.

Pod Security Graduates to Beta   #announcement, #defend, #kubernetes
With the release of Kubernetes v1.23, Pod Security admission has now entered beta. Pod Security is a built-in admission controller that evaluates pod specifications against a predefined set of Pod Security Standards and determines whether to admit or deny the pod from running.

Zero-friction keyless signing with Github Actions   #build, #ci/cd, #containers
How-to guide explaining how to use cosign to sign container images built in Github. You can also check the related Github Announcement.

Using Google Cloud Service Account impersonation in your Terraform code   #build, #gcp, #terraform
This blog details different ways to authenticate as a service account in Terraform code using short-lived credentials.

Best practices for using workload identity federation   #build, #gcp, #iam
This guide presents best practices for deciding when to use workload identity federation, and how to configure it in a way that helps you minimize risks.

AWS SageMaker Jupyter Notebook Instance Takeover   #attack, #aws
An attacker can run any code on a victim's SageMaker JupyterLab Notebook Instance across accounts. This means that an attacker can access the Notebook Instance metadata endpoint and steal the access token for the attached role.

Over-Privileged Service Accounts Create Escalation of Privileges and Lateral Movement in Google Cloud   #attack, #gcp, #iam
There are standard best practices for service accounts, but many GCP environments lag behind in implementing them. This research shows how these violations of best practices can allow attackers to chain together attack steps to gain broader access to resources in a GCP environment.


A list of security mistakes made by Cloud Service Providers (AWS, GCP, Azure). Includes CVEs, SOC 2 Type 2 failures, security researchers compromising managed services, and more.

A standalone exporter for vulnerability reports and other CRs created by Starboard.

From the cloud providers

AWS: Amazon S3 console now reports security warnings, errors, and suggestions from IAM Access Analyzer as you author your S3 policies
The S3 console now reports security warnings, errors, and suggestions from Identity and Access Management (IAM) Access Analyzer as you author your S3 policies. The console automatically runs more than 100 policy checks to validate your policies.

GCP: Ensuring scale and compliance of your Terraform Deployment with Cloud Build
The best way to run Terraform on Google Cloud is with Cloud Build and Cloud Storage. This article explains why, covering scale, security and compliance.

GCP: Cloud IDS for network-based threat detection is now generally available
Google announced the general availability of Cloud IDS. This core network security offering helps detect network-based threats and helps organizations meet compliance standards that call for the use of an intrusion detection system.

GCP: Enabling keyless authentication from GitHub Actions
With GitHub's introduction of OIDC tokens into GitHub Actions Workflows, you can authenticate from GitHub Actions to Google Cloud using Workload Identity Federation, removing the need to export a long-lived JSON service account key.

Azure: Public preview availability of Virtual Machine restore points
Take multi-disk consistent point in time snapshots of all the disks attached to a VM for backup and disaster recovery purposes.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.