Release Date: 06/03/2022 | Issue: 127
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

To Err Is Human, and That’s What Hackers Are Counting On
Ransomware may be a top cybersecurity priority, but in the cloud, the number one threat is data breaches due to misconfiguration and control plane compromise. Organizations that get this right maintain full knowledge of their environment and empower developers with tools that leverage automation and policy as code.
Read more about modern cloud threats and how to meet them in this article from Josh Stella, Chief Architect, Snyk: "To Err Is Human, and That's What Hackers Are Counting On."
Learn more about automating cloud security and compliance with Fugue here.

This week's articles

The Secure Software Factory   #ci/cd, #design, #supply-chain
A reference architecture to securing the software supply chain.

In depth research and trends analyzed from 50+ different concepts as code   #explain, #iac
We all know "infrastructure as code". It is expanding to bigger constructs , devsecops, workflow , data , documentation, and slowly getting into the business domain. This post analyzed the trends from over 50+ concepts "as code".

How secure is your Grafana instance? What you need to know   #monitor
With Grafana's out-of-the-box security features, you can protect your instances against vulnerabilities and create security audit dashboards.

Security for package maintainers   #defend, #supply-chain
Some good practices for securing accounts and package repositories.

Privilege Escalation from Node/Proxy Rights in Kubernetes RBAC   #attack, #kubernetes
How granting rights to node/proxy resources in Kubernetes could allow for audit logs and other security controls to be bypassed.

Go directly to namespace jail: Locking down network traffic between Kubernetes namespaces   #defend, #kubernetes
How do you restrict network traffic between namespaces in a Kubernetes cluster? This guide shows how to prevent traffic between namespaces using Linkerd's traffic policies.

Docker authentication   #containers, #explain
A great explanation of how docker credential helpers and registry authentication works.

Containers vs. Pods - Taking a Deeper Look   #explain, #kubernetes
What is the difference between a Docker Container and a Kubernetes Pod? Can a Pod be created with plain Docker commands? How are Pods implemented under the hood?


Build OCI images using APK directly without Dockerfile. You can also refer to the companion blog post.

Infrastructure-as-code where you work with high-level constructs instead of getting lost in low level cloud configuration.

Simple command line utility to transform a provided Kubernetes resource into a Kubernetes AdmissionReview request, as sent from the Kubernetes API server when dynamic admission control (i.e. webhook) is configured.

Zarf massively simplifies the setup & administration of kubernetes clusters "across the air gap".

Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by a Neo4j database. You can also refer to the companion blog post.


ControlPlane is Hiring!
Are you a cloud native pentester, engineer, or security architect with Kubernetes experience? Want to write Golang or build security tooling and pipelines?
ControlPlane is a London based cloud technology company, helping to keep people safe online. We work with cloud providers and their customers to secure the building blocks of the internet, by offering consulting, training, and products related to cloud native development, security and operations.
We guarantee nice people, interesting work, and offer remote-first roles:

From the cloud providers

AWS Icon  Configure AWS SSO ABAC for EC2 instances and Systems Manager Session Manager
How to configure AWS Single Sign-On to define attribute-based access control (ABAC) permissions to manage EC2 instances and AWS Systems Manager Session Manager for federated users.

AWS Icon  Fine-tune and optimize AWS WAF Bot Control mitigation capability
This post describes the primary building blocks for using Bot Control, and how you can combine and customize them to address different scenarios.

AWS Icon  Introducing AWS Cloud Map MCS Controller for K8s
Amazon is announcing an open source project, AWS Cloud Map MCS Controller for K8s, which allows a Kubernetes-native service discovery capability that works across Kubernetes (K8s) clusters.

AWS Icon  How to build a multi-Region AWS Security Hub analytic pipeline and visualize Security Hub data
How to build an analytics pipeline of your Security Hub findings, summarize the data with Amazon Athena, and visualize the data via QuickSight.

AWS Icon  AWS Security Reference Architecture (AWS SRA)
The AWS Security Reference Architecture (AWS SRA) is a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment.

GCP Icon  GCP launches deny policies
IAM deny policies let you set guardrails on access to Google Cloud resources. With deny policies, you can define deny rules that prevent certain principals from using certain permissions, regardless of the roles they're granted. You can also check this useful thread from @jasonadyke.

GCP Icon  Webhook, Pub/Sub, and Slack Alerting notification channels launched
Announcing the general availability of the new Pub/Sub, Webhook, and Slack Notification channels.

GCP Icon  Creating custom notifications with Cloud Monitoring and Cloud Run
A tutorial for writing and deploying customized Cloud Monitoring alert notifications to third party services.

Azure Icon  Detecting identity attacks in Kubernetes
Identities are a key aspect of Kubernetes security, and monitoring their activity is crucial for keeping your cluster secured. The Kubernetes audit log and the cloud control plane logs can be used for identifying suspicious activity of the identities in Kubernetes.

Azure Icon  Stay on top of database threats with Microsoft Defender for Azure Cosmos DB
Microsoft announced a new addition to their database protection offering Microsoft Defender for Azure Cosmos DB in preview.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! πŸ‘Œ

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
Β© 2019-present, CloudSecList by Marco Lancini.