Release Date: 24/04/2022 | Issue: 134
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

The 2022 State of Cyber Assets Report - Now Available from JupiterOne!
This analysis of over 370 million cyber assets, findings, and policies across almost 1,300 organizations helps security operations, engineers, practitioners and leaders understand cyber assets, liabilities, attack surfaces, and their relationships in the modern enterprise.
To get your copy, see The 2022 State of Cyber Assets Report

This week's articles

Security alert: Attack campaign involving stolen OAuth user tokens issued to two third-party integrators   #attack, #ci/cd, #supply-chain
On April 12, GitHub Security began an investigation that uncovered evidence that an attacker abused stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organizations, including npm.

AWS's Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation   #attack, #aws
PaloAlto identified severe security issues within AWS Log4Shell hot patch solutions. This article provides a root cause analysis and overview of fixes and mitigations.

Security Overview of AWS Fargate   #aws, #containers, #defend
Amazon's own security overview of Fargate, which is helpful for new adopters and deepens understanding of Fargate for current users.

Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark   #defend, #gcp
What the CIS Google Cloud Platform Foundation Benchmark offers against 10 of the most common GCP misconfigurations that NCC Group comes across during client assessments.

Where's my stuff on GCP?   #explain, #gcp
In 2018 GCP released a feature called Cloud Asset Inventory. It allows one to search for all your resources globally: "$ gcloud asset search-all-resources".

Implementing Cloud Governance as a Code using Cloud Custodian   #aws, #defend
Cloud Custodian enables us to define rules and remediation as one policy to facilitate a well-managed cloud infrastructure.

The OPA AWS CloudFormation Hook   #aws, #opa
Learn more about AWS CloudFormation Hook and how Open Policy Agent may be used for CloudFormation policy enforcement.

RBAC Explained with Examples   #explain, #iam, #kubernetes
Kubernetes RBAC tutorial with two examples, using ServiceAccounts and openssl to create separate contexts for users.

Securing your site via OIDC, powered by Kong and KeyCloak   #build, #kubernetes
How to incorporate the Kong Ingress Controller, KeyCloak and Kubernetes to have an initial OIDC flow to front external services (API or web endpoints).

Gaining Visibility Within Container Clusters   #kubernetes, #monitor
Service mesh platforms can be used to provide insight into the container processes and their network operations within K8s clusters.

Abusing Azure Container Registry Tasks   #attack, #azure
How one Azure service supporting DevOps can start in a very solid "secure by default" state, but then quickly descend into a very dangerous configured state.

Your Favorite Software Repositories, Now Working Together   #announcement, #supply-chain
OpenSSF announced the creation of the Securing Software Repositories Working Group, a community collaboration with a focus on the maintainers of software repositories, software registries, and tools (like package managers) that rely on them, at various levels including system, language, plugin, extensions and container systems.


Compares and analyzes GCP IAM roles.

A command line utility to help you investigate the sensitive data associated with Macie findings.

Smart SSH bastion that works with any SSH client.

Curiefense is a new application security platform, which protects sites, services, and APIs. It extends Envoy proxy to defend against a variety of threats, including SQL and command injection, cross site scripting (XSS), account takeovers (ATOs), application-layer DDoS, remote file inclusion (RFI), API abuse, and more.

A container runtime tool aimed at providing unprivileged sandboxes.


Is manual evidence collection weighing your engineering team down?
Level up your game and save 200+ hours with Drata's automated continuous compliance solution for SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR, CCPA. Drata connects to your techstack with 60+ integrations, including AWS, GitHub, GCP, & more to automate the compliance process.
Kickstart your compliance journey by requesting a demo and get 10% off๐Ÿš€

From the cloud providers

AWS Icon  How to protect HMACs inside AWS KMS
Post explaining the basics of the HMAC algorithm as a cryptographic building block, including how HMACs are used.

AWS Icon  Easily Running Open Policy Agent Serverless with AWS Lambda and Amazon API Gateway
How to run OPA as a service within a container in Lambda using just the standard precompiled OPA binary. This will allow you take advantage of OPA's built-in REST API while still getting the performance and cost savings of Lambda with no code to customize or manage besides your actual Rego policy code.

GCP Icon  Standardize traffic management: Service Directory and Traffic Director
Service Directory and Traffic Director integration for service based traffic management.

Azure Icon  In preview: SSH access to Azure Arc-enabled servers
This functionality lets you SSH into your Arc machines without a public IP address or additional inbound ports.

Azure Icon  Opt-in to Auditing on Azure DevOps
Auditing has now been made an opt-in feature on Azure DevOps.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! ๐Ÿ‘Œ

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
ยฉ 2019-present, CloudSecList by Marco Lancini.