Release Date: 01/05/2022 | Issue: 135
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

Why Your Current Cloud Security Won't Prevent Attacks
Cloud environments are built on design failures, and attackers are exploiting those failures every day. You can't monitor your way out of this problem. In Fugue's next Cloud Security Masterclass, Josh Stella (chief architect, Snyk) explores a taxonomy of cloud security built around the three vectors we can manipulate to design secure cloud environments: resources, actions, and time.
May 5 at 1PM ET. Register here

This week's articles

Not All SBOMs Are Created Equal   #explain, #supply-chain
A comprehensive SBOM is a valuable part of any organization's security toolbox. By looking at SCA tools critically and understanding their theory of operation we can generate more complete and accurate SBOMs.

Don't Panic: A Playbook for Handling Account Compromise with Sigstore   #ci/cd, #defend, #supply-chain
There's a myth that Sigstore makes revocation harder; in fact, the opposite is true! While it is true that the signatures on software are stored forever, software verification using Sigstore does support artifact revocation.

Introducing Package Analysis: Scanning open source packages for malicious behavior   #defend, #supply-chain
OpenSSF announced the initial prototype version of the Package Analysis project, a project addressing the challenge of identifying malicious packages in popular open source repositories.

Cloud-Native Ransomware - How attacks on availability leverage cloud services   #aws, #defend
Paper which outlines the paths a malicious actor might take to affect the availability of data by using the tools provided by Cloud Service Providers, as well as providing architectural patterns to make securing these systems easier and methods for detecting cloud-native ransomware.

CloudGoat goes Serverless: A walkthrough of Vulnerable Lambda Functions   #attack, #aws, #explain
This post walks through exploiting serverless environments and AWS Lambda functions via the CloudGoat vulnerable_lambda scenario.

"ExtraReplica" - a cross-account database vulnerability in Azure PostgreSQL   #attack, #azure
Wiz Research has discovered a chain of critical vulnerabilities in the widely used Azure Database for PostgreSQL Flexible Server. Dubbed ExtraReplica, this vulnerability allows unauthorized read access to other customers' PostgreSQL databases, bypassing tenant isolation.

Encrypting our way to SSRF in VMWare Workspace One UEM (CVE-2021-22054)   #attack
The Assetnote team discovered a pre-authentication vulnerability that allowed them to make arbitrary HTTP requests, with any HTTP method and request body. In order to exploit this SSRF, they had to reverse engineer the encryption algorithm used by VMWare Workspace One UEM to protect the request parameter.

What's New in Kubernetes Version 1.24   #explain, #kubernetes
The Kubernetes 1.24 release brings many changes, including Dockershim removal, signing of Kubernetes artifacts with Cosign, and other improvements.


Audit your GitHub data using custom policies written in Rego.

A codesigning tool for Python packages.

Easily check your clusters for use of deprecated APIs.

The Threat Hunting In Rapid Iterations (THIRI) Jupyter notebook is designed as a research aide to let you rapidly prototype threat hunting rules.

Job Advert

Doyensec is an independent security research and development company focused on vulnerability discovery and remediation. We love what we do and we routinely take on difficult engineering challenges to help our customers build with security.
We are looking for a Cloud Security Engineer to join our team. We need someone who has a strong interest in auditing and researching cloud platforms and containerized environments.
More details:

From the cloud providers

AWS Icon  How to control access to AWS resources based on AWS account, OU, or organization 🔥 🔥
AWS IAM launched new condition keys to make it simpler to control access to your resources along your organizational boundaries. By using the new conditions, aws:ResourceOrgID, aws:ResourceOrgPaths, and aws:ResourceAccount, you can define access controls based on an AWS resource's organization, organizational unit (OU), or account. These conditions make it simpler to require that your principals (users and roles) can only access resources inside a specific boundary within your organization.
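An added example (not from the AWS post) of how those keys are used in a service control policy. The first statement denies any action on a resource owned by an organization other than the caller's own; the `Null` check keeps the deny from firing on resources that have no owning account (so `aws:ResourceOrgID` is absent from the request context). The second statement restricts S3 data-plane actions to buckets owned by accounts under one OU; the OU path `o-exampleorg/r-exampleroot/ou-exampleou/*` is a placeholder, since `aws:ResourceOrgPaths` is multi-valued it needs a `ForAnyValue` set operator. Attach it to an OU, and expect to add a `NotAction` exclusion list for any action whose resource lives outside your organization (for example, reading a public AMI):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyResourcesOutsideMyOrg",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:ResourceOrgID": "${aws:PrincipalOrgID}"
        },
        "Null": {
          "aws:ResourceOrgID": "false"
        }
      }
    },
    {
      "Sid": "S3DataOnlyWithinWorkloadsOU",
      "Effect": "Deny",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringNotLike": {
          "aws:ResourceOrgPaths": "o-exampleorg/r-exampleroot/ou-exampleou/*"
        },
        "Null": {
          "aws:ResourceOrgPaths": "false"
        }
      }
    }
  ]
}
```

Before rolling this out, test it with the IAM policy simulator or a sandbox OU: a broad `Action: "*"` deny is easy to get wrong, and a mistake in the OU path silently cuts off legitimate cross-account data access.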

AWS Icon  How to integrate AWS STS SourceIdentity with your identity provider
How you can configure the AWS STS SourceIdentity attribute in Okta, Ping, and OneLogin to help you track usage of your APIs.

AWS Icon  Extend your pre-commit hooks with AWS CloudFormation Guard
How to extend your Git hooks to validate your AWS CloudFormation templates against policy-as-code rules by using AWS CloudFormation Guard.

GCP Icon  Announcing new simple query options in Cloud Logging
The faster you can find logs, the faster you can resolve issues! Google announced a simpler way to find logs in Logs Explorer.

GCP Icon  10 considerations to help you design cloud networks
Ten tips providing some insight into helping you design a better cloud network architecture from the beginning.

Azure Icon  Authentication and authorization in Azure Container Apps Preview
Azure Container Apps now includes built-in authentication. Integrate one or more identity providers without writing any code.

Azure Icon  Generally available: Controls to block domain fronting behaviour on customer resources
Block domain fronting behaviour on Azure Front Door, Azure Front Door (classic), and Azure CDN Standard from Microsoft (classic) resources.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.