Release Date: 08/05/2022 | Issue: 136
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

Interested in beta testing a new Cloudflare security product?
Cloudflare is excited to share a new opportunity to try out one of our latest platform additions, Cloudflare CASB. This new product gives IT and security teams a ridiculously easy way to connect their SaaS apps - like Google Workspace and Microsoft 365 - and scan them for critical security issues and risks, like misconfigurations, insecure file sharing, and shadow IT.
Sound like something that could help at your organization?
Please visit and submit our beta access form to get started!

This week's articles

Old Services, New Tricks: Cloud Metadata Abuse by UNC2903   #attack, #aws
Mandiant identified exploitation of public-facing web applications by threat actors (UNC2903) to harvest credentials using Amazon's Instance Metadata Service (IMDS).

Compromising Read-Only Containers with Fileless Malware   #attack, #containers
Post exploring the mechanics and prevalence of malware fileless execution in attacking read-only containerized environments.

CloudFlare Pages, part 1: The fellowship of the secret   #attack, #cloudflare
A 3-part serie (see also Part 2 and Part 3) uncovering issues like: command injection, container escapes, Github tokens, Cloudflare's Github tokens, Cloudflare API Keys to Cloudflare Organisation, and Cloudflare's Azure API tokens amongst other things. You can also read Cloudflare's own writeup.

SBOM + SLSA: Accelerating SBOM success with the help of SLSA   #defend, #supply-chain
Post explaining the strengths of SBOMs and SLSA and how they fundamentally differ, and shows how SLSA principles can both support the generation of high-quality SBOMs and help consumers respond to supply chain attacks.

Kubernetes signals massive adoption of Sigstore for protecting open source ecosystem   #containers, #defend, #kubernetes, #supply-chain
Kubernetes 1.24 will be the first release officially using Sigstore, enabling seamless verification of signatures to protect against supply chain attacks across the 5.6m developer community. This marks a huge shift toward verifiable infra.

Increasing the security bar in Ingress-NGINX v1.2.0   #defend, #kubernetes
The Ingress may be one of the most targeted components of Kubernetes. While its risks are well understood, it's not an easy process to tackle them, so the Kubernetes community took another approach to reduce (but not remove!) them in the current (v1.2.0) release: by isolating the NGINX service as a container inside the controller container.

Bottlerocket Security Guidance   #aws, #build
Recommendations, details, and examples to help you create a configuration that meets your security and compliance requirements.

Limiting access to Kubernetes resources with RBAC   #explain, #iam, #kubernetes
How to recreate the Kubernetes RBAC authorization model from scratch and practice the relationships between Roles, ServiceAccounts, RoleBindings, etc.

Intro to OCI Reference Types   #containers, #explain
What is OCI? OCI stands for Open Container Initiative. This is a group which oversees a collection of open specifications relating to containers. If you have ever run an application on Kubernetes, then you have leveraged OCI.

Gaining Unlimited access to graph AuditLogs endpoint using complex filters with non-privileged user account   #attack, #azure
Another Azure vulnerability, this time allowing an unprivileged user to modify graph search filters so that user could access logs which would normally require admin roles.


Pre-commit git hooks for Open Policy Agent (OPA) and Rego development.

Python library to carry out DFIR analysis on the Cloud.

ChopChop is a CLI to help developers scanning endpoints and identifying exposition of sensitive services/files/folders.

GitGoat enables DevOps and Engineering teams to test security products intending to integrate with GitHub. GitGoat is a learning and training project that demonstrates common configuration errors that can potentially allow adversaries to introduce code to production.

Job Advert

Doyensec is an independent security research and development company focused on vulnerability discovery and remediation. We love what we do and we routinely take on difficult engineering challenges to help our customers build with security.
We are looking for a Cloud Security Engineer to join our team. We need someone who has a strong interest in auditing and researching cloud platforms and containerized environments.
More details:

From the cloud providers

AWS Icon  AWS Well-Architected Labs - Security
Hands on labs and real world design scenarios for Well-Architected workloads.

AWS Icon  Authenticate AWS Client VPN users with AWS Single Sign-On
How to integrate Client VPN with an existing AWS Single Sign-On via a custom SAML 2.0 application to authenticate and authorize Client VPN connections and traffic.

AWS Icon  Disabling Security Hub controls in a multi-account environment
An automated process for disabling or enabling selected AWS Security Hub controls across multiple accounts and multiple regions.

AWS Icon  Implement OAuth 2.0 device grant flow by using Amazon Cognito and AWS Lambda
How to implement the OAuth 2.0 device authorization grant flow for Amazon Cognito by using AWS Lambda and Amazon DynamoDB.

GCP Icon  Introducing SWIFT on Google Cloud
Introducing SWIFT on Google Cloud - modernize your payments by bringing them to the cloud.

GCP Icon  CIS hardening support in Container-Optimized OS from Google
Google's latest Container-Optimized OS release supports CIS benchmark compliance and can provide continuous CIS scanning capabilities.

Azure Icon  Customize your secure VM session experience with native client support on Azure Bastion
Azure Bastion is a fully managed jumpbox-as-a-service that provides secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to your VMs in local or peered virtual networks. With native client support available on the Standard SKU for Azure Bastion, you now unlock customizable features and added functionality in your VM sessions.

Azure Icon  Intelligent application protection from edge to cloud with Azure Web Application Firewall
Microsoft has been evolving Azure Web Application Firewall (Azure WAF), a cloud-native, self-managed security service to protect your applications and APIs running in Azure or anywhere else, from the network edge to the cloud.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present, CloudSecList by Marco Lancini.