Release Date: 22/05/2022 | Issue: 138
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.


Source code leaks are to be taken seriously.
They damage your brand's reputation and can also put some of a company's most valuable assets at risk. Don't offer attackers what they value most: a complete picture of the inner workings of a piece of software, including its flaws, the processes, and the people involved.
With the explosion of the code-sharing platform GitHub, monitoring a company’s public footprint has become one of the most challenging tasks for threat intelligence analysts.
Use the free tool HasMyCodeLeaked to find out whether your intellectual property has leaked.

This week's articles

Tetragon - eBPF-based Security Observability & Runtime Enforcement   #announcement, #containers, #monitor
Isovalent announced the open source release of Tetragon, an eBPF-based security observability and runtime enforcement platform that has been part of Isovalent Cilium Enterprise for several years.

Zero Maintenance AWS Canary Tokens That Scale   #aws, #monitor
By utilizing temporary credentials (credentials returned as the result of the AssumeRole operation) as honeytokens, we can deploy a honeytoken approach that scales with our environment, utilize existing detection mechanisms (CloudTrail alerting), and remove the need to run a set of infrastructure dedicated to managing IAM Users.

Learning from AWS Customer Security Incidents [2022]   #attack, #aws, #defend
Slides of a post discussing the public catalog of AWS Customer Security Incidents, covering over twenty different public breaches. It walks through the technical details of these attacks, establishes the common root causes, looks at lessons learned, and shows how you can proactively secure your environment against these real-world risks.

Trampoline Pods: Node to Admin PrivEsc Built Into Popular K8s Platforms   #attack, #gcp, #kubernetes
Researchers from Palo Alto Networks presented research findings on "trampoline pods": pods with an elevated set of privileges required to do their job, but that could conceivably be used as a jumping-off point to gain escalated privileges. You can also read GKE's response.

Terraform CI code execution restrictions   #attack, #ci/cd, #terraform
A post explaining RCE via Terraform providers and provisioners, supply chain attack scenarios, and mitigations.

Plain Kubernetes Secrets are fine   #defend, #kubernetes
By creating a threat model that includes the kinds of attacks you want to mitigate, it's clear that managing secrets safely is extremely difficult. The problem is NOT that secrets are just base64 encoded; that was never meant as a security feature. And the problem cannot be simply waved away by software/cloud providers and their flashy documentation.

Implementing Secure Code in the Cloud   #aws, #defend, #gcp
Learn how to implement security in the cloud at the application layer.

Role Based Access Control Good Practices   #explain, #kubernetes
Principles and practices for good RBAC design for cluster operators.

Introducing Envoy Gateway   #announcement
The announcement of Envoy Gateway, a new member of the Envoy Proxy family aimed at significantly decreasing the barrier to entry when using Envoy for API Gateway (sometimes known as “north-south”) use cases.


Trivy now scans Kubernetes
Trivy can now scan Kubernetes clusters. It reports vulnerabilities and misconfigurations when scanning a full cluster, a namespace, or a single resource.

A Kubernetes shell that allows you to escape to the host while obfuscating itself from the API server.

A tool for securing CI/CD workflows with version pinning.

A kubectl plugin that lets you see the running configuration of all containers running inside pods.


99% of cloud identities are granted excessive permissions that are left unused
This and other shocking findings are part of new research from Unit 42, Palo Alto Networks’ global threat intelligence arm. Poor identity and access management (IAM) leaves the door open for malicious actors to target your organization. In their latest report, Unit 42 compiled an industry-first Cloud Threat Actor Index charting the cloud-specific TTPs used to target cloud infrastructure. Get your copy now to learn who attacks cloud infrastructure and how they do it, as well as why proper IAM is your first line of defense and how to implement it. Short on time?
Get the executive summary.

From the cloud providers

Choosing the right certificate revocation method in ACM Private CA
Post covering two fully managed certificate revocation status checking mechanisms provided by ACM PCA: the Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRLs). OCSP and CRLs both let you manage how you notify services and clients about ACM PCA-issued certificates that you revoke.

Incident Manager from AWS Systems Manager expands support for runbook automation
Incident Manager, a capability of AWS Systems Manager, announces expanded support for runbook automation to speed up incident diagnosis and resolution.

Announcing policy guardrails for Terraform on Google Cloud CLI preview
Learn more about how gcloud terraform vet allows you to apply pre-deployment checks and guardrails to your Terraform infrastructure configurations.

Announcing federating workloads to Google Cloud with SAML
Customers who use a SAML-based identity provider are able to take advantage of Workload Identity Federation to reduce their use of long-lived service account keys.

Introducing Google Cloud's new Assured Open Source Software service
Announcing Google Cloud's new Assured Open Source Software Service, which can help organizations add the same software that Google uses into their own workflows.

Public preview: AKS Private Link Service integration
You can now have AKS take care of creating the Private Link Service association to the Kubernetes service identified by the frontend IP configuration of an internal Azure Load Balancer.

Public preview: Key Management System integration
You can now store secrets in BYOK-encrypted etcd using Key Management System (KMS).

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!


© 2019-present, CloudSecList by Marco Lancini.