Release Date: 19/06/2022 | Issue: 142
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:

Vanta's State of Startup Security Report
Vanta asked startups to honestly answer questions about their security posture, planning, and prioritization. Over 500 people took part in our survey and we're sharing the results.
Learn more today!

This week's articles

Incident report: Spotting an attacker in GCP   #attack, #defend, #gcp
A walk-through of how an attacker gained access to a customer's GCP environment, Expel's investigative process, and some key takeaways for securing your organization.

Introducing Gitsign   #announcement, #supply-chain
The Sigstore project has created a new tool called Gitsign, which aims to bring the best of Sigstore to Git with "keyless" signing and transparency log support, making it easy to get started with signing without the need to generate and manage long-term keys.

Going secretless and keyless with Spiffe Vault   #build, #supply-chain, #vault
Post introducing a small command line utility (spiffe-vault) that enables a whole bunch of use cases, such as secretless deployments, keyless code signing, and keyless encryption.

The cloud gray zone: secret agents installed by cloud service providers   #attack, #aws, #azure, #gcp
Wiz Research details how cloud middleware use across cloud service providers can expose customers' virtual machines to new attack vectors.

SynLapse - Technical Details for Critical Azure Synapse Vulnerability   #attack, #azure
This blog describes the technical details of SynLapse, a critical Synapse Analytics vulnerability in Microsoft Azure which allowed attackers to bypass tenant separation.

Public Travis CI Logs (Still) Expose Users to Cyber Attacks   #attack, #ci/cd
The Aqua Security team found that tens of thousands of user tokens are exposed via the Travis CI API, which allows anyone to access historical clear-text logs. More than 770 million logs of free tier users are available, from which you can easily extract tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS, and Docker Hub.

Unwanted Permissions that may impact security when using the ReadOnlyAccess policy in AWS   #aws, #iam
With this analysis, Tempest researchers identified at least 41 actions that can lead to improper data access.

How to Write Your First Rules in Rego, the Policy Language for OPA
Rego is the purpose-built declarative policy language that supports Open Policy Agent (OPA). It's used to write policy that is easy to read and easy to write.

AWS IAM Security Best Practices   #aws, #explain, #iam
A post going through a few top rules and best practices in AWS IAM.

Integrating Kubernetes into Traditional Infrastructure with HA Egress Gateway   #build, #kubernetes
Cilium HA Egress Gateway can integrate legacy applications with Kubernetes-based workloads by allowing you to specify which nodes a pod should use to reach the outside world.


A tool to simulate Amazon EC2 instance metadata.

mirrord lets you easily mirror traffic from your production environment to your development environment.

SOCless is a serverless framework built to help security teams easily automate their incident response and operations workflows.


Is your team drowning in container vulnerability noise?
According to CISA, new vulnerabilities reported each year have nearly tripled. In this new blog, learn how to reduce vulnerability noise by up to 95%, by eliminating the noise from vulnerabilities that pose no immediate risk. Find, focus and fix the threats that matter to prevent breaches.
Read the blog to learn how!

From the cloud providers

Upcoming changes required for AWS Config
On July 5, 2022, the AWS managed policy AWSConfigRole will be deprecated. It will continue working for all currently attached users, groups, and roles. However, after July 5, 2022, the AWSConfigRole managed policy can't be attached to any new users, groups, or roles.

Data Perimeter Workshop
This workshop takes you through some of the best practices and available AWS services and features for creating a boundary around your resources in AWS.

Automating detection of security vulnerabilities and bugs in CI/CD pipelines using Amazon CodeGuru Reviewer CLI
How to leverage Amazon CodeGuru Reviewer Command Line Interface (CLI) to integrate CodeGuru Reviewer into your Jenkins Continuous Integration & Continuous Delivery (CI/CD) pipeline.

Announcing general availability of Confidential GKE Nodes
Confidential GKE Nodes keep data encrypted in memory with a node-specific dedicated key that solely resides in the processor.

Announcing gcpdiag - Open Source Troubleshooting Tool for Google Cloud Platform
Google announced gcpdiag, an open source tool to detect configuration issues in Google Cloud projects, maintained by the Google Cloud Support team with contributions from the open source community.

Infrastructure Security in Google Cloud
A bird's eye view of Google Cloud infrastructure security and some services that help protect your infrastructure in Google Cloud.

Introducing managed zone permissions for Cloud DNS
It is now possible to delegate and distribute Cloud DNS zone management responsibilities to your application teams.

Simplify and centralize network security management with Azure Firewall Manager
Web Application Firewall (WAF) policy management in Azure Firewall Manager is now generally available.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.