Release Date: 03/07/2022 | Issue: 144
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

9 Questions you Should Ask About Your Cloud Security
Business leaders need to start asking new questions about the security of their cloud environment—and security teams need to be prepared to answer them. Cloud attackers don’t care about checklist security programs—they routinely cross the arbitrary boundaries we draw around things and sidestep security solutions to get what they’re after.
In 9 Questions You Should Ask About Your Cloud Security, Snyk and Fugue outline the knowledge every cloud security team should possess at all times.

This week's articles


The Open Cloud Vulnerability & Security Issue Database
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues.   #attack   #aws   #azure   #gcp


MiTM at the Edge - Abusing Cloudflare Workers
An attacker compromising a Cloudflare account can abuse Workers to establish persistence and exfiltrate sensitive data.   #attack   #cloudflare


Learnings from 5 years of tech startup code audits
Some of the more surprising things learned while auditing Series A/B startups.   #build


Vault Logging and Alerting on Day 1
A step-by-step guide to building a free solution for Day 1 Vault logging and alerting on AWS.   #aws   #build   #vault


Sky's the Limit: Stratus Red Team for Azure
A write-up on using Stratus Red Team for testing threat detection rules.   #attack   #azure   #monitor


FabricScape: Escaping Service Fabric and Taking Over the Cluster
FabricScape (CVE-2022-30137) is a privilege escalation vulnerability in Microsoft's Service Fabric that allowed an unprivileged process to gain cross-tenant root access on the cluster.   #attack   #azure


CloudGoat Scenario: Avoiding AWS Security Detection and Response
A walkthrough of the CloudGoat AWS detection_evasion scenario, detailing how an attacker could avoid AWS security detection and response services, including those running in Lambda.   #attack   #aws

Tools


op-vscode
1Password for VS Code provides you with a set of tools to integrate your development workflow with 1Password, powered by the 1Password CLI. You can also read the companion blog post.


gitgat
Evaluate source control (GitHub) security posture.


vault-assessment-prometheus-exporter
A Prometheus exporter for monitoring aspects of the secrets stored on a running HashiCorp Vault server.


azure-policy-tester
Run unit-tests with Golang testing on your Azure policies. You can also read the companion blog post.

From the cloud providers


#AWS   TLS 1.2 to become the minimum TLS protocol level for all AWS API endpoints
You will no longer be able to use TLS versions 1.0 and 1.1 with all AWS APIs in all AWS Regions by June 28, 2023.


#AWS   How to use regional SAML endpoints for failover
Recommendations that can improve resiliency for those who use IAM federation, in the unlikely event that one of the regional endpoints becomes unavailable.


#GCP   Announcing MITRE ATT&CK mappings for Google Cloud security capabilities
Google Cloud now supports improved, threat-informed defenses by mapping their native security capabilities to MITRE ATT&CK.


#GCP   Disabling Exempted Users in Cloud Audit Logging
A new organization policy constraint that prevents additional principals from being exempted from audit logging.


#GCP   Announcing general availability of Cloud Armor's new edge security policies, and support for proxy load balancers
Google announced two major capabilities that expand Cloud Armor's coverage to more types of workloads: edge security policies, and TCP/SSL Proxy Load Balancers.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco
© 2019-present CloudSecList · Marco Lancini