Release Date: 03/07/2022 | Issue: 144
CloudSecList is a weekly newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand curated by Marco Lancini.
Sponsor

9 Questions you Should Ask About Your Cloud Security
Business leaders need to start asking new questions about the security of their cloud environment—and security teams need to be prepared to answer them. Cloud attackers don’t care about checklist security programs—they routinely cross the arbitrary boundaries we draw around things and sidestep security solutions to get what they’re after.
In 9 Questions You Should Ask About Your Cloud Security, Snyk and Fugue outline the knowledge every cloud security team should possess at all times.

This week's articles


The Open Cloud Vulnerability & Security Issue Database
#attack, #aws, #azure, #gcp
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues.


MiTM at the Edge - Abusing Cloudflare Workers
#attack, #cloudflare
An attacker compromising a Cloudflare account can abuse Workers to establish persistence and exfiltrate sensitive data.


Learnings from 5 years of tech startup code audits
#build
Some of the more surprising things learned while auditing Series A/B startups.


Vault Logging and Alerting on Day 1
#aws, #build, #vault
A step-by-step guide to building a free solution for Day 1 Vault logging and alerting on AWS.


Sky's the Limit: Stratus Red Team for Azure
#attack, #azure, #monitor
A write-up on using Stratus Red Team for testing threat detection rules.


FabricScape: Escaping Service Fabric and Taking Over the Cluster
#attack, #azure
FabricScape (CVE-2022-30137) is a privilege escalation vulnerability in Microsoft's Service Fabric that allowed cross-tenant root access to be built from unprivileged processes.


CloudGoat Scenario: Avoiding AWS Security Detection and Response
#attack, #aws
A walkthrough of the CloudGoat AWS detection_evasion scenario, detailing how to avoid AWS security detection and response services, such as those running in Lambda.

Tools


op-vscode
1Password for VS Code provides you with a set of tools to integrate your development workflow with 1Password, powered by the 1Password CLI. You can also read the companion blog post.


gitgat
Evaluate source control (GitHub) security posture.


vault-assessment-prometheus-exporter
A Prometheus exporter for monitoring aspects of secrets stored on a running HashiCorp Vault server.


azure-policy-tester
Run unit tests with Golang testing on your Azure policies. You can also read the companion blog post.

From the cloud providers


TLS 1.2 to become the minimum TLS protocol level for all AWS API endpoints
You will no longer be able to use TLS versions 1.0 and 1.1 with all AWS APIs in all AWS Regions by June 28, 2023.


How to use regional SAML endpoints for failover
Recommendations that can improve resiliency for those who use IAM federation, in the unlikely event that one of the regional endpoints becomes unavailable.


Announcing MITRE ATT&CK mappings for Google Cloud security capabilities
Google Cloud now supports improved, threat-informed defenses by mapping their native security capabilities to MITRE ATT&CK.


Disabling Exempted Users in Cloud Audit Logging
A new constraint to prevent additional principals from being exempted from audit logging.


Announcing general availability of Cloud Armor's new edge security policies, and support for proxy load balancers
Google announced two major capabilities that expand Cloud Armor's coverage to more types of workloads: edge security policies, and TCP/SSL Proxy Load Balancers.

Thanks for reading!

If you found this newsletter useful and interesting, and know other people who would too, I'd really appreciate if you could forward it to them 📨

If you have questions, comments, or feedback, just reply to this email or let me know on Twitter @lancinimarco!

Thanks,
Marco
© 2019-present, CloudSecList by Marco Lancini.