Release Date: 24/07/2022 | Issue: 147
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.


Like a search engine for your cloud configurations
With JupiterOne, you can search for answers about your cloud configurations in a single place, and save any query in a dashboard or as an alert. There are an endless number of queries you can make in JupiterOne, and you can start anytime with a free account.

This week's articles

The Kubernetes Networking Guide   #explain, #kubernetes
The purpose of this website is to provide an overview of various Kubernetes networking components with a specific focus on exactly how they implement the required functionality.

Azure's Security Vulnerabilities Are Out of Control   #attack, #azure
Azure's multiple security vulnerabilities are highly concerning, for both customer data and the cloud's reputation. It's time we put public pressure on Azure.

Abusing the Replicator: Silently Exfiltrating Data   #attack, #aws
A comprehensive backup strategy is a cornerstone of any DR plan. But how would you distinguish between legitimate backup activity and malicious data exfiltration?

User and workload identities in Kubernetes   #explain, #iam, #kubernetes
Article explaining how users and workloads can authenticate with the Kubernetes API server.

Minimal Container Images: Towards a More Secure Future   #build, #containers
This post walks through the typical approaches in this space: minimal distributions, scratch and distroless.

2022 Argo external security audit: Lessons learned   #attack, #ci/cd, #containers
Twenty-six issues were identified: seven in Argo CD, six in Argo Workflows, and thirteen in Argo Events. If you are curious, you can read the full report.


Build, sign, and compute the SBOM of a container image
A reusable Github Action workflow that: builds a container image, scans it with Trivy, pushes it to ECR, signs it with cosign, and computes its SBOM with Syft.

Ping Castle Cloud is a tool designed to assess quickly the AzureAD security level with a methodology based on risk assessment and a maturity framework.

Sets up the Open Policy Agent (OPA) CLI in your GitHub Actions workflow.

The purpose of the Certificate Controller library is to provide an easy way for controller authors to bootstrap webhooks while making it possible for users to use more customizable projects like cert-manager.


A cheatsheet describing Sigstore's components, use cases, functioning, and implementation.


I'm writing a book! 📖
The CloudSec Engineer will be a book on how to enter, establish yourself, and thrive in the cloud security industry as an individual contributor.
You can sign up to get updates and free samples of the book as I write it at:

From the cloud providers

Best Practices for AWS Organizations Service Control Policies in a Multi-Account Environment
How you can plan your organization based on AWS best practices with recommended SCPs.

Automatically block suspicious DNS activity with Amazon GuardDuty and Route 53 Resolver DNS Firewall
How to use Amazon Route 53 Resolver DNS Firewall to automatically respond to suspicious DNS queries that are detected by Amazon GuardDuty within your AWS environment.

AWS Lambda announces support for Attribute-Based Access Control (ABAC)
AWS Lambda now supports attribute-based access control (ABAC) for API actions that take a Lambda function as their required resource, so permissions can be scoped by tags on the function rather than by listing individual function ARNs.
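As an added illustration of the pattern above (not taken from the AWS announcement), the IAM identity policy below grants a principal rights only over functions whose `team` tag matches the principal's own `team` tag, and only lets it create functions that are tagged for its team on creation. The tag key `team`, the account ID `123456789012`, and the specific set of actions are assumptions chosen for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageOnlyOwnTeamsFunctions",
      "Effect": "Allow",
      "Action": [
        "lambda:GetFunction",
        "lambda:InvokeFunction",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:DeleteFunction"
      ],
      "Resource": "arn:aws:lambda:*:123456789012:function:*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/team": "${aws:PrincipalTag/team}"
        }
      }
    },
    {
      "Sid": "CreateOnlyFunctionsTaggedForOwnTeam",
      "Effect": "Allow",
      "Action": "lambda:CreateFunction",
      "Resource": "arn:aws:lambda:*:123456789012:function:*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/team": "${aws:PrincipalTag/team}"
        }
      }
    },
    {
      "Sid": "ListingIsNotTagScoped",
      "Effect": "Allow",
      "Action": "lambda:ListFunctions",
      "Resource": "*"
    }
  ]
}
```

Two caveats a practitioner will hit: the `${aws:PrincipalTag/team}` variable only resolves if the tag is actually present on the IAM user, role, or session (for federated access it has to be passed as a session tag), and tag keys and values are compared case-sensitively, so an `OAuth`-style mismatch in capitalisation silently denies. Note also that `ListFunctions` is not scoped to a function resource, so it cannot be restricted by `aws:ResourceTag`; if the principal should also be able to tag or untag functions, `lambda:TagResource` and `lambda:UntagResource` need their own statement with `aws:TagKeys` / `aws:RequestTag` conditions, otherwise a user could retag a function to move it under another team's policy.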

Using Cloud Bigtable with IAM Conditions and Tags
Learn about limiting team members' access to Bigtable resources including more advanced techniques like conditional permissions.

How to overcome 5 common SecOps challenges
Here are 5 common issues that many SecOps teams struggle with, and how to fix them.

Microsoft open sources its software bill of materials (SBOM) generation tool
Salus is a general purpose, enterprise-proven, build-time SBOM generator. It works across platforms including Windows, Linux, and Mac, and uses the standard Software Package Data Exchange (SPDX) format.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.