Release Date: 31/07/2022 | Issue: 148
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:

Automate up to 90% of the work required for security audits
Vanta simplifies the complex and tedious process of proving compliance, starting with SOC 2 and ISO 27001.

This week's articles

Exploiting GitHub Actions on open source projects   #attack, #ci/cd
GitHub Actions is phenomenal in many aspects. But its commonality can make it a target for bad actors. Here's how Tinder Security Labs detects security risks and what they recommend to identify potential vulnerabilities in workflows.

Protecting GCP Services with VPC Service Controls and Terraform   #build, #defend, #gcp
A post that explores VPC Service Controls through a common use case of VPC Service Control perimeters, takes a deep dive into some key concepts, and shows how to automate their administration with Terraform.

Container Security Considerations: Security Best Practices and Common Threats   #attack, #containers, #defend
Understand container security challenges and learn about critical container security best practices, such as securing images, registries, etc.

Identify Google Groups vulnerable to spam and spoofing   #attack, #gsuite
Google Groups delivers some unauthenticated emails to user inboxes, which puts group members at a higher risk of receiving spoofed and malicious emails and presents additional risk to the organization.

Attesting Image Scans With Kyverno   #build, #containers, #kubernetes
Using Sigstore Cosign, Trivy, GitHub Actions, and Kyverno to attest and verify continual vulnerability scans in container images run under Kubernetes.

Hacking an AWS hosted Kubernetes backed product, and failing   #attack, #aws, #kubernetes
Tales from a recent pentest of a product hosted on the AWS cloud backed by Kubernetes (EKS) and a whole lot of secure design goodness that withstood attack attempts.


IAM-Deescalate helps mitigate privilege escalation risk in AWS IAM. You can also refer to the companion blog post.

The policy-controller admission controller can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign.

A vulnerable-by-design Azure Lab to test your red team attacking and blue team detecting capabilities, from Mandiant.

From the cloud providers

AWS Single Sign-On (AWS SSO) is now AWS IAM Identity Center
For current AWS SSO customers, there is no change to how you centrally manage access to multiple AWS accounts or applications. The name change reflects the service capabilities, foundation in AWS Identity and Access Management (IAM), and role as the central place to manage access across AWS.

Malware protection now a feature of Amazon GuardDuty
Amazon GuardDuty Malware Protection is now available in Amazon GuardDuty to help detect malicious files residing on an instance or container workload running on Amazon Elastic Compute Cloud (Amazon EC2) without deploying security software or agents. Amazon GuardDuty Malware Protection adds file scanning for workloads using Amazon Elastic Block Store (EBS) volumes to detect malware that can be used to compromise resources, modify access permissions, and exfiltrate data.

AWS Security Hub now receives Amazon GuardDuty Malware Protection findings
AWS Security Hub now automatically receives Amazon GuardDuty Malware Protection findings. Amazon GuardDuty Malware Protection delivers agentless detection of malware on your Amazon Elastic Compute Cloud (EC2) instance and container workloads.

New for Amazon GuardDuty - Malware Detection for Amazon EBS Volumes
When you have GuardDuty Malware Protection enabled, a malware scan is initiated when GuardDuty detects that one of your EC2 instances or container workloads running on EC2 is doing something suspicious.

Amazon Detective Supports Kubernetes Workloads on Amazon EKS for Security Investigation
AWS announced new capabilities in Amazon Detective to expand security investigation coverage for Kubernetes workloads running on Amazon EKS. When you enable this new feature, Amazon Detective automatically starts ingesting EKS audit logs to capture chronological API activity from users, applications, and the control plane in Amazon EKS for clusters, pods, container images, and Kubernetes subjects (Kubernetes users and service accounts).

Amazon Macie introduces new capability to securely review and validate sensitive data found in an S3 object
A new capability in Macie that allows one-click, temporary retrieval of up to 10 examples of the sensitive data Macie found in an S3 object.

Combined OU and Accounts page now available in AWS Control Tower
A new Organization page in AWS Control Tower provides a hierarchical view of all organizational units (OUs) and accounts. Customers can now view, group, and manage their entire organizational structure from a single page.

Achieving Autonomic Security Operations: Why metrics matter (but not how you think)
Metrics can be a vital asset - or a terrible failure - for keeping organizations safe. Follow these tips to ensure security teams are tracking what truly matters.

DNS on GKE: Everything you need to know
This article tries to answer one simple question: when deciding how to use DNS with GKE, what are the native Kubernetes options, which options exist on Google Cloud, and how do the two play together?

Announcing password policy tools for Cloud SQL for PostgreSQL and MySQL local users
New password validation for Cloud SQL for PostgreSQL and MySQL local users simplifies password management and can help better secure databases.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.