Release Date: 21/08/2022 | Issue: 151
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.


This week's articles

Characterizing the Security of Github CI Workflows   #ci/cd, #defend, #design
Paper comparing 6 popular CI/CD platforms and how they enforce security properties like: Admittance Control, Execution Control, Code Control, and Access to Secrets.

Auditing RBAC - Redux   #iam, #kubernetes
Tools are a great way to get started with understanding cluster rights, but we always have to be aware that they can only tell you what they can see within the scope of their operation.

Three Guardrails for AWS Lambda   #aws, #defend
Three guardrails you can put in place around that Lambda code: code signing, function versions and aliases, and Amazon CodeGuru Reviewer.

Automating Insecurity In Azure   #attack, #azure, #defend
Slides of the talk of the same name at @cloudvillage_dc.

GCP: Monitor IAM role assignments via Log Alerts in GCP   #build, #gcp, #monitor
How to create Log alerts in GCP to track specific IAM role assignments.

GitOps: A Simple Approach to using AWS Secrets Manager with Kubernetes   #build, #kubernetes
A starting point for secrets management in Kubernetes by using simpler ideas and minimal tooling.

How to setup geofencing and IP allow-list for Cognito user pool   #aws, #build
AWS announced a new feature this week that lets you enable WAF protection for Cognito user pools. And one of the things you can do with this is to implement geo-fencing and IP allow/deny lists.

Modern workload identity with SPIFFE & Trust Domains   #build, #explain
How to configure SPIFFE workload identities using cert-manager.


Threatest is a Go framework for end-to-end testing threat detection rules. You can also refer to the companion blog post.

A modern watch command. Time machine and pager.

Packet traffic visualization for Kubernetes.

Stratus Red Team adds GCP support
Stratus now also has attack techniques for GCP, grouped by MITRE ATT&CK tactic.

Trivy adds AWS support
You can now scan your AWS Services for security issues with Trivy.

From the cloud providers

AWS: How to detect suspicious activity in your AWS account by using private decoy resources
How you can create low-cost private decoy AWS resources in your AWS accounts and configure them to generate alerts when they are accessed.

AWS: Amazon Cognito enables native support for AWS WAF
You can now enable AWS WAF protections for Amazon Cognito, making it even easier to protect Amazon Cognito user pools and hosted UI from common web exploits.

GCP: Use Snoozes to temporarily disable your alerts and notifications
Snooze alert policies to prevent the creation of alerts and notifications. This is useful during maintenance windows, non-business hours, and more.

GCP: Building security guardrails for developers with Google Cloud
For many organizations with security top of mind, their concern is "How do I balance security and innovation?". This blog explores techniques commonly used to configure security guardrails for developers.

GCP: Securing apps for Googlers using Anthos Service Mesh
ASM is a powerful tool that enterprises can use to modernize their IT infrastructure. It provides a shared, environment-agnostic enforcement point to manage security policy, and a unified way to provision identities and describe application dependencies.

Azure: Announcing Microsoft Dev Box Preview
Microsoft announced the preview of Dev Box, a managed service that enables developers to create on-demand, high-performance, secure, ready-to-code, project-specific workstations in the cloud.

Azure: General availability: Network security groups support for private endpoints
Network security groups (NSGs) support for private endpoints is now generally available.

Azure: Generally available: Key management system integration with AKS
AKS now supports key management system (KMS) plugin integration. This generally available capability enables encryption at rest of your Kubernetes data in etcd using Azure Key Vault. This means you can now store secrets in bring your own key (BYOK) encrypted etcd using KMS.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

© 2019-present, CloudSecList by Marco Lancini.