Release Date: 25/09/2022 | Issue: 156
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Who loves managing access to AWS infrastructure across multiple accounts? No one. It's time-consuming complexity which creates an unproductive experience for engineers and developers alike.
Teleport makes managing identity-based access to AWS infrastructure dead simple using a single identity across all your accounts. This allows organizations to eliminate access silos all while making engineers happy and maintaining security and compliance.
Try Teleport today

This week's articles

How we Abused Repository Webhooks to Access Internal CI Systems at Scale   #attack, #ci/cd
Any internet-originating attacker can leverage SCM webhook infrastructure to send traffic to internal CI systems and conduct malicious activities, ranging from obtaining valid CI credentials to running exploits and fully compromising the CI.

How DoorDash Ensures Velocity and Reliability through Policy Automation   #aws, #build, #opa
How DoorDash leverages OPA to build policy-based guardrails with codified rules that ensure velocity and reliability for automated cloud infrastructure deployments.

AWS IAM Identity Center Access Tokens are Stored in Clear Text and No, That's Not a Critical Vulnerability   #aws, #defend, #explain
Assuming constant full compromise of all machines is probably going to lead to controls where users can't reasonably do work.

AttachMe: critical OCI vulnerability allows unauthorized access to customer cloud storage volumes   #attack
Before it was patched, AttachMe could have allowed attackers to access and modify any other users' OCI storage volumes without authorization, thereby violating cloud isolation. Upon disclosure, the vulnerability was fixed within hours by Oracle. No customer action was required.

Azure Cloud Shell Command Injection: Stealing User's Access Tokens   #attack, #azure
This post describes how a researcher took over an Azure Cloud Shell trusted domain and leveraged it to inject and execute commands in other users' terminals.

The Challenges of Assessing Kubernetes clusters for PCI Compliance   #defend, #explain, #kubernetes
There are some complexities that auditors and assessors should be aware of if they are new to Kubernetes, and this blog post takes a quick look at them.

Azure Attack Paths   #attack, #azure
Post shedding some light on known attack paths in an Azure environment.

A Guide to Improving Security Through Infrastructure-as-Code   #defend, #explain, #iac
This article collects the main starting points into a guide on how to integrate security into infrastructure as code, and shows how these security checks and gates, tools and procedures secure the infrastructure.

Serverless Ad Blocking with Cloudflare Gateway   #build, #cloudflare
How I blocked advertisements in my home office, mimicking the Pi-hole's behaviour, using only serverless technologies (Cloudflare Gateway, to be precise).

Terraform 1.3 Improves Extensibility and Maintainability of Terraform Modules   #announcement, #terraform
Now generally available, HashiCorp Terraform 1.3 introduces optional object type attributes with defaults, and enhancements to moved blocks, improving extensibility and maintainability of Terraform modules.

Adding Kubernetes Support to Scout Suite
You can now have Scout Suite scan not only your cloud environments, but also your Kubernetes clusters. You can also refer to the companion blog post.

Wolfi is a lightweight GNU software distribution which is designed around minimalism, making it well-suited for containerized environments built with apko. You can also refer to the companion blog post.

dexter is an OIDC (OpenID Connect) helper that creates a hassle-free Kubernetes login experience powered by Google or Azure as the Identity Provider.

MerLoc is a live AWS Lambda function development and debugging tool. It allows you to run AWS Lambda functions locally while they remain part of a flow in the remote AWS cloud.

varc collects a snapshot of volatile data from a system. It tells you what is happening on a system, and is of particular use when investigating a security incident.

From the cloud providers

Announcing an update to IAM role trust policy behavior
AWS is changing role assumption behavior to always require self-referential role trust policy grants.

Amazon Route 53 announces support for DNS resource record set permissions
AWS introduced DNS resource record set permissions, enabling customers to define IAM create, edit, and delete policies for individual or groups of DNS record sets within a Route 53 public or private hosted zone.

Copy existing AWS CloudTrail trail events to an AWS CloudTrail Lake event data store
Amazon announced a new import feature that allows customers to copy existing trail events, recorded prior to the creation of the event data store, into a CloudTrail Lake event data store.

Introducing Custom Organization Policy for GKE to harden security
Custom organization policy for GKE can improve security and efficiency using guardrails you define tailored to your organization's needs, and it's offered to Google Cloud customers at no additional cost.

Google Cloud Firewall introduces Network Firewall Policies, IAM-governed Tags and more
The combination of the new policy structures and the IAM-governed Tags delivers a consistent firewall experience across the Google Cloud resource hierarchy. It simplifies operations while achieving more granular control, enabling a more least-privilege environment and allowing more self-service for the devops teams of each group or app.

Container analysis support for Maven and Go: Automatic Scanning of Containers in Public Preview
With the Container Scanning API enabled, any containers including Java (in Maven repositories) and Go language packages that are uploaded to an Artifact Registry repository will be scanned for vulnerabilities.

Security Roundup - stories and launches from second quarter 2022
Updates from Cloud External Key Manager, automatic data risk management for BigQuery using DLP, error remediation with Security Command Center, and Cloud Armor.

Azure Payment HSM achieves PCI PIN certification
Azure Payment HSM has achieved Payment Card Industry Personal Identification Number (PCI PIN) certification, offering customers secure digital payment solutions in the cloud.

Public preview: Encryption scopes on hierarchical namespace enabled storage accounts
You can now use separate encryption keys for each customer in a single hierarchical namespace enabled storage account.

Sponsor CloudSecList

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

© 2019-present, CloudSecList by Marco Lancini.