Release Date: 09/10/2022 | Issue: 158
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

Access and Security Trade-Offs for DevSecOps Teams
How do you stay secure while your team ships at scale? Learn about recent advances in technologies for balancing access and security for DevOps teams building cloud-native software. Download this free tech paper to check out security overhead, common trade-offs and emerging solutions.
Get your free copy now

This week's articles

Unofficial list of free resources to learn AWS for absolute beginners   #aws, #explain
An unofficial list of free resources to learn AWS for absolute beginners. This will be a living document.

Diving Deeply into IAM Policy Evaluation   #aws, #explain, #iam
A post going through confounding conditions, double and triple negatives, and principals matched and unmatched to explain a more accurate model of how IAM evaluates permissions internally.

State of AWS Security in 2022: A Look Into Real-World AWS Environments   #aws, #defend
Datadog analyzed trends in the implementation of security best practices and took a closer look at various types of misconfigurations that contribute to the most common causes of security breaches.

AWS Permission Boundaries for Dummies   #aws, #explain, #iam
Tl;dr: if you want someone to admin some IAM in an account but not all the IAM, then you might need one.
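The two IAM pieces above (how evaluation handles explicit denies and NotAction, and what a permissions boundary actually caps) are easier to see in a small executable model. The block below is an added illustration written for this issue, not AWS's evaluation engine and not code from either article: it models Action/NotAction, Resource wildcards, explicit-deny precedence and the identity-policy/boundary intersection, and deliberately leaves out Condition blocks, NotResource, resource-based policies, SCPs and session policies. The account id, role ARNs and policies are constructed placeholders.

```python
"""Simplified model of IAM identity-policy evaluation with a permissions
boundary.  Added illustration, not AWS's implementation: Condition blocks,
NotResource, resource policies, SCPs and session policies are ignored.
Account id, ARNs and policies below are constructed placeholders."""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """Does this statement apply to (action, resource)?  Action names are
    case-insensitive; '*' and '?' are the only wildcards IAM supports."""
    actions = _as_list(stmt.get("Action"))
    not_actions = _as_list(stmt.get("NotAction"))
    if actions:
        action_ok = any(fnmatchcase(action.lower(), p.lower()) for p in actions)
    else:
        # NotAction: the statement applies to every action EXCEPT those listed,
        # so Deny + NotAction reads "deny everything but ..." (a double negative).
        action_ok = not any(fnmatchcase(action.lower(), p.lower()) for p in not_actions)
    resource_ok = any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource")))
    return action_ok and resource_ok


def evaluate_policy(policy, action, resource):
    """'Deny' if any matching statement denies, else 'Allow' if one allows,
    else None (implicit deny)."""
    effects = {stmt["Effect"] for stmt in _as_list(policy.get("Statement"))
               if _statement_matches(stmt, action, resource)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return None


def is_allowed(identity_policies, action, resource, boundary=None):
    """An explicit Deny anywhere wins.  Otherwise the request needs an Allow
    from the identity policies AND, when a boundary is attached, from the
    boundary: the boundary caps what the identity policies can grant, it
    grants nothing by itself."""
    results = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in results:
        return False
    if boundary is not None and evaluate_policy(boundary, action, resource) != "Allow":
        return False
    return "Allow" in results


ACCOUNT = "123456789012"  # constructed placeholder account id

# Delegated IAM admin: full access in the identity policy ...
DELEGATED_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# ... capped by a boundary: S3, read-only EC2, and IAM only on "team-" roles.
TEAM_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*",
     "Resource": f"arn:aws:iam::{ACCOUNT}:role/team-*"}]}

# A Deny/NotAction statement: denies everything that is not S3.
DENY_ALL_BUT_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "NotAction": "s3:*", "Resource": "*"}]}

TEAM_ROLE = f"arn:aws:iam::{ACCOUNT}:role/team-deploy"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/OrganizationAccountAccessRole"


def worked_cases():
    """Decisions for a delegated admin under the boundary, with and without
    the Deny/NotAction statement attached as a second identity policy."""
    return {
        "create team role": is_allowed([DELEGATED_ADMIN], "iam:CreateRole", TEAM_ROLE, TEAM_BOUNDARY),
        "touch admin role": is_allowed([DELEGATED_ADMIN], "iam:UpdateAssumeRolePolicy", ADMIN_ROLE, TEAM_BOUNDARY),
        "run instances": is_allowed([DELEGATED_ADMIN], "ec2:RunInstances", "*", TEAM_BOUNDARY),
        "describe instances": is_allowed([DELEGATED_ADMIN], "ec2:DescribeInstances", "*", TEAM_BOUNDARY),
        "describe + deny-notaction": is_allowed([DELEGATED_ADMIN, DENY_ALL_BUT_S3],
                                                "ec2:DescribeInstances", "*", TEAM_BOUNDARY),
        "s3 + deny-notaction": is_allowed([DELEGATED_ADMIN, DENY_ALL_BUT_S3],
                                          "s3:GetObject", "arn:aws:s3:::bkt/key", TEAM_BOUNDARY),
    }


if __name__ == "__main__":
    for name, ok in worked_cases().items():
        print(f"{name:28s} {'ALLOW' if ok else 'DENY'}")
```

Two things the model makes visible: the boundary never grants anything (an Allow only in the boundary is still an implicit deny), and a Deny with NotAction hits every action outside the listed set, including ones the boundary allows. Because Condition blocks are out of scope here, the model does not cover the other half of the delegated-admin pattern: the admin's own policy must also require `iam:PermissionsBoundary` on CreateRole/CreateUser/attach calls, otherwise the delegate can mint a principal without the boundary and step outside it.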

What your scanner doesn't know **can** hurt you   #containers, #supply-chain
This post explains how most vulnerability scanners for containers work, and highlights a few challenges this approach has that can lead to blind spots in your infrastructure.

Kubernetes 1.25: alpha support for running Pods with user namespaces   #announcement, #kubernetes
This is a major improvement for running secure workloads in Kubernetes. Each pod gets only a limited subset of the host's UIDs and GIDs, adding a security layer that isolates it from other pods running on the same node.

Terraform Gains Visibility, Self-Service, and Compliance Upgrades   #announcement, #terraform
Continuous validation, no-code provisioning, native OPA support for Terraform Cloud, and other new features are key upgrades to HashiCorp Terraform introduced at HashiConf Global 2022.

Cyber Security Career Pathways   #strategy
A first attempt at grouping security-related roles into macro-functions commonly found in tech companies.

A Guide To Identify Authorization Vulnerabilities At Scale Using Semgrep   #defend
Some ideas on how to effectively identify, remediate and eliminate authorization vulnerabilities at scale in your org, via an example scenario and some SAST rules.

Ramblings from Jessie: Hard Multi-Tenancy in Kubernetes   #explain, #kubernetes
A design proposal for how to do hard multi-tenancy in Kubernetes.


Tools

AWS Secrets Manager GitHub Action
The AWS Secrets Manager team has launched their official GitHub action! Use it to retrieve secrets from AWS Secrets Manager and add them as masked environment variables in your GitHub workflow.

Dissect is a collection of Python libraries and tools to facilitate enterprise-scale incident response and forensics. It supports the analyst from the moment of acquisition of artifacts, to normalisation and processing.

Kubernetes-native Job Queueing. You can also refer to the companion blog post.

Logto helps build sign-in, auth, and user identity within minutes, by providing OIDC-based identity service.

CLI for building OPA policies into OCI images.

From the cloud providers

AWS Icon  AWS announces updated Support Plans Console with new IAM controls
Changing the AWS Support plan no longer requires the account root user.

AWS Icon  IAM Access Analyzer makes it simpler to author and validate role trust policies
AWS has updated the IAM console experience for role trust policies to make it simpler for you to author and validate the policy that controls who can assume a role.
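The property worth validating in a trust policy is exactly "who can assume this role, under which conditions". The block below is an added example of static checks a reviewer can run on a trust policy before saving it; it is not the Access Analyzer policy checks and not AWS code. It flags a wildcard principal with no Condition, a cross-account principal with no Condition (no sts:ExternalId or aws:PrincipalArn pinning), and a Federated principal with no Condition on the token claims. The account ids, OIDC provider ARN and sample policies are constructed.

```python
"""Static checks on a role trust policy.  Added illustration, not AWS's
policy validation; account ids, ARNs and policies are constructed."""
import re

# "123456789012", "arn:aws:iam::123456789012:root", ":role/x" or ":user/x"
_ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::root|:(?:role|user)/.+)?$")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Yield (kind, value) pairs.  Principal is either the string '*' or a
    dict such as {"AWS": [...], "Federated": "...", "Service": "..."}."""
    principal = stmt.get("Principal")
    if principal == "*":
        yield "AWS", "*"
    elif isinstance(principal, dict):
        for kind, values in principal.items():
            for value in _as_list(values):
                yield kind, value


def check_trust_policy(policy, own_account):
    """Return a list of findings for Allow statements granting sts:AssumeRole*.
    An empty list means nothing was flagged (not that the policy is safe)."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(a.startswith("sts:assumerole") or a in ("sts:*", "*") for a in actions):
            continue
        conditioned = bool(stmt.get("Condition"))
        for kind, value in _principals(stmt):
            if value == "*" and not conditioned:
                findings.append(f"statement {i}: principal '*' with no Condition; "
                                "any AWS principal can assume the role")
            elif kind == "AWS":
                m = _ACCOUNT_RE.match(value)
                if m and m.group(1) != own_account and not conditioned:
                    findings.append(f"statement {i}: cross-account principal {value} with no "
                                    "Condition (consider sts:ExternalId or aws:PrincipalArn)")
            elif kind == "Federated" and not conditioned:
                findings.append(f"statement {i}: federated principal {value} with no "
                                "Condition on the token's aud/sub claims")
    return findings


OWN = "123456789012"          # constructed: the account that owns the role
VENDOR = "999999999999"       # constructed: a third party's account
GITHUB_OIDC = f"arn:aws:iam::{OWN}:oidc-provider/token.actions.githubusercontent.com"


def _trust(principal, action="sts:AssumeRole", condition=None):
    stmt = {"Effect": "Allow", "Principal": principal, "Action": action}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


SAMPLES = {
    "wide open": _trust({"AWS": "*"}),
    "same account role": _trust({"AWS": f"arn:aws:iam::{OWN}:role/ci"}),
    "vendor, no external id": _trust({"AWS": f"arn:aws:iam::{VENDOR}:root"}),
    "vendor, external id": _trust({"AWS": f"arn:aws:iam::{VENDOR}:root"},
                                  condition={"StringEquals": {"sts:ExternalId": "example-external-id"}}),
    "github oidc, unpinned": _trust({"Federated": GITHUB_OIDC}, "sts:AssumeRoleWithWebIdentity"),
    "github oidc, pinned": _trust(
        {"Federated": GITHUB_OIDC}, "sts:AssumeRoleWithWebIdentity",
        condition={"StringEquals": {"token.actions.githubusercontent.com:aud": "sts.amazonaws.com"},
                   "StringLike": {"token.actions.githubusercontent.com:sub": "repo:example-org/example-repo:*"}}),
}


def report():
    """Number of findings per constructed sample policy."""
    return {name: len(check_trust_policy(policy, OWN)) for name, policy in SAMPLES.items()}


if __name__ == "__main__":
    for name, policy in SAMPLES.items():
        print(name, "->", check_trust_policy(policy, OWN) or "ok")
```

The checks are deliberately coarse: a Condition that does not actually pin anything useful (say, only a StringLike on a claim with a trailing `*`) still passes, so treat this as a pre-filter before a human reads the Condition block, not as an approval.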

AWS Icon  Amazon Machine Images now support Instance Metadata Service Version 2 by default
You can now set an EC2 Amazon Machine Image (AMI) to use Instance Metadata Service Version 2 (IMDSv2) by default.
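What "IMDSv2 by default" means on the wire is that instances launched from such an AMI only answer metadata requests that carry a session token obtained with a PUT, and an IMDSv1-style plain GET is refused. The block below is an added illustration of that exchange against a small local stand-in for the metadata service written here (it is not the real IMDS and not AWS code); the stand-in mimics an instance with tokens required, and the instance id it returns is a constructed value. The same client functions, pointed at `http://169.254.169.254`, are the real handshake.

```python
"""IMDSv2 token handshake against a constructed local stand-in for the
metadata service.  Added illustration, not the real IMDS and not AWS code."""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
# Ignore any http_proxy in the environment so 127.0.0.1 is reached directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class FakeIMDS(BaseHTTPRequestHandler):
    """Mimics an instance with tokens required: a GET without a valid session
    token (an IMDSv1 call) is answered 401."""
    tokens = set()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        if self.path == TOKEN_PATH and self.headers.get(TOKEN_TTL_HEADER):
            token = secrets.token_urlsafe(24)
            self.tokens.add(token)
            self._reply(200, token.encode())
        else:
            self._reply(400)

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) not in self.tokens:
            self._reply(401)
            return
        self._reply(200, b"i-0123456789abcdef0")  # constructed instance id


def start_fake_imds():
    server = HTTPServer(("127.0.0.1", 0), FakeIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def fetch_v1(base, path="/latest/meta-data/instance-id"):
    """IMDSv1 style: a plain GET with no token.  Returns (status, body)."""
    try:
        with OPENER.open(base + path, timeout=2) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def fetch_v2(base, path="/latest/meta-data/instance-id", ttl=21600):
    """IMDSv2: PUT for a session token (TTL in seconds), then GET with the
    token header.  Returns (status, body)."""
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT",
                                 headers={TOKEN_TTL_HEADER: str(ttl)})
    with OPENER.open(req, timeout=2) as r:
        token = r.read().decode()
    req = urllib.request.Request(base + path, headers={TOKEN_HEADER: token})
    with OPENER.open(req, timeout=2) as r:
        return r.status, r.read().decode()


def demo():
    """Run both styles against the stand-in and return their results."""
    server, base = start_fake_imds()
    try:
        return {"v1": fetch_v1(base), "v2": fetch_v2(base)}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name}: HTTP {status} {body!r}")
```

The PUT is the point: a typical SSRF or open-redirect primitive lets an attacker issue a GET with a URL they control, but not set a custom method plus a custom request header, so requiring the token closes the classic "read the credentials from 169.254.169.254" path. Setting the requirement on the AMI means nobody has to remember to pass the option at launch time.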

GCP Icon  Overview of Sensitive Actions Service - Security Command Center
Sensitive Actions Service is a built-in service of the Security Command Center Premium tier that detects actions taken in your Google Cloud organization, folders, and projects that could be damaging to your business if a malicious actor performed them.

GCP Icon  Introducing Workforce Identity Federation to easily manage workforce access to Google Cloud
Workforce Identity Federation lets users onboard to Google Cloud with the identity and credentials they already have in their external identity provider.

GCP Icon  De-identifying data using custom info types with DLP on Google Cloud
How to use Data Loss Prevention (DLP) to de-identify custom data, through masking, encryption, or other transformations.

GCP Icon  How Cloud tools help with healthcare data security
Data de-identification technology to help automate the identification and redaction of sensitive data using machine learning.

Azure Icon  Strengthen your security with Policy Analytics for Azure Firewall
Policy Analytics provides you with critical insights and analytics to optimize your Azure Firewall rules and strengthen your security posture.

Azure Icon  Azure Firewall Basic now in preview
Azure Firewall Basic is a new SKU of Azure Firewall designed to meet the needs of SMBs by providing enterprise-grade protection of their cloud environment at an affordable price point.

Sponsor CloudSecList

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or by email!

© 2019-present, CloudSecList by Marco Lancini.