Release Date: 04/12/2022 | Issue: 166
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up
The re:Invent edition
With re:Invent happening this past week, this CloudSecList issue will have a more extensive section showcasing the primary security-related announcements that came out of it.
Back to business as usual from next week!

DevSecGuide to Kubernetes
Kubernetes® is the de facto container orchestration system, offering development teams scale, flexibility, and speed when running cloud-native applications. For all its benefits, however, it also brings new complexity and risk. This guide explores the unique considerations Kubernetes presents for securing cloud-native apps and how to embrace DevSecOps along the way. Learn about:
  • Security considerations across each layer of Kubernetes
  • Kubernetes security best practices
  • DevSecOps tips for cloud-native apps
  • And more!
Download The DevSecGuide to Kubernetes for free!

This week's articles

Attacker persistence in Kubernetes using the TokenRequest API: Overview, detection, and prevention   #attack, #kubernetes
The TokenRequest API in Kubernetes can be misused to create backdoors in clusters. This blog looks the how to secure and audit its use.

Yet Another Azure VM Persistence Using Bastion Shareable Links   #attack, #azure
These links have no additional authentication and are publicly accessible. faster, cheaper and Generally Available (GA)   #announcement, #kubernetes
Starting with 1.25, Kubernetes' container image registry has changed from to This new registry spreads the load across multiple Cloud Providers & Regions, functioning as a sort of CDN for Kubernetes container images.


An experimental prototype OCI registry on Cloudflare Workers.

Forecastle is a control panel which dynamically discovers and provides a launchpad to access applications deployed on Kubernetes.

Colorize your kubectl output.

A collection of plugins for kubectl integration.

Sponsor CloudSecList

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

From the cloud providers

AWS Icon  Fine-Grained Authorization - Amazon Verified Permissions
Amazon Verified Permissions provides developers with a centralized fine-grained permissions management and authorization system for custom applications.

AWS Icon  Amazon Inspector Now Scans AWS Lambda Functions for Vulnerabilities
Amazon Inspector is available starting today for functions and layers written in Java, NodeJS, and Python.

AWS Icon  Failover Controls for Amazon S3 Multi-Region Access Point
In the event that connectivity between a client and a bucket in a particular Region is lost, the Multi-Region Access Point will automatically route all traffic to the closest bucket (synchronized via S3 Replication) in another Region.

AWS Icon  Automated Data Discovery for Amazon Macie
Automated data discovery automates the continual discovery of sensitive data and potential data security risks across your entire set of buckets aggregated at AWS Organizations level.

AWS Icon  AWS Config Rules Now Support Proactive Compliance
AWS Config rules have been extended to support proactive mode so that they can be run at any time before provisioning and save time spent to implement custom pre-deployment validations.

AWS Icon  New for AWS Control Tower - Comprehensive Controls Management
You can use it to apply managed preventative, detective, and proactive controls to accounts and OUs by service, control objective, or compliance framework. AWS Control Tower does the mapping between them on your behalf, saving time and effort.

AWS Icon  Protect Sensitive Data with Amazon CloudWatch Logs
A new set of capabilities for Amazon CloudWatch Logs that leverage pattern matching and machine learning (ML) to detect and protect sensitive log data in transit.

AWS Icon  Amazon ECS Service Connect Enabling Easy Communication Between Microservices
ECS Service Connect provides an easy network setup and seamless service communication deployed across multiple ECS clusters and virtual private clouds (VPCs). You can add a layer of resilience to your ECS service communication and get traffic insights with no changes to your application code.

AWS Icon  Amazon SQS announces ABAC for flexible and scalable access permissions
It's now possible to grant access to your Amazon Simple Queue Service queues based on their tags.

AWS Icon  Announcing AWS KMS External Key Store (XKS)
Store and use your encryption keys on premises or outside of the AWS Cloud.

AWS Icon  Announcing delegated administrator for AWS Organizations
It is now possible to delegate the management of your Organizations policies, enabling you to govern your AWS organization and member accounts with increased agility and decentralization.

AWS Icon  Introducing VPC Lattice - Simplify Networking for Service-to-Service Communication
With VPC Lattice, you can define policies for traffic management, network access, and monitoring so you can connect applications in a simple and consistent way across AWS compute services.

AWS Icon  Amazon Security Lake
A purpose-built service that automatically centralizes an organization's security data from cloud and on-premises sources into a purpose-built data lake stored in your account.

AWS Icon  Amazon GuardDuty RDS Protection now in preview
Amazon GuardDuty RDS Protection profiles and monitors access activity to existing and new databases in your account, and uses tailored machine learning models to accurately detect suspicious logins to Aurora databases.

AWS Icon  AWS Verified Access Preview: VPN-less Secure Network Access to Corporate Application
A new secure connectivity service that allows enterprises to enable local or remote secure access for their corporate applications without requiring a VPN.

GCP Icon  Explore the new Learn Kubernetes with Google website
The new website Learn Kubernetes with Google brings together under one roof the guidance of Kubernetes experts, both from Google and across the industry, to communicate the latest trends in building your Kubernetes infrastructure.

GCP Icon  How data embassies can strengthen resiliency with sovereignty
Embassies have been foreign safe havens for generations. The concept has been extended to data in the digital world, made possible by the flexible, distributed nature of the cloud. Here's how it works.

GCP Icon  Low-latency fraud detection with Cloud Bigtable
Explore the end to end flow of detecting fraudulent payments with a low-latency and horizontally scalable system powered by tools like Bigtable.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present, CloudSecList by Marco Lancini.