Release Date: 15/01/2023 | Issue: 170
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:

☁ The Necessity of Attack Path Management for the Hybrid Cloud ☁
Published in collaboration with the Cloud Security Alliance (UK), this whitepaper explores how attackers create attack paths across on-prem and cloud networks. Download the whitepaper to discover:
  • Common attack techniques used to move across the hybrid cloud
  • Top 6 challenges for securing the cloud
  • Best practices to improve your cloud security posture

This week's articles

AWS Phishing: Four Ways   #attack, #aws, #defend
Post looking at some common phishing tactics in AWS: Credential Phishing, Device Authentication Phishing, CloudFormation Stack Phishing, and ACM Email Validation Phishing.

SES-pionage   #attack, #aws
What do attackers do with exposed AWS access keys? This blog looks inside AWS SES to give deeper insights into the service, why and how it's targeted, and how to detect it.

Hunting for signs of persistence in the cloud: an IR guide following the CircleCI incident   #aws, #azure, #gcp, #monitor
Learn how to detect malicious persistence techniques in AWS, GCP, and Azure after potential initial compromise, like with the CircleCI incident.

Detecting Anomalous AWS Sessions From Temporary Credentials   #aws, #explain, #iam
Learn about short-term access keys (unofficially also known as temporary tokens or temporary credentials) in AWS, and how they can be compromised.

Cedar: A new policy language   #aws, #explain, #iam
Cedar is a new language created by AWS to define access permissions using policies, similar to the way IAM policies work today. This post explains both why this language was created and how to author policies with it.

Improve GitHub Actions OIDC security posture with custom issuer   #aws, #build, #ci/cd
You can grant developers permission to invoke iam:CreateRole without worrying that an errant role trust policy has opened up access to the entirety of

Responding to an attack in AWS   #aws, #monitor
Post walking through the initial steps of an investigation following an incident in AWS.

Cloud Native and Kubernetes Security Predictions 2023   #strategy
A speculative look into the perils and opportunities that 2023 holds for cloud native security.

How to Connect to Kubernetes Clusters Using Boundary   #build, #hashicorp, #kubernetes
How to use HashiCorp Boundary to provide identity-based remote access and credential management for Kubernetes clusters.


Python library to carry out DFIR analysis on the Cloud.

A utility to dump all Protobuf file descriptors from a given binary as *.proto files.

A simple framework to explain how to centralize logs and detect a bare minimum of potential threats in Microsoft Azure.

Example code for bootstrapping trust between Terraform Cloud and cloud providers in order to use TFC's Workload Identity.

Introspecting and debugging Kubernetes applications using eBPF "gadgets".


Not sure what a Lambda extension is?
Read this blog by ClearVector to learn about Lambda extensions and the Lambda execution environment.

From the cloud providers

[AWS] Amazon S3 Encrypts New Objects By Default
Now, S3 automatically applies server-side encryption (SSE-S3) for each new object, unless you specify a different encryption option.

[AWS] Amazon RDS announces integration with AWS Secrets Manager
With this feature, RDS fully manages the master user password and stores it in AWS Secrets Manager whenever your RDS database instances are created, modified, or restored.

[AWS] Updated whitepaper available: AWS Security Incident Response Guide
Amazon updated the AWS Security Incident Response Guide to more clearly explain what you should do before, during, and after a security event.

[AWS] AWS announces changes to AWS Billing, Cost Management, and Account consoles permissions
AWS announces the retirement of the IAM actions for the AWS Billing, Cost Management, and Account consoles under the aws-portal service prefix, as well as purchase-orders:ViewPurchaseOrders and purchase-orders:ModifyPurchaseOrders, and is replacing them with fine-grained, service-specific actions.

[GCP] Best Kept Security Secrets: How VPC Service Controls can help build defense in depth
VPC Service Controls can play a vital role in creating additional security while making it easier to manage data in a way that most cloud services can't do today.

[GCP] Hierarchical Firewall Policy Automation with Terraform
How to use Infrastructure as Code to build Hierarchical Firewall Policies for consistently implementing guardrails in Google Cloud environments.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

© 2019-present, CloudSecList by Marco Lancini.