Release Date: 29/01/2023 | Issue: 172
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sponsor

TrustShare: Are you spending too much time on security questionnaires?
What would you rather do than answer security questionnaires? Our clients told us they’d rather close deals, spend time with customers, get ready for an upcoming audit, or even organize their inbox. Ouch.
TrustShare by Kintent is the only tool to cut down on the time you spend on questionnaires by creating a custom trust portal to securely share compliance documentation, and using AI to pre-populate over half of questionnaires. So you can get back to work, or take your dog for a nice walk.
Start today

This week's articles


Security Drone: Scaling Continuous Security at Revolut   #build, #iac, #strategy
How Revolut uses a custom system to scale and improve their continuous security scanning.


Elevating Security Alert Management Using Automation   #monitor, #strategy
A post that describes the Brex Detection and Response Team's approach to managing and automating security alerts at scale.


Enforcing Device AuthN & Compliance at Pinterest   #defend, #strategy
How Pinterest enforced the use of managed and compliant devices in their Okta authentication flow, using a passwordless implementation, so that access to their tools always requires a healthy Pinterest device.


Tampering User Attributes In AWS Cognito User Pools   #attack, #aws
Post explaining AWS Cognito User Attributes tampering and introducing a free lab to experiment with.


GitHub Container Registry private repos sometimes weren't  
GitHub Container Registry (GHCR) had an information leak bug, where names of private repos were exposed. Here's the background on how it was reported and fixed.


Mitigating RBAC-Based Privilege Escalation in Popular Kubernetes Platforms   #attack, #kubernetes
A recap on privilege escalation and powerful permissions in Kubernetes and an analysis of the ways various platforms have addressed it.


Enhancing Kubernetes security with user namespaces   #defend, #explain, #kubernetes
Learn how to improve cluster security with user namespaces, a new feature introduced in Kubernetes v1.25.


A Guide to Running Sigstore Locally   #build, #supply-chain
How to stand up a Sigstore deployment on your own Kubernetes infrastructure, so that you can take advantage of its benefits with the assurance of not exposing sensitive resources.


Provisioning Kubernetes clusters on AWS/GCP with Terraform   #aws, #build, #gcp, #kubernetes
Learn how you can leverage Terraform and GKE or EKS to provision identical clusters for development, staging and production environments with a single click.


HCP Packer Adds Ancestry to Track Image Relationships   #announcement, #hashicorp
Ancestry tracking for HCP Packer provides visibility into image dependencies across your cloud environment for image lifecycle management.

Tools


security-response-automation
Take automated actions on your Security Command Center findings.


GroovyWaiter
Exploiting and Securing Jenkins Instances at Scale. You can also refer to the companion blog post.


dynamodb-shell
ddbsh is a simple CLI for DynamoDB, modeled on isql and the MySQL CLI.


AWS Cryptographic Computing for Clean Rooms (C3R)
The Cryptographic Computing for Clean Rooms (C3R) encryption client and SDK provide client-side tooling which allows users to participate in AWS Clean Rooms collaborations leveraging cryptographic computing by pre- and post-processing data.


eks-creation-engine
The Amazon Elastic Kubernetes Service (EKS) Creation Engine (ECE) is a Python command-line program that facilitates the creation and enablement of secure EKS Clusters.

Sponsor

AlphaSOC: Free Adversary Simulation Utility
Want to test your threat detection stack? AlphaSOC has published Network Flight Simulator (flightsim) which is a free, open source utility that synthesizes malicious traffic patterns including C2 beacons, DGA traffic, DNS tunneling, SSH exfiltration, network scanning, and cryptomining. Use flightsim to instantly uncover detection blindspots and improve your SIEM / SOAR configuration.
Network Flight Simulator on GitHub

From the cloud providers


AWS: Introducing AWS Lambda runtime management controls
AWS Lambda is announcing runtime management controls which provide more visibility and control over when Lambda applies runtime updates to your functions.


AWS: How to improve security incident investigations using Amazon Detective finding groups
The finding groups feature reduces triage time and provides a clear view of related GuardDuty findings. With finding groups, you can investigate entities and security findings that might have been overlooked in isolation.


AWS: How to run AWS CloudHSM workloads in container environments
How to use Docker to develop, deploy, and run applications by using the CloudHSM SDK, and how to manage and orchestrate workloads by using tools and services like ECS, EKS, and Jenkins.


AWS: Visualize AWS WAF logs with an Amazon CloudWatch dashboard
How to use Amazon CloudWatch to monitor and analyze AWS WAF activity using the options in CloudWatch metrics, Contributor Insights, and Logs Insights.


GCP: Accessing Cloud SQL using Private Service Connect
How to privately connect to Cloud SQL from a remote network using PSC.


GCP: Apply policy bundles and monitor policy compliance at scale for Kubernetes clusters
Policy Controller enables the enforcement of programmable policies for Anthos clusters. This post introduces the new features launched for ACM Policy Controller.


Azure: Mitigate OWASP API security top 10 in Azure API Management
How to protect against common API-based vulnerabilities, as identified by the OWASP API Security Top 10 threats, using Azure API Management.


Azure: Classic VM retirement: extending retirement date to September 1st 2023
Microsoft extended the migration period for IaaS VMs from Azure Service Manager to Azure Resource Manager until the 1st of September 2023.


Azure: General availability: Application security groups support for private endpoints
Application security groups (ASGs) support for private endpoints is now generally available.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present, CloudSecList by Marco Lancini.