Release Date: 05/02/2023 | Issue: 173
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.


📑 XM Cyber's 2022 Attack Path Management Impact Report 📑
The industry's first annual report that reveals the likelihood and impact of a breach, analyzes the attack techniques used to compromise an organization's critical assets, and shares best practices to keep them protected. Download the report to learn:
  • How many steps it takes for attackers to compromise your critical assets
  • Top exposures and hygiene issues that form attack paths
  • Key findings related to attacks across hybrid, on-prem or multi-cloud networks, with specific insights on AWS and Azure

This week's articles

Incident Response in Google Cloud: Forensic Artifacts   #gcp, #monitor
This article examines forensic artifacts available in GCP and provides recommendations for triage and prioritization.

Threat Modelling Cloud Platform Services by Example: Google Cloud Storage   #gcp, #explain
A threat modelling exercise from NCC which demonstrated that user/tenant configuration choices matter when evaluating the overall security posture of an instance of Google Cloud Storage, and that a number of relative weaknesses can be improved through deliberate choices on behalf of the user.

2023 identity security trends and solutions from Microsoft   #attack, #azure, #defend
Microsoft has published a very good summary of Azure AD security trends in 2023, which also considers post-authentication attacks.

Data exfiltration with native AWS S3 features   #attack, #aws, #monitor
A deep dive into the different ways legitimate S3 features can be abused for data exfiltration, so as to better understand the shortcomings of native AWS logging and monitoring tooling and to offer some suggestions for detecting their use and abuse.

How Adversaries Can Persist with AWS User Federation   #attack, #aws, #iam
CrowdStrike has identified a novel technique that can use the sts:GetFederationToken API to escape typical containment practices and persist in AWS environments.

Sigstore's cosign and policy-controller with GKE, Artifact Registry and KMS   #build, #gcp, #kubernetes
Use Sigstore to sign container images and then enforce that only signed containers can run in GKE.

General availability of SLSA 3 Container Generator for GitHub Actions   #announcement, #supply-chain
The SLSA project announced the general availability of the SLSA 3 Container Generator for GitHub Actions, which allows any GitHub project to produce SLSA level 3 compliant provenance statements so users can verify the origin of container images they use.

Kubernetes and Cloud Security Associate (KCSA) certification coming in Q3 2023   #announcement
CNCF and The Linux Foundation announced the upcoming Kubernetes and Cloud Security Associate (KCSA) certification.

Native OPA Support in Terraform Cloud Is Now Generally Available   #announcement, #opa, #terraform
Native Open Policy Agent (OPA) support allows customers who have standardized on OPA to bring their policies into Terraform Cloud.

Terraform Cloud Adds Dynamic Provider Credentials for Vault and Official Cloud Providers   #announcement, #hashicorp, #terraform, #vault
Dynamic provider credentials for Terraform Cloud provide a simple and safe authentication workflow for Vault and official cloud providers.


Use ChatGPT to analyze AWS policies for vulnerabilities.

An enumeration and attack tool that allows both blue teamers and offensive security practitioners to evaluate the blast radius of a compromised personal access token within a GitHub organization.

A demo/testing OIDC token issuer. It will accept any claims as query parameters and mint valid OIDC tokens with them.

Generate a score for your sbom to understand if it will actually be useful.

Instant K8s service dependency map, right to your Grafana.


SecureFlag - Secure Coding Training
The SecureFlag training platform teaches secure coding through hands-on labs that run in virtualized desktop environments available through the browser. Developers, DevOps, and QA engineers learn using the same tools and technologies they use at work. Participants learn defensive programming via a gamified, adaptive training platform that includes learning paths, tournaments, assessments, & powerful metrics, enabling organizations to build highly effective, secure coding training programs.
SecureFlag now supports hands-on cloud labs targeting Terraform!

From the cloud providers

AWS CloudTrail Lake Supports Ingesting Activity Events From Non-AWS Sources
AWS announced support of ingestion for activity events from non-AWS sources using CloudTrail Lake, making it a single location of immutable user and API activity events for auditing and security investigations.

Define a custom session duration and terminate active sessions in IAM Identity Center
With AWS IAM Identity Center you now have the option to configure the appropriate session duration for your organization's needs while using new session management capabilities to look up active user sessions and revoke unwanted sessions.

How to set up ongoing replication from your third-party secrets manager to AWS Secrets Manager
How to use a third-party secrets manager as the source of truth for secrets while replicating a subset of them to AWS Secrets Manager.

Amazon increases NAT Gateway's capacity to support concurrent connections to a unique destination
You can now configure your NAT Gateway to support up to 440,000 concurrent connections to a unique destination by adding multiple IP addresses to the same NAT Gateway.

Mandiant now supports Attack Surface Management for Google Cloud
Google announced Mandiant Attack Surface Management for Google Cloud, which can enable customers to centralize visibility into cloud-hosted external assets.

BigQuery authorized views permissions via Terraform, avoiding the chicken & egg problem
How IAM is implemented on BigQuery datasets via Terraform, and how to correctly assign and preserve authorized view permissions without running into the chicken-and-egg problem.

gVisor File system Improvements for GKE and Serverless
gVisor rolled out two file system performance improvements to GKE and Serverless, VFS2 and LISAFS, which bring gVisor performance closer to native.

Announcing Security Command Center's project-level, pay-as-you-go options
Google Cloud's Security Command Center is now available on a project-level basis, with pay-as-you-go options.

Generally Available: Azure Kubernetes Service introduces two pricing tiers: Free and Standard
In the AKS Free tier you only pay for the virtual machines and the associated storage and networking resources consumed; the managed Kubernetes control plane is free.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

© 2019-present, CloudSecList by Marco Lancini.