Release Date: 12/02/2023 | Issue: 174
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, you can do so with the Sign Up button.
Sponsor

JupiterOne: Know What You’re Defending
Perhaps the biggest problem in cybersecurity today is that companies don’t have a good understanding of what they’re defending. JupiterOne solves this foundational issue by collecting everything you own into a single system of record that includes cloud infrastructure, endpoints, DNS, SaaS apps, and more.
It connects the dots using graph-based technologies, allowing you to ask complex Attack Surface Questions, like "Show me all VMware-based systems associated with our crown jewels and that have something facing the internet."
Start your free account today

This week's articles


Integrating threat modeling with DevOps   #strategy
Reflections on how it is possible to adopt threat modeling more effectively and efficiently, integrating it with modern DevOps methodologies and tools, and focusing on the value provided to all the various actors involved with the Software Development Lifecycle.


threatmodel-for-azure-storage   #azure, #defend
A library of all the attack scenarios on Azure Storage, and how to mitigate them following a risk-based approach.


Privilege Escalation via storage accounts   #attack, #azure
Post explaining the risk of storage accounts and how to abuse them for lateral movement.


Restricting cluster-admin Permissions   #defend, #iam, #kubernetes
The cluster-admin ClusterRole gives the user access and permission to perform all operations on all resources in the cluster. What if we need to block an action performed by cluster admins? We can't do it with RBAC: it only allows adding permissions, not taking them away.


Fine-Grained RBAC For GitHub Action Workflows With GitHub OIDC and HashiCorp Vault   #ci/cd, #defend, #vault
DigitalOcean's approach to securing CI/CD through GitHub Actions, OIDC, and HashiCorp Vault.


Discovering a weakness leading to a partial bypass of the login rate limiting in the AWS Console   #attack, #aws
Post discussing a weakness in the AWS Console authentication flow that allowed an attacker to partially bypass the login rate limit.


Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation   #attack, #containers
Post discussing the details of six privilege escalation vulnerabilities found in Docker Desktop for Windows, and releasing a new tool named PipeViewer that scans for Windows named pipes with weak permissions.


Know Your App Services Before Your Enemy Does   #azure, #defend
A look at Azure App Services, security advice, and how to use Azure Resource Graph Explorer and other tools to implement these recommendations.


GitHub Actions - Updating the default GITHUB_TOKEN permissions to read-only   #announcement, #ci/cd
Previously, GitHub Actions got a GITHUB_TOKEN with both read and write permissions by default whenever Actions was enabled on a repository. As a default, this is too permissive, so to improve security GitHub changed the default going forward to a read-only token.

Tools


nomulus
Top-level domain name registry service on Google App Engine.


aws-iam-authenticator
A tool to use AWS IAM credentials to authenticate to a Kubernetes cluster.


secrets-patterns-db
An open-source database for detecting secrets, API keys, passwords, tokens, and more.


terraform-google-cloud-functions
A Terraform module which handles the deployment of Cloud Functions (Gen 2) on GCP.


terraform-aws-session-manager-settings
Allows configuration of logging settings for AWS SSM Session Manager.

Sponsor

Automating your security compliance with Vanta helps you get audit-ready fast.
Now, we also have an exclusive program where we'll work closely with a small number of companies to help you get your SOC 2 Type I in just 10 days. A SOC 2 Type I can help you close more deals, hit your revenue targets, and start laying a foundation of security best practices.
Due to the white glove support, spots in this program are extremely limited.
Complete the form to learn more and see if you qualify.

From the cloud providers


Visualize Your VPC Resources from Amazon VPC Creation Experience
Amazon announced VPC resource map, a new feature that displays your existing VPC resources and their routing visually on a single page, allowing you to quickly understand the architectural layout of the VPC.


The anatomy of ransomware event targeting data residing in Amazon S3
Post describing several important stages of your response to a ransomware event in Amazon S3, including detection, response, recovery, and protection.


Updated ebook: Protecting your AWS environment from ransomware
The new ebook includes the top 10 best practices for ransomware protection and covers new services and features that have been released since the original published date in April 2020.


Harden your Kubernetes clusters and monitor workload compliance with PCI DSS policy bundle
Policy Controller enables the enforcement of programmable policies for Anthos clusters.


Google Cloud Firewall capabilities to enhance your security posture and simplify configuration
Cloud Firewall has significantly enhanced its capabilities in the last six months. Here's what's new, and how it can help strengthen your security posture.


Rapid Vulnerability Detection overview
Rapid Vulnerability Detection, a built-in service of Security Command Center Premium, is a zero-configuration network and web application scanner that actively scans public endpoints to detect vulnerabilities that have a high likelihood of being exploited, such as weak credentials, incomplete software installations, and exposed administrator user interfaces.


Secure your application traffic with Application Gateway mTLS
Azure Application Gateway now supports mTLS and OCSP.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present, CloudSecList by Marco Lancini.