Release Date: 19/02/2023 | Issue: 175
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

⭐O'Reilly Book from Teleport: Identity-Based Infrastructure Access Management⭐
Some of the largest companies in the world have seen a considerable increase in their security and a boost in developer productivity by replacing traditional access controls with Teleport's identity-native infrastructure access platform.
This innovative O'Reilly book will introduce the concept of identity-native infrastructure access, and how it’s rapidly replacing traditional secret-based approaches as the industry standard of infrastructure security.
Download the first 4 chapters now

This week's articles

Under-documented Kubernetes Security Tips   #defend, #explain, #kubernetes
There are some security practices which kinda don't fit into traditional hardening guides, don't get reported as CVEs, and just exist in the minds of expensive consultants.

How Using Deprecated Policies Creates Overprivileged Permissions   #aws, #iam
AmazonEC2RoleforSSM is a deprecated version of the now recommended AmazonSSMManagedInstanceCore. This post breaks down why AWS likely deprecated the original policy and how organizations leave themselves vulnerable by continuing to use these deprecated policies.

6 Keys to Securing User Uploads to Amazon S3   #aws, #build
How to architect AWS applications to securely enable user uploaded content, using pre-signed post URLs.

A Look at AWS API Protocols   #aws, #explain
An introduction to AWS API protocols and how they impact the structure of an AWS API request.

Kubernetes Security Checklist   #defend, #kubernetes
A baseline checklist for ensuring security in Kubernetes clusters.

Azure B2C: Crypto Misuse and Account Compromise   #attack, #azure
Microsoft's Azure Active Directory B2C service contained a cryptographic flaw which allowed an attacker to craft an OAuth refresh token with the contents for any user account. An attacker could redeem this refresh token for a session token, thereby gaining access to a victim account as if the attacker had logged in through a legitimate login flow.

Azure AD Kerberos Tickets: Pivoting to the Cloud   #attack, #azure
If you've ever been doing an internal penetration test where you've reached Domain Admin status and the organization has a cloud presence, its entire Azure cloud can still be compromised.

Canarytokens welcomes Azure Login Certificate Token   #announcement, #azure, #monitor
Canarytokens introduced the Azure Login Certificate Token (aka the Azure Token). You can sprinkle Azure tokens throughout your environment and receive high fidelity notifications whenever they're used.

Cloud drift detection: How to resolve out-of-state changes   #defend, #iac, #terraform
The keys to a successful IaC to IaaS drift detection strategy are: understanding when drift becomes a risk, implementing drift detection automation relevant to your stack, and classifying drift and routing the response to the right individual or team.


A Software as a Service (SaaS) log collection framework.

Create a break glass role for emergency use in order to limit production console access.

Centralized AWS CloudWatch Logs aggregation
Centralizing AWS CloudWatch log forwarding via EventBridge and Step Functions.

Set up a template to easily create and apply AWS Service Control Policies (SCPs) with Terraform.

PESD (Proxy Enriched Sequence Diagrams) Exporter converts Burp Suite's proxy traffic into interactive diagrams. You can also refer to the companion blog post.


Cyber Security is More Than Just Technology: It's a Cultural Movement
In today's digital world, it's crucial to prioritize security from the start. CLOUDYRION's Secure-by-Design approach helps build a strong cybersecurity culture from the ground up. Our experts will work with you to understand your organization's unique needs and develop a plan to improve your security maturity and shape future security champions. From secure cloud or K8s migration to a mature SDLC, we've got you covered. Contact us and learn more about the secure-by-design approach.

From the cloud providers

AWS: How to visualize IAM Access Analyzer policy validation findings with QuickSight
How to create a QuickSight dashboard to visualize the policy validation findings from IAM Access Analyzer.

AWS: Guidance for Baseline Security Assessment on AWS
This Guidance helps customers assess their foundational security setup in their AWS account. Use the provided AWS CloudFormation template to automate the assessment of your AWS accounts for security vulnerabilities and deliver an assessment report that includes steps on how to resolve the issues.

AWS: Tag workloads with AWS Config conformance packs across AWS accounts
An example of a customized Automation runbook, a capability of AWS Systems Manager, that automatically remediates non-compliant resources evaluated by the AWS Config rule "required-tags".

GCP: Move your data around easily with Storage Transfer Service
Google Cloud Storage Transfer Service (STS) enables you to move or back up your data to a Cloud Storage bucket or POSIX file system.

GCP: Secured Landing Zone service overview
After you deploy a security blueprint, you can enable an instance of the Secured Landing Zone service on that deployment to protect and enforce the security posture defined in the original blueprint.

Azure: Microsoft Azure Security expands variant hunting capacity at a cloud tempo
Post focusing on variant hunting as part of Microsoft's larger overall security program.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

© 2019-present, CloudSecList by Marco Lancini.