Release Date: 26/02/2023 | Issue: 176
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

Wiz’s 2023 State of the Cloud Report
Wiz’s State of the Cloud 2023 report provides analysis of trends in cloud usage such as multi-cloud, use of managed services and more. The report highlights notable cloud risks based on our scanning of over 200,000 cloud accounts, including more than 30% of the Fortune 100 environments. For instance, our data shows that 47% of companies have at least one database or storage bucket publicly exposed to the internet, and an attacker can discover and access an exposed bucket in less than 13 hours.
Download the Report

This week's articles

Down the Cloudflare / Stripe / OWASP Rabbit Hole: A Tale of 6 Rabbits Deep   #build, #cloudflare
A tale from Troy Hunt of firewalls, APIs and sifting through layers and layers of different services to sniff out the root cause of something that seemed very benign, but actually turned out to be highly impactful.

My CI/CD pipeline is my release captain   #aws, #build, #ci/cd, #strategy
How Amazon continuously release changes to production by practicing trunk-based development, by using CI/CD pipelines to manage deployment artifacts and coordinate releases across multiple production environments, and by practicing proactive and automatic rollbacks.

Lateral movement risks in the cloud: from compromised cloud resource to Kubernetes cluster takeover   #attack, #defend, #kubernetes
Post discussing lateral movement risks from the cloud to Kubernetes: it explains attacker TTPs, and outlines best practices for cloud builders and defenders to help secure their cloud environments and mitigate risk.

How to Achieve Application & Cloud Security Resilience   #strategy
A guide to defining and maturing a truly resilient Application and Cloud Security program through automation and data.

To DIY or Not to DIY; Key Kubernetes Security Considerations   #defend, #kubernetes
Understand the security ramifications of doing Kubernetes with a managed service provider or DIY.

Container security fundamentals: Exploring containers as processes   #containers, #defend
A look at how containers work as Linux processes and what that means for security.

A role for all your EC2 instances   #aws, #build
You can now pass an IAM role to every EC2 instance in your account + region.

Securing Kubernetes Secrets with HashiCorp Vault   #build, #kubernetes, #vault
Secrets in Kubernetes are used to store sensitive information. This blog post will show how to secure Kubernetes secrets using Hashicorp vault.

A retrospective on public cloud breaches of 2022   #attack, #defend
Looking back on publicly disclosed cloud breaches of 2022, and what we can learn from them.


A binary written in Go to systematically manage external modules from Github for use in Terraform.

Rbac-tool simplifies querying and creating Kubernetes RBAC policies.

A GitHub Action step that fetches outputs from a Terraform Cloud workspace.

Example of accessing Amazon API Gateway with Amazon Cognito User Pools and Okta OpenID Connect Federation.

Creation of Continuous Integration pipelines dynamically using an AWS Step Function based approach to create standardised pipelines for an organisation.


Wiz: Your new partner in cloud security
It’s time for you to see the Wiz cloud security platform in action. Observe up close why more than 30% of Fortune 100 companies trust us to protect their cloud and simplify their cloud journey. This 10-min demo illustrates how Wiz seamlessly integrates with your full cloud environment, providing full visibility of all your layers and a complete view of true risk.
See the power of the Wiz platform

From the cloud providers

AWS Icon  How to use AWS Private Certificate Authority short-lived certificate mode
Post comparing general-purpose mode CAs to short-lived mode CAs.

AWS Icon  How to monitor and query IAM resources at scale
Two-part blog post providing recommendations for using IAM APIs, and sharing useful details on how IAM works.

AWS Icon  Understanding and Cost Optimizing Amazon EKS Control Plane Logs
This post provides an overview of each type of Amazon EKS control plane log type, and discusses the value provided by them. In addition, the post explores ways to obtain insights from these logs while optimizing on cost.

GCP Icon  Cloud IAM Google Cloud
A sketchnote on GCP IAM.

GCP Icon  Securing Cloud Run Deployments with Least Privilege Access
How to protect your Cloud Run deployments by implementing least privilege access for Cloud Run services and service consumers.

Azure Icon  Public Preview: Customer-managed keys for Azure NetApp Files volume encryption
Azure NetApp Files volumes now support encryption with customer-managed keys (CMK), using Azure Key Vault for key storage, to enable an extra layer of security for data at rest.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present, CloudSecList by Marco Lancini.