Release Date: 26/03/2023 | Issue: 180
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:

Do you love spending time on security questionnaires?
Didn’t think so.
That’s why we at TrustCloud wrote this guide to answering the most commonly asked questions, from our analysis of hundreds of questionnaires from Fortune 500 companies like Google, Amazon, 3M, Visa, and Verizon in our TrustShare platform.
We cover topics including policy management, pen testing, security incident management plans, and more. Read the guide to learn what enterprises are looking for during security reviews, so you can pass them faster.

This week's articles

How we built DMARC Management using Cloudflare Workers   #build, #cloudflare
How Cloudflare built their new DMARC Management solution entirely on top of the Workers platform.

A Guide to Delegated Administrator in AWS Organizations and Multi-Account Management   #aws, #explain, #iam
A guide to managing multiple AWS Accounts using AWS Organizations and how to reduce blast radius by leveraging Delegated Administrator capabilities to avoid usage of the management root account.

Using Service Control Policies to protect security baselines   #aws, #defend
Post illustrating a specific use case of SCPs that protects the security baseline, or landing zone, configuration you've created for accounts.

Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research   #attack, #aws
Public disclosure of a CloudTrail bypass in AWS Service Catalog and other logging research.

Mitigating SSRF in 2023   #attack, #aws, #defend
Article reviewing the different ways of triggering SSRF and discussing which mitigation techniques are most effective.

Implementing Magic Links with Amazon Cognito: A Step-by-Step Guide   #aws, #build, #iam
A popular passwordless authentication method is magic links. Although this is not something that Cognito supports out of the box, it can be implemented using its Lambda hooks.

The illustrated guide to S3 pre-signed URLs   #aws, #build
Article discussing in great detail what pre-signed URLs are, how to use them, and some best practices to keep in mind.

Network policies are not the right abstraction (for developers)   #explain, #kubernetes
Post examining multiple flaws that prevent network policies, on their own, from being an effective solution for a real-world use case.

The 4 Kubernetes policy types   #explain, #kubernetes
Post introducing the four types of policies available in Kubernetes (API Objects, Admission Controllers, ValidatingAdmissionPolicy, and Dynamic Admission Controls) and providing guidance on how they should be used.

Top 15 Kubectl plugins for security engineers   #defend, #kubernetes
This article covers the most common and useful kubectl plugins for improving your security posture.

Kubernetes Removals and Major Changes In v1.27   #build, #kubernetes
Article identifying and describing some of the planned (breaking) changes for the Kubernetes v1.27 release.

Escalating Privileges with Azure Function Apps   #attack, #azure
Undocumented APIs used by the Azure Function Apps Portal menu allowed for arbitrary file reads on the Function App containers.


CLI tool for directly patching container images using reports from vulnerability scanners.

An incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer's Azure Active Directory (AzureAD), Azure, and M365 environments.

CLI tool to perform cost analysis on your AWS account with Slack integration.

Scripts and Lambdas to help with automated deployment of AWS Shield Advanced.

Passwordless authentication with Amazon Cognito: FIDO2 (WebAuthn), Magic Link, SMS OTP Step Up.


Exclusive Research: The State of Cloud-Native Security Report 2023
Life Moves Fast in the Cloud.
If it feels like it’s getting harder to keep your organization secure, you’re not alone. Based on a survey of 2,500 InfoSec pros, Prisma Cloud’s 3rd annual report helps cybersecurity leaders gain insights into the top challenges facing their peers in cloud-native development and security. Key Findings:
  • 90% of orgs can’t detect, contain, and resolve cyber threats within an hour
  • 77% of orgs say aligning security tools with security goals is challenging
Read the findings now!

From the cloud providers

Simplify management of Network Firewall rule groups with VPC managed prefix lists
How to use managed prefix lists to simplify management of AWS Network Firewall rules and policies across a VPC.

How to use Amazon Macie to reduce the cost of discovering sensitive data
Macie offers several capabilities to help reduce the cost of discovering sensitive data, including automated data discovery, which can reduce your spend with new data sampling techniques that are custom-built for S3.

AWS Clean Rooms Now Generally Available: Collaborate with Your Partners without Sharing Raw Data
Clean Rooms is an analytics service that helps companies and their partners more easily and securely analyze and collaborate on their collective datasets without sharing or copying each other's data.

Use backups to recover from security incidents
Key AWS services and features that provide backup and recovery solutions to restore your data based upon the lessons the AWS CIRT has learned when supporting customers experiencing security events.

Your cloud, your way: Google Distributed Cloud Hosted is generally available
Google Distributed Cloud (GDC) Hosted is an air-gapped cloud solution for customers with stringent data management and sovereignty requirements.

General availability: Azure Virtual Network Manager
Azure Virtual Network Manager (AVNM) is now generally available. AVNM is a one-stop shop for managing the connectivity and security of your network resources at scale.

Generally available: Encryption scopes on hierarchical namespace enabled storage accounts
You can now use separate encryption keys for each customer in a single hierarchical namespace enabled storage account.

Public preview: Listener TLS certificates management available in the Azure portal
You can now manage the TLS certificates associated with Listeners through Azure portal.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

© 2019-present, CloudSecList by Marco Lancini.