Release Date: 02/04/2023 | Issue: 181
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:

Why Secure Access to Cloud Infrastructure is Painful
Can you enumerate every network socket that could be used to break into your cloud environment and steal your data? When counting, are you including the laptops of people who are already authenticated and have access? The purpose of asking this question is not to instill fear. Trying to answer it probably leads to "it's complicated," and that complexity of access is what this article covers.

This week's articles

Attackers have better things to do than corrupt your builds   #attack, #ci/cd
This post addresses the clucking and clamoring over attackers exploiting vulns in, or corrupting, build pipelines (spoiler alert: it isn't worth their time and effort to do so).

AWS KMS Threat Model   #aws, #defend, #explain
What are the threats in letting an AWS service manage the encryption of your data instead of creating a Customer Managed Key?

A Guide to S3 Logging   #aws, #monitor
Here's what you should do about S3 Logging.

Harvesting Logs for Fun and Profit   #attack, #monitor
Post looking at the kinds of things you might find in your logs. The juicy bits are Personally Identifiable Information (PII) and security credentials.

Zero Trust Access to Private Webapps on AWS ECS with Cloudflare Tunnel   #aws, #build, #cloudflare
How to use Cloudflare Tunnel to securely access a Flask webapp running in a private subnet in ECS on Fargate, without exposing the app to the public internet.

The Old Faithful: Why SSM Parameter Store still reigns over Secrets Manager   #aws, #explain
Post exploring why the tried-and-true SSM Parameter Store is still the preferred choice for many developers, and diving into the advantages it has over Secrets Manager.

Identify and remediate common cloud risks with the Datadog Cloud Security Atlas   #attack, #aws, #defend
Datadog announced the release of their Cloud Security Atlas, a searchable database of real-world attacks, vulnerabilities, and misconfigurations designed to help you understand and remediate risk in cloud environments.

Public Access Key - 2023   #attack, #aws, #ci/cd
Timeline of events when an AWS IAM Access Key was published to GitHub.

Vault Secrets Operator: A new method for Kubernetes integration   #announcement, #hashicorp, #kubernetes, #vault
The Vault Secrets Operator implements a first-class Kubernetes Operator pattern for HashiCorp Vault along with a set of CRDs responsible for synchronizing Vault secrets to Kubernetes Secrets natively.

Unauthorized access to organization secrets in GitHub   #attack, #ci/cd
A security issue in GitHub's Security Advisory feature allowed researchers to access ANY organization's codespace secrets without authorization.

Super FabriXss: From XSS to an RCE in Azure Service Fabric Explorer by Abusing an Event Tab Cluster Toggle   #attack, #azure
Post exploring the details of the Azure vulnerability, "Super FabriXss," the risks it poses, as well as recommendations on how to mitigate it.

Riding the Azure Service Bus (Relay) into Power Platform   #attack, #azure
A deserialization issue on the Azure Service Bus (Relay) service that allowed remote code execution on Microsoft servers.

Introducing self-service SBOMs   #ci/cd, #defend
GitHub announced a new Export SBOM function that allows anyone with read access to a GitHub cloud repository to generate an NTIA-compliant SBOM with a single click.

Introducing Microsoft Security Copilot: Empowering defenders at the speed of AI   #announcement, #azure
Security Copilot combines an advanced large language model (LLM) with a security-specific model from Microsoft. This security-specific model in turn incorporates a set of security-specific skills and is informed by Microsoft's unique global threat intelligence. Security Copilot runs on Azure's infrastructure.


GitHub App to watch for PRs merged without a reviewer approving.

Kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login).

Sample logging architectures for Fluent Bit and FluentD on Amazon EKS.

A lightweight, zero-dependency Python library that simplifies managing your AWS boto3 session in your application code.


Too Many Developers with Production Access?
Consider an attacker who obtained one of your developer’s credentials; what sort of access would they have? Sym helps keep production safe by replacing permanent access with just-in-time (JIT) access that is automated, auditable, and intelligent. Here's how Sym works:
  • Developers make requests in Slack
  • Authorization is determined by custom code and/or other humans in Slack
  • Access is automatically revoked when the job is done
  • Logs are sent to any logging destination
Secure your production infrastructure with Sym!

From the cloud providers

Amazon GuardDuty Now Supports Amazon EKS Runtime Monitoring
AWS announced the general availability of Amazon GuardDuty EKS Runtime Monitoring to detect runtime threats from over 30 security findings to protect your EKS clusters. The new EKS Runtime Monitoring uses a fully managed EKS add-on that adds visibility into individual container runtime activities, such as file access, process execution, and network connections.

Amazon GuardDuty simplifies enforcement of threat detection across all accounts in an Organization
GuardDuty has added new functionality to its integration with AWS Organizations to make it even simpler to enforce threat detection across all accounts in an organization.

How to use Amazon GuardDuty and AWS WAF v2 to automatically block suspicious hosts
An automation pattern that you can use to automatically detect and block suspicious hosts that are attempting to access your AWS resources.

AWS Cost Anomaly Detection now automatically configured for all new Cost Explorer users
Cost Anomaly Detection uses machine learning to continuously monitor, detect, and alert customers of unexpected cost increases. The default configuration allows new Cost Explorer users to quickly improve cost controls with zero effort.

Why (and how) Google Cloud is adding attack path simulation to Security Command Center
GCP added an advanced simulation engine to attack path analysis that will identify assets that are most vulnerable to attack, which can help defenders know where to apply the right security controls to better protect their cloud environment.

Gleaning security insights from audit logs with Log Analytics
Cloud Audit logs can help customers meet their compliance and security requirements. Here's how to derive actionable insights from Log Analytics.

Workload Identity for GKE made easy with open source tools
Kaniko allows limited credential exposure to help GKE workloads authenticate to other services safely.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

© 2019-present, CloudSecList by Marco Lancini.