Release Date: 07/05/2023 | Issue: 186
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

Keeping VPNs and firewall rules updated across a global hybrid infrastructure with multiple clouds, availability zones, and offices is challenging. Learn more about going beyond network perimeter security by adopting device trust in this blog from Teleport, the easiest and most secure way to access all your infrastructure.

This week's articles

Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations   #aws, #azure, #gcp, #monitor
Post describing a hypothetical scenario of a cloud platform compromise with multiple components that would require investigation. Each component is an example of a real intrusion tactic that Mandiant has investigated across various cloud platforms, sometimes with the relevant logs available and sometimes without them, which is what makes the log configuration choices matter.

Move Over, Dockerfiles! The New Way to Craft Containers   #build, #containers
Creating Docker images can sometimes be a pain. Here are alternatives for crafting containers, like ko, Bazel, Nix, and apko, and their strengths and weaknesses.

Testing Zero Touch Production Platforms and Safe Proxies   #attack
Post providing an overview of ZTP tools and services, exploring their security role in DevSecOps, and outlining common pitfalls to watch out for when testing them.

Mitigating Risky Pull Requests with Monocle Risk Advisor   #build, #ci/cd
Part two of the "Mitigating Risky Pull Requests with Monocle Risk Advisor" series explores how Monocle's risk scores can help developers make informed decisions about merging pull requests.

Google Online Security Blog: So long passwords, thanks for all the phish   #defend
You can now create and use passkeys on your personal Google Account. When you do, Google will not ask for your password or 2-Step Verification (2SV) when you sign in.

Exploiting misconfigured Google Cloud Service Accounts from GitHub Actions   #attack, #ci/cd, #gcp
A GCP Workload Identity Federation provider whose attribute condition does not pin the GitHub repository (or whose service account binding admits the whole pool) lets a workflow from any GitHub repository impersonate the service account, not just the one it was meant for.
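As an added illustration of the misconfiguration described above (this is not the post's code), the following script models the two checks GCP performs before a GitHub Actions OIDC token can impersonate a service account: the provider's attribute condition, and the `roles/iam.workloadIdentityUser` binding on the service account. It contrasts a weak provider/policy pair with a hardened one and shows that a token minted for an attacker-controlled repository is accepted by the weak pair only. The provider and policy documents are constructed in the shape returned by `gcloud iam workload-identity-pools providers describe --format=json` and `gcloud iam service-accounts get-iam-policy --format=json`; the field names are the real ones, while the project number, pool, repository and claim values are made up. The condition evaluator only understands the `assertion.<claim> == '<value>'` subset joined by `&&`, an assumption of this example (real conditions are CEL).

```python
import re

# Constructed sample identifiers (project number, pool and repositories are made up).
POOL = "projects/123456789/locations/global/workloadIdentityPools/github-pool"
PRINCIPAL_SET = "principalSet://iam.googleapis.com/" + POOL

# Weak provider: claims are mapped, but there is NO attributeCondition, so any
# token signed by GitHub's issuer (i.e. from any repository) passes the provider.
WEAK_PROVIDER = {
    "name": POOL + "/providers/github",
    "oidc": {"issuerUri": "https://token.actions.githubusercontent.com"},
    "attributeMapping": {
        "google.subject": "assertion.sub",
        "attribute.actor": "assertion.actor",
        "attribute.repository": "assertion.repository",
    },
}
# Hardened provider: same mapping, plus a condition pinning the repository owner.
HARDENED_PROVIDER = dict(
    WEAK_PROVIDER, attributeCondition="assertion.repository_owner == 'example-org'"
)
# Weak binding: every identity in the pool may impersonate the service account.
WEAK_POLICY = {"bindings": [{
    "role": "roles/iam.workloadIdentityUser",
    "members": [PRINCIPAL_SET + "/*"],
}]}
# Hardened binding: only tokens whose mapped repository attribute equals one repo.
HARDENED_POLICY = {"bindings": [{
    "role": "roles/iam.workloadIdentityUser",
    "members": [PRINCIPAL_SET + "/attribute.repository/example-org/deploy"],
}]}

# Subset of the claims a GitHub Actions OIDC token carries (values constructed).
VICTIM_CLAIMS = {"sub": "repo:example-org/deploy:ref:refs/heads/main",
                 "actor": "alice", "repository": "example-org/deploy",
                 "repository_owner": "example-org"}
ATTACKER_CLAIMS = {"sub": "repo:attacker/evil:ref:refs/heads/main",
                   "actor": "mallory", "repository": "attacker/evil",
                   "repository_owner": "attacker"}

_EQ = re.compile(r"^\s*assertion\.(\w+)\s*==\s*['\"]([^'\"]*)['\"]\s*$")


def condition_passes(condition, claims):
    """Evaluate a provider attributeCondition against token claims.
    Assumption of this example: only `assertion.<claim> == '<value>'` clauses
    joined by && are supported. An absent condition accepts every token."""
    if not condition:
        return True
    for clause in condition.split("&&"):
        m = _EQ.match(clause)
        if not m:
            raise ValueError(f"unsupported condition clause: {clause!r}")
        claim, value = m.groups()
        if claims.get(claim) != value:
            return False
    return True


def member_matches(member, mapping, claims):
    """Does one IAM binding member admit this token? Handles the pool-wide `/*`
    form and the `attribute.<name>/<value>` form; mappings are assumed to be
    plain `assertion.<claim>` references. Other member forms are not matched."""
    if not member.startswith(PRINCIPAL_SET + "/"):
        return False
    rest = member[len(PRINCIPAL_SET) + 1:]
    if rest == "*":
        return True  # whole pool: the provider condition is the only gate left
    attr, _, value = rest.partition("/")
    expr = mapping.get(attr)
    if not expr or not expr.startswith("assertion."):
        return False  # binding on an unmapped attribute can never match
    return claims.get(expr[len("assertion."):]) == value


def token_accepted(provider, policy, claims):
    """Would a workflow presenting `claims` be allowed to impersonate the SA?"""
    if not condition_passes(provider.get("attributeCondition"), claims):
        return False
    mapping = provider["attributeMapping"]
    return any(member_matches(m, mapping, claims)
               for b in policy["bindings"]
               if b["role"] == "roles/iam.workloadIdentityUser"
               for m in b["members"])


def audit(provider, policy):
    """Static findings a reviewer would raise without needing a token."""
    findings = []
    if "assertion.repository" not in provider.get("attributeCondition", ""):
        findings.append("provider: attributeCondition does not pin repository/owner")
    for b in policy["bindings"]:
        for m in b["members"]:
            if m.endswith("/*"):
                findings.append(f"policy: pool-wide member {m}")
    return findings


if __name__ == "__main__":
    for label, prov, pol in (("weak", WEAK_PROVIDER, WEAK_POLICY),
                             ("hardened", HARDENED_PROVIDER, HARDENED_POLICY)):
        print(label, "attacker accepted:", token_accepted(prov, pol, ATTACKER_CLAIMS),
              "findings:", audit(prov, pol))
```

Either fix on its own closes the hole (the hardened condition rejects the attacker's token before the binding is consulted, and the repository-scoped binding rejects it even under the weak provider), but the audit flags both so that defence does not rest on a single setting.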

Use Amazon CodeWhisperer for Your AWS Security   #aws, #build, #defend
Some code generation examples from Amazon CodeWhisperer for securing your AWS accounts.

Public Report: AWS Nitro System API & Security Claims   #attack, #aws
AWS engaged NCC Group to conduct an architecture review of the AWS Nitro System design, with focus on specific claims AWS made for the security of the Nitro System APIs.

AWS Identity Center: A Guide to Privilege Escalation and Identity and Access Management   #aws, #iam, #monitor
Post covering Identity Center, as well as how to secure and monitor it.

When Good APIs Go Bad: Uncovering 3 Azure API Management Vulnerabilities   #attack, #azure
Two SSRF vulnerabilities and a file-upload path traversal in the Azure API Management service, which together allowed access to internal Azure assets.


Awesome free cloud native security learning labs. Includes CTF, self-hosted workshops, guided vulnerability labs, and research labs.

HASH is a framework for creating and launching low interactive honeypots. You can also refer to the companion blog post.

CLI tool to perform cost analysis on your Azure subscription.

An operator to manage ephemeral Kubernetes resources.


The Cloud Security Workflow Handbook
The Wiz research team surveyed security orgs at hyper-scaling enterprises to uncover how they’re adapting in 2023. They packed their best-practices, frameworks, and templates into this playbook including:
  • A breakdown of the 3 pillars of the modern cloud security operating model best-in-class orgs are moving to.
  • A 4-step roadmap used by the fastest-growing companies to adapt to the new threat landscape.
  • Plus: Goals and KPI templates for your team to track based on maturity stage presented in a convenient cheat sheet.
Download the Handbook for Free

From the cloud providers

AWS Icon  How to scan your AWS Lambda functions with Amazon Inspector
Two new Amazon Inspector features that scan your Lambda function application package dependencies, as well as your application code, for security vulnerabilities.

AWS Icon  Amazon Inspector now allows customers to search its vulnerability intelligence database
Amazon Inspector now allows customers to search its vulnerability intelligence database if any of the Inspector scanning types is activated.

AWS Icon  Amazon GuardDuty Malware Protection adds on-demand scanning
Amazon GuardDuty Malware Protection adds a new capability that allows customers to initiate on-demand malware scans of EC2 instances, including instances used to host container workloads.

AWS Icon  AWS Verified Access is now generally available
AWS announced the general availability of AWS Verified Access, a service that helps you provide secure access to your corporate applications without using a VPN. Built on AWS Zero Trust principles, Verified Access lets you implement a work-from-anywhere model with added security and scalability.

AWS Icon  Just-in-Time Least Privileged Access to AWS Administrative Roles with Okta and AWS Identity Center
How to leverage Okta Access Requests and AWS IAM Identity Center to provide just-in-time access to cloud resources.

AWS Icon  Get details on security finding changes with the new Finding History feature in Security Hub
How to use the new Finding History feature in Security Hub to track and understand the history of a security finding.

GCP Icon  Resource hierarchy strategies for divested organizations
Best practices for managing divestitures from the standpoint of the Google Cloud resource hierarchy.

GCP Icon  Introducing Organization Restrictions, a new way to keep threat actors out
Now you can restrict access to only-authorized Google Cloud organizations by using Organization Restrictions.

GCP Icon  New asset query simplifies asset inventory management in Security Command Center
Security Command Center users can now perform SQL-like queries to get detailed information on where assets are located and how they are configured.

GCP Icon  Extending Zero Trust access to multi-cloud applications
The new app connector can help provide Zero Trust access to applications in multi-cloud environments.

GCP Icon  3 new ways to authorize users to your private workloads on Cloud Run
Identity Aware Proxy, Regional Internal Load Balancer, and Shared VPC Ingress for Cloud Run offer new design patterns for internal apps.

Azure Icon  Token protection in Azure AD Conditional Access
Learn how to use token protection in Conditional Access policies.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.