Release Date: 14/05/2023 | Issue: 187
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.


JupiterOne: Know What You’re Defending
Perhaps the biggest problem in cybersecurity today is that companies don’t have a good understanding of what they’re defending. JupiterOne solves this foundational issue by collecting everything you own into a single system of record that includes cloud infrastructure, endpoints, DNS, SaaS apps, and more.
It connects the dots using graph-based technologies, allowing you to ask complex Attack Surface Questions, like “Show me all VMware-based systems associated with our crown jewels and that have something facing the internet.”
Start your free account today

This week's articles

Equifax Controls Framework   #strategy
Equifax has released an open-source controls framework that provides security guidance for cloud-native applications. The framework includes a set of controls that are mapped to security frameworks such as NIST.

Cloud Security Jobs   #strategy
A job board for cloud security professionals that scans and compiles the best open positions, from entry level to CISO (executive).

Cybersecurity Incident Simulation @ Uber   #monitor
A three-pronged approach for simulating cybersecurity incidents, which consists of tabletop exercises, red team operations, and atomic simulations.

My Love/Hate Relationship with Cloud Custodian   #aws, #defend
Cloud Custodian is a powerful tool for managing and enforcing policies in cloud environments, but it can be difficult to learn and use effectively. The author shares their experiences with using Cloud Custodian, including its benefits and drawbacks, and offers tips for getting started with the tool.

An AWS IAM Wishlist   #aws, #defend, #iam
A wishlist of AWS IAM feature requests: IAM Authorization Debugging, Mapping of API Calls/IAM Permissions/CloudTrail Events, SCP Audit Mode, SCP for Resources, and API Request Parameters as Condition Keys.

Cloud Run Security design overview   #explain, #gcp
This article outlines the security features provided by Cloud Run, including automatic TLS encryption, secure communication between services, and integration with Cloud IAM for access control.

Manage multiple Terraform projects in monorepo   #aws, #azure, #build, #terraform
A look at one possible way to organize and manage a monorepo setup, which will contain multiple projects and Terraform modules, with deployments spanning across multiple targets such as AWS accounts or Azure subscriptions.

Secure Data Sharing: Charting a course for the EU's Digital Future   #strategy
Palantir, a data analytics company, has published a report proposing a framework for secure data sharing in the European Union. The report suggests that data should be shared in a way that preserves privacy and security, while also enabling innovation. The framework includes a set of principles and best practices for data sharing, as well as recommendations for policy and regulatory changes.

SIEM Content, False Positives and Engineering (Or Not) Security   #defend, #monitor, #strategy
This SIEM content and false positives debate is a micro instantiation of a much bigger debate: the paradox between consuming security and engineering security.


A collection of sample queries for AWS CloudTrail Lake.

Automatically provision RDS database users using SSO as a source of truth.

Terraform Cloud Workflows for GitHub
Prescriptive workflows that implement best practices when interacting with Terraform Cloud.

Terraform Cloud Workflows for GitLab
Gitlab CI/CD templates for Terraform Cloud.

Sample code and notebooks for Generative AI on Google Cloud.


Put compliance on autopilot so you can get back to building and growing
Vanta is your single platform for continuously monitoring your controls, reporting on security posture, and streamlining audit readiness. Over 5,000 global customers leverage Vanta to proactively demonstrate trust and security. Customers report saving hundreds of hours in manual work and up to 85% of compliance costs.
Watch the 3-minute demo to learn more

From the cloud providers

A walk through AWS Verified Access policies
This post provides an overview of trust providers and policies, then walks through a Verified Access policy for securing your corporate applications.

Detect threats to your data stored in RDS databases by using GuardDuty
This post provides an overview of how to get started with RDS Protection, dives into its finding types, and walks through examples of how to investigate and remediate findings.

Introducing Cedar, an open-source language for access control
AWS open-sourced the Cedar policy language and authorization engine. You can use Cedar to express fine-grained permissions as easy-to-understand policies enforced in your applications, and you can decouple access control from your application logic.

Private Access to the AWS Management Console is generally available
AWS announced the general availability of AWS Management Console Private Access. Private Access is a new security feature that allows customers to limit access to the Console from their VPC or connected networks to a set of trusted AWS accounts and organizations.

Simpler, faster, and repeatable regulatory reporting
Google Cloud has announced the launch of a new solution aimed at helping financial services companies automate regulatory reporting.

Introducing Duet AI for Google Cloud - an AI-powered collaborator
Duet AI for Google Cloud is an always-on AI collaborator that provides help to users of all skill levels where they need it.

Google I/O 2023: Making AI more helpful for everyone
A summary of what Google announced at Google I/O 2023.

Using GitHub Actions with Google Cloud Deploy
Deploy containers to Google Cloud with GitHub Actions and Google Cloud Deploy targets - Kubernetes, Anthos, and Cloud Run.

Manage IAM permissions with the Google Cloud mobile app
Administrators can use the Google Cloud mobile app to manage their organization's cloud identities and access while on the go.

Microsoft Azure security evolution: Embrace secure multitenancy, Confidential Compute, and Rust
Microsoft's ongoing commitment to and investments in security, this time on Secure Multitenancy.

Generally available: Azure Bastion now supports shareable links
Shareable links allow users to connect to target resources via Azure Bastion without access to the Azure portal.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

© 2019-present, CloudSecList by Marco Lancini.