Release Date: 04/06/2023 | Issue: 190
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:

BeyondCorp, Zero Trust Architecture Strategy, and Teleport
BeyondCorp comes from a realization that VPN perimeter network security is obsolete. As soon as an attacker breaches the perimeter, they have unrestricted access to the resources. With the release of a memorandum discussing federal Zero Trust Architecture (ZTA) strategies, zero trust has entered the mainstream at the government level. Although the memo focuses on government agencies, it has a clear structure and strong foundations for any modern company...
Keep reading the Teleport blog

This week's articles

Exploring Firecracker MicroVMs for Multi-Tenant Dagger CI/CD Pipelines   #ci/cd, #defend
Experimenting with the feasibility of running Dagger CI/CD pipelines isolated from each other using Firecracker microVMs to provide a strong security model in a multi-tenant scenario. When a customer runs a pipeline, their containers are executed in an isolated environment.

Detect Anomalies In Our AWS Infrastructure   #aws, #monitor
Low-maintenance Cloud-Based Anomaly Detection System with Bytewax, Redpanda, and AWS.

Warden: Real Time Anomaly Detection at Pinterest   #defend, #monitor
Pinterest Engineering has developed a real-time anomaly detection system called Warden, which uses machine learning to identify unusual activity and potential security threats on their platform.

How to get rid of AWS access keys - Part 1: The easy wins   #aws, #defend, #iam
Learn how to identify unused and unnecessary long-lived IAM User access keys.
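As an added example (not code from the linked post), here is the triage step that article describes, in Python: classify each long-lived IAM user key from the fields the IAM API returns (ListAccessKeys plus GetAccessKeyLastUsed), and flag users who hold two active keys, which usually means a rotation that was never finished. The thresholds, the sample records and the AKIAEXAMPLE key IDs are constructed assumptions so the script runs offline; `fetch_access_keys()` is the live path and needs boto3 and credentials allowed to call iam:ListUsers, iam:ListAccessKeys and iam:GetAccessKeyLastUsed.

```python
"""Added example: triage long-lived IAM user access keys by last use.

Classification runs on the fields IAM returns (ListAccessKeys +
GetAccessKeyLastUsed). SAMPLE_KEYS is constructed data so this runs offline.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed thresholds; align them with your own rotation policy.
STALE_AFTER = timedelta(days=90)       # last use older than this -> retire
NEVER_USED_GRACE = timedelta(days=7)   # freshly created keys get a short grace period


def classify_key(key: dict, now: datetime) -> Optional[str]:
    """Return a reason to retire the key, or None if it still looks in use.

    key fields: UserName, AccessKeyId, Status, CreateDate, LastUsedDate
    (LastUsedDate is None when IAM has never seen the key used).
    """
    if key["Status"] != "Active":
        # Already deactivated: nothing can authenticate with it, so delete it.
        return "inactive-delete"
    last_used = key.get("LastUsedDate")
    if last_used is None:
        if now - key["CreateDate"] >= NEVER_USED_GRACE:
            return "never-used"
        return None
    idle = now - last_used
    if idle >= STALE_AFTER:
        return f"idle-{idle.days}d"
    return None


def find_retirable_keys(keys: list, now: datetime) -> list:
    """Return (UserName, AccessKeyId, reason) for every key worth retiring,
    plus one finding per user holding two active keys at once."""
    findings = []
    active_per_user = {}
    for key in keys:
        reason = classify_key(key, now)
        if reason:
            findings.append((key["UserName"], key["AccessKeyId"], reason))
        if key["Status"] == "Active":
            active_per_user.setdefault(key["UserName"], []).append(key["AccessKeyId"])
    for user, ids in active_per_user.items():
        if len(ids) > 1:
            findings.append((user, ",".join(ids), "two-active-keys"))
    return findings


def fetch_access_keys() -> list:
    """Live path (assumed helper): pull the same fields from the account with boto3."""
    import boto3  # imported here so the offline demo does not depend on it
    iam = boto3.client("iam")
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            for meta in iam.list_access_keys(UserName=user["UserName"])["AccessKeyMetadata"]:
                last = iam.get_access_key_last_used(AccessKeyId=meta["AccessKeyId"])
                keys.append({
                    "UserName": meta["UserName"],
                    "AccessKeyId": meta["AccessKeyId"],
                    "Status": meta["Status"],
                    "CreateDate": meta["CreateDate"],
                    # Absent when the key has never been used.
                    "LastUsedDate": last["AccessKeyLastUsed"].get("LastUsedDate"),
                })
    return keys


NOW = datetime(2023, 6, 4, tzinfo=timezone.utc)
UTC = timezone.utc
SAMPLE_KEYS = [  # constructed records, not from a real account
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": datetime(2021, 1, 1, tzinfo=UTC), "LastUsedDate": datetime(2023, 6, 1, tzinfo=UTC)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": datetime(2021, 1, 1, tzinfo=UTC), "LastUsedDate": datetime(2023, 1, 1, tzinfo=UTC)},
    {"UserName": "bob", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",
     "CreateDate": datetime(2023, 1, 15, tzinfo=UTC), "LastUsedDate": None},
    {"UserName": "carol", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Active",
     "CreateDate": datetime(2023, 6, 2, tzinfo=UTC), "LastUsedDate": None},
    {"UserName": "dave", "AccessKeyId": "AKIAEXAMPLE000000005", "Status": "Inactive",
     "CreateDate": datetime(2020, 3, 1, tzinfo=UTC), "LastUsedDate": datetime(2022, 2, 1, tzinfo=UTC)},
]

if __name__ == "__main__":
    for user, key_id, reason in find_retirable_keys(SAMPLE_KEYS, NOW):
        print(f"{user:8} {key_id:45} {reason}")
```

Deactivate before deleting: a key that a quarterly or yearly job uses will look idle under a 90-day threshold, and an inactive key can be switched back on if something breaks. The same fields are also available in one call through the IAM credential report, which is the cheaper route for accounts with many users.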

Misconfiguration Spotlight: Securing the EC2 Instance Metadata Service   #attack, #aws
A look at how a misconfigured EC2 Instance Metadata Service (IMDSv1 still answering requests without a session token) can be abused to obtain instance role credentials, and how to lock it down by requiring IMDSv2.
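As an added example (not from the linked post), the posture check behind that misconfiguration in Python: read the `MetadataOptions` block that ec2:DescribeInstances returns, flag instances that still accept token-less IMDSv1 requests or let the IMDSv2 token response travel more than one hop, and build the ModifyInstanceMetadataOptions call that fixes them. The sample reservations and instance IDs are constructed so it runs offline; `audit_and_fix()` is an assumed helper name for the live path and needs boto3 with ec2:DescribeInstances and ec2:ModifyInstanceMetadataOptions.

```python
"""Added example: find EC2 instances whose IMDS exposure is weaker than
'IMDSv2 required, one network hop', and build the remediation call.

SAMPLE_RESERVATIONS is constructed, shaped like ec2:DescribeInstances output.
"""


def imds_findings(reservations: list) -> list:
    """Return (InstanceId, [problems]) for each instance that needs hardening."""
    findings = []
    for reservation in reservations:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # nothing listens on 169.254.169.254, nothing to abuse
            problems = []
            if opts.get("HttpTokens") != "required":
                # 'optional' means a plain GET with no token (e.g. relayed through
                # an SSRF or an open proxy) still returns the role credentials.
                problems.append("imdsv1-allowed")
            hops = opts.get("HttpPutResponseHopLimit", 1)
            if hops > 1:
                # The PUT token response may cross this many IP hops, so a
                # container or nested VM behind the instance can finish the
                # IMDSv2 handshake; the GET path has no such limit.
                problems.append(f"hop-limit-{hops}")
            if problems:
                findings.append((inst["InstanceId"], problems))
    return findings


def imdsv2_params(instance_id: str, hop_limit: int = 1) -> dict:
    """Keyword arguments for ec2.modify_instance_metadata_options.

    hop_limit=2 is the deliberate trade-off when bridge-networked containers on
    the host legitimately need the instance's IMDS; otherwise keep it at 1.
    """
    return {
        "InstanceId": instance_id,
        "HttpTokens": "required",
        "HttpEndpoint": "enabled",
        "HttpPutResponseHopLimit": hop_limit,
    }


def audit_and_fix(region: str, dry_run: bool = True) -> list:
    """Live path (assumed helper): audit one region and optionally enforce IMDSv2."""
    import boto3  # imported here so the offline demo does not depend on it
    ec2 = boto3.client("ec2", region_name=region)
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    findings = imds_findings(reservations)
    if not dry_run:
        for instance_id, problems in findings:
            if "imdsv1-allowed" in problems:
                ec2.modify_instance_metadata_options(**imdsv2_params(instance_id))
    return findings


SAMPLE_RESERVATIONS = [  # constructed data
    {"Instances": [
        {"InstanceId": "i-0aaa000000000001",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0aaa000000000002",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0aaa000000000003",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 64}},
        {"InstanceId": "i-0aaa000000000004",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]},
]

if __name__ == "__main__":
    for instance_id, problems in imds_findings(SAMPLE_RESERVATIONS):
        print(instance_id, ", ".join(problems), "->", imdsv2_params(instance_id))
```

Before flipping `HttpTokens` to `required` fleet-wide, check the `MetadataNoToken` CloudWatch metric for each instance: a non-zero count means something on the host still speaks IMDSv1 (typically an old SDK or agent) and will lose its credentials the moment v1 is turned off. The host-side IMDS tracer in this issue's tools list is the way to find out which process that is.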

How to choose the right API Gateway auth method   #aws, #build, #iam
API Gateway supports quite a few authentication and authorization methods, plus, you can always authenticate users inside your endpoint. So, the big question is, how do you choose the right one for your API?

Passkeys, the end of passwords and account takeovers?   #build, #explain
A deep-dive blogpost on how to implement Passkeys and how to think about the threat model and security guarantees they offer.

Understanding networking in Kubernetes   #explain, #kubernetes
An in-depth analysis of Kubernetes networking, including container-to-container, pod-to-pod, pod-to-service, ingress, and egress communication.

Google Trust Services ACME API available to all users at no cost   #announcement, #build, #gcp
Google Trust Services' ACME endpoint is now generally available, letting anyone obtain publicly trusted TLS certificates for their websites at no cost.

Packaging Open Policy Agent policies with Nix   #containers, #opa
How to use Nix to turn Open Policy Agent policies into standalone CLI tools.


Macaron is a supply chain security analysis tool from Oracle Labs that checks conformance to the SLSA framework. You can also refer to the companion blog post.

Fast, Declarative, Reproducible, and Composable Developer Environments.

Crowdsourced list of sensitive IAM Actions.
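As an added example (not the crowdsourced list itself, nor code from it), here is how such a list gets used in practice in Python: scan an IAM policy document for Allow statements that grant any listed action, expanding the wildcards IAM permits in `Action` (`*`, `iam:*`, `iam:Create*`) and handling `NotAction`, which grants everything except the named actions. `SENSITIVE_ACTIONS` is a constructed excerpt standing in for a maintained list, and the sample policy and account ID are constructed too.

```python
"""Added example: flag sensitive IAM actions granted by a policy document.

SENSITIVE_ACTIONS is a constructed excerpt; load a maintained list in its place.
Resource and Condition scoping is reported, not judged, because whether
"Resource": "*" on iam:PassRole is acceptable depends on the account.
"""
import fnmatch
import json

SENSITIVE_ACTIONS = [  # constructed excerpt: escalation and persistence primitives
    "iam:CreateAccessKey", "iam:CreateLoginProfile", "iam:UpdateLoginProfile",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PassRole", "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
    "lambda:UpdateFunctionCode", "ec2:ModifyInstanceAttribute",
]


def _as_list(value):
    """IAM allows a single string wherever it allows a list."""
    return value if isinstance(value, list) else [value]


def expand_action_pattern(pattern: str, known_actions) -> list:
    """Actions match case-insensitively; '*' and '?' are the only wildcards."""
    pattern = pattern.lower()
    return [a for a in known_actions if fnmatch.fnmatchcase(a.lower(), pattern)]


def scan_policy(policy: dict, sensitive=SENSITIVE_ACTIONS) -> list:
    """One finding per (statement, sensitive action) granted by an Allow
    statement, with the scope a reviewer needs to triage it."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow; cross-statement Deny is out of scope here
        if "NotAction" in stmt:
            excluded = set()
            for pat in _as_list(stmt["NotAction"]):
                excluded.update(expand_action_pattern(pat, sensitive))
            granted = [a for a in sensitive if a not in excluded]
        else:
            granted = []
            for pat in _as_list(stmt.get("Action", [])):
                granted.extend(expand_action_pattern(pat, sensitive))
        # NotResource statements are scoped by exclusion; treated as "*" here.
        resources = _as_list(stmt.get("Resource", "*"))
        for action in dict.fromkeys(granted):  # de-duplicate, keep order
            findings.append({
                "statement": idx,
                "sid": stmt.get("Sid"),
                "action": action,
                "resource": resources,
                "conditioned": "Condition" in stmt,
            })
    return findings


SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow",
     "Action": ["s3:GetObject", "iam:Get*", "iam:List*"], "Resource": "*"},
    {"Sid": "Deploy", "Effect": "Allow",
     "Action": ["lambda:UpdateFunctionCode", "iam:PassRole"],
     "Resource": ["arn:aws:lambda:us-east-1:123456789012:function:app-*",
                  "arn:aws:iam::123456789012:role/app-exec"]},
    {"Sid": "Admin", "Effect": "Allow", "Action": "iam:create*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "Everything", "Effect": "Allow", "NotAction": ["iam:*", "sts:*"],
     "Resource": "*"}
  ]
}
""")  # constructed policy

if __name__ == "__main__":
    for f in scan_policy(SAMPLE_POLICY):
        flag = " (MFA condition)" if f["conditioned"] else ""
        print(f"[{f['sid']}] {f['action']} on {f['resource']}{flag}")
```

The `Everything` statement is the case these lists exist for: it names no sensitive action at all, yet grants `lambda:UpdateFunctionCode` and `ec2:ModifyInstanceAttribute` because `NotAction` is an exclusion, not a grant, and only matching against a concrete list makes that visible.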

A tool that traces TCP interactions with the EC2 Instance Metadata Service (IMDS), assisting in identifying the processes making IMDSv1 calls on a host.


Ready to reduce the need for countless spreadsheets and endless email threads, while saving up to 85% of compliance costs?
Vanta is your trust management platform for continuously monitoring your controls, reporting on security posture, and streamlining audit readiness. Maintain centralized visibility into your security status and automate up to 90% of the work for SOC 2, ISO 27001, GDPR, HIPAA, and more.
Take a tour of Vanta’s platform to see how it works

From the cloud providers

Amazon Security Lake is now generally available
AWS announced the general availability of Amazon Security Lake, first announced as a preview release at re:Invent 2022.

Get custom data into Amazon Security Lake through ingesting Azure activity logs
How to configure your Amazon Security Lake solution with cloud activity data from Microsoft Azure Monitor activity log, which you can query alongside your existing AWS CloudTrail data.

Updated whitepaper available: Architecting for PCI DSS Scoping and Segmentation on AWS
AWS has re-published the whitepaper Architecting for PCI DSS Scoping and Segmentation on AWS to provide guidance on how to properly define the scope of your Payment Card Industry (PCI) Data Security Standard (DSS) workloads that are running in the AWS Cloud.

Announcing the AWS Blueprint for Ransomware Defense
AWS released the AWS Blueprint for Ransomware Defense, a new resource that both enterprise and public sector organizations can use to implement preventative measures to protect data from ransomware events.

Announcing Google Cloud Cross-Cloud Interconnect
Google Cloud is announcing Cross-Cloud Interconnect, which lets you connect any cloud to Google Cloud via their secure, high-bandwidth global network.

Introducing new ways Security Command Center can protect identities
SCC has released new capabilities to help detect compromised identities and protect against risks from external attackers and malicious insiders.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.