Release Date: 18/06/2023 | Issue: 192
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
πŸ›‘οΈ The re:Inforce edition πŸ›‘οΈ
With re:Inforce happening this past week, this CloudSecList issue will have a more extensive section showcasing the primary security-related announcements that came out of it.
Back to business as usual from next week!

Cloud misconfiguration is the third highest cause of security breaches. Misconfigurations are easier to prevent than to fix.
Developers report it can take days to weeks to provision, and it shouldn't!
Creating a win-win is possible. Where developers get the cloud infrastructure they need faster than they can get a coffee break. The best part – it's built on a library of golden patterns and protected by guardrails. Netflix Infrastructure Security teams call these solutions paved roads. Resourcely offers cloud infrastructure paved roads as a service.

This week's articles

Kubernetes Grey Zone: Risks in Managed Cluster Middleware   #attack, #kubernetes
Little is known about the risks managed clusters bring to the table, compared to a vanilla Kubernetes distribution.

Messing Around With AWS Batch For Privilege Escalations   #attack, #aws
How to achieve privilege escalation via misconfigured AWS Batch.

AWS API Gateway header smuggling and cache confusion   #attack, #aws
Post diving into two potential security issues identified in AWS API Gateway authorizers.

Spotted: How we discovered Privilege Escalation, missing CloudTrail data and a race condition in AWS Directory Service   #attack, #aws
A set of bugs in AWS Directory Service. One of them could be used for privilege escalation by an authenticated user with sufficient permissions.

AWS Pentest Methodology   #attack, #aws
A high-level methodology of how one could conduct a penetration test inside the AWS platform.

Executing Arbitrary Code & Executables in Read-Only FileSystems   #attack, #containers, #kubernetes
Different methods of executing arbitrary code and executables in read-only file systems where writable folders are marked as noexec, focusing on pods within the Kubernetes context.

Terraform 1.5 brings config-driven import and checks   #announcement, #hashicorp, #terraform
HashiCorp Terraform 1.5 is now generally available, featuring a config-driven import workflow and a new language primitive for infrastructure validations.

Vault Secrets Operator for Kubernetes now GA   #announcement, #build, #hashicorp, #kubernetes, #vault
The Vault Secrets Operator implements a first-class Kubernetes Operator for Vault, along with CRDs responsible for synchronizing Vault secrets to Kubernetes Secrets.


Rdsconn makes connecting to an AWS RDS instance inside a VPC from your laptop easier.

A collection of ARM-based detections for Azure/AzureAD based TTPs. You can also refer to the companion blog post.

Create your own vulnerable by design AWS penetration testing playground. You can also refer to the companion blog post.

Generation of SLSA3+ provenance for artifacts created in a Docker container
A GitHub Actions workflow that achieves SLSA Build Track Level 3 for provenance generation.


Ready to reduce the need for countless spreadsheets and endless email threads — while saving up to 85% of compliance costs?
Vanta is your trust management platform for continuously monitoring your controls, reporting on security posture, and streamlining audit readiness. Maintain centralized visibility into your security status and automate up to 90% of the work for SOC 2, ISO 27001, GDPR, HIPAA, and more.
Take a tour of Vanta’s platform to see how it works

From the cloud providers

Announcing Live Tail in Amazon CloudWatch Logs, providing real-time exploration of logs
You can now view your logs interactively in real-time as they're ingested, which helps you to analyze and resolve issues across your systems and applications.

Simplify How You Manage Authorization in Your Applications with Amazon Verified Permissions
Amazon Verified Permissions is a scalable permissions management and fine-grained authorization service for the applications that you build. Using Cedar, developers and admins can define policy-based access controls using roles and attributes for more granular, context-aware access control.

Simplify fine-grained authorization with Amazon Verified Permissions and Amazon Cognito
How to use Amazon Cognito and Verified Permissions together to add fine-grained authorization to your applications.

Amazon S3 Dual-Layer Server-Side Encryption with Keys Stored in AWS Key Management Service (DSSE-KMS)
Amazon launched S3 dual-layer server-side encryption with keys stored in AWS Key Management Service (DSSE-KMS), a new encryption option in S3 that applies two layers of encryption to objects when they are uploaded to an S3 bucket.

Secure Connectivity from Public to Private: Introducing EC2 Instance Connect Endpoint
Amazon launched EC2 Instance Connect (EIC) Endpoint, a new feature that allows you to connect securely to your instances and other VPC resources from the Internet.

Move Payment Processing to the Cloud with AWS Payment Cryptography
Amazon shared the availability of AWS Payment Cryptography, an elastic service that manages payment HSMs and keys for payment processing applications in the cloud.

AWS IAM Identity Center now supports automated user provisioning from Google Workspace
You can now connect a Google Workspace to AWS IAM Identity Center once and manage access to AWS accounts and applications centrally, in IAM Identity Center.

AWS Config supports recording exclusions by resource type
AWS Config now offers support for excluding resource types from configuration change tracking.

AWS Security Hub launches a new capability for automating actions to update findings
Post walking through new capabilities within AWS Security Hub that you can use to take automated actions to update findings.

Prevent account creation fraud with AWS WAF Fraud Control
AWS introduced AWS WAF Fraud Control - Account Creation Fraud Prevention (ACFP) to help protect your application's sign-up pages against fake account creation by detecting and blocking fake account creation requests.

AWS Control Tower adds 10 new AWS Security Hub controls
These new controls target services such as Amazon API Gateway, AWS CodeBuild, Amazon Elastic Compute Cloud, Amazon Elastic Load Balancer, Amazon Redshift, Amazon SageMaker, and AWS WAF.

IAM: There and back again using resource hierarchies
Google Cloud has introduced resource hierarchies to make IAM management easier.

Introducing Secure Web Proxy for egress traffic protection
Google's new Secure Web Proxy is now generally available. This cloud-first network security offering provides web egress traffic inspection, protection, and control.

A better way to stay ahead of attacks: Security Command Center adds attack path simulation
Security Command Center's new attack path simulation automatically analyzes a customer's environment to pinpoint where and how vulnerable resources may be attacked.

Public preview: Confidential Virtual Machines (VM) support in Azure Virtual Desktop
Users can now specify an AMD SEV-SNP based confidential VM for their Windows 11 Azure Virtual Desktop, allowing the execution of sensitive desktop workloads by protecting data in use.

Generally Available: Managed identity authentication in Azure Monitor Container insights
Managed Identity is a secure & simplified authentication model where our agent uses the cluster's managed identity to send data to Azure Monitor.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

© 2019-present, CloudSecList by Marco Lancini.