Release Date: 02/07/2023 | Issue: 194
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up
Introducing the "Jobs" Section!
As pre-announced on Twitter, I am introducing a new section in the newsletter: Jobs!
Looking for a job? Looking to hire? Check out the new Jobs section below!

Check out Snyk's newly released report,
The State of Application Security in Cloud Modernization!
Get an inside view of the rate of modernization & DevOps automation and risks that organizations are seeing in the cloud.

This week's articles

Defending Continuous Integration/Continuous Delivery (CI/CD) Environments   #ci/cd, #defend
The NSA and CISA are releasing a cybersecurity information sheet to provide recommendations and best practices for improving defenses in cloud implementations of development, security, and operations (DevSecOps).

How to get rid of AWS access keys - Part 2: Reducing Privileges   #aws, #defend, #iam
How to reduce the privileges of AWS access keys in order to mitigate their risk.

Leveraging AWS SSO (aka Identity Center) with Google Workspaces   #aws, #build, #gsuite
A better way to configure AWS Identity Center to use Google Workspace/Cloud Identity with SCIM support.

Verifying Container Image Signatures Within CRI Runtimes   #build, #kubernetes
The process of verifying container image signatures and the benefits of implementing this practice in a Kubernetes environment.

Shrink to Secure: Kubernetes and Secure Compact Containers   #build, #containers, #kubernetes
Reduce the size of your Kubernetes container images to reduce the number of CVEs they carry. Some tools to make this happen: Chainguard's apko and melange, and Wolfi OS.

How to add, use, and update .terraform.lock.hcl without pain   #explain, #terraform
The article discusses the importance of using Terraform lockfiles. It explains how lockfiles work, why they are necessary, and provides practical examples on how to use them effectively in Terraform projects.

8 Terraform continuous validation use cases for AWS, Google Cloud, and Azure   #aws, #azure, #defend, #gcp, #terraform
How to use Terraform "check" blocks and continuous validation with AWS, Google Cloud, and Azure services.
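As an added example (not code from the linked article) of what a Terraform `check` block looks like, the configuration below asserts two things a security team would want re-evaluated after every plan/apply and, in Terraform Cloud, by continuous validation: the deployed endpoint answers HTTP 200, and its TLS certificate is not within 30 days of expiry. The variable `service_url` and its placeholder default are assumptions.

```hcl
terraform {
  required_version = ">= 1.5.0" # check blocks were added in Terraform 1.5

  required_providers {
    http = { source = "hashicorp/http", version = "~> 3.4" }
    tls  = { source = "hashicorp/tls", version = "~> 4.0" }
  }
}

# Assumed input: the public endpoint of the service this configuration deploys.
variable "service_url" {
  type    = string
  default = "https://www.example.com" # placeholder, replace with your endpoint
}

# Data sources scoped inside a check block are read during every plan/apply
# (and by continuous validation), so this runs against the live endpoint.
check "service_is_healthy" {
  data "http" "health" {
    url = var.service_url
  }

  assert {
    condition     = data.http.health.status_code == 200
    error_message = "${var.service_url} returned HTTP ${data.http.health.status_code}, expected 200"
  }
}

check "tls_certificate_not_expiring" {
  data "tls_certificate" "site" {
    url = var.service_url
  }

  assert {
    # The certificates list is ordered root first, so the leaf is the last
    # element. timecmp returns -1 when the first timestamp is earlier, i.e.
    # when "now + 30 days" is still before not_after.
    condition = timecmp(
      timeadd(timestamp(), "720h"),
      data.tls_certificate.site.certificates[length(data.tls_certificate.site.certificates) - 1].not_after
    ) < 0
    error_message = "The TLS certificate for ${var.service_url} expires within 30 days"
  }
}
```

A failing assertion surfaces as a warning on plan/apply and as a health-check failure in Terraform Cloud's continuous validation; it does not stop the run or taint any resource, so check blocks suit drift and health detection rather than enforcement (use `precondition`/`postcondition` blocks when a violation must fail the run).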

AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice   #attack, #aws
While doing research on Microsoft SQL (MSSQL) Server, a GoSecure ethical hacker found an unorthodox design choice that ultimately led to a web application firewall (WAF) bypass.

Tools
The Kubernetes Bill of Materials (KBOM) standard provides insight into container orchestration tools widely used across the industry.

Private Terraform Registry Manager.

A collection of "fake" Terraform modules designed to mimic AWS and GCP resources.

A series of tools to build a comprehensive map from SDK calls to IAM actions, and to evaluate managed policies.

EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.

GitHub token permissions Monitor and Advisor actions. You can also refer to the companion blog post.

OIDC Modules
Terraform modules that help to set up an OIDC integration between GitLab and GCP. You can also refer to the companion blog post.
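As an added example, written for this newsletter and not taken from the OIDC Modules project, here is the core of a GitLab-to-GCP OIDC setup in plain Terraform with the hashicorp/google provider: a workload identity pool, an OIDC provider that trusts gitlab.com, an attribute condition that limits which GitLab project may exchange tokens, and an impersonation binding on a deployer service account. The project id and number, pool and provider ids, service account name and GitLab project path are placeholders.

```hcl
# Placeholders: replace with the real project, project number and GitLab path.
variable "project_id" {
  type    = string
  default = "my-gcp-project"
}

variable "project_number" {
  type    = string
  default = "123456789012"
}

variable "gitlab_project" {
  type    = string
  default = "my-group/my-project" # GitLab project path allowed to deploy
}

resource "google_iam_workload_identity_pool" "gitlab" {
  project                   = var.project_id
  workload_identity_pool_id = "gitlab-pool"
}

resource "google_iam_workload_identity_pool_provider" "gitlab" {
  project                            = var.project_id
  workload_identity_pool_id          = google_iam_workload_identity_pool.gitlab.workload_identity_pool_id
  workload_identity_pool_provider_id = "gitlab-provider"

  oidc {
    issuer_uri = "https://gitlab.com"
    # Must equal the `aud` the CI job requests for its ID token.
    allowed_audiences = ["https://gitlab.com"]
  }

  # Map claims from the GitLab ID token onto Google attributes.
  attribute_mapping = {
    "google.subject"         = "assertion.sub"
    "attribute.project_path" = "assertion.project_path"
    "attribute.ref"          = "assertion.ref"
  }

  # Every project on gitlab.com shares the same issuer, so without this
  # condition any pipeline on the platform could obtain a token for this pool.
  attribute_condition = "attribute.project_path == \"${var.gitlab_project}\""
}

resource "google_service_account" "deployer" {
  project    = var.project_id
  account_id = "gitlab-deployer"
}

# Only identities whose mapped project_path matches may impersonate the SA.
resource "google_service_account_iam_member" "gitlab_impersonation" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.workloadIdentityUser"
  member             = "principalSet://iam.googleapis.com/projects/${var.project_number}/locations/global/workloadIdentityPools/${google_iam_workload_identity_pool.gitlab.workload_identity_pool_id}/attribute.project_path/${var.gitlab_project}"
}

output "provider_name" {
  # Full resource name the CI job passes when exchanging its ID token.
  value = google_iam_workload_identity_pool_provider.gitlab.name
}
```

On the GitLab side the job must request an ID token whose audience matches `allowed_audiences` (an `id_tokens:` entry with `aud:` in `.gitlab-ci.yml`) and exchange it against the provider resource name exposed by the `provider_name` output. Tightening the `attribute_condition` further, for example to a protected branch via `attribute.ref`, is the usual next step before granting the deployer service account any real permissions.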


Teleport Assist: AI-powered conversation with your infrastructure
Teleport Assist utilizes GPT-4 to answer questions, bring insights, perform operations and request access to your infrastructure using natural language. Teleport Assist can act as an assistant, running playbooks and queries with your permissions.
Try Teleport Assist for free for 14 days with Teleport Team

From the cloud providers

AWS Icon  New AWS AppFabric Improves Application Observability for SaaS Applications
A fully managed service that aggregates and normalizes security data across SaaS applications to improve observability and help reduce operational effort and cost with no integration work necessary.

GCP Icon  Cybrary: Closing the cybersecurity skills gap with affordable tools and training
Cybersecurity training with a plan that offers full access to the platform and all of its skills development content, including custom learning paths.

GCP Icon  Security Command Center Asset API Deprecation
Google is killing the Security Command Center "assets" feature and recommends moving to Cloud Asset Inventory instead.

GCP Icon  GKE Security Posture now generally available with enhanced features
The interface is designed to streamline the security management of your GKE clusters, and now includes a range of powerful features such as misconfiguration detection and vulnerability scanning.

GCP Icon  How to migrate sensitive data with confidence using Google Cloud's CDMC-certified architecture
New and existing Google Cloud customers can migrate their sensitive data to the cloud with greater confidence thanks to the newly CDMC-certified architecture.

Azure Icon  Public preview: Using a common port for public and private listeners
Azure Application Gateway now supports configuring the same port number for public and private listeners.

Azure Icon  Public Preview: Azure NetApp Files double encryption at-rest
Azure NetApp Files now supports multiple encryption layers for increased data security.

Jobs
Hiring? Feature your listings below - reach out now at [email protected]

Security Engineers - Figma
Figma is hiring for Security Engineers in Corp Security, Abuse Prevention, Safe Components, and Consulting.

Security Engineer, Detection & Response - OpenAI
OpenAI is looking for a Security Engineer in London with experience in Detection & Response.

Security Engineer - Dell
Dell is looking for a Security Engineer in Singapore with experience in Kubernetes and Docker.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!


© 2019-present, CloudSecList by Marco Lancini.