Release Date: 16/07/2023 | Issue: 196
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, you can use the sign-up button on the newsletter page.

Cloud misconfiguration is the third highest cause of security breaches. Misconfigurations are easier to prevent than to fix. Developers report that provisioning can take days to weeks, and it shouldn't!

Creating a win-win is possible, where developers get the cloud infrastructure they need faster than they can take a coffee break. The best part: it's built on a library of golden patterns and protected by guardrails. Netflix infrastructure security teams call such solutions paved roads. Resourcely offers cloud infrastructure paved roads as a service.

This week's articles

Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email   #attack, #azure
Microsoft has mitigated an attack by a China-based threat actor Microsoft tracks as Storm-0558 which targeted customer emails. Storm-0558 primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access.

Secrets Revealed in Container Images: An Internet-wide Study on Occurrence and Impact   #containers, #defend
In this paper, researchers analyzed 337,171 images from Docker Hub and 8,076 other private registries, revealing that 8.5% of the images include secrets.
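The practical follow-up to a finding like that is checking your own images. The Python below is an added example, not the paper's tooling: it builds two constructed image layers in memory as tar archives (the form `docker save` and OCI layouts hand you), runs a small regex rule set over every regular file, and reports per layer, so a credential that a later layer "deletes" with an OCI whiteout entry is still reported from the layer that introduced it, because that layer is still pulled by every client. Paths, contents and rules are all constructed; the access key is AWS's documented example key.

```python
"""Scan container image layers for embedded secrets (added example)."""
import io
import re
import tarfile

# Constructed rule set, deliberately small; production scanners ship hundreds.
RULES = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        rb"(?i)(?:api[_-]?key|secret|token)\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{16,}"),
}
MAX_FILE_BYTES = 5 * 1024 * 1024  # skip large blobs; readable secrets live in small files


def build_layer(files):
    """Return a tar archive (bytes) holding the given {path: content} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def scan_layer(layer_bytes):
    """Return [(path, rule_name)] for every regular file matching a rule.

    mode="r:*" lets tarfile detect gzip-compressed layers as well as plain tars.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isreg() or member.size > MAX_FILE_BYTES:
                continue
            if member.name.rsplit("/", 1)[-1].startswith(".wh."):
                continue  # whiteout marker: records a deletion, carries no content
            data = tar.extractfile(member).read()
            for rule, pattern in RULES.items():
                if pattern.search(data):
                    findings.append((member.name, rule))
    return findings


def scan_image(layers):
    """Scan each layer on its own: a file removed by a later layer is still
    shipped inside the earlier layer, so its secret is still a finding."""
    return {index: scan_layer(layer) for index, layer in enumerate(layers)}


# Constructed image: layer 0 bakes in credentials, layer 1 deletes the env file.
LAYER0 = build_layer({
    "app/main.py": b"print('hello')\n",
    "app/config.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\nDB_PASSWORD=changeme\n",
    "etc/ssl/private/server.key": (
        b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n"),
})
LAYER1 = build_layer({
    "app/.wh.config.env": b"",  # OCI whiteout for app/config.env
    "app/settings.py": b"API_KEY = 'sk_live_0123456789abcdef0123'\n",
})

if __name__ == "__main__":
    for index, findings in scan_image([LAYER0, LAYER1]).items():
        print(f"layer {index}: {findings}")
```

Against a real image, extract `docker save <image>` (or an OCI layout directory) and pass each layer blob's bytes to `scan_layer`; the per-layer report tells you which build step introduced the secret, which is the step to fix and the credential to rotate.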

PCI/DSS Controls with Falco   #containers, #monitor
Learn how Falco can detect failed or misconfigured PCI DSS controls.

Enforcing Secure and Cost-Effective Infrastructure as Code with Terraform, OPA, and Infracost   #build, #opa, #terraform
Post exploring the implementation of OPA and Infracost in a Terraform project, featuring a basic AWS setup with EC2 and RDS resources.

detection-and-response-pipeline   #monitor
A compilation of suggested tools/services for each component in a detection and response pipeline, along with real-world examples.

Summary of Upcoming Changes in OCI Image and Distribution Specs v1.1   #announcement, #containers
Article highlighting improvements in areas such as image layout, content addressability, and distribution manifests, aiming to enhance security, interoperability, and performance in container image management.

PodSecurityPolicy migration with Kyverno   #defend, #kubernetes
The article discusses how to migrate from PodSecurityPolicy (PSP) to Kyverno, a Kubernetes policy engine. It explains the challenges of migrating and provides step-by-step instructions on how to perform the migration.

Terraform apply as code: The multispace pattern   #explain, #terraform
How to use the Terraform Cloud/Enterprise provider to coordinate applies and destroys on downstream workspaces in Terraform Cloud.

Introducing passwordless authentication on   #announcement, #ci/cd
Passkeys are now available in public beta. Opting in lets you upgrade security keys to passkeys, and use those in place of both your password and your 2FA method.


Python bindings for the Cedar Policy project.

An IAM policy statement parser and query tool that aims to simplify the process of collecting and understanding permission policy statements for users and roles in AWS IAM. See also the companion blog post.

A dashboard that shows AWS IAM data per service.

Host your own Helm Chart Repository.

docker-compose v2.20.0 Released
This version introduces the include keyword, which allows you to use an existing Compose configuration as part of your Compose stack.


US Data Privacy (USDP) is an exclusive consumer data privacy framework available only from Vanta. It's the one-stop solution for complying with consumer data privacy laws throughout the US.
USDP provides one comprehensive set of controls that gets you compliant with all current US state-level privacy laws: CCPA/CPRA, CPA, CTDPA, UCPA, and VCDPA.
The framework is constantly being updated to keep up with new and evolving regulations.
Download the USDP checklist to learn more

From the cloud providers

Running GitHub Actions in a private Subnet with AWS CodeBuild
You can now define GitHub Actions steps directly in the BuildSpec and run them alongside CodeBuild commands.

Refining IAM Permissions Like A Pro
How to detect unused IAM permissions and update them to move safely toward a least privilege environment.

Consolidating controls in Security Hub: The new controls view and consolidated findings
You can use these features to manage controls across standards and to consolidate findings, which can help you significantly reduce finding noise and administrative overhead.

Azure AD is Becoming Microsoft Entra ID
Microsoft is rebranding Azure AD to Microsoft Entra ID.

KMS v2 on Azure Kubernetes Service now Supporting Encryption of Secrets Beyond the 2k Limit
You can now encrypt more than 2000 secrets when running your AKS cluster with KMS v2 enabled.

General availability: ExpressRoute private peering support for BGP communities
Set BGP community tags on traffic sent from Azure to on-premises over ExpressRoute, enabling a greater variety of hybrid network designs.


Hiring? Feature your listings below - reach out now at [email protected]

Offensive Security Engineer - AWS Bug Bounty
AWS is looking for an experienced Security Engineer to assess and holistically test incoming submissions while driving resolution of overarching trends.

Senior Infrastructure Security Engineer - Chime
Chime is hiring for Senior Infrastructure Security Engineers in San Francisco.

Threat Intelligence Engineer - Amazon
The role will support the daily operation of our threat intelligence program, specifically focused around automation and building out systems like the threat intelligence platform and malware analysis pipeline.

Application and Infrastructure Security Engineer - Netflix
The Application and Infrastructure Security (AIS) team conducts risk discovery, security strategy development and execution, identification and execution of high impact security initiatives across Netflix applications and infrastructure.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.