Release Date: 20/08/2023 | Issue: 201
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

How to implement JIT access in AWS | Sym
Securing your infrastructure without slowing down is hard. By implementing just-in-time (JIT) access, you can address both speed and security concerns by making access temporal and streamlining the request process.
Our guide on implementing JIT access in AWS walks through:
  • The principle of least privilege
  • Least privilege in the cloud and AWS
  • Designing least privilege policies
  • Replacing risky access with automation
Download the JIT access guide to learn more

This week's articles

How Threat Actors Use GitHub   #attack, #ci/cd
The article explains how threat actors leverage GitHub for command and control & data exfiltration, malware delivery, and supply chain attacks.

Third-Party GitHub Actions: Effects of an Opt-Out Permission Model   #attack, #ci/cd, #defend
Post sharing how the world's most popular repositories fail to manage their build permissions, as well as walking through the why and the how of proper permissions management in GitHub Actions.

How to identify when you've lost control of your SIEM (and how to rein it back in)   #monitor
The article explains how to recognize when you have lost control of your SIEM. It provides signs to look out for, such as excessive false positives and having trouble answering basic investigative questions.

Identifying & Reducing Permission Explosion in AWS   #aws, #iam
The slides of a BlackHat 2023 talk that discusses how to identify, fix, and prevent permission explosion in your AWS environment.

When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability   #attack, #aws
Threat actors used SugarCRM's zero-day CVE-2023-22952 and cloud account misconfigurations to access credentials.

What's new for security in Kubernetes 1.28   #explain, #kubernetes
A recap of some of the interesting new security changes in Kubernetes 1.28.

Unleashing in-toto: The API of DevSecOps   #defend, #supply-chain
The article discusses the importance of integrating security into the DevOps process and introduces In-Toto, an open-source framework that provides a way to verify the integrity of software supply chains. It explains how In-Toto can be used as an API in DevSecOps to ensure the security and trustworthiness of software.

An Azure Tale of VPN, Conditional Access and MFA Bypass   #attack, #azure
A walkthrough review of the implementation of an on-prem VPN server that used Azure AD as the idP and enforced MFA via conditional access policies.

Terraform best practices for reliability at any scale   #aws, #build, #terraform
At scale, many Terraform state files are better than one. But how do you draw the boundaries and decide which resources belong in which state files? What are the best practices for organizing Terraform state files to maximize reliability, minimize the blast-radius of changes, and align with the design of cloud providers?

How to setup geofencing and IP allow-list for Cognito user pool   #aws, #build
AWS recently announced that is now possible to enable WAF protection for Cognito user pools. And one of the things you can do with this is to implement geo-fencing and IP allow/deny lists.


Simple Workspace Attack Tool (SWAT) is a tool for simulating malicious behavior against Google Workspace in reference to the MITRE ATT&CK framework.

Tools for attacking Azure Function Apps.

Ansible role to apply a security baseline. Systemd edition.

Tool for obfuscating and deobfuscating data. You can also refer to the companion blog post.

Get notified when actions are taken in the AWS Console.


Prevent cyberattacks from hurting your business with NordPass, a password manager designed by the team behind NordVPN. NordPass Business has been audited by Cure53 and is ISO 27001 and SOC 2 Type 1 certified.
NordPass is an intuitive tool that your employees will actually use. And that's ideal because password managers work their best magic when everyone in the company uses them. But if your team needs help, NordPass offers tech support 24/7.
Get started with a 14-day free trial

From the cloud providers

AWS Icon  How to use AWS Verified Access logs to write and troubleshoot access policies
How to manage the Verified Access logging configuration and how to use Verified Access logs to write and troubleshoot access policies faster.

AWS Icon  How to automate the review and validation of permissions for users and groups in AWS IAM Identity Center
How to automate your IAM Identity Center users and groups permission review process with AWS SDK and AWS serverless services.

AWS Icon  How to Connect Your On-Premises Active Directory to AWS Using AD Connector
This blog post will shows how AD Connector works as well as walk through how to enable federated console access, assign users to roles, and seamlessly join an EC2 instance to an Active Directory domain.

AWS Icon  Cost considerations and common options for AWS Network Firewall log management
This blog post walks you through logging configuration best practices, discusses three common architectural patterns for Network Firewall logging, and provides guidelines for optimizing the cost of your logging solution.

GCP Icon  Direct VPC egress in Cloud Run sends traffic over a VPC easily
Now with direct VPC egress, you can send traffic from Cloud Run services and jobs directly to a VPC without needing to proxy through a VPC connector.

Azure Icon  Generally available: Azure Key Vault references for secrets in Azure Container Apps
You can now use Azure Key Vault references to access your secrets in Azure Container Apps.


Hiring? Feature your listings below - reach out now at [email protected]

Senior Product Security Engineer - Databricks
Databricks is looking for Security Engineers to help with security design reviews, threat models, manual code reviews, exploit writing and exploit chain creation.

Senior Cloud Security Engineer - Google Cloud
Google is looking for Security Engineers to support Google Cloud customers with specific classes of security and abuse incidents identified within their GCP environments.

Detection Engineer 2 - Datadog
We're building a platform that engineers love to use. Join us, and help usher in the future.

Senior Security Engineer - Patreon
Patreon is looking for a senior security engineer with experience and interest in both cloudsec and appsec to join their remote-friendly infrastructure team.

Platform Security Engineer - Trustpilot
Trustpilot is looking for a Platform Security Engineer to advance the security of their products, data, and infrastructure.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present, CloudSecList by Marco Lancini.