Release Date: 17/09/2023 | Issue: 205
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, you can sign up from the newsletter's website.

Top 10 CI/CD Security Risks
CI/CD pipelines are the heartbeat of software development and pipeline weaknesses are common targets for bad actors looking to instigate an attack. Get practical security tips on how to proactively identify and remediate the most critical CI/CD pipeline weaknesses, so that you can prevent issues like data leakage and malicious code injection.

This week's articles

ISO27001 and SOC2 Type II from Greenfield to Success   #strategy
Post delving into Clarity AI's experience in successfully obtaining ISO27001 and SOC2 Type 2 certifications within 10 months, shedding light on their strategies and insights for fellow scale-up companies.

Cloud storage security: What's new in the threat matrix   #defend
Microsoft has released an updated Cloud Storage Threat Matrix, providing security professionals with a comprehensive understanding of the threats and countermeasures related to cloud storage. The matrix covers various attack techniques and provides guidance on how to protect against them.

The shadow workflow's evil twin: A nearly invisible attack chain   #attack, #saas
A shadow workflow is a technique that abuses SaaS automation apps and their OAuth integrations to obtain code-execution-like capabilities, so that malicious actions appear to originate from a legitimate, trusted source.

The Azure Metadata Protection You Didn't Know Was There   #azure, #defend
Some Azure services have an additional, not widely known, protection mechanism against session token exfiltration.

The Hidden Dangers of Using Terraform's Remote-Exec Provisioner   #attack, #terraform
Without proper control and awareness, Terraform's remote-exec provisioner can pose significant security risks to your infrastructure, including the exfiltration of sensitive information.

AWS Console Session Traceability: How Attackers Obfuscate Identity Through the AWS Console   #attack, #aws
Attackers can take advantage of a quirk of the default AWS configuration (without SourceIdentity configured) to potentially make detecting and attributing their actions more difficult.

How Attackers Can Misuse AWS CloudFront Access to 'Make It Rain' Cookies   #attack, #aws
Post exploring two different attack scenarios: Cookie Theft via CloudFront Function, and Data Exfiltration via Lambda Function Modification.

A security community success story of mitigating a misconfiguration   #attack, #aws, #defend
Learn how security issues can be prevented by changing things outside of your own environment: the post looks at how a misconfiguration was occurring when GitHub Actions were integrated with AWS IAM roles, and at the improvements that have since made this misconfiguration much less likely.

Persistent Threat: New Exploit Puts Thousands of GitHub Repositories and Millions of Users at Risk   #attack, #ci/cd
A new vulnerability has been discovered that could allow an attacker to exploit a race condition within GitHub's repository creation and username renaming operations. This technique could be used to perform a Repojacking attack.

Policy management in Kubernetes is changing   #kubernetes, #opa
With Kubernetes 1.28, Kubernetes Validating Admission Policies are now in beta. Does that mean the end of third-party tools like Kyverno and OPA Gatekeeper?


Collection of tools for analyzing open source packages.

A Python script that helps automatically enumerate and acquire relevant data from an AWS environment.


Tines's Essential Guide to No-Code Automation for Security Teams serves as the ultimate resource on no-code automation for security practitioners. It provides an overview of what no-code automation is, why it is a critical skill for those at the forefront of security operations, and how to bring the power of no-code automation to your security team. In addition, the playbook includes a variety of resources, from customer case studies and success stories to tips to prepare for the future and best practices for implementation.

From the cloud providers

AWS: Operating models for Web App Security Governance in AWS
The article discusses different operating models for web application security governance in AWS. It provides examples of different models, including centralized, distributed, and hybrid approaches.

AWS: Access accounts with AWS Management Console Private Access
With this feature, you can limit access to the console only to a specified set of known accounts when the traffic originates from within your network.

AWS: Understanding DDoS simulation testing in AWS
Post explaining when it's appropriate to perform a DDoS simulation test on an application running on AWS, and what options you have for running the test.

AWS: SCP evaluation
Amazon updated the AWS Organizations service control policies (SCPs) evaluation page, which explains how SCPs are evaluated when they contain Allow and Deny statements.

AWS: AWS Identity and Access Management provides action last accessed information for more than 140 services
IAM now provides action last accessed information for more than 140 services to help you refine the permissions of your IAM roles.

GCP: Deploy, secure, and monitor streaming service with Media CDN
Post walking through the steps of securely turning up Google Cloud Media CDN.

GCP: Light the way ahead: Platform Engineering, Golden Paths, and the power of self-service
What is a Golden Path? Who is a Golden Path for? When to build Golden Paths?

GCP: Introducing Infrastructure Manager powered by Terraform
Infrastructure Manager uses Terraform to provision and manage Google Cloud resources using an integrated Infrastructure as Code (IaC) approach.

GCP: Effective alerting in Google Cloud
Understanding why each signal is being monitored helps design alerts that support triage before an incident happens.

Azure: Public Preview: Configure customer-managed keys on existing Cosmos DB accounts
Configure customer-managed keys for your existing Azure Cosmos DB account with Azure Key Vault.

Azure: Azure Front Door Standard and Premium support bring-your-own-certificate based domain validation
Azure Front Door Standard and Premium now support bring-your-own-certificate based domain validation, streamlining the steps and effort required to validate domain ownership.

Azure: Introduction to Azure DevOps Workload Identity Federation (OIDC) with Terraform
Azure DevOps is starting to support Workload Identity Federation. This post covers the end-to-end process of configuring and using Workload Identity Federation in Azure DevOps for your Terraform deployments.

Azure: Announcing Microsoft Defender for Cloud capabilities to counter identity-based supply chain attacks
How a new alert enrichment in Microsoft Defender for Cloud can help to detect and remediate identity-based supply chain attacks.

Azure: General availability: Sensitive Data Protection for Application Gateway Web Application Firewall
Protect the sensitive data stored in your Web Application Firewall (WAF) logs using log scrubbing on Azure's regional Web Application Firewall running on Application Gateway.


Hiring? Feature your listings below - reach out now.

Cloud Security Engineer - Wolt
Wolt is hiring a Security Engineer to focus on cloud security and incident response.

Senior Security Engineer - Confluent
Confluent is hiring a Senior Security Engineer to focus on cloud security. The role involves designing and implementing security controls, conducting security assessments, and collaborating with engineering teams to ensure the security of Confluent's cloud-native platform.

Data Loss Prevention SecOps Analysis Team Lead - CapitalOne
The role involves leading a team to develop and implement data loss prevention strategies and technologies, as well as managing incidents and conducting investigations.

Cloud Networking Engineering Manager - Netflix
Netflix is looking for an experienced Engineering Manager who will lead and grow a team of senior engineers for the Cloud Networking group in the Network Platform organization.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList)!

© 2019-present, CloudSecList by Marco Lancini.