Release Date: 24/09/2023 | Issue: 206
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:

Ever Wondered Who Still Has Access to Your Tools Post-Offboarding?
Mismanaged exits have led to breaches in 20% of businesses. While SaaS tools like Atlassian and Slack might be on your radar, it's the unexpected ones in Shadow IT that can catch you off guard. Resmo provides a comprehensive sweep, ensuring no access is left unchecked.
👉 Don't let oversight be your downfall. Start securing your SaaS stack.

This week's articles

How to Rotate Leaked API Keys   #aws, #azure, #ci/cd, #defend, #gcp
A collection of API key rotation tutorials for AWS, GCP, GitHub, and more.

Source Code Management Platform Configuration Best Practices   #ci/cd, #defend
Guide exploring the best practices for securing GitHub and GitLab, covering topics that include user authentication, access control, permissions, monitoring, and logging.

When MFA isn't actually MFA   #attack, #saas
Retool experienced a security breach due to a spear phishing attack in August 2023. Attackers used social engineering tactics, compromising an employee's Google Authenticator, which exposed multi-factor authentication (MFA) codes.

AWS's Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation   #attack, #aws
The Sysdig Threat Research Team (TRT) has uncovered a novel cloud-native cryptojacking operation which they've named AMBERSQUID. This operation leverages AWS services not commonly used by attackers, such as AWS Amplify, AWS Fargate, and Amazon SageMaker.

The MGM Breach and the Role of IdP in Modern Cyber Attacks   #attack, #iam, #saas
A deep dive into the recent MGM breach and some insights into the actor behind the attack and possible mitigations.

38TB of data accidentally exposed by Microsoft AI researchers   #attack, #azure
Wiz Research found a data exposure incident on Microsoft's AI GitHub repository, including over 30,000 internal Microsoft Teams messages - all caused by one misconfigured SAS token.

Security flaws in an SSO plugin for Caddy   #attack
The Trail of Bits team identified 10 security vulnerabilities within the caddy-security plugin for the Caddy web server that could enable a variety of high-severity attacks in web applications, including client-side code execution, OAuth replay attacks, and unauthorized access to resources.

Ransomware Strikes Azure Storage: Are You Ready?   #attack, #azure, #defend
Post discussing Azure Storage Accounts, pointing out forensic artifacts in Azure that can help investigate ransomware attacks, and offering methods for attack detection.

Maintaining persistence via Shared sessions on Cloud Workstations   #attack, #gcp
When an owner initiates a session and performs actions like gcloud auth login, the session state persists, shared across multiple users accessing the workstation through the same URL. This means that any user with access to the workstation can view and interact with the session artifacts created by the owner.

Passkeys are generally available on GitHub   #announcement, #ci/cd
All users can now register a passkey to sign in without a password.


Iamlive, which generates least-privilege roles by intercepting network calls to your cloud environment, now also supports Azure and GCP.

A collection of authentication Go packages related to OIDC, JWKs, Distributed Claims, and LDAP.

Container image linter for security.

PMV is a tiny utility for working with the 1password CLI.

A repository providing sample templates for security playbooks against various scenarios when using AWS.


CNAPP for Dummies
Wiz partnered with Wiley to create the Cloud Native Application Protection Platform (CNAPP) for Dummies eBook. This free 48-page PDF includes everything you *need* to know to secure the changing landscape of cloud-native applications and protect your cloud environment today. You’ll learn:
  • The fundamentals of cloud-native security
  • Powerful tactics to strengthen security measures
  • Best practices for getting started
  • Techniques to shift security up the pipeline (and ahead of threats)
  • 10 strategies for maximizing the potential of your CNAPP
Get your free guide here.

From the cloud providers

AWS: Manage roles and entitlements with PBAC using Amazon Verified Permissions
Post covering roles and entitlements, how they apply to authorization decisions in apps, how customers implement roles and authorization in their apps today, and how to shift to a centralized PBAC model by using Amazon Verified Permissions.

AWS: How to implement cryptographic modules to secure private keys used with IAM Roles Anywhere
How you can use PKCS #11-compatible cryptographic modules, such as YubiKey 5 Series and Thales ID smart cards, with your on-premises servers to securely store private keys.

GCP: Introducing the unified Chronicle Security Operations platform
Chronicle's latest update unifies our SOAR and SIEM solutions, integrates Mandiant's attack surface management technology, and offers more robust application of threat intelligence.

GCP: Managed service egress with Private Service Connect interfaces
New PSC interfaces allow a service producer to access a consumer's network, while maintaining the separation of producer and consumer roles.

GCP: Go from logs to security insights faster with Dataform and Community Security Analytics
The open-source Community Security Analytics (CSA) provides pre-built queries and reports you can use on top of Log Analytics powered by BigQuery.

GCP: Manage infrastructure with Workload Identity Federation and Terraform Cloud
Terraform Cloud workspaces integrate with Workload Identity Federation to authenticate and then impersonate Google Cloud service accounts.

Azure: Authenticate Azure Monitor logs connector in Logic App with managed identity
When you enable managed identity authentication in a Logic App and grant it permissions on a Log Analytics workspace or Application Insights component, the Azure Monitor Logs connector can query data without you having to provide credentials, secrets, or Azure AD tokens.

Azure: General Availability: GitHub Advanced Security for Azure DevOps
How to enable GitHub Advanced Security for Azure DevOps code scanning, secret scanning, and dependency scanning in Azure DevOps and connect to Microsoft Defender for Cloud.


Hiring? Feature your listings below - reach out now at [email protected]

Senior Security Engineer, Threat Detection & Response - Airbnb
The Threat Detection and Response team (TDR) at Airbnb is focused on automating security detection, responding to security incidents, and working with partner teams to build capabilities that support the incident lifecycle.

Senior Cloud Security Engineer - Snowflake
Snowflake is looking for experts in cloud security architecture and operations who can help them maintain highly defensible cloud infrastructure, and follow SecDevOps best practices to reduce toil for their team and their internal customers.

Cloud Security Engineer - ComplyAdvantage
The role requires expertise in cloud security, containerization, and Kubernetes, and involves designing and implementing security solutions.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

© 2019-present, CloudSecList by Marco Lancini.