Release Date: 30/06/2024 | Issue: 244
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
📙 The CloudSec Engineer is out now!

The CloudSec Engineer is a practical guide on how to enter, establish yourself, and thrive in the Cloud Security industry as an individual contributor.

You can head over to engineer.cloudsecbooks.com to find more information about the book, its contents, and where to buy it.
Sponsor

Learn Azure and on-prem Red Teaming
With affordable and enterprise-like labs, Altered Security offers multiple Red Team hands-on courses with industry-recognized certifications. Join more than 30K professionals from 130+ countries.
Enjoy 20% OFF on all courses using HackerSummer20OFF (Stripe) from 1st July to 22nd July 2024.

This week's articles


Single Sign-On Or Single Point of Failure?
Has reliance on SSO left orgs with a single point of exploitation? Doyensec's latest research explores various IdP compromise scenarios and their impacts, as well as how to harden and detect these attacks in Teleport installations.   #attack   #defend   #saas


Attack Paths Into VMs in the Cloud
Virtual machines (VMs) are a significant attack target. Focusing on three major CSPs, this research summarizes the conditions for possible VM attack paths.   #attack   #aws   #azure   #gcp


Cryptographic Agility and Key Rotation
Google engineers discuss how to actually migrate to Post-Quantum Cryptography and explore the role cryptographic agility and key rotation play in this process.   #build   #strategy


Phishing Incident Report: Facts and Timeline
The AnyRun team provides an interesting postmortem and the first results of their investigation into the recent incident, and shares a full account of the events.   #defend   #monitor   #saas


AWS OIDC Provider Enumeration
A post expanding on Nick Frichette's discovery of enumerable OIDC providers in AWS using the known_aws_accounts dataset.   #attack   #aws


Publicly Exposed AWS SSM Command Documents
An analysis of the thousands of public SSM Command documents, including identification of secret leakage.   #attack   #aws


Understanding the Risks of Long-Lived Kubernetes Service Account Tokens
By preferring short-lived tokens over long-lived ones and enforcing policies with tools like Kyverno, organizations can significantly reduce the risk of token-based security incidents.   #defend   #kubernetes
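As an added illustration of the "short-lived over long-lived" advice (this is not code from the linked post), the manifests below show the two halves of the approach: a Pod that turns off the default auto-mounted token and instead requests a projected, audience-bound token that the kubelet rotates and that expires after an hour, followed by a Kyverno ClusterPolicy that rejects creation of the legacy, never-expiring Secrets of type kubernetes.io/service-account-token. Namespace, Pod, container, ServiceAccount and policy names are assumptions chosen for the example.

```yaml
# Constructed example: a workload that only ever holds a short-lived,
# audience-scoped service account token (not from the linked article).
apiVersion: v1
kind: Pod
metadata:
  name: api-client            # assumed name
  namespace: apps             # assumed namespace
spec:
  serviceAccountName: api-client   # assumed ServiceAccount
  # Do not mount the default token at /var/run/secrets/kubernetes.io/serviceaccount.
  automountServiceAccountToken: false
  containers:
    - name: app
      image: registry.example.com/api-client:1.0   # assumed image
      volumeMounts:
        - name: sa-token
          mountPath: /var/run/secrets/tokens
          readOnly: true
  volumes:
    - name: sa-token
      projected:
        sources:
          - serviceAccountToken:
              path: token
              # Token is rotated by the kubelet before it expires; the
              # minimum the API server accepts is 600 seconds.
              expirationSeconds: 3600
              # Bind the token to one audience so it cannot be replayed
              # against other services that validate SA tokens.
              audience: internal-api
---
# Constructed example: Kyverno policy that blocks the creation of
# long-lived service account token Secrets cluster-wide.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-long-lived-sa-tokens   # assumed policy name
spec:
  # Start with Audit in a brownfield cluster, switch to Enforce once
  # the policy reports are clean.
  validationFailureAction: Enforce
  background: true
  rules:
    - name: block-sa-token-secrets
      match:
        any:
          - resources:
              kinds:
                - Secret
      validate:
        message: >-
          Secrets of type kubernetes.io/service-account-token never expire.
          Use a projected serviceAccountToken volume or TokenRequest instead.
        deny:
          conditions:
            all:
              - key: "{{ request.object.type || '' }}"
                operator: Equals
                value: "kubernetes.io/service-account-token"
```

Before enforcing the policy, inventory what already exists with `kubectl get secrets -A --field-selector type=kubernetes.io/service-account-token`; anything that list returns is a credential that will keep working until the Secret is deleted, regardless of how the policy is configured going forward.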

Tools


tfprovidercheck
CLI to prevent malicious Terraform Providers from being executed.


SlimFaas
The slimmest and simplest Function As A Service.


Wut.dev
Wut.dev is a client-side browser for AWS Organizations and SCPs.


domain-protect-gcp
Protect against subdomain takeover in GCP.


CloudCommotion
Cloud Commotion intends to cause chaos to simulate security incidents.


dorothy
Dorothy is a tool to test security monitoring and detection for Okta environments. You can also refer to the companion blog post.

From the cloud providers


#AWS   How to use AWS Certificate Manager to enforce certificate issuance controls
An overview of the new IAM condition keys available with ACM.


#AWS   Use private key JWT authentication between Amazon Cognito user pools and an OIDC IdP
By redirecting the IdP token endpoint in the Cognito user pool's external OIDC IdP configuration to a route in an API Gateway, you can use Lambda functions to customize the request flow between Cognito and the IdP.


#GCP   New Cloud KMS Autokey can help encrypt your resources quickly and efficiently
Cloud KMS Autokey incorporates recommended practices that can significantly reduce the toil associated with managing your own encryption keys.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini