Release Date: 25/08/2024 | Issue: 252
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

On August 27th, SentinelOne humbly invites you to a good cloud security event.
Alongside speakers from AWS, Snyk, SANS, and more - plus a thoroughly ridiculous guest performance by Forrest Brazeal - we’ll dig deep on AWS and K8s security, ThreatOps for the cloud, and just what the heck we’re going to do about AI.

You can register for free and watch from home, so you really have no excuse not to come. See you there!

This week's articles


The Hunt for ALBeast: A Technical Walkthrough
A configuration-based vulnerability hidden within thousands of applications using the AWS ALB authentication feature.   #attack   #aws


An AWS IAM Security Tooling Reference
A guide to tools for auditing AWS IAM.   #aws   #iam


Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments
An extensive cloud extortion campaign leveraging exposed .env files of at least 110k domains to compromise organizations' AWS environments.   #attack   #aws


Holding Cloud Vendors to a Higher Security Bar
An opinionated, critical look at the state of security of vendor cloud integrations, along with recommendations for documenting and adhering to cloud security best practices for both vendors and customers.   #saas   #strategy


What is the probability that you can successfully assume an IAM role in a random AWS account?
This research collected valid IAM role ARNs that live in random AWS accounts and subsequently tried to assume them.   #attack   #aws


How some Let's Encrypt renewal failures pointed to an AWS traffic hijacking issue
A BGP-based feature of the AWS Direct Connect service allowed a third party to inject an incorrect route for an external IP assigned to an AWS customer, effectively hijacking their AWS-sourced traffic.   #attack   #aws


AiTM Phishing with Azure Functions
A phishing toolkit that runs serverless on Azure, based on Azure Functions to phish some Entra ID credentials and cookies.   #attack   #azure


The gift that keeps on giving: A new opportunistic Log4j campaign
The attack uses obfuscated LDAP requests to evade detection, leading to the execution of malicious scripts on compromised systems.   #attack   #saas


AWS IAM: A Comprehensive Guide Toward Least Privilege
Some AWS mechanisms we can use to achieve more robust permissions on AWS: Organizations, SCPs, IAM Access Analyzer, permission boundaries, and more.   #aws   #explain   #iam


Privilege Escalation via AWS Signer to Sign Code using Unauthorized ACM Certificate
AWS ACM has a missing security boundary that allows users with AWS Signer permissions, but without ACM permissions, to sign code using any ACM certificate within the same account.   #attack   #aws

📙 The CloudSec Engineer is out now!

The CloudSec Engineer is a practical guide on how to enter, establish yourself, and thrive in the Cloud Security industry as an individual contributor.

You can head over to engineer.cloudsecbooks.com to find more information about the book, its contents, and where to buy it.

Tools


example-permissions-boundary
Two example IAM permissions boundary policies as a starting point for creating your own permissions boundary to meet the security needs of your organization.


apeman
AWS Attack Path Management Tool.

From the cloud providers


#AWS   Amazon S3 now supports conditional writes
You can now check for the existence of an object before creating it.


#AWS   Making sense of secrets management on Amazon EKS for regulated institutions
Some of the key decisions involved in choosing between External Secrets Operator (ESO), Sealed Secrets, and ASCP for the Kubernetes Secrets Store Container Storage Interface (CSI) Driver, specifically for FSI customers with regulatory demands.


#AWS   Using Amazon GuardDuty Malware Protection to scan uploads to Amazon S3
A solution that uses Amazon EventBridge, AWS Lambda, and Amazon S3 to copy scanned S3 objects to a destination S3 bucket.


#GCP   Introducing delayed destruction for Secret Manager, a new way to protect your secrets
This new capability helps to ensure that secret material cannot be erroneously deleted, either by accident or as part of an intended malicious attack.


#GCP   "WireServing" Up Credentials: Escalating Privileges in Azure Kubernetes Services
An attacker with access to a vulnerable Microsoft Azure Kubernetes Services cluster could have escalated privileges and accessed credentials for services used by the cluster.


#AZURE   Announcing mandatory multi-factor authentication for Azure sign-in
Required MFA for all Azure users will be rolled out in phases starting in the 2nd half of calendar year 2024 to provide our customers time to plan their implementation.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco

© 2019-present CloudSecList · Marco Lancini