Release Date: 24/11/2024 | Issue: 265
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Cloud. Insurance.
Do those two words seem strange next to one another? That’s because true cloud commitment insurance has never existed before Archera.
Unlike a traditional FinOps platform, Archera is a cloud insurance provider that takes the risk out of forecasting your cloud spend. They actually reimburse you (right into your bank account!) if you overcommit on AWS Savings Plans or reserved instances. And they offer long or shorter term commitments—as low as 30 days—to provide flexibility.
Bet big on growth in the new year with less risk.
Check out Archera’s insured commitments

This week's articles


Cross-IdP impersonation: Hijacking SSO to access downstream apps
Cross-IdP impersonation is a growing trend as a method of hijacking SSO to access downstream apps, without needing to compromise accounts on your company's main IdP.   #attack   #saas


Attestations: A new generation of signatures on PyPI
PyPI has introduced index-hosted digital attestations, improving upon traditional PGP signatures to enhance security, usability, and cryptographic verification in the Python ecosystem.   #announcement   #defend   #supply-chain


Securing AWS Lambda - How Misconfigurations Can Lead to Lateral Movement
How several misconfigurations and user-defined code issues in AWS Lambda could lead to potential credential theft and lateral movement.   #attack   #aws


Sketchy Cheat Sheet - Story of a Cloud Architecture Diagramming Tool gone wrong
A series of vulnerabilities found in Google's Architecture Diagramming Tool, leading to its eventual decommissioning due to security concerns.   #attack   #gcp


The Dark Side of Domain-Specific Languages: Uncovering New Attack Techniques in OPA and Terraform
A deep dive into both new and known techniques for abusing infrastructure-as-code and policy-as-code tools.   #attack   #iac   #opa   #terraform


Access approvals considered harmful
If we're unsure about access being safe, adding an approval step can just be kicking the can down the road.   #iam   #process   #strategy


Azure Detection Engineering: Log idiosyncrasies you should know about
Post sharing a few inconsistencies found in Azure logs which make detection engineering more challenging.   #azure   #monitor


Resource Control Policies: Closing the data perimeter gap
This post explores the new Resource Control Policies feature, how it helps, what its limits are, and what we might see in the future.   #aws   #explain   #iam

Sponsor CloudSecList in 2025

If you want to get your product in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, take a look at:
🔗 cloudseclist.com/sponsor

Tools


sansshell
A non-interactive daemon for host management.


webvm
Virtual Machine for the Web.


semgr8s
Semgrep-based Policy Controller for Kubernetes.


duckdb_gsheets
DuckDB extension to read and write Google Sheets using SQL.

From the cloud providers


#AWS   AWS Application Load Balancer announces CloudFront integration with built-in WAF
A new one-click integration on Application Load Balancer (ALB) to attach an Amazon CloudFront distribution from the ALB console.


#AWS   Important changes to CloudTrail events for AWS IAM Identity Center
AWS recommends that you update your workflows that process the userName, principalId, userIdentity type, or group displayName fields in CloudTrail events for IAM Identity Center before these changes take effect on January 13, 2025.


#AWS   AWS announces Block Public Access for Amazon Virtual Private Cloud
AWS announced Virtual Private Cloud (VPC) Block Public Access (BPA), a new centralized declarative control that enables network and security administrators to authoritatively block Internet traffic for their VPCs.


#AWS   Centrally managing root access for customers using AWS Organizations
AWS Identity and Access Management (IAM) is launching a new capability allowing security teams to centrally manage root access for member accounts in AWS Organizations. You can now easily manage root credentials and perform highly privileged actions.


#AWS   AWS Command Line Interface adds PKCE-based authorization for single sign-on
AWS CLI v2 now supports OAuth 2.0 authorization code flows using the Proof Key for Code Exchange (PKCE) standard. This provides a simple and safe way to retrieve credentials for AWS CLI commands.


#AWS   Amazon CloudWatch launches Observability Solutions for AWS Services and Workloads on AWS
Solutions cover monitoring tasks including installing and configuring Amazon CloudWatch agent, deploying pre-defined custom dashboards and setting metric alarms.


#AWS   Updated whitepaper: Architecting for PCI DSS Segmentation and Scoping on AWS
This update brings significant enhancements by offering practical and actionable design patterns at the network layer, tailored to support PCI DSS.


#AWS   Introducing Amazon CloudFront VPC origins
A new feature that enables content delivery from applications hosted in private subnets within a customer's VPC.


#GCP   Shift-left your cloud compliance auditing with Audit Manager
Google announced that their Audit Manager service, which can digitize and help streamline the compliance auditing process, is now generally available.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini