Release Date: 04/05/2025 | Issue: 286
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.
Sponsor

Secure your cloud workspace before, during and after a breach
Your Google Workspace or Microsoft 365 platform is where your company works, communicates, and collaborates. Protecting it with a patchwork of native security and point solutions leaves gaps, the biggest being visibility after an attacker has made it inside your cloud workspace.

Material detects and stops more threats, responds faster to attacks, and protects data even after a breach, all without disrupting workflows or slowing your employees down.
See the Material Difference

This week's articles


Grafana security update: no customer impact from GitHub workflow vulnerability
On April 26, an unauthorized user exploited a vulnerability with a GitHub workflow to gain unauthorized access to tokens, all of which have now been invalidated.   #announcement   #attack   #supply-chain


Agent of Chaos: Hijacking NodeJS's Jenkins Agents
Praetorian found vulnerabilities in Node.js's CI/CD pipelines, which could lead to remote code execution and potential supply chain attacks.   #attack   #defend   #supply-chain


AWS Built a Security Tool. It Introduced a Security Risk.
The "Account Assessment for AWS Organizations" tool, designed to audit resource-based policies for risky cross-account access, ironically introduced cross-account privilege escalation risks due to flawed deployment instructions.   #attack   #aws   #iam


Shadow Roles: AWS Defaults Can Open the Door to Service Takeover
Post walking through multiple real-world scenarios, including how a malicious Hugging Face model can escalate privileges, how limited Glue access can impact other services, and how a single default role can ultimately lead to full control of an AWS account.   #attack   #aws


Insecure credential storage plagues MCP
Many MCP environments store long-term API keys for third-party services in plaintext on the local filesystem, often with insecure, world-readable permissions.   #ai   #attack


Preventing Cross-Service Confused Deputy Attacks in AWS ELB Logging
Post highlighting the inconsistency in AWS services regarding S3 bucket permissions and encryption methods.   #aws   #defend


Tag Your Way In: New Privilege Escalation Technique in GCP
This post introduces a novel privilege escalation technique in Google Cloud Platform (GCP) that exploits IAM Conditions in combination with tagBindings.   #attack   #gcp   #iam


Kubernetes v1.33: User Namespaces enabled by default
In Kubernetes v1.33 support for user namespaces is enabled by default. This means that, when the stack requirements are met, pods can opt-in to use user namespaces.   #announcement   #containers   #kubernetes


The Invisible Enemy: Unmasking Microsoft 365's Logging Blind Spots
Blog dissecting the limitations of Microsoft's activity logs, walking through real-world simulations using the msInvader tool, and highlighting what gets seen and what silently slips through the cracks.   #azure   #monitor

Sponsor

Eliminate misconfiguration with Fix by Resourcely
Remediating cloud resources is full of manual work: coordinating with stakeholders, prioritizing, planning rollouts, fast rollbacks, tracking progress, and more. Fix by Resourcely makes remediation painless, reducing MTTR and helping security teams move faster.

Become a Design Partner

Tools


cloud-snitch
Map visualization and firewall for AWS activity, inspired by Little Snitch for macOS.


github-oidc-utils
A wrapper around GitHub's OIDC API that also inspects the sub claim formats for both the organization and the repository.


mcp-installer
An MCP server that installs other MCP servers for you.


kye
Know Your Enemies - Check external access on your AWS account.


gcp-sa-key-checker
A recon tool for GCP Service Account Keys that requires no permissions. You can also refer to the companion blog post.

From the cloud providers


#AWS   AWS Systems Manager launches just-in-time node access
Customers can create zero standing privileges to nodes by requiring operators to request access to nodes managed by AWS Systems Manager that are running on AWS, hybrid, and multi-cloud environments before remotely connecting using AWS Systems Manager Session Manager.


#AWS   AWS Account Management now supports IAM-based account name updates
Using the new API, customers will no longer need root access to manage their account names, and they will be able to use authorized IAM principals within the account.


#GCP   Building an open ecosystem for AI-driven security with MCP
LLMs promise significant gains for security teams to augment human expertise in areas like threat detection, investigation, and response.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at feedback.cloudseclist.com!

Thanks,
Marco


© 2019-present CloudSecList · Marco Lancini