Release Date: 26/04/2020 | Issue: 34
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

This week's articles

Pillaging AWS ECS Task Definitions for Hardcoded Secrets
In addition to EC2 user data and Lambda functions, ECS task definitions can be a great place to pillage for hardcoded secrets. The RhinoSecurity team added two modules to Pacu, aimed at making the process of enumerating ECS simple for anyone looking to test resources in ECS.

Disable most AWS CloudTrail logging without triggering GuardDuty
Second post from the RhinoSecurity team. In short, an attacker can use the "cloudtrail:PutEventSelectors" API and configure the event selectors in a way that nothing besides KMS events is logged.

How to monitor Kubernetes audit logs
How to leverage the power of Kubernetes audit logs to get deep insight into your clusters. The article explains what Kubernetes audit logs are, as well as how to configure audit log collection and monitoring with Datadog.

Attacking and Auditing Docker Containers and Kubernetes Clusters
Free course content, lab setup instructions, and documentation of a hands-on training.

How we trained our SOC analysts to be effective in AWS
Interesting threads discussing how to train SOC analysts for cloud (AWS) environments: learn how it works, learn how you can break it, practice responding.

Become an IAM Policy Master in 60 Minutes or Less
re:Invent 2018 talk which covers the different types of policies and describes how they work together to control access to resources in AWS accounts and across AWS organizations.

Open Policy Agent: Authorization for the Cloud
Nice article from OPA co-creator @tlhinrichs on the 3 most common OPA use cases.

Increasing Developer Velocity in the Cloud Operating Model
Joint whitepaper co-authored by GitHub and HashiCorp, which discusses how HashiCorp tools and the GitHub platform work together to enable organizations to adopt a strong CI/CD workflow and increase developer velocity.

Announcing HashiCorp Cloud Engineering Certifications
HashiCorp announced their own certification program, starting with the "TerraformCertified" and "VaultCertified" exams.


aws-iam-authenticator is a tool that lets you use AWS IAM credentials to authenticate to a Kubernetes cluster.

Lateral Movement Graph for Azure AD
AzureADLateralMovement lets you build Lateral Movement graphs for Azure Active Directory entities (Users, Computers, Groups and Roles). As a plus, it is compatible with BloodHound.

From the cloud providers

Establishing your best practice AWS environment
Amazon released some advice on how to set up your multi-account structure in AWS.

AWS Security Hub launches the Foundational Security Best Practices standard
AWS Security Hub has launched a new security standard: AWS Foundational Security Best Practices v1.0.0, based on CIS controls.

Use AWS Control Tower to set up new multi-account AWS environments in AWS Organizations
AWS Organizations customers can now use AWS Control Tower to manage newly created organizational units (OUs) and accounts. This allows cloud administrators and architects to set up an AWS Control Tower landing zone with an existing Organization.

How to track changes to secrets stored in AWS Secrets Manager using AWS Config and AWS Config Rules
You can now use AWS Config to track changes to secrets' metadata, such as the secret description and rotation configuration, relationships to other AWS resources such as the KMS key used for secret encryption and the Lambda function used for secret rotation, and attributes such as tags associated with the secrets.

Identify the identity responsible for the actions performed using IAM roles
IAM now makes it easier to identify who is responsible for an AWS action performed by an IAM role when viewing AWS CloudTrail logs. Adding the new service-specific condition, "sts:RoleSessionName", in an IAM policy, enables you to define the role session name that must be set when an IAM principal (user or role) or application assumes the IAM role. AWS adds the role session name to the AWS CloudTrail log when the IAM role performs an action, making it easy to determine who performed the action.

Amazon GuardDuty simplifies multi-account threat detection with support for AWS Organizations
Amazon GuardDuty added support for AWS Organizations to simplify threat detection across all existing and future accounts in an organization.

Security blueprint: PCI on GKE
The first in a series of GCP Security Blueprints. It covers PCI on GKE and contains a set of Terraform configurations and scripts that demonstrate how to bootstrap a PCI environment in Google Cloud. This blueprint enables you to quickly and easily deploy workloads on GKE that align with PCI DSS in a repeatable, supported, and secure way.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate it if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

© 2019-present, CloudSecList by Marco Lancini.