Release Date: 10/05/2020 | Issue: 36
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

This week's articles

Privilege Escalation in Google Cloud Platform
Similar to what they did for AWS in the past, this blog post from the Rhino Security Labs team aims to provide a reference for privilege escalation techniques, this time for Google Cloud Platform (there is also a part 2 which covers non-IAM related methods). If you are not interested in the details of each privilege escalation, consider jumping straight to the new privilege escalation scanner for GCP.

Secure your team's code with code scanning and secret scanning
Code scanning is now available as a GitHub-native experience. With code scanning enabled, every 'git push' is scanned for new potential security vulnerabilities, and results are displayed directly in your pull request. In addition, secret scanning is also now available for private repositories.

Following the CloudTrail: Generating strong AWS security signals with Sumo Logic
A blog post explaining how the Expel team uses a SIEM (in this example, Sumo Logic) to generate security leads from AWS signals. The post also shares some detection use cases (with examples) to try out in your own environment, regardless of what SIEM you use.

Validate Kubernetes API Versions With Conftest
How to use Conftest and Open Policy Agent for validating Kubernetes API versions, leveraging the CI pipeline to notify on the usage of deprecated APIs.
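The check the article builds as a Rego policy for Conftest can be expressed directly in code, which makes it easy to unit-test before wiring it into CI. The example below is added here and is not the article's policy nor part of Conftest or OPA: it is a plain-Python stand-in that parses a multi-document manifest, looks up each object's apiVersion/kind in a deprecation table, and distinguishes "deprecated" from "removed" for the Kubernetes version you are upgrading to. The table is a subset of upstream Kubernetes deprecations, two-space indentation is assumed, and the sample manifests are constructed for this example.

```python
"""Flag Kubernetes manifests that use deprecated or removed API versions.

Added example: a plain-Python stand-in for the Rego policy the article runs
through Conftest, so the same check can be run or unit-tested without OPA.
Assumptions: the deprecation table is a subset of upstream Kubernetes
deprecations, manifests use 2-space indentation, and the sample manifests
at the bottom are constructed for this example.
"""
import re

# (apiVersion, kind) -> (replacement apiVersion, first minor release without it)
DEPRECATED = {
    ("extensions/v1beta1", "Deployment"): ("apps/v1", "1.16"),
    ("extensions/v1beta1", "DaemonSet"): ("apps/v1", "1.16"),
    ("extensions/v1beta1", "ReplicaSet"): ("apps/v1", "1.16"),
    ("apps/v1beta1", "Deployment"): ("apps/v1", "1.16"),
    ("apps/v1beta2", "Deployment"): ("apps/v1", "1.16"),
    ("extensions/v1beta1", "NetworkPolicy"): ("networking.k8s.io/v1", "1.16"),
    ("extensions/v1beta1", "Ingress"): ("networking.k8s.io/v1", "1.22"),
    ("networking.k8s.io/v1beta1", "Ingress"): ("networking.k8s.io/v1", "1.22"),
}


def version_tuple(v):
    """'v1.16.3' -> (1, 16): only major.minor matter for API removals."""
    parts = v.lstrip("v").split(".")
    return (int(parts[0]), int(parts[1]))


def parse_manifests(text):
    """Minimal multi-document parser: reads top-level apiVersion, kind and metadata.name."""
    docs = []
    for chunk in re.split(r"^---\s*$", text, flags=re.MULTILINE):
        doc = {"apiVersion": None, "kind": None, "name": None}
        in_metadata = False
        for line in chunk.splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            if not line.startswith(" "):          # top-level key
                in_metadata = line.startswith("metadata:")
                key, _, value = line.partition(":")
                if key in ("apiVersion", "kind"):
                    doc[key] = value.strip()
            elif in_metadata and re.match(r"^  name:", line):
                # exactly two spaces: metadata.name, not metadata.labels.name
                doc["name"] = line.partition(":")[2].strip()
        if doc["apiVersion"] and doc["kind"]:
            docs.append(doc)
    return docs


def find_deprecated(text, target_version=None):
    """One finding per offending object; status is 'removed' when a cluster
    at target_version would reject the object outright, else 'deprecated'."""
    findings = []
    for doc in parse_manifests(text):
        key = (doc["apiVersion"], doc["kind"])
        if key not in DEPRECATED:
            continue
        replacement, removed_in = DEPRECATED[key]
        status = "deprecated"
        if target_version and version_tuple(target_version) >= version_tuple(removed_in):
            status = "removed"
        findings.append({"name": doc["name"], "kind": doc["kind"],
                         "apiVersion": doc["apiVersion"], "use": replacement,
                         "removed_in": removed_in, "status": status})
    return findings


# Constructed sample: one removed-in-1.16 Deployment, one fine, one old Ingress.
SAMPLE_MANIFESTS = """\
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: web
  labels:
    name: not-the-object-name
spec:
  replicas: 2
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: web-ingress
"""

if __name__ == "__main__":
    for f in find_deprecated(SAMPLE_MANIFESTS, target_version="1.16"):
        print(f"{f['kind']}/{f['name']}: {f['apiVersion']} is {f['status']} "
              f"(removed in {f['removed_in']}); use {f['use']}")
```

In a pipeline you would fail the job on any "removed" finding and warn on "deprecated" ones, passing the version of the cluster you are about to upgrade to as `target_version`; the same split is what makes the Conftest approach in the article useful ahead of an upgrade rather than after it.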

How to monitor OPA Gatekeeper with Prometheus metrics
If you have deployed OPA Gatekeeper, monitoring this admission controller is as relevant as monitoring the rest of the Kubernetes control plane components. If something breaks here, Kubernetes won't deploy new pods in your cluster; and if it's slow, your cluster scale performance will degrade.

Monitor and Notify on AWS Account Root User Activity and Other Security Metrics
Organizations usually end up piping all cloud API logs to a SIEM (Elasticsearch, Splunk, etc.) and creating alerts based on user and service activity, but what about personal accounts? This article shares a monitoring setup "on a budget" to use in a private AWS account. In addition, the companion GitHub repo provides a Terraform module that creates a multi-regional Trail, connects it with a CloudWatch Log Group, and creates a number of metric filters and metric alarms to receive SNS notifications for high-noise actions.
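The metric filters in such a setup are just predicates over CloudTrail records, and it is worth being able to run them over sample events before paying for alarms. The example below is added here and is not the article's Terraform module: each rule is the Python equivalent of a CloudWatch Logs filter pattern (the root-activity rule mirrors the commonly used `$.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != "AwsServiceEvent"` pattern), and the sample records are constructed for this example. Rule names and the exact set of IAM actions flagged are choices made here, not taken from the article.

```python
"""Classify CloudTrail records with the logic of CloudWatch Logs metric filters.

Added example, not the article's Terraform module. Each rule below is the
Python equivalent of a CloudWatch Logs filter pattern; the root-activity
rule mirrors the widely used pattern
  { $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS
    && $.eventType != "AwsServiceEvent" }
Rule names and the IAM action list are this example's choices; the sample
records at the bottom are constructed.
"""
import json

RULES = []  # list of (rule_name, predicate over one parsed CloudTrail record)


def rule(name):
    """Register a predicate under a metric-filter-like name."""
    def register(fn):
        RULES.append((name, fn))
        return fn
    return register


@rule("root_activity")
def root_activity(ev):
    # Root credentials used directly. AWS-internal service events also show
    # type=Root but carry invokedBy and/or eventType=AwsServiceEvent; skip those.
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


@rule("console_login_failure")
def console_login_failure(ev):
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure")


@rule("cloudtrail_tampering")
def cloudtrail_tampering(ev):
    return (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"})


@rule("iam_policy_change")
def iam_policy_change(ev):
    return (ev.get("eventSource") == "iam.amazonaws.com"
            and ev.get("eventName") in {
                "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "PutRolePolicy",
                "AttachGroupPolicy", "PutGroupPolicy", "CreatePolicyVersion"})


def classify(ev):
    """Names of every rule one record matches (a record may hit several)."""
    return [name for name, fn in RULES if fn(ev)]


def scan(lines):
    """Count rule hits over newline-delimited JSON CloudTrail records."""
    hits = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        for name in classify(json.loads(line)):
            hits[name] = hits.get(name, 0) + 1
    return hits


# Constructed sample records, trimmed to the fields the rules read.
SAMPLE_EVENTS = [
    json.dumps({"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
                "eventSource": "signin.amazonaws.com",
                "userIdentity": {"type": "Root", "accountId": "111122223333"},
                "responseElements": {"ConsoleLogin": "Success"}}),
    json.dumps({"eventType": "AwsServiceEvent", "eventName": "CreateServiceLinkedRole",
                "eventSource": "iam.amazonaws.com",
                "userIdentity": {"type": "Root", "invokedBy": "AWS Internal"}}),
    json.dumps({"eventType": "AwsConsoleSignIn", "eventName": "ConsoleLogin",
                "eventSource": "signin.amazonaws.com",
                "userIdentity": {"type": "IAMUser", "userName": "alice"},
                "responseElements": {"ConsoleLogin": "Failure"}}),
    json.dumps({"eventType": "AwsApiCall", "eventName": "StopLogging",
                "eventSource": "cloudtrail.amazonaws.com",
                "userIdentity": {"type": "IAMUser", "userName": "bob"}}),
    json.dumps({"eventType": "AwsApiCall", "eventName": "AttachUserPolicy",
                "eventSource": "iam.amazonaws.com",
                "userIdentity": {"type": "IAMUser", "userName": "bob"}}),
    json.dumps({"eventType": "AwsApiCall", "eventName": "GetObject",
                "eventSource": "s3.amazonaws.com",
                "userIdentity": {"type": "IAMUser", "userName": "carol"}}),
]

if __name__ == "__main__":
    for name, count in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{name}: {count}")
```

The second sample record is the one that usually causes false positives: a service-linked event shows `type=Root` but is not a human using root credentials, which is why the filter also checks `invokedBy` and `eventType`. In a personal account, where root activity should be near zero, every `root_activity` hit is worth an SNS notification; the noisier rules are better aggregated over a window before alarming.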

aws-vault Vulnerable to DNS Rebinding Attacks
aws-vault's EC2 metadata service proxy is vulnerable to DNS rebinding attacks. Web pages you visit might be able to steal your AWS credentials if you have the server running on localhost.


An AWS IAM security assessment tool which scans accounts for violations of Least Privilege and identifies policies that can lead to Privilege Escalation, Data Exfiltration, Resource Exposure, and Infrastructure Modification. It also generates a nice HTML report that can help with triaging and remediation, as well as identifying high-value IAM principals to target during a penetration test.

Splunk Attack Range
The Attack Range is a detection development platform which allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk.

From the cloud providers

IAM Access Analyzer flags unintended access to S3 buckets shared through access points
To help you identify buckets that can be accessed publicly or from other AWS accounts or organizations, IAM Access Analyzer now analyzes access point policies in addition to bucket policies and bucket ACLs. This helps you find unintended access to S3 buckets that use access points.

AWS IAM introduces updated policy defaults for IAM user passwords
To improve the default security for all AWS customers, AWS is adding a default password policy for IAM users in AWS accounts. This update will be made globally to the IAM service on August 3rd, 2020.

Amazon CloudWatch now monitors Prometheus metrics - Now in Beta
You can use Amazon CloudWatch to monitor Prometheus metrics from Amazon Elastic Kubernetes Service (EKS) and Kubernetes clusters. With this new feature, DevOps teams can automatically discover services for containerized workloads such as AWS App Mesh, NGINX, and Java/JMX.

Windows Server containers on GKE now GA
Google launched the preview of Windows Server container support in Google Kubernetes Engine (GKE) earlier this year, which is now generally available for production use.

Understanding forwarding, peering, and private zones in Cloud DNS
How to use some of Google's DNS constructs to connect multiple zones to your on-premises DNS infrastructure, using a combination of zones, peering, and forwarding.

Azure Security Center enhancements
At Ignite 2019, Microsoft announced the preview of more than 15 new features for Azure Security Center. This blog provides an update for the features that are now generally available to all customers.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.