Release Date: 17/05/2020 | Issue: 37
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

This week's articles

Abusing the osquery 'curl' table for pivoting into cloud environments
Any attacker that obtains query access to an osquery fleet can query the AWS metadata service using the curl table. This is turn allows attacker to obtain valid temporary credentials to access the AWS APIs with the instance-assigned privileges in a convenient and scalable fashion.

CloudGoat AWS Scenario Walkthrough: EC2_SSRF
New CloudGoat challenge designed to simulate how an attacker can exploit an AWS environment by leveraging various security misconfigurations to become a full admin user. This walkthrough will demonstrate the reconnaissance and exploitation steps required to complete this simulation utilizing Rhino's AWS pentest framework, Pacu.

Introducing the new alerting framework for Elastic Observability, Elastic Security, and the Elastic Stack
Elastic announces a new alerting framework that delivers a first-class alerting experience natively within the SIEM, Uptime, APM, and Metrics applications as part of the Kibana 7.7 release.

Azure Policy Initiatives vs Azure Policies: When should I use one over the other?
An overview of each service and why you should use one over the other.

Securing K8s Ingress Traffic with HashiCorp Vault PKIaaS and JetStack Cert-Manager
Installing certificates with a wildcard on Kubernetes doesn't solve cloud security problems, it only masks them. Learn how to use HashiCorp Vault for PKI management in k8s along with JetStackHQ's cert-manager.


Stormspotter creates an "attack graph" of the resources in an Azure subscription. It enables red teams and pentesters to visualize the attack surface and pivot opportunities within a tenant, and supercharges your defenders to quickly orient and prioritize incident response work.

AirIAM is an AWS IAM to least privilege Terraform execution framework. It compiles AWS IAM usage and leverages that data to create a least-privilege IAM Terraform that replaces the exiting IAM management method. AirIAM was created to promote immutable and version-controlled IAM management to replace today's manual and error prone methods.

From the cloud providers

AWS Icon  Explore AWS Global Infrastructure
Nice interactive map that shows the interconnectivity of the different AWS regions.

AWS Icon  AWS Foundational Security Best Practices standard now available in Security Hub
AWS Security Hub launched a new security standard called "AWS Foundational Security Best Practices". This standard implements security controls that detect when AWS accounts and deployed resources do not align with the security best practices.

AWS Icon  Enhanced Amazon Macie Now Available with Substantially Reduced Pricing
Amazon Macie is a fully managed service that helps discover and protect sensitive data, using machine learning to automatically spot and classify it. After some negative feedback, AWS made available a new, enhanced version of Macie with a simplified pricing plan (which reduced the price by 80%).

GCP Icon  Container Threat Detection conceptual overview
A high-level overview of Container Threat Detection concepts and features. Container Threat Detection can detect the most common container runtime attacks and alert in Security Command Center and optionally in Cloud Logging.

GCP Icon  Using logging for your apps running on Kubernetes Engine
Cloud Logging, and its companion tool Cloud Monitoring, are full featured products that are both deeply integrated into GKE. This blog post goes over how logging works on GKE and some best practices for log collection.

GCP Icon  New WAF capabilities in Cloud Armor for on-prem and cloud workloads
Google made a new WAF, including Cloud Armor, generally available to all customers, including features such as: geo-based access control, pre-configured WAF rules for SQLi and XSS, custom rules for Layer 7 filtering policies, and a Security Command Center integration.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present, CloudSecList by Marco Lancini.