Release Date: 05/07/2020 | Issue: 44
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

This week's articles

The Current State of Kubernetes Threat Modelling
A post summarising the outcome produced by three main initiatives which took upon the challenge of threat modelling a Kubernetes cluster, so that anyone can use them as a starting point for their own (custom) threat modelling exercise. (Disclaimer: I did write this post)

Controlling egress traffic with Istio
Post presenting a working example of how to control egress traffic from specific source workloads to specific external services using Istio.

Cross-Cluster Traffic Mirroring with Istio
How to tackle the usual problem of testing in dev environments which do not have any (real) traffic? The Trivago team leveraged the traffic mirroring feature of Istio to replicate traffic from production to development environments. Watch out for customer data!

Encrypting Data while Preserving Formatting with the Vault Enterprise Transform Secrets Engine
Vault 1.4 Enterprise introduced a new secrets engine called Transform. Transform is a secrets engine that allows Vault to encode and decode sensitive values residing in external systems such as databases or file systems. The Transform engine allows to ensure that when a system is compromised, and its data is leaked, that the encoded secrets remain uncompromised even when held by an adversary.

Elastic Security opens public detection rules repo
Elastic open sourced detection-rules, a set of rules written for Elastic Security, with coverage for many MITRE ATT&CK techniques. It also includes a few for CloudTrail.

What Modern CI/CD Should Look Like
An opinionated article describing how large cloud providers don't seem to be providing best guidance on secure CI/CD workflows.

Tools for Cloud Examination
Interesting presentation describing how to setup a response environment and how to perform forensics in the cloud.

Inside Microsoft Threat Protection: Attack modeling for finding and stopping lateral movement
How to identify and augment incidents using behavioral evidence of lateral movement, detected through statistical modeling.

Using Malicious Azure Apps to Infiltrate a Microsoft 365 Tenant
Post describing a new attack vector: Azure Applications. Attackers can create, disguise, and deploy malicious Azure apps to use in their phishing campaigns. Once the attacker convinces the victim to click-to-install malicious Azure apps, they can map the user's organization, gain access to the victim's files, read their emails, send emails on their behalf (great for internal spear phishing), and a whole lot more.


Konstraint is a CLI tool to assist with the creation and management of constraints when using Gatekeeper.

From the cloud providers

AWS Icon  AWS Serverless Security Workshop
Workshop covering techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora. In particular, it focuses on 5 domains: identity & access management, infrastructure, data, code, logging & monitoring.

AWS Icon  Code signing using AWS Certificate Manager Private CA and AWS Key Management Service asymmetric keys
How to combine the asymmetric signing feature of the AWS Key Management Service (AWS KMS) and code-signing certificates from the AWS Certificate Manager (ACM) Private Certificate Authority (PCA) service to digitally sign any binary data blob and then verify its identity and integrity.

AWS Icon  How to build a CI/CD pipeline for container vulnerability scanning with Trivy and AWS Security Hub
How to build a continuous integration and continuous delivery (CI/CD) pipeline using AWS Developer Tools, as well as Trivy. You’ll build two Docker images, one with vulnerabilities and one without, to learn the capabilities of Trivy and how to send all vulnerability information to AWS Security Hub.

GCP Icon  Reinforcing our commitment to privacy with accredited ISO/IEC 27701 certification
Google Cloud is the first major cloud provider to receive an accredited ISO/IEC 27701 certification as a data processor. ISO/IEC 27701 (an extension of ISO/IEC 27001) provides guidance for implementing, maintaining, and continuously improving a Privacy Information Management System (PIMS).

GCP Icon  Detecting and responding to Cloud Logging events in real-time
Logging sinks can be used to build an event-driven system to detect and respond to log events in real time.

GCP Icon  A guide to setting up monitoring for object creation in Cloud Storage
Walkthrough on how to setup monitoring and alerting on object creation in Google Cloud Storage, using data access logs and logs-based metrics.

Azure Icon  Azure Container Registry: Securing container workflows
Azure Container Registry recently announced the general availability of features like Azure Private Link, customer-managed keys, dedicated data-endpoints, and Azure Policy definitions. These features provide tools to secure Azure Container Registry as part of the container end-to-end workflow.

Azure Icon  Announcing Azure Service Operator for Kubernetes
Microsoft released the Azure Service Operator, an open source project that allows users to expose several Azure services as Kubernetes operators.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present, CloudSecList by Marco Lancini.