Release Date: 19/07/2020 | Issue: 46
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

This week's articles

Byte Down: Making Netflix's Data Infrastructure Cost-Effective
Another very interesting post from the Netflix team detailing their approach and lessons learned in creating their data efficiency dashboard, which serves as a single source of truth for cost and usage trends for Netflix's data users.

Incident Response in the Cloud
Blog post walking through each phase you may encounter in a traditional incident response process and highlighting the differences introduced by cloud computing.

Detection and Response in AWS Mindmap
Nice mindmap from the Expel team, mapping ATT&CK cloud matrix techniques and common API calls used by redteams and attackers.

AWS Starter Kit - 2020 Edition
Collection of resources useful to get up to speed with AWS (happy to see CloudSecList mentioned!)

AWS Lambda abuse
Introduction to AWS Lambda in the context of DDoS attacks, outlining strategies that could be used to mitigate the impact of those attacks and create fail-safe serverless applications.

Container Breakouts – Part 1: Access to root directory of the Host
First post in a series showing container breakout techniques. The first post is about how to escape out of a container with access to the root directory of the host.

Windows Server Containers Are Open, and Here’s How You Can Break Out
Running any code in Windows Server Containers should be considered as dangerous as running admin on the host. These containers are not designed for sandboxing (as confirmed by Microsoft), and escapes are easy to perform.

Requesting Azure AD Request Tokens on Azure-AD-joined Machines for Browser SSO
How an attacker can leverage a compromised target to generate AzureAD tokens to reuse offline without knowing the credentials.

Azure File Shares for Pentesters
Azure services can be a handy way to bypass outbound domain filters/restrictions during assessments. Microsoft-hosted Azure file shares can be used, just like traditional on-prem SMB shares, to run tools and exfiltrate data.

Kubernetes CVE-2020-8559: Privilege escalation from compromised node to cluster
If an attacker is able to intercept certain requests to the Kubelet, they can send a redirect response that may be followed by a client using the credentials from the original request. This can lead to compromise of other nodes. You are only affected by this vulnerability if you treat the node as a security boundary, or if clusters share certificate authorities and authentication credentials.


PowerZure is a PowerShell project created to assess and exploit resources within Azure

From the cloud providers

AWS Icon  Updates to the security pillar of the AWS Well-Architected Framework
Highlights of the updates to the information in the Security Pillar whitepaper of the Well-Architected Framework, with an explanation of the new best practices and guidance.

AWS Icon  Implement automatic drift remediation for AWS CloudFormation using Amazon CloudWatch and AWS Lambda
How to use a custom AWS Lambda function and Amazon CloudWatch to implement automatic drift remediation and return resources created in a CloudFormation stack to compliance with the stack template.

AWS Icon  How to retroactively encrypt existing objects in Amazon S3 using S3 Inventory, Amazon Athena, and S3 Batch Operations
How to use Amazon S3 Inventory, Amazon Athena, and Amazon S3 Batch Operations to provide insights on the encryption status of objects in S3 and to remediate incorrectly encrypted objects in a scalable, resilient, and cost-effective way.

AWS Icon  Introducing the Cloud Development Kit for Terraform (Preview)
Amazon and HashiCorp introduced the developer preview of the Cloud Development Kit for Terraform (cdktf), that lets you define application infrastructure with familiar programming languages, while leveraging the providers and module definitions provided by Terraform. The CDK for Terraform preview is initially available in TypeScript and Python, with other languages planned in the future.

AWS Icon  Monitoring AWS Certificate Manager Private CA with AWS Security Hub
How to monitor your root CA and generate a security finding in Security Hub if your root is used to issue a certificate.

AWS Icon  Deploy a dashboard for AWS WAF with minimal effort
How to deploy a solution that will provide a fully automated dashboard for AWS Web Application Firewall (WAF) service. The solution uses logs generated and collected by AWS WAF, and displays them in a user-friendly dashboard.

AWS Icon  Identify, arrange, and manage secrets using enhanced search in AWS Secrets Manager
AWS Secrets Manager now allows to search secrets based on attributes such as secret name, description, tag keys, and tag values.

GCP Icon  Introducing Google Cloud Confidential Computing with Confidential VMs
Confidential Computing is a breakthrough technology which encrypts data in-use—while it is being processed. Confidential Computing environments keep data encrypted in memory and elsewhere outside the central processing unit (CPU).

GCP Icon  Compliance without compromise: Introducing Assured Workloads for Government
Google introduced Assured Workloads for Government, a new product that simplifies the compliance configuration process and provides seamless platform compatibility between government and commercial cloud environments.

GCP Icon  GCP Reference Architectures
GoogleCloudNext landing page with dozens of GCP reference architectures (smart home devices, rendering, gaming backends, distributed tracing, etc.).

GCP Icon  GKE best practices: Exposing GKE applications through Ingress and Services
Walk through of the different factors that should be considered when exposing applications on GKE, explain how they impact application exposure, and highlight which networking solutions each requirement will drive you toward.

GCP Icon  Mitigating Data Exfiltration Risks in GCP using VPC Service Controls
Post covering the basics of VPC Service Controls and how they can be used to mitigate data exfiltration risks in Google Cloud Platform.

GCP Icon  Using Cloud Asset Inventory feeds for dynamic configuration and policy enforcement
One underappreciated feature of Cloud Asset Inventory are feeds, which monitor resource and policy changes in real-time via a stream of events published to PubSub queues.

Azure Icon  Azure Files support and new updates in advanced threat protection for Azure Storage
Microsoft announced the preview of extending advanced threat protection for Azure Storage to support Azure Files and Azure Data Lake Storage Gen2 API, helping to protect data stored in file shares and data stores designed for enterprise big data analytics.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present, CloudSecList by Marco Lancini.