Release Date: 20/12/2020 | Issue: 68
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, you can sign up from the newsletter's website.
🎄 Holiday Break 🎄
After this issue, I will probably take a couple weeks off to disconnect and recharge.
CloudSecList will return in January!

This week's articles

Semgrep for Cloud Security   #iac, #defend
Experimenting with Semgrep to eradicate classes of (cloud) vulnerabilities from Infrastructure as Code. (Disclaimer: I did write this post)

Kubernetes RBAC Security Pitfalls   #k8s, #attack
Some common mistakes and vulnerabilities that you probably want to know about when designing, configuring or auditing Kubernetes authorization.

Escalating Away   #k8s, #attack
How the escalate verb in Kubernetes RBAC lets a principal that already holds it (together with update or create on roles/clusterroles) grant itself cluster-admin rights.
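As an added illustration (not code from the linked post), the manifests below show a ClusterRole carrying the escalate verb and the rewrite it makes possible. All names (ci-role-manager, the ci service account) are hypothetical.

```yaml
# Added example: a ClusterRole that can update ClusterRoles and carries
# "escalate". Without "escalate", the API server refuses any update that
# would grant permissions the caller does not itself hold.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ci-role-manager            # hypothetical name
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["get", "update", "patch", "escalate"]
---
# The role is bound to a service account (hypothetical ci/ci).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ci-role-manager-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ci-role-manager
subjects:
- kind: ServiceAccount
  name: ci
  namespace: ci
---
# Because it holds "escalate", the service account can rewrite the very
# ClusterRole it is bound to so that it grants everything. Applied as
# system:serviceaccount:ci:ci, this is accepted; applied by a principal
# with only "update" on clusterroles it is rejected as a privilege escalation.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ci-role-manager
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
```

To apply the last document as the bound service account you can use kubectl impersonation (`kubectl --as=system:serviceaccount:ci:ci apply -f ...`). When auditing a cluster, treat escalate (and bind) on roles/clusterroles as equivalent to cluster-admin for whoever holds them: `kubectl get clusterroles,roles -A -o json | jq -r '.items[] | select(.rules[]?.verbs[]? == "escalate") | .metadata.name'` lists the roles that carry it.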

Gaining Persistency on Vulnerable Lambdas   #aws, #attack
What can an attacker do if they find a Remote Code Execution (RCE) vulnerability in a Lambda function?

Google Cloud Platform (GCP) Service Account-based Privilege Escalation paths   #gcp, #attack
The Praetorian team uncovered a GCP risk scenario in which privileges in a compromised service can be used to further escalate privileges.

Keeping your GitHub Actions and workflows secure: Preventing pwn requests   #ci/cd, #attack
How to prevent a common GitHub Workflow mistake that could leave your project open to abuse by fork-based Pull Requests.
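As an added example (not taken from the GitHub Security Lab post), the two workflow files below show the mistake and one fix. The package names and secret name are hypothetical.

```yaml
# Added example, vulnerable workflow: pull_request_target runs in the context
# of the base repository, with a write-capable GITHUB_TOKEN and access to
# repository secrets, yet the job checks out and executes code from the fork.
name: build
on: [pull_request_target]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
      with:
        ref: ${{ github.event.pull_request.head.sha }}   # attacker-controlled tree
    - run: npm install && npm test     # fork's package.json scripts run with the secret in env
      env:
        NPM_TOKEN: ${{ secrets.NPM_TOKEN }}              # hypothetical secret
---
# Added example, hardened workflow: build untrusted PR code under the plain
# pull_request trigger, where a fork PR gets a read-only GITHUB_TOKEN and no
# repository secrets, so executing its code gains the attacker nothing.
name: build
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2        # default ref is the PR merge commit
    - run: npm install && npm test     # no secrets available to the job
```

The two documents are separate workflow files, shown in one block for comparison. If you genuinely need pull_request_target (for example to label or comment on PRs), keep it to steps that never check out or execute the PR head, and move anything that runs contributor code into a separate pull_request workflow.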

8 easy steps to improve your security posture in Azure   #azure, #defend
Slides from the equally named talk recorded at the Virtual Azure Community Day. Video is also available.

Run the Docker daemon as a non-root user (Rootless mode)   #docker, #build
Rootless mode graduated from experimental in Docker Engine v20.10. Rootless mode allows running the Docker daemon and containers as a non-root user to mitigate potential vulnerabilities in the daemon and the container runtime.

Shifting Threat Modeling Left: Automated Threat Modeling Using Terraform   #terraform, #defend
Learn how automated threat modeling can be performed just by looking at Terraform code.

OPA the Easy Way feat. Styra DAS!   #opa, #defend
At KubeCon NA 2020, Styra (creators of OPA) launched a free edition of their Declarative Authorization Service (DAS). This blog post explains the features of Styra DAS Free edition and how it simplifies OPA policy administration.


KaiMonkey provides example vulnerable infrastructure to help cloud security, DevSecOps and DevOps teams explore and understand common cloud security threats exposed via infrastructure as code.

An open-source system, delivered as a GitHub Action or Docker image, for creating and managing Kubernetes clusters from simple manifests with a GitOps approach.

From the cloud providers

AWS Icon  AWS CloudShell: Command-Line Access to AWS Resources
Amazon launched AWS CloudShell, with the goal of making the process of getting to an AWS-enabled shell prompt simple and secure, with as little friction as possible. Every shell environment that you run with CloudShell has the AWS CLI v2 installed and configured so you can run aws commands fresh out of the box.

AWS Icon  AWS CloudTrail Update: Turn on in All Regions & Use Multiple Trails
Starting immediately, you can simply specify that a trail applies to all regions and CloudTrail will automatically create the same trail in each region. In addition, with support for multiple trails, different stakeholders in the company can create and manage their own trails for their own needs.

AWS Icon  VPC Reachability Analyzer
Amazon announced VPC Reachability Analyzer, a network diagnostics tool that troubleshoots reachability between two endpoints in a VPC, or within multiple VPCs.

AWS Icon  AWS Systems Manager Fleet Manager
Fleet Manager is a new console-based experience in Systems Manager that enables systems administrators to view and administer their fleets of managed instances from a single location, in an operating-system-agnostic manner, without needing to resort to remote connections over SSH or RDP.

AWS Icon  Introducing AWS Systems Manager Change Manager
AWS launched AWS Systems Manager Change Manager, a new change management capability for AWS Systems Manager. It simplifies the way ops engineers track, approve, and implement operational changes to their application configurations and infrastructures.

AWS Icon  Get started with fine-grained access control in Amazon Elasticsearch Service
Amazon Elasticsearch Service (Amazon ES) provides fine-grained access control, powered by the Open Distro for Elasticsearch security plugin. The security plugin adds Kibana authentication and access control at the cluster, index, document, and field levels that can help you secure your data.

AWS Icon  Detecting sensitive data in DynamoDB with Macie
How to use Macie to detect sensitive data in Amazon DynamoDB tables by exporting the data to Amazon S3 so that Macie can scan the data.

AWS Icon  Use Macie to discover sensitive data as part of automated data pipelines
How to integrate Amazon Macie as part of the data ingestion step in your data pipeline. This solution provides an additional checkpoint that sensitive data has been appropriately redacted or tokenized prior to ingestion.

GCP Icon  How to Automate Governance Best Practices With Google Data Catalog and Terraform
Scripts and Terraform automation to help you ensure best practices in Google Data Catalog.

GCP Icon  Run shell commands and orchestrate Compute Engine VMs with Cloud Workflows
Automate the execution of shell commands in a fully serverless and secure way without managing private keys.

Azure Icon  Microsoft Cloud App Security (MCAS) Activity Log in Azure Sentinel
The Microsoft Cloud App Security (MCAS) connector lets you stream alerts and Cloud Discovery logs from MCAS into Azure Sentinel. This gives you visibility into your cloud apps, analytics to identify and combat cyberthreats, and control over how your data travels. The post details how to enable and configure the out-of-the-box MCAS connector.

Azure Icon  SolarWinds Post-Compromise Hunting with Azure Sentinel
To make it easier for security teams to visualize and monitor their environments for this attack, the MSTIC team has shared a SolarWinds Post Compromise hunting workbook via Azure Sentinel and the Azure Sentinel GitHub repository.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.