Release Date: 02/05/2021 | Issue: 85
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, you can do so via the sign-up link.

Threats in the Cloud During COVID-19
Prisma Cloud by Palo Alto Networks is hosting a LinkedIn Live event on May 4th on the topic of their latest Unit 42 Cloud Threat Report, which centers around the impact of COVID-19 on cloud security. RSVP to the live event to hear how organizations globally increased their cloud workloads by more than 20% during the pandemic, leading to an explosion of security incidents. To learn more about the Unit 42 team’s findings and recommendations, download the report here.

This week's articles

Automating Cartography Deployments on Kubernetes   #kubernetes, #build
Open sourcing an automated process to get Neo4j and Cartography up and running in a Kubernetes cluster, using HashiCorp Vault as the secrets management engine.

What's New in ATT&CK v9? Data Sources, Containers, Cloud, and more   #kubernetes, #monitor
Blog providing details on new data sources, cloud changes, container techniques and more additions to ATT&CK v9.

Falcosidekick + OpenFaas = a Kubernetes Response Engine   #kubernetes, #monitor
Post explaining the basic concepts for integrating your own Response Engine into K8S with the stack Falco + Falcosidekick + OpenFaaS.

Why You Shouldn't Use Config Maps to Store Sensitive Data in K8s   #kubernetes, #build
Sensitive data of cloud native applications should be stored using the built-in Secret object type rather than Kubernetes ConfigMaps.

Terraform Recommended Practices   #terraform, #explain
Guide describing HashiCorp's recommended Terraform practices and how to adopt them.

Docker Security Cheat Sheet   #docker, #build
Cheat sheet providing an easy-to-use list of common security mistakes and good practices that will help you secure your Docker containers.

How to monitor AWS SQS with Prometheus   #aws, #monitor
How to monitor AWS SQS with Prometheus by exporting the metrics offered by CloudWatch to Prometheus with the YACE exporter (Yet Another CloudWatch Exporter).

Secure Deployment: 10 Pointers on Secrets Management   #build
Secrets management is an important indicator of security maturity. This blog gives 10 pointers on how to do secrets management well.

Create Reproducible Security in Kubernetes with Helm 3 and Helm Charts   #kubernetes, #defend
How to use Helm and Helm Charts to create reproducible security in Kubernetes deployments, with a particular emphasis on user management with RBAC, secrets management, and chain of custody and provenance files.

Argo's Threat Model   #kubernetes, #attack
Another excellent threat model exercise conducted by Trail of Bits, this time on ArgoCD.


A tool focused on analysing and attacking Docker images.

Mirror images into your own registry and swap image references automatically.

Helps you export your cluster's kube-bench reports to remote targets like multiple Amazon S3 buckets, Azure Blob Storage, etc. in one go.

From the cloud providers

AWS: Disaster Recovery (DR) Architecture on AWS, Part II: Backup and Restore with Rapid Recovery
Different backup and restore strategies to meet the DR needs for your workload.

AWS: Hands-on walkthrough of the AWS Network Firewall flexible rules engine
How to deploy a demo AWS Network Firewall within your AWS account to interact, first-hand, with its rules engine.

GCP: Sign here! Creating a policy contract with Configuration as Data
Configuration as Data is an emerging cloud infrastructure management paradigm that allows developers to declare the desired state of their applications and infrastructure, without specifying the precise actions or steps for how to achieve it. Config Connector is the tool that allows you to express configuration as data in Google Cloud. There is also a sample repo.

GCP: Build security into Google Cloud deployments with our updated security foundations blueprint
Google launched an updated version of their Google Cloud security foundations guide and corresponding Terraform blueprint scripts, which provide step-by-step guidance for creating a secured landing zone into which you can configure and deploy your Google Cloud workloads.

GCP: Choose the best way to use and authenticate service accounts on Google Cloud
There are a variety of authentication methods that service accounts can employ, and it's important to use the right one based on your needs.

GCP: Risk governance of digital transformation: guide for risk, compliance & audit teams
Whitepaper describing what a cloud transformation means for risk, compliance, and audit functions, and how to best position those programs for success in the cloud world.

GCP: The evolution of Kubernetes networking with the GKE Gateway controller
Google announced the Preview release of the GKE Gateway controller, GCP's implementation of the Gateway API. Over a year in the making, the GKE Gateway controller manages internal and external HTTP/S load balancing for a GKE cluster or a fleet of GKE clusters.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

© 2019-present, CloudSecList by Marco Lancini.