Release Date: 09/05/2021 | Issue: 86
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

🟠 Middleware, middleware everywhere - and lots of misconfigurations to fix 🟠
If you attended the common nginx misconfigurations training, or are familiar with the project called Gixy created by Yandex, then you have an understanding of how easy it is to find middleware misconfigurations 😅. However these two research projects didn’t cover all of them. Frans Rosen, Security Advisor at Detectify, found several unthinkable exploits and he disclosed them on Detectify Labs.
👉 Take me to the research on Detectify Labs

This week's articles

Cloud Incident Response Framework   #defend
The Cloud Security Alliance released a new framework which aims to be the go-to guide for cloud customers to effectively prepare for and manage cloud incidents.

Making the Internet more secure one signed container at a time   #docker, #build
Google's introduction to Cosign, a tool which simplifies signing and verifying container images, aiming to make signatures invisible infrastructure - basically, it takes over the hard part of signing and verifying software for you.

Google Cloud IAM: Designs for Self-Service Privilege Escalation   #gcp, #defend
How Praetorian helped design security controls and observability features for Google Cloud IAM in a client's GCP environment. They also generated two technical artifacts for implementing these solutions: ephemeral-iam, which implements a token-based privilege escalation tool, and a technical guide to using Trusted Platform Modules (TPMs) for service account credential storage.

Unified threat detection for AWS cloud and containers   #aws, #docker, #monitor
Someone's AWS credentials were leaked. Follow this fictional story while the attacker persists their permissions, escalates, and uses the cloud for crypto mining.

Top trends from analyzing the security posture of open-source Helm charts   #docker, #defend
BridgeCrew scanned thousands of Helm charts available on Artifact Hub and shared their findings and trends.

Improving CIS Benchmark Alerting and Remediation in AWS   #aws, #defend
How to implement CIS alerts and automated remediation with EventBridge.

Hardening Palantir's Kubernetes Infrastructure with Cilium   #kubernetes, #defend
Palantir's InfoSec team shares their experience using Cilium to harden their Kubernetes Infrastructure.

Automate Patching Using AWS Systems Manager   #aws, #build
How to use AWS Systems Manager to create an automated schedule of patches for your EC2 instances.

Building an AWS Organization? Be sure to integrate....AWS IAM Access Analyzer   #aws, #build
Third post in a "Be sure to integrate..." series, which looks at 3 baseline services that should be enabled and integrated into your AWS Organization. The first post looked at AWS Security Hub, the second at GuardDuty, and this third post covers IAM Access Analyzer.

Password reset code brute-force vulnerability in AWS Cognito   #aws, #attack
The password reset function of AWS Cognito allows attackers to change the account password if a six-digit number (reset code) sent out by E-mail is correctly entered. By using concurrent HTTP request techniques, it was shown that an attacker can do more guesses on this number than mentioned in the AWS documentation (1587 instead of 20). If the attack succeeds and the attacked accounts do not have multi-factor authentication enabled, a full take-over of the attacked AWS Cognito user accounts would have been possible. The issue was fixed by AWS on 2021-04-20.

Monitor HashiCorp Vault Metrics and Logs   #vault, #monitor
A deep dive into the key metrics and logs for monitoring the health and performance of HashiCorp Vault.

Retrieve HashiCorp Vault Secrets with Kubernetes CSI   #vault, #kubernetes, #build
How to use CSI to expose secrets on a volume within a Kubernetes pod and retrieve them using the beta Vault Provider for the Kubernetes Secrets Store CSI Driver.


In the world of infrastructure-as-code security there are several tools for users to choose from. The goal of this repository is to help compare the different options so that users can choose the tool that best fits their own needs.

Pypi module to enable workload identity federation from AWS to GCP without the need for static credentials.

Find AWS resources that are not logging, and turn them on.

A tool for exploring and exploiting Firebase datastores. See also the companion blog post.

JAF is an Accenture, internally developed, red team-oriented tool for interacting with Jenkins build servers. You can also read the companion blog post.

From the cloud providers

AWS Icon  Introducing CloudFront Functions - Run Your Code at the Edge with Low Latency at Any Scale
AWS announced the availability of CloudFront Functions, a new serverless scripting platform that allows you to run lightweight JavaScript code at the 218+ CloudFront edge locations at approximately 1/6th the price of Lambda@Edge.

AWS Icon  IAM makes it easier for you to manage permissions for AWS services accessing your resources
How to use "aws:PrincipalIsAWSService", a new global AWS IAM condition key, to write policies that restrict access to your data from untrusted identities and unexpected network locations while safely granting access to AWS services.

AWS Icon  IAM 10th Anniversary: Top Recommendations for Working with IAM
A blog series featuring top recommendations for using IAM from AWS Heroes and APN Ambassadors, who will share recommendations which are driven from personal experiences using a service that's foundational for the security of AWS customers.

AWS Icon  Top Recommendations for IAM from Our AWS Heroes - Part 2: The Visual Editor and Federation
How the IAM visual editor helps you create policies by providing helpful documentation and the correct syntax. You'll also learn why you should use federation due to the short-term credentials made possible by IAM roles.

AWS Icon  AWS Audit Manager now offers three new frameworks
AWS Audit Manager now offers three new prebuilt standard frameworks: NIST Cybersecurity Framework version 1.1, AWS Foundational Security Best Practices, and AWS Well-Architected framework.

GCP Icon  Solving the Workload Identity sameness with IAM Conditions
Workload Identity however has a single Identity pool per project, which means two identical KSA's across two identical namespaces across two GKE clusters, will inherit the same IAM policy binding and therefore the same permissions. This is called the "Identity sameness".

GCP Icon  SRE at Google: Our complete list of CRE life lessons
The complete list of Customer Reliability Engineering (CRE) life lessons published in the past five years in one convenient location.

Azure Icon  What's New: Azure Sentinel: Zero Trust (TIC3.0) Workbook
The Azure Sentinel: Zero Trust (TIC3.0) Workbook provides an automated visualization of Zero Trust principles cross walked to the Trusted Internet Connections framework. This workbook leverages the full breadth of Microsoft security offerings across Azure, Office 365, Teams, Intune, Windows Virtual Desktop, and many more.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present, CloudSecList by Marco Lancini.