Release Date: 30/05/2021 | Issue: 89
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:

Are you building cloud applications with a distributed team? Check out Teleport, an open source identity-aware access proxy for cloud resources. Teleport provides secure access to anything running somewhere behind NAT: SSH servers, Kubernetes clusters, internal web apps and databases. Teleport ensures best security practices like role-based access, preventing data exfiltration, providing visibility and ensuring compliance. And best of all, it doesn't get in the way.
Download it today at

This week's articles

DNS infrastructure at Hulu   #explain
Post describing the evolution of Hulu's DNS infrastructure from a simple setup to a more distributed configuration that is capable of reliably handling a significantly higher request volume.

Detecting and Mitigating CVE-2021-25737: EndpointSlice validation enables host network hijack   #kubernetes, #monitor
A CVE has been found in Kubernetes kube-apiserver where an authorized user could redirect pod traffic to private networks on a Node. This post explains how Kubernetes is impacted and how to mitigate and detect it with Falco and OpenPolicyAgent.

DevSecOps Series: Shifting Security Left   #strategy
Post describing the different components of running a DevSecOps program as well as some of the (hard) lessons learned through the years.

Cloudbite - Bite-sized cloud learning with spaced repetition   #aws, #explain
Nice small website providing flashcards to learn cloud skills.

The CKA for security engineers   #kubernetes, #explain
There are many descriptions of the CKA exam process on the internet, but not that many from a security engineering perspective. This post discusses how a security engineer found the course, the preparation they did, and their experience of the exam.

Top 20 Dockerfile best practices   #docker, #explain
How to prevent security issues and optimize containerized applications by applying a quick set of Dockerfile best practices in your image builds.

Attacking Kubernetes Clusters Through Your Network Plumbing   #kubernetes, #attack
The use of routing daemons on Kubernetes clusters opens up new threat models built on the known security limitations of routing protocols. An attacker can exploit these new game rules to manipulate data traffic throughout the cluster, starting from low-privileged access to a single node in the cluster.

Locking Down SSH - The Right Way   #defend
A little guide for locking down a VPS or similar to ensure your SSH connection is as secure as can be.

Taking TeamTNT's Docker Images Offline   #docker, #defend
TeamTNT staged malicious images on Docker Hub using a legitimate user's Docker Hub account. The credentials to this Docker Hub account were accidentally committed to a public GitHub repo.

AWS Secrets Manager on Kubernetes using AWS Secrets CSI driver Provider   #aws, #build
Recently, AWS published a new backend implementation for the Secrets Store CSI Driver that allows using AWS Secrets Manager as a Secret Provider.

The Attack Path Management Manifesto   #strategy
Perspective, thoughts, and vision for directly dealing with the problem of Attack Paths.


Yor is an open-source tool that helps add informative and consistent tags across infrastructure-as-code frameworks such as Terraform, CloudFormation, and Serverless. Yor is built to run as a GitHub Action automatically adding consistent tagging logics to your IaC. Yor can also run as a pre-commit hook and a standalone CLI. You can also review the companion blog post.

Angle-grinder allows you to parse, aggregate, sum, average, min/max, percentile, and sort your data. You can see it, live-updating, in your terminal. Angle grinder is designed for when, for whatever reason, you don't have your data in graphite/honeycomb/kibana/sumologic/splunk/etc. but still want to be able to do sophisticated analytics.

crane is a tool for interacting with remote images and registries.

A kubectl plugin to show out-of-date images running in a cluster. The plugin will scan for all pods in all namespaces that you have at least read access to. It will then connect to the registry that hosts the image and (if it has permission) compare your tag against the list of current tags.

This repository contains a collection of cheatsheets put together for tools related to pentesting organizations that leverage cloud providers.

CONVEX is a group of CTFs that are independently deployable into participant Azure environments.

CLI tool to generate terraform files from existing infrastructure (reverse Terraform).

A plugin which allows users to create secrets with a secure input prompt, to prevent information leakage through terminal history, shoulder surfing attacks, etc.


AWS Auditing
A collection of tools useful when auditing an AWS account for security misconfigurations.

Sponsor CloudSecList

If you want to get your product or job ad in front of thousands of security professionals, ranging from engineers to CISOs and VCs, at companies ranging from small start-ups to Fortune500 and FAANG, you can reach out at
📨 [email protected] 📨

From the cloud providers

[AWS] How to monitor expirations of imported certificates in AWS Certificate Manager (ACM)
A Lambda function that makes use of CloudWatch rules to report back those certificates that are due to expire within a pre-defined amount of time.

[AWS] Building fine-grained authorization using Amazon Cognito, API Gateway, and IAM
How to use an Amazon Cognito user pool as a user directory and let users authenticate and acquire the JSON Web Token (JWT) to pass to the API Gateway.

[AWS] Use EC2 Instance Connect to provide secure SSH access to EC2 instances with private IP addresses
How to use Amazon EC2 Instance Connect to use SSH to securely access your EC2 instances running on private subnets within a VPC.

[AWS] Working with AWS Directory Service for Microsoft Active Directory
How to use AWS Directory Service with the AWS Transfer Family to securely provide permissions for file transfers to users in your AD groups.

[AWS] Visualize your AWS Infrastructure with Amazon Neptune and AWS Config
How to use Amazon Neptune with AWS Config to get an insight of your landscape on AWS and map out relationships.

[AWS] Audit companion for the AWS PCI DSS Quick Start
How to use automation to reduce the pain of manual and repetitive evidence collection. This will help you focus more on the compliance architecture rather than on evidence collection.

[GCP] New OS configuration management tool for VM Manager
A new version of OS configuration management within VM Manager makes it easier to manage large fleets of Compute Engine virtual machines.

[Azure] Who Watches the SOC Team? Enabling Audit/Risk Teams to Monitor the SOC
Blog discussing methods to monitor the actions of the SOC team from a risk and auditing standpoint.

[Azure] Announcing 15+ New Azure Sentinel Data Connectors
Microsoft announced over 15 new out-of-the-box data connectors for Azure Sentinel to enable data collection for leading products across different industries and clouds.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

© 2019-present, CloudSecList by Marco Lancini.