Release Date: 11/07/2021 | Issue: 95
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:

How do you keep your APIs Secure? 🤔
Most web apps have greater security risk in the form of exposed APIs rather than the UI. But how do you know if your APIs are secure?
Check out this API Security Testing guide from StackHawk and learn how you can find and fix API vulnerabilities to keep your apps on lock. 🔒
StackHawk's API Security Testing Guide

This week's articles

Hardening AWS EKS security with RBAC, secure IMDS, and audit logging   #kubernetes, #defend
First in a series of blog posts looking into the default settings used in AWS Elastic Kubernetes Service (EKS) deployments, and demonstrating how small misconfigurations or unwanted side-effects may put our clusters at risk.

Automated GDrive Backups with ECS and S3   #aws, #build
Architecture and implications of an automated process aiming to back up a GDrive account, relying on ECS Fargate and S3 Glacier. Disclaimer: I did write this post.

Revisiting Macie   #aws, #explain
Macie has come a long way from the initial release in 2018. It now supports Delegated Admin like GuardDuty, it has a proper Boto3 API, and there was even an 80% price reduction last year. You can also check the companion repository.

SimuLand: Understand adversary tradecraft and improve detection strategies   #azure, #attack
SimuLand is an open-source initiative by Microsoft to help security researchers deploy lab environments that reproduce well-known techniques used in real attack scenarios, actively test and verify the effectiveness of related Microsoft 365 Defender, Azure Defender, and Azure Sentinel detections, and extend threat research using telemetry and forensic artifacts generated after each simulation exercise. You can also check out the companion repository.

Open Policy Agent: The Top 5 Kubernetes Admission Control Policies   #kubernetes, #opa, #defend
These are the top five Kubernetes admission control policies that you should have running in your cluster right now.

How to defend against DNS exfiltration in AWS?   #aws, #defend
When and how Route 53 Resolver DNS Firewall and GuardDuty can help you block and detect suspicious traffic.

A deep dive into code to cloud tracing with Yor   #iac
With Yor, you can trace a misconfigured cloud resource back to code and pinpoint the ideal fix location in git.

13 Best Practices for using Helm   #kubernetes, #explain
13 best practices to help you create, operate, and upgrade applications using Helm.

Observing gRPC-based Microservices on Amazon EKS running Istio   #kubernetes, #monitor
Observing a Kubernetes-based distributed application using Jaeger, Zipkin, Prometheus, Grafana, and Kiali on Amazon EKS running Istio Service Mesh.

AuthZ: Carta's highly scalable permissions system   #design
How Carta's team rebuilt their permissions system on a new platform based on Google Zanzibar.

The Service Mesh: What Every Engineer Needs to Know about the World's Most Over-Hyped Technology   #explain
If you're a software engineer working anywhere near backend systems, the term "service mesh" has probably infiltrated your consciousness some time over the past few years.


AWS-based secrets management for Kubernetes. Leverages users' Kubernetes OIDC authentication tokens for AWS Secrets Manager secrets management.

Azure JWT Token Manipulation Toolset. May aid offensive practitioners in assessing conditional access policies for organizations utilizing Azure/Office365.

Open source IaC security scanner for public Helm charts.

This plugin for Policy Reporter brings additional Kyverno-specific information to the Policy Reporter UI. See which policies exist in your cluster, how they are configured, and whether there are any violations associated with them, in a graphical UI.

From the cloud providers

Build an end-to-end attribute-based access control strategy with AWS SSO and Okta
Post discussing the benefits of using an attribute-based access control (ABAC) strategy, and describing how to use ABAC with AWS Single Sign-On (AWS SSO) when you're using Okta as an identity provider (IdP).

How to monitor and track failed logins for your AWS Managed Microsoft AD
AWS Directory Service for Microsoft Active Directory provides customers with the ability to review security logs on their AWS Managed Microsoft AD domain controllers by either using a domain management EC2 instance or by forwarding domain controller security event logs to CloudWatch Logs.

How to integrate third-party IdP using developer authenticated identities
Amazon Cognito identity pools enable you to create and manage unique identifiers for your users and provide temporary, limited-privilege credentials to your application to access AWS resources.

Automate resolution for IAM Access Analyzer cross-account access findings on IAM roles
How to automatically resolve IAM Access Analyzer findings generated in response to unintended cross-account access for IAM roles. The solution automates the resolution by responding to the Amazon EventBridge event generated by IAM Access Analyzer for each active finding.

AWS Firewall Manager now supports central monitoring of VPC routes for AWS Network Firewall
AWS Firewall Manager now allows you to centrally monitor route configurations for AWS Network Firewall, and to get alerts on routes that are non-compliant with their configuration.

Managing log-based alerts
GCP released native email support for log alerting.

Research shows that enterprises look to cloud providers for security
A recent Google-commissioned study highlights how enterprises are more confident than ever in cloud security.

What's new: ASIM Authentication, Process, Registry and enhanced Network schemas
Microsoft added the Authentication, Process Events, and Registry Events schemas to the existing Networking and DNS schemas, and delivered normalized content based on them.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!



© 2019-present, CloudSecList by Marco Lancini.