Release Date: 18/07/2021 | Issue: 96
CloudSecList is a newsletter for busy professionals who want to keep up to date with the cloud security industry. Hand-curated by Marco Lancini.

If you received it, you either subscribed or someone forwarded it to you. If you fit in the latter camp and want to subscribe, then you can click on this button:
Sign Up

Learn About the First Known Malware Targeting Windows Containers
In June, Palo Alto Networks' Unit 42 Threat Research team discovered Siloscape, the first known malware targeting Windows containers. Unit 42 researchers had previously only seen malware targeting Linux due to the popularity of that OS in cloud environments.
Watch the webinar on-demand to learn about the malware and how to protect against it, and visit the Unit 42 blog for a deep dive.

This week's articles

State of Kubernetes Security Report   #kubernetes, #strategy
The State of Kubernetes Security Report examines how companies are adopting Kubernetes, containers, and cloud-native technologies while meeting the challenges of securing their Kubernetes applications.

Announcing the results of Istio's first security assessment   #kubernetes, #istio
The assessment evaluated Istio's architecture as a whole for security related issues with focus on key components like istiod (Pilot), Ingress/Egress gateways, and Istio's overall Envoy usage as its data plane proxy. An important conclusion from the report is that the auditors found no "Critical" issues within the Istio project.

Getting Partial AWS Account IDs for any Cloudfront Website   #aws, #attack
A bug in AWS ACM allows to import valid TLS certificates for domains you don't own. Combined with a new Cloudfront feature this allows to extract AWS Account IDs for websites hosted on CloudFront.

Windows Container Forensics   #docker, #forensics
Post detailing both the research process and useful findings about Windows containers. It primarily focuses on the filesystem layers and does not cover containerised registry hives.

What I have learned from doing a year of Cloud Forensics in Azure AD   #azure, #forensics
Post sharing experience, challenges, and a methodology on doing Cloud forensics in Azure AD.

AWS Incident Response Playbook Samples   #aws, #defend
A collection of playbooks covering several common scenarios faced by AWS customers. They outline steps based on the NIST Computer Security Incident Handling Guide, that can be used to gather evidence, contain and then eradicate the incident, recover from the incident, and conduct post-incident activities.

Swimming past 2FA, part 1: How to spot an Okta MITM phishing attack   #monitor
Crafty attackers are finding new ways to bypass multiple-factor authentication. Find out how the Expel SOC detected an attack and get some tips on how your org can prevent credentials phishing.

Managing SSH Access at Scale with HashiCorp Vault   #vault, #defend
How to build scalable, role-based SSH access with SSH certificates and HashiCorp Vault.

Using Yor and Checkov to authorize IaC modifiers from CI/CD   #iac, #ci/cd
Authorize who can modify an IaC resource straight from your CI/CD pipeline using auto-tagging with Yor and policy-as-code with Checkov.

MITRE ATT&CK mappings released for built-in Azure security controls   #azure, #defend
The Security Stack Mappings for Azure research project was recently published, introducing a library of mappings that link built-in Azure security controls to the MITRE ATT&CK techniques they mitigate against.

File Permissions: the painful side of Docker   #docker, #explain
The whole issue with file permissions in docker containers comes from the fact that the Docker host shares file permissions with containers (at least, in Linux).


A proof-of-concept project that aims to sign and verify container images using cosign and OPA (Open Policy Agent).

AWS Security Analytics Bootstrap enables customers to perform security investigations on AWS service logs by providing an Amazon Athena analysis environment that's quick to deploy, ready to use, and easy to maintain.

Use the 1Password Connect Terraform Provider to reference, create, or update items in your 1Password Vaults.

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster.

Have you ever wondered what an application architecture would look like if you committed to using mostly all graduated or incubating projects from the Cloud Native Computing Foundation? This repo, the CNCF Projects App, attempts to answer that question with an example expense application that is made up almost exclusively of CNCF projects.

From the cloud providers

AWS Icon  TLS-enabled Kubernetes clusters with ACM Private CA and Amazon EKS
How to set up end-to-end encryption on Amazon EKS with AWS Certificate Manager Private Certificate Authority.

AWS Icon  Protect public clients for Amazon Cognito by using an Amazon CloudFront proxy
How to implement a lightweight proxy to an Amazon Cognito endpoint, which can be used with an application client secret to control access to unauthenticated API operations.

AWS Icon  Easily Manage Security Group Rules with the New Security Group Rule ID
A security group rule ID is an unique identifier for a security group rule. When you add a rule to a security group, these identifiers are created and added to security group rules automatically.

AWS Icon  How to create auto-suppression rules in AWS Security Hub
How to create automated suppression rules for specific types of findings in AWS Security Hub, such as ones that are an accepted risk by design, or have a compensating control.

Azure Icon  Advancing application reliability with the Azure Well-Architected Framework
The Microsoft Azure Well-Architected Framework is a set of guiding tenets that can be used to improve the quality of a workload. The framework consists of five pillars of architecture excellence: Cost Optimization, Operational Excellence, Performance Efficiency, Reliability, and Security. Incorporating these pillars helps produce high-quality, stable, and efficient cloud architecture.

Azure Icon  Privileged Identity Management with Azure Lighthouse enables Zero Trust
Azure Lighthouse makes it easier for service providers to automate their management of customer infrastructure. At the same time, it provides fine-grained access control that places the customer in charge of which resources are available to which service providers.

Azure Icon  Advancing resiliency threat modeling for large distributed systems
Post sharing insights into Microsoft's journey as they worked towards advancing their postmortem and resiliency threat modeling processes.

Azure Icon  Manage RDP and SSH connectivity at scale with Azure Bastion
Azure Bastion is a fully managed jumpbox-as-a-service that provides secure RDP and SSH connectivity to VMs deployed in any local or peered Azure Virtual Networks. Remote connectivity is established directly from the Azure Portal, over a transport layer security (TLS) connection, to the public IP address of Azure Bastion. From there, Azure Bastion establishes RDP and SSH sessions to the private IP address of the target VMs in the local or peered Virtual Network.

Thanks for reading!

If you found this newsletter helpful, I'd really appreciate if you could forward it to your friends and colleagues! 👌

If you have questions, comments, or feedback, let me know on Twitter (@lancinimarco / @CloudSecList), or at!

Forward Forward
Twitter Tweet
Share Share

How did you like this issue of CloudSecList?

1       2       3       4       5

Archives View in browser Sponsorship
© 2019-present, CloudSecList by Marco Lancini.