These are the slides from Dino's keynote at H2HC. It starts with the mentality shift from thinking about the security of single machines ('box') to the security of many all at once, as fleet-wide scale security is incredibly powerful and makes some hard problems simple. Another main take-away is that in the cloud there are many somewhat overlapping, but mutually inconsistent, security models. Among them, the cloud provider's IAM (like AWS IAM) is the only security model that really matters, with everything else being 'defence in depth' at best.

This week, Google released two features to help protect and control GKE environments and support regulatory requirements: the general availability of GKE application-layer Secrets encryption, so you can protect your Kubernetes Secrets with envelope encryption; and customer-managed encryption keys (CMEK) for GKE persistent disks in beta, giving you more control over encryption of persistent disks.

Ever wondered how to aggregate all Kubernetes security events across AWS container services? Using AWS FireLens, you can route Falco events from several clusters into AWS CloudWatch, centralizing all security events in one view.

A blog post describing how to use Istio to secure multi-cloud Kubernetes applications, with zero code changes or redeployments, by leveraging the App Identity and Access Adapter.

That's a nice utility for easily managing session tokens and assume AWS IAM roles from the command line.

NCC released a tool for standing up (and tearing down!) purposefully insecure cloud infrastructure with Terraform. Sadcloud was created to easily allow security researchers to misconfigure AWS for training purposes, or to assess AWS-related security tools.

AWS playing catch up with GCP, this time deciding to use CoreOS Clair in ECR to carry out static analysis of vulnerabilities. The ECR API, the AWS CLI and SDKs have been extended with image scanning functionalities, and a managed service has been implemented for use in a CI pipeline. AWS also put together a sample available on GitHub that shows how you can utilize the new image scanning-related ECR APIs to perform scheduled re-scans of container images.

Many Kubernetes users want a LTS release channel that gets fewer updates, but patched actively. Apparently it is now possible on GKE: --release-channel=[stable|regular|rapid]

The imgcrypt library provides API extensions for containerd to support encrypted container images.