#build, #defend, #kubernetes

The top eight most popular open source Kubernetes security tools identified by a Redhat survey: OPA, KubeLinter, Kube-bench, Kube-hunter, Terrascan, Falco, Clair, and Checkov.

#attack, #defend, #docker

This research demonstrates the importance of keeping track of the images that you use, and not assuming that even official images from Docker Hub will be maintained in perpetuity.

#defend, #strategy

How to orienteer in a cloud environment, dig in to identify the risks that matter, and put together actionable plans that address short, medium, and long term goals. You can also refer to the companion check list.

#explain, #kubernetes

Kubernetes v1.22 provides an alpha release for the successor of Pod Security Policy (PSP), called Pod Security Admission (PSA). This post took an initial look at PSA and will cover what you need to know about how it works, and how you can start playing with it.

#announcement, #explain, #terraform

Terraform introduced new planning options: "refresh=false", "-refresh-only", and "-replace".

#attack, #azure

How anyone with a local administrator access to AD FS server (or proxy), can create arbitrary sign-ins events to Azure AD sign-ins log.

#build, #gcp, #kubernetes

How to manually configure a GKE cluster, and how to use the new Config Controller to provision and configure services via automation.

#explain, #kubernetes, #opa

Gatekeeper has recently introduced the ability to mutate resources. Mutation means that policy can change Kubernetes resources based on different criteria.

#build, #kubernetes

How do you ensure the stability of your Kubernetes clusters? How do you know that your manifests are syntactically valid? Are you sure you don't have any invalid data types? Are any mandatory fields missing?

#aws, #build, #kubernetes

How to securely integrate AWS Lambda with an existing Kubernetes environment without codes changes.

#build, #kubernetes, #monitor

How FluentBit can be useful to gather Kubernetes audit logs and forward them to some HTTP endpoint.

A simple to use web-based Gatekeeper policies manager. You can also refer to the companion blog post.

KubeView displays what is happening inside a Kubernetes cluster (or single namespace), it maps out the API objects and how they are interconnected.

n8n is an extendable workflow automation tool.

AWS Backup announces AWS Backup Audit Manager, a new feature that allows you to audit and report on the compliance of your data protection policies to help you meet your business and regulatory needs.

A hands-on solution you can use for automated disk collection across multiple AWS accounts. This solution will help your incident response team set up an automation workflow to capture the disk evidence they need to analyze to determine scope and impact of potential security incidents.

By default, AWS Config stores data in an S3 bucket. Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. When configuration snapshots and configuration history data are aggregated in Amazon S3, you can use Athena to query the JSON data directly using SQL statements. You can then visualize your Athena SQL views and queries in Amazon QuickSight, which lets you easily create and publish interactive BI dashboards by creating data sets.

This whitepaper provides cloud accreditation best practices to help you capitalize on the security benefits of commercial cloud computing while maximizing efficiency, scalability, and cost reduction.

IAM Access Analyzer extended policy generation allowing to generate policies based on access activity stored in a designated account.

How to implement service-to-service authorization using OAuth 2.0 access tokens for microservice APIs hosted on Amazon EKS.

The Google Secret Manager native integration with Cloud Functions makes it easier to access secrets for authenticating to upstream APIs and services.

Google Cloud recently launched On-Demand Scanning to general availability. This new feature checks for vulnerabilities both in locally stored container images and images stored within GCP registries.

Compared with Container Registry, Artifact Registry lets you store non-container artifacts, and provides better security and more flexibility.

gRPC-based services can now be configured via the Traffic Director control plane to use TLS and mutual TLS to establish secure communications.

The scalability and ease of use of fully managed compute now comes with enterprise-grade guardrails at the network level.