Azure customers on Linux machines - which account for over half of all Azure instances according to Microsoft - are at risk if they use any of the services relying on OMI (Open Management Infrastructure), a Windows Management Infrastructure (WMI) for UNIX/Linux systems. The RCE is the simplest RCE you can ever imagine: simply remove the auth header and you are root. This Twitter thread is also useful to understand the impact of this flaw.

Google makes use of custom metadata to authorize access to AI Notebooks and their web UIs. Individuals granted access via custom metadata need not have any IAM permissions on the compute instance, on the service account running the Notebook or even be a member of the Organization. This kind of authorization bypasses a specific Organization Policy Constraint which restricts cross-domain resource sharing.

Between the 3rd and 10th of September, secure environment variables of all public repositories hosted on Travis were injected into PR builds. This Twitter thread can help put some perspective on this.

Last month, NSA and CISA released a report detailing the security hardening they recommend be applied to Kubernetes cluster. The guidance the document contains is generally reasonable, but there are several points which are either incorrect or do not provide sufficient context for administrators to make good security-focused decisions.

A website built in order to provide an alternate, community-driven source of truth for AWS identity.

The IAM Vulnerable tool helps you learn how to identify and then exploit intentionally vulnerable IAM configurations that allow for privilege escalation.

Newcomers to AWS can sometimes get confused by what it means to have AWS credentials. This article aims to explain the basics of AWS authentication, that is, the way you gain an identity that you can use to access AWS services.

GitHub Actions has a new functionality that can vend OpenID Connect credentials to jobs running on the platform. This is very exciting for AWS account administrators as it means that CI/CD jobs no longer need any long-term secrets to be stored in GitHub.

How do you measure the success or maturity of a Threat Detection program? What should a Threat Detection team roadmap look like? What is the north star for Threat Detection?

How to call Google Cloud APIs from AWS or Azure without managing secret keys impersonating a service account.

HashiCorp Terraform Cloud run tasks allow you to integrate third-party tools into the pre-apply stage of a Terraform Cloud run.

An anonymous & ephemeral (and free) Docker image registry.

approver-policy is a cert-manager approver that allows users to define policies that restrict what certificates can be requested.

ClusterSecret operator makes sure all the matching namespaces have the secret available. New namespaces, if they match the pattern, will also have the secret. Any change on the ClusterSecret will update all related secrets.

This package allows you to authenticate to AWS with Amazon's signature version 4 signing process with the python requests library.

I've spent some time overhauling and reorganising the "Culture & Engineering" section on CloudSecDocs, now with more resources on topics like engineering decisions, personal development, technical leadership, and management

Amazon Route 53 Resolver DNS Firewall and AWS Network Firewall help you protect your VPC workloads by inspecting network traffic and applying deep packet inspection rules to block unwanted traffic.

Use the CLI (aws accessanalyzer validate-policy) or the API (ValidatePolicy) in IAM Access Analyzer to perform programmatic validation as part of your CI/CD workflows, helping you construct correct & secure IAM policies & SCPs.

How customers can continue to use AWS services in compliance with the evolving EU data protection landscape following the Schrems II ruling and recent EDPB recommendations.

How to deploy sample IAM policies for three personas: sysadmins, security analysts, and DevOps engineers or application builders.

What the three most important AWS WAF rate-based rules are for proactively protecting web applications against common HTTP flood events, and how to implement these rules.

Network Forensics and Telemetry solution to enable Threat Hunting; brings together Packet Mirroring, Open source and your choice of SIEM.

Event Threat Detection has launched new detectors in public preview: "Credential Access: Privileged Group Joinability Risk", "Persistence: IAM Anomalous Group Grant", "Credential Access: External Member In Privileged Group".

The unattended project recommender analyzes usage activity on projects in your organization and provides recommendations that help you discover, reclaim or remove unattended projects.

Microsoft announced new Azure Firewall capabilities as well as updates for August 2021 including new Azure Firewall supported regions, auto-generated self-signed certificates for Azure Firewall Premium SKU, and more.