A newly discovered security flaw in GitHub allows leveraging GitHub Actions to bypass the required reviews mechanism and push unreviewed code to a protected branch, potentially allowing malicious code to be used by other users or flow down the pipeline to production.

AWS WAF's defaults make bypassing trivial in POST requests, even when you enable the AWS Managed Rules.

Post explaining how to abuse Service Principals to escalate rights in Azure and how to protect yourself against it.

Did you know that OpenID Connect can be used to build trust between two different clouds? Learn how a new OIDC feature in GitHub Actions replaces passwords.

There has been a major regression in many organizations, who now tolerate risks inside containers that never would have been allowed on virtual machines. A lot of the blame seems to rest with Dockerfiles: we need guardrails against common mistakes.

Got engineers with AdministratorAccess? Here's how to deploy reduced privilege IAM roles for people without breaking their workflows.

GCP offers powerful security controls to mitigate API-based data exfiltration called VPC Service Controls. To execute a successful and secure cloud architecture with VPC Service Controls, it is important to understand exactly how they work.

This blog is the second in a multi-part series to cover the available logs and telemetry of the Azure platform, discuss the security insights that we can obtain from them and also to highlight existing blind spots that can save you a few headaches down the line.

How to use Cloudflare Tunnel to connect my Kubernetes Lab to the Cloudflare network, and Auditable Terminal to connect to it using nothing more than a browser. Disclaimer: I did write this post.

If you're familiar with Kubernetes, you're likely familiar with the Kubernetes API and the concept of controllers, but despite the seeming simplicity of the core ideas, there are plenty of details that may be surprising once you scratch the surface.

A handy generator of boilerplate YAML for Kubernetes resources.

Snowcat gathers and analyzes the configuration of an Istio cluster and audits it for potential violations of security best practices. You can also check the companion blog post.

Boilerplate example of managing OPA with kustomize.

A beginner-friendly CTF about Kubernetes security.

kdigger is a context discovery tool for Kubernetes penetration testing.

The IAM docs on policy evaluation have been updated with a table that explains how resource policies can or can't grant access beyond a permissions boundary.

AWS Network Firewall now offers new configuration options for rule ordering and default drop, making it easier to write and process rules to monitor your virtual private cloud (VPC) traffic.

AWS Instance Scheduler is a solution that helps you control your AWS resource cost by configuring start and stop schedules for their Amazon Elastic Compute Cloud (Amazon EC2 On-Demand Instances) and Amazon Relational Database Service (Amazon RDS) instances.

AWS Backup announced the availability of AWS Backup Vault Lock. This new feature enhances customers' ability to protect backups from inadvertent or malicious actions. It helps customers implement safeguards that ensure they are storing their backups using a Write-Once-Read-Many (WORM) model.

How to create a multi-stage Dockerfile that uses eksctl, kubectl, and aws-auth. This will allow you to call Kubernetes APIs to create and manage resources through a unified control plane.

On paper, setting up GCP logging sinks is relatively easy. In reality, as soon as VPC Service Controls are involved, you suddenly find yourself locked out of every "how-to" tutorial; they likely won't work with your security setup.

Analyzing Endpoints Forensics - Azure Sentinel Connector can enable more-powerful forensic analysis through techniques such as streaming a computer's EPP (Endpoint Protection) health status, policies, settings, and configuration in addition to IoT vulnerable assets, data events & vulnerabilities.

Azure Monitor container insights for Azure Arc enabled Kubernetes is now generally available. You can now monitor all Kubernetes, AKS or non-AKS through container insights.

Azure Static Web Apps adds support for access restrictions by IP addresses and service tags.

Azure Static Web Apps adds support for programmatically assigning custom user roles using Azure Functions.