#aws, #defend

There are two services on AWS that can make SOC 2 easier for you and your company, AWS Config and AWS Security Hub. These two services have built-in rules (Config) and controls (Security Hub) that directly address SOC 2 criteria and controls.

#defend, #kubernetes

Kubernetes is driven by an HTTP API server which allows complete configuration and control of Kubernetes runtime. Therefore, securing access to the API server is one of the most critical security controls to ensure resilient Kubernetes in production.

#aws, #defend

Blog post from SkyScanner, introducing some recent improvements to CFRipper that have enabled them to detect issues more accurately, allow for increasing levels of customization, and facilitate dynamic stack exemptions for engineering squads.

#explain, #gcp, #iam

2 use cases where the GCP IAM model is limited, requiring some trickery to get right.

#announcement, #kubernetes

This new merging algorithm running on the Kubernetes API server replaces the client side apply feature with a server-side implementation, helping users and controllers manage their resources.

#aws, #monitor

Use the recent S3 Object Lambda functionality in AWS to enrich S3-based logs with valuable intelligence.

#attack, #docker, #kubernetes

A page listing CVEs affecting Kubernetes/runc/ContainerD/Docker.

#announcement, #defend, #terraform

Semgrep 0.70+ now supports scanning Terraform source files (HCL) for misconfigurations and security flaws.

Detect, track and alert on infrastructure drift.

CloudSplaining on AWS Managed Policies. It automatically downloads and keeps a local copy of all AWS IAM Managed Policies, and also runs Cloudsplaining on each.

Open source IaC security scanner for public Helm charts.

Ottr is a serverless framework for Public Key Infrastructure (PKI) that aims to provide a robust and scalable method to manage end-to-end certificate rotations using an agentless approach.

Terraform Validator can run pre-deployment checks on Terraform plans for policy compliance.

This post provides strategies that you can use to prepare your organization to respond to secure baseline deviations. These strategies take the form of best practices around AWS account structure, OUs and SCPs, forensic VPC and network infrastructure, evidence artifacts to be collected, AWS services to be used, forensic analysis tool infrastructure, and user access and authorization to the above.

How to use AWS CloudTrail and Amazon Athena to analyze AWS KMS API usage. In a hub and spoke account model, cross-account AWS KMS API quotas are applied to the spoke account when the spoke account accesses SSE-KMS encrypted S3 bucket in the hub account.

This blog post explains how to modify and deploy the code to apply AWS Landing Zone specific baselines such as IamPasswordPolicy and EnableNotifications into AWS Control Tower using Customizations for the AWS Control Tower.

Post describing a multi-environment solution that uses a cloud native CI/CD pipeline to build, test, and deploy a Serverless ChatOps bot that integrates with AWS Control Tower Account Factory for AWS account vending.

Google announced the general availability of new security capabilities for Traffic Director which provide fully-managed workload credentials for Google Kubernetes Engine (GKE) via CA Service.

New container image streaming in Google Kubernetes Engine slashes the time it takes to boot your applications.

Azure offers trusted launch as a seamless way to bolster the security of Generation 2 VMs. Designed to protect against boot kits, rootkits, and kernel-level malware, trusted launch is comprised of secure boot, virtual trusted platform module (vTPM), and boot integrity monitoring.

Defender for Cloud Apps helps you gain visibility of your deployed cloud apps, discovers shadow IT, and protects your sensitive information.

Microsoft announced Azure Container Apps, an app centric hosting service for serverless containers. It is built with microservices in mind on the foundation of powerful open-source technology in the Kubernetes ecosystem.

Microsoft announced the public preview of capabilities that enable developers to secure their deployments to Azure through OpenID Connect's integration between Azure AD and GitHub Actions.