Slides from the talk Christie Wilson (@bobcatwilson) delivered at QCon San Francisco 2019. The first half is a refresher of cloud native topics, but from slide 52 it gets very interesting with a nice description of Tekton and of its main components.

In this blog post, the DeliveryTech team describe the massive cultural change they faced when they migrated from ECS to EKS, and from "JSON+CloudFormation" to "YAML+Terraform". The post also describes how they use anchore-engine for scanning container images for known vulnerabilities and to verify them against user-defined policies. For example, you can block containers that contain known vulnerabilities or that contain AWS access keys.

If you are looking for a high signal / low noise alert, then you might be interested in setting up Cloudtrail alerting rules that let you detect when someone makes a manual change in your AWS Console. This way you could get notified when, for example, one of your engineers manually add new security group ingress rules through the AWS Console.

GitHub can now scan public repositories for known token formats to prevent fraudulent use of credentials that were committed accidentally. As a service provider, you can partner with GitHub so that your token formats are included in their token scanning. Whenever a match of your token format is found, a payload is sent to an HTTP endpoint of your choice.

AWS just made pods first class citizens in IAM: rather than intercepting the requests to the EC2 metadata API to perform a call to the STS API to retrieve temporary credentials, AWS made changes in the identity APIs to recognize Kubernetes pods. By combining an OpenID Connect (OIDC) identity provider and Kubernetes service account annotations, you can now use IAM roles at the pod level.

As Scott Piper pointed out, looks like AWS is working to prevent bucket sniping. Athena used to just create and use the bucket "aws-athena-query-results-ACCOUNTID-REGION" on first use, or use that bucket if it already existed, which meant an attacker could create it in advance, causing problems. This problem class was blogged about by @iann0036 where he referred to it as bucket name squatting.

GCP introduced "Network Intelligence Center", Google Cloud’s network monitoring, verification, and optimisation platform across the cloud and on-prem data centers, along with an initial set of modules. Network Intelligence Center offers four modules: Connectivity Tests and Network Topology, both in beta; Performance Dashboard and Firewall Metrics & Insights in alpha; with several other modules to follow. So far it looks like Cloudmapper!

Red Hat open sourced Project Quay, the upstream project representing the code that powers Red Hat Quay and Quay.io

VMWare released Tern, an inspection tool to find the metadata of the packages installed in a container image. Plus, it can also analyze GCR images.