A reference architecture to securing the software supply chain.

We all know "infrastructure as code". It is expanding to bigger constructs , devsecops, workflow , data , documentation, and slowly getting into the business domain. This post analyzed the trends from over 50+ concepts "as code".

With Grafana's out-of-the-box security features, you can protect your instances against vulnerabilities and create security audit dashboards.

Some good practices for securing accounts and package repositories.

How granting rights to node/proxy resources in Kubernetes could allow for audit logs and other security controls to be bypassed.

How do you restrict network traffic between namespaces in a Kubernetes cluster? This guide shows how to prevent traffic between namespaces using Linkerd's traffic policies.

A great explanation of how docker credential helpers and registry authentication works.

What is the difference between a Docker Container and a Kubernetes Pod? Can a Pod be created with plain Docker commands? How are Pods implemented under the hood?

Build OCI images using APK directly without Dockerfile. You can also refer to the companion blog post.

Infrastructure-as-code where you work with high-level constructs instead of getting lost in low level cloud configuration.

Simple command line utility to transform a provided Kubernetes resource into a Kubernetes AdmissionReview request, as sent from the Kubernetes API server when dynamic admission control (i.e. webhook) is configured.

Zarf massively simplifies the setup & administration of kubernetes clusters "across the air gap".

Starbase collects assets and relationships from services and systems including cloud infrastructure, SaaS applications, security controls, and more into an intuitive graph view backed by a Neo4j database. You can also refer to the companion blog post.

How to configure AWS Single Sign-On to define attribute-based access control (ABAC) permissions to manage EC2 instances and AWS Systems Manager Session Manager for federated users.

This post describes the primary building blocks for using Bot Control, and how you can combine and customize them to address different scenarios.

Amazon is announcing an open source project, AWS Cloud Map MCS Controller for K8s, which allows a Kubernetes-native service discovery capability that works across Kubernetes (K8s) clusters.

How to build an analytics pipeline of your Security Hub findings, summarize the data with Amazon Athena, and visualize the data via QuickSight.

The AWS Security Reference Architecture (AWS SRA) is a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment.

IAM deny policies let you set guardrails on access to Google Cloud resources. With deny policies, you can define deny rules that prevent certain principals from using certain permissions, regardless of the roles they're granted. You can also check this useful thread from @jasonadyke.

Announcing the general availability of the new Pub/Sub, Webhook, and Slack Notification channels.

A tutorial for writing and deploying customized Cloud Monitoring alert notifications to third party services.

Identities are a key aspect of Kubernetes security, and monitoring their activity is crucial for keeping your cluster secured. The Kubernetes audit log and the cloud control plane logs can be used for identifying suspicious activity of the identities in Kubernetes.

Microsoft announced a new addition to their database protection offering Microsoft Defender for Azure Cosmos DB in preview.