From the cloud providers
Say goodbye to SSRF on AWS EC2 Instances
AWS released v2 of the EC2 Instance Metadata Service (IMDSv2). With IMDSv2, every request is protected by session authentication: a client first starts a session with a PUT request to /latest/api/token, then presents the returned secret session token in a header on every metadata request. AWS argues that this combination is always strictly more effective than requiring only a static header, and its analysis of real-world vulnerabilities found that it protects against the vast majority of SSRF vulnerabilities (a typical SSRF primitive lets an attacker choose the URL of a GET, not the method or the headers). There is a caveat, though: both IMDSv1 and IMDSv2 are available and enabled by default, and customers choose which they will use, so an instance only gains the protection once IMDSv2 is made mandatory (HttpTokens set to required, for example with aws ec2 modify-instance-metadata-options --http-tokens required).
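To make the difference concrete, here is an added example (not code from the AWS post): a local mock that serves the metadata credentials path with IMDSv1 semantics (a GET is enough) and with IMDSv2-required semantics (PUT for a session token, then the token header on the GET). It is probed once with a GET-only SSRF-style fetch and once with a well-behaved IMDSv2 client. The paths, header names and token flow follow the real service; the role name, credential body and the assumption that the SSRF primitive cannot set headers or change the method are constructed for the demonstration.

```python
# Added example: mock IMDSv1 vs IMDSv2 behaviour against a GET-only SSRF primitive.
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/app-role"  # constructed role name
FAKE_CREDS = '{"AccessKeyId": "AKIAEXAMPLE", "SecretAccessKey": "constructed-example"}'


class MockIMDS(BaseHTTPRequestHandler):
    """IMDS lookalike. require_token=False behaves like IMDSv1 (a GET is enough);
    require_token=True behaves like an instance with HttpTokens=required."""
    require_token = False
    tokens = set()  # session tokens handed out by PUT /latest/api/token

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_PUT(self):
        # IMDSv2 session start: PUT /latest/api/token with a TTL header.
        if self.path != TOKEN_PATH or TTL_HEADER not in self.headers:
            return self._reply(400, "bad request")
        token = secrets.token_urlsafe(32)
        MockIMDS.tokens.add(token)
        self._reply(200, token)

    def do_GET(self):
        if self.path != CREDS_PATH:
            return self._reply(404, "not found")
        if self.require_token and self.headers.get(TOKEN_HEADER) not in MockIMDS.tokens:
            return self._reply(401, "unauthorized")  # no valid session token presented
        self._reply(200, FAKE_CREDS)

    def _reply(self, status, body):
        self.send_response(status)
        self.end_headers()
        self.wfile.write(body.encode())


class IMDSv1(MockIMDS):
    require_token = False


class IMDSv2Required(MockIMDS):
    require_token = True


def serve(handler):
    """Start a mock on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def ssrf_get(url):
    """Models a typical SSRF primitive: the attacker controls the URL of a GET,
    but not the method or headers. Returns (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=3) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def imdsv2_get(base, path, ttl_seconds=21600):
    """The legitimate two-step flow: PUT for a session token, then GET with it."""
    req = urllib.request.Request(base + TOKEN_PATH, method="PUT",
                                 headers={TTL_HEADER: str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=3) as resp:
        token = resp.read().decode()
    req = urllib.request.Request(base + path, headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=3) as resp:
        return resp.status, resp.read().decode()


def compare():
    """Probe both modes; returns {mode: {"ssrf": (status, body), "client": (status, body)}}."""
    results = {}
    for name, handler in (("IMDSv1", IMDSv1), ("IMDSv2 required", IMDSv2Required)):
        srv, base = serve(handler)
        try:
            results[name] = {"ssrf": ssrf_get(base + CREDS_PATH),
                             "client": imdsv2_get(base, CREDS_PATH)}
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for mode, outcome in compare().items():
        print(mode, "| SSRF GET ->", outcome["ssrf"][0], "| IMDSv2 client ->", outcome["client"][0])
```

Against the IMDSv1 mock the plain GET walks away with the credentials; against the IMDSv2-required mock the same GET gets a 401 while the two-step client still works, which is the whole point of the PUT-then-token design. On a real instance the same outcome depends on HttpTokens being set to required, since the default leaves the v1 path open.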
Continuously monitor unused IAM roles with AWS Config
The IAM API now tells you when a role was last used to make an AWS request: GetRole returns a RoleLastUsed element with the date and region of the most recent request. In this post, AWS demonstrates how you can identify inactive roles using that role last used information. Additionally, they show how to implement continuous monitoring of role activity using AWS Config.
Use IAM to share your AWS resources with groups of AWS accounts in AWS Organizations
You can now reference Organizational Units (OUs), which are groups of AWS accounts in AWS Organizations, in AWS Identity and Access Management (IAM) policies, making it easier to define access for your IAM principals (users and roles) to the AWS resources in your organization. AWS Organizations lets you organize your accounts into OUs to align them with your business or security purposes. Now you can use a new condition key, aws:PrincipalOrgPaths, in your policies to allow or deny access based on a principal's membership in an OU. The key's value is the principal's path from the organization down through its OUs (organization id, root id, then each OU id, ending in a slash), and it is multivalued, so it must be used with a set operator such as ForAnyValue:StringLike, usually with a trailing wildcard so that accounts in nested OUs match as well. This makes it easier than ever to share resources between accounts you own in your AWS environments.
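As an added example (not from the AWS post), a bucket policy that grants read access to every account under one OU with aws:PrincipalOrgPaths, alongside a small evaluator for the ForAnyValue:StringLike condition so the path format and wildcard behaviour can be checked offline. The organization, root, OU and bucket identifiers and the sample principals are constructed; the evaluator implements only the StringLike operator, not the rest of IAM policy evaluation.

```python
# Added example: an OU-scoped resource policy using aws:PrincipalOrgPaths, and a
# check of how ForAnyValue:StringLike matches the constructed principal paths.
import json
import re

ORG_ID, ROOT_ID = "o-a1b2c3d4e5", "r-ab12"   # constructed identifiers
ENGINEERING_OU = "ou-ab12-11111111"          # the OU we want to share with
ALLOWED_PATH_PATTERN = f"{ORG_ID}/{ROOT_ID}/{ENGINEERING_OU}/*"  # '*' also covers nested OUs

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEngineeringOU",
        "Effect": "Allow",
        "Principal": "*",  # scoped by the condition below, not by listing account ids
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::shared-artifacts", "arn:aws:s3:::shared-artifacts/*"],
        "Condition": {
            # aws:PrincipalOrgPaths is multivalued, so a set operator is required
            "ForAnyValue:StringLike": {"aws:PrincipalOrgPaths": [ALLOWED_PATH_PATTERN]}
        },
    }],
}


def principal_org_path(*ou_ids):
    """The value IAM supplies for aws:PrincipalOrgPaths: org id, root id,
    the chain of OU ids from the root down, and a trailing slash."""
    return "/".join([ORG_ID, ROOT_ID, *ou_ids]) + "/"


# Constructed principals and their org paths (the key is a list of values).
PRINCIPALS = {
    "engineering-account": [principal_org_path(ENGINEERING_OU)],
    "engineering-sub-team": [principal_org_path(ENGINEERING_OU, "ou-ab12-22222222")],
    "finance-account": [principal_org_path("ou-ab12-33333333")],
    "root-level-account": [principal_org_path()],  # account directly under the root
}


def string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def for_any_value_string_like(patterns, values):
    """ForAnyValue: the condition holds if any request value matches any pattern."""
    return any(string_like(p, v) for p in patterns for v in values)


def statement_allows(statement, principal_org_paths):
    """Evaluate only this statement's aws:PrincipalOrgPaths condition."""
    patterns = statement["Condition"]["ForAnyValue:StringLike"]["aws:PrincipalOrgPaths"]
    return for_any_value_string_like(patterns, principal_org_paths)


def evaluate_all(policy=BUCKET_POLICY, principals=PRINCIPALS):
    """Map each constructed principal to whether the statement's condition matches."""
    stmt = policy["Statement"][0]
    return {name: statement_allows(stmt, paths) for name, paths in principals.items()}


if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
    for name, allowed in evaluate_all().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The trailing `/*` is what makes the engineering sub-team's nested OU match; without it the pattern would match only a path that ends exactly at the engineering OU. A principal in a sibling OU, or one directly under the root, has a different path and never matches, so no account list has to be maintained in the policy as accounts move between OUs.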
Hardening your cluster's security
Google updated their GKE hardening guide with new security features and a new section "Secure Defaults". The goal: move as many items to secure defaults as possible.