#aws, #azure, #gcp, #kubernetes, #strategy

A comprehensive guide that provides a structured approach to reviewing the security architecture of a multi-cloud SaaS company and finding its most critical components.

#attack, #ci/cd

An analysis of several popular open-source projects highlighted a lack of proper input sanitization in GitHub Actions workflows, allowing malicious actors to inject code into the builds through issues and comments, and to access privileged tokens.

#defend, #kubernetes

The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report, the Kubernetes Hardening Guidance.

#ci/cd, #defend

How to use the OpenSSF Scorecards GitHub Action to audit your GitHub and GitHub Actions configuration, and a breakdown of some of the issues raised by it.

#attack, #aws, #defend

Getting started in AWS security, and how companies are getting hacked on AWS. You can also check a nice interactive mindmap.

#attack, #opa

Rego is designed to be utilised for a very specific purpose, and thus its standard library is understandably not huge. Despite this, much like Terraform, there are still features which can be leveraged by an attacker for supply-chain attack vectors. If a consumer takes advantage of policies published by a third party, they should be aware of the following.

#attack, #gcp

The 'Google Cloud Platform Storage Explorer' tool crawls all of your Google Cloud projects and detects which have access to all storage data.

#attack, #azure

A comprehensive map of Azure and Azure AD attack paths.

#iac, #opa

Recently, tfsec added support for applying Rego policies to your Terraform code. Clear rules can be written against simple data structures, whilst providing the developer with a wealth of information in the event of a failure, such as path, line numbers, and highlighted code snippets.

#announcement, #vault

Vault 1.10 adds login MFA support, makes Vault an OIDC provider, adds support for PKI to use HSMs, and more.

Access Undenied parses AWS AccessDenied CloudTrail events, explains the reasons for them, and offers actionable remediation steps. You can also refer to the companion blog post.

The GKE Proof of Concept (PoC) Toolkit is a demo generator for Google Kubernetes Engine.

CRFS is a read-only FUSE filesystem that lets you mount a container image, served directly from a container registry (such as gcr.io), without pulling it all locally first.

Enterprise-ready Azure Policy-as-Code (PaC) solution (includes Az DevOps pipeline).

To reduce risk and unintended access, you can use Access Analyzer for S3 to identify S3 buckets within your zone of trust (Account or Organization) that are shared with external identities.

How to automate scaling in AWS Managed Microsoft AD using utilization metrics from your directory, which can cost-effectively improve resilience & performance of your directory.

How you can use Security Hub with a SIEM to store findings for longer than 90 days, aggregate findings across multiple administrator accounts, and correlate Security Hub findings with each other and other log sources.

Google Cloud Certificate Authority Service has a simple solution for your workload certificate needs across cloud and on-premises environments.