TL;DR: Everything that can be ephemeral, should be ephemeral.

Three-part series exploring how three fictional organizations would apply SLSA to meet their different needs: Part 1 - The Basics, Part 2 - The Details, Part 3 - Putting it all together.

A role trust policy that trusts a specific principal suggests that only that source principal has access to it, but it does not control access to that source principal, and so makes it seem like it limits access when it may not.

Self-paced course to learn fundamental AWS cloud security concepts, including AWS access control, data encryption methods, and how network access to your AWS infrastructure can be secured.

How to use Istio and OAuth2-Proxy to secure all your micro-service endpoints in a centralized and easily managed way on Kubernetes.

The AWS VPN Client application is affected by an arbitrary file write as SYSTEM, which can lead to privilege escalation.

Lightspin's Research Team obtained credentials to an internal AWS service by exploiting a local file read vulnerability on the RDS EC2 instance using the log_fdw extension.

The NetSPI team recently discovered a set of issues that allows any Azure user with the Subscription Reader role to dump saved credentials and certificates from Automation Accounts. In cases where Run As accounts were used, this allowed for a Reader to Contributor privilege escalation path.

A deliberately vulnerable CI/CD environment. You can also refer to the companion blog post.

A collection of Semgrep rules to facilitate vulnerability research.

Detect publicly accessible Lambda Function URLs in your AWS account.

AWS API Gateway management tool for creating on the fly HTTP pass-through proxies for unique IP rotation.

A curated list of policy-as-code resources like blogs, videos, and tools to practice on for learning Policy-as-Code.

Step-by-step guidance to enable SP-initiated single sign-on (SSO) into OpenSearch Dashboards using Okta.

How to pass calls to Amazon Cognito through a lightweight proxy. This pattern allows you to augment identity flows in your system with additional processing without having to change the client or the backend.

How to automatically resolve AWS Security Hub findings for previously deleted AWS resources. By using an event-driven solution, you can automatically resolve findings for AWS and third-party service integrations.

Automatic DLP for BigQuery, a fully managed service that continuously scans your data to give visibility of data risk, is now generally available.

A roundup of major functionality that has been added to Cloud EKM since it was first launched to GA.

How SPIFFE solves interoperability by combining SPIFFE and Google Workload Identity, to allow on-premise workloads to communicate with GCP APIs.

Private endpoints enable clients on an Azure virtual network to securely access Azure Static Web Apps through an IP address in the virtual network's address space over a private link.

Azure Monitoring Agent (AMA) is a native way to collect log files for Log Analytics. This new custom and IIS log capability is designed for you to collect text-based logs generated in your service or application.