Isovalent announced the open source release of Tetragon, an eBPF-based security observability and runtime enforcement platform that has been part of Isovalent Cilium Enterprise for several years.

By utilizing temporary credentials (credentials returned as the result of the AssumeRole operation) as honeytokens, we can deploy a honeytoken approach that scales with our environment, utilize existing detection mechanisms (CloudTrail alerting), and remove the need to run a set of infrastructure dedicated to managing IAM Users.

Slides of a post discussing the public catalog of AWS Customer Security Incidents, covering over twenty different public breaches. It walks through the technical details of these attacks, establish the common root causes, look at lessons learned, and establish how you can proactively secure your environment against these real world risks.

Researchers from Palo Alto Networks presented research findings on “trampoline pods”—pods with an elevated set of privileges required to do their job, but that could conceivably be used as a jumping off point to gain escalated privileges. You can also read GKE's response.

A post explaining RCE via Provider and Provisioners, supply chain attack scenarios and mitigations.

By creating a threat model that includes the kinds of attacks you want to mitigate, it's clear that managing secrets safely is extremely difficult. The problem is NOT that secrets are just base64 encoded; that was never meant as a security feature. And the problem cannot be simply waved away by software/cloud providers and their flashy documentation.

Learn how to implement security in the cloud at the application layer.

Principles and practices for good RBAC design for cluster operators.

The announcement of Envoy Gateway, a new member of the Envoy Proxy family aimed at significantly decreasing the barrier to entry when using Envoy for API Gateway (sometimes known as “north-south”) use cases.

Trivy now can scan kubernetes clusters. It reports vulnerabilities and misconfigurations when scanning a full cluster, namespace or a resource.

A Kubernetes shell that allows you to escape to the host while obfuscating itself from the API server.

A tool for securing CI/CD workflows with version pinning.

A kubectl plugin that lets you can see the running configuration of all containers that are running inside pods.

Post covering two fully managed certificate revocation status checking mechanisms provided by ACM PCA: the Online Certificate Status Protocol (OCSP) and certificate revocation lists (CRLs). OCSP and CRLs both enable you to manage how you can notify services and clients about ACM PCA-issued certificates that you revoke.

Incident Manager, a capability of AWS Systems Manager, announces expanded support for runbook automation to speed up incident diagnosis and resolution.

Learn more about how gcloud terraform vet allows you to apply pre-deployment checks and guardrails to your Terraform infrastructure configurations.

Customers who use a SAML-based identity provider are able to take advantage of Workload Identity Federation to reduce their use of long-lived service account keys.

Announcing Google Cloud's new Assured Open Source Software Service, which can help organizations add the same software that Google uses into their own workflows.

You can now have AKS take care of creating the Private Link Service association to the Kubernetes service identified by the frontend IP configuration of an internal Azure Load Balancer.

You can now store secrets in BYOK encrypted etcd using Key Management System (KMS).