This posts clarifies the clucking and clamoring over attackers exploiting vulns or corrupting build pipelines (spoiler alert: it isn't worth their time and effort to).

What are the threats in letting an AWS service manage the encryption of your data instead of creating a Customer Managed Key?

Here's what you should do about S3 Logging.

Post looking at the kinds of things you might find in your logs. The juicy bits are Personal Identifying Information (PII) or security credentials.

How to use Cloudflare Tunnel to securely access a Flask webapp running in a private subnet in ECS on Fargate, without exposing the app to the public internet.

Post exploring why the tried-and-true SSM Parameter Store is still the preferred choice for many developers and dive into the advantages it has over Secrets Manager.

Datadog announced the release of their Cloud Security Atlas, a searchable database of real-world attacks, vulnerabilities, and misconfigurations designed to help you understand and remediate risk in cloud environments.

Timeline of events when an AWS IAM Access Key was published to GitHub.

The Vault Secrets Operator implements a first-class Kubernetes Operator pattern for HashiCorp Vault along with a set of CRDs responsible for synchronizing Vault secrets to Kubernetes Secrets natively.

A security issue in GitHub's Security Advisory feature allowed researchers to access ANY organization's codespace secrets without authorization.

Post exploring the details of the Azure vulnerability, "Super FabriXss," the risks it poses, as well as recommendations on how to mitigate it.

A deserialization issue on the Azure Service Bus (Relay) service that allowed remote code execution on Microsoft servers.

GitHub announced a new Export SBOM function that allows anyone with read access to a GitHub cloud repository to generate an NTIA-compliant SBOM with a single click.

Security Copilot combines an advanced large language model (LLM) with a security-specific model from Microsoft. This security-specific model in turn incorporates a set of security-specific skills and is informed by Microsoft's unique global threat intelligence. Security Copilot runs on Azure's infrastructure.

GitHub App to watch for PRs merged without a reviewer approving.

Kubectl plugin for Kubernetes OpenID Connect authentication (kubectl oidc-login).

Sample logging architectures for Fluent Bit and FluentD on Amazon EKS.

A light weight, zero dependency python library that simplify managing your AWS boto3 session in your application code.

AWS announced the general availability of Amazon GuardDuty EKS Runtime Monitoring to detect runtime threats from over 30 security findings to protect your EKS clusters. The new EKS Runtime Monitoring uses a fully managed EKS add-on that adds visibility into individual container runtime activities, such as file access, process execution, and network connections.

GuardDuty has added new functionality to its integration with AWS Organizations to make it even simpler to enforce threat detection across all accounts in an organization.

An automation pattern that you can use to automatically detect and block suspicious hosts that are attempting to access your AWS resources.

Cost Anomaly Detection uses machine learning to continuously monitor, detect, and alert customers of unexpected cost increases. The default configuration allows new Cost Explorer users to quickly improve cost controls with zero effort.

GCP added an advanced simulation engine to attack path analysis that will identify assets that are most vulnerable to attack, which can help defenders know where to apply the right security controls to better protect their cloud environment.

Cloud Audit logs can help customers meet their compliance and security requirements. Here's how to derive actionable insights from Log Analytics.

Kaniko allows limited credential exposure to help GKE workloads authenticate to other services safely.