Companion blog post for the "Command and KubeCTL: Real-World Kubernetes Security for Pentesters" talk from Shmoocon 2020, covering the case study presented in the talk. I really like the walkthrough/scenario-based style of the slides by the way. (Slides and demos also provided)

A case study of AWS account takeover via misconfigured AWS Cognito.

Ever wondered what are the top level dependencies of Kubernetes? You can now have a look at this diagram.

When discussing the risk S3 buckets pose to organizations, the majority of the discussion is around public buckets and inadvertently exposing access. But what about data exfiltration from attackers that may have gained access through some other attack vector? This blog post looks for a simple way to detect cross account exfiltration from S3 buckets.

Introductory post referencing multiple resources and links useful to get started with Azure security.

Recently, the Linkerd community has been spending time tackling the challenge of multicluster Kubernetes. In this blog post, they outline the minimal requirements of a multi-cluster solution that makes cross-cluster traffic more reliable, secure and observable. In subsequent blog posts, they'll address some of the implementation choices.

This post explores how to access Secret Manager secrets from Terraform. Full sample code is also available on GitHub.

Virtual cluster is a mechanism to achieve hard multi tenancy in Kubernetes using nested clusters: the parent cluster can create child clusters that can use the same common resources. However, the control plane is isolated for each tenant.

The AWS Compliance Center offers a central location to research cloud-related regulatory requirements and how they impact different industries. Select the country you are interested in, and the AWS Compliance Center will display the country’s regulatory position regarding the adoption of cloud services.

AWS IAM now includes condition keys to make it easier to grant only the minimum level of access necessary for IAM principals (users and roles) and AWS services to take those actions. Using the aws:CalledVia condition key, you can create distinct access rules for the actions performed by your IAM principals, and for the subsequent actions taken by AWS services on your behalf. You could, for example, enforce that all actions for a principal are to or via CloudFormation.

AWS added partial support for PCI DSS version 3.2.1 requirements to AWS Security Hub. This post covers how to use the AWS Security Hub PCI DSS v3.2.1 standard, interpret your security score, remediate failed security checks, and more.

AWS KMS publishes API usage metrics to Amazon CloudWatch and Service Quotas allowing you to both monitor and manage your AWS KMS API request rate quotas. This functionality helps you understand trends in your usage of KMS and can help prevent API request throttling.

Google released Application Manager, an application delivery solution delivered as an add-on to GKE. Now available in beta, Application Manager allows developers to easily create a dev-to-production application delivery flow, while incorporating Google's best practices for managing release configurations.

Managed Service for Microsoft AD can help you manage authentication and authorization for your AD-dependent workloads, automate AD server maintenance and security configuration, and connect your on-premises AD domain to the cloud.

Last November Microsoft introduced Azure Firewall Manager preview for Azure Firewall policy and route management in secured virtual hubs. This week, the Azure Firewall Manager preview has been extended to include automatic deployment and central security policy management.