While performing penetration tests, active IAM credentials are often found by a variety of ways. These credentials can then allow to perform privileged actions in AWS services within an AWS account. This post goes through the process of gaining access to the AWS console using leaked API credentials and introduces a tool (AWS Consoler) to automatically convert CLI credentials into AWS console access.

The objective of this article is to provide a solid security foundation for a DigitalOcean Kubernetes cluster. Note that this tutorial covers basic security measures for Kubernetes, and is meant to be a starting point rather than an exhaustive guide.

Very interesting post explaining how the Terraform state works, how to inspect it, how to move and rename resources, and even delete them.

Continuously monitor AWS services for configurations that can lead to degradation of confidentiality, integrity, or availability, with results sent to Security Hub.

This tutorial builds on the legacy of Kubernetes The Hard Way by Kelsey Hightower. While KTHW is a great resource, it is aging and not using many new Kubernetes features which make manual cluster deployment both easier and more robust.

Learn some simple, low-effort steps to build a production-hardened proof-of-concept Vault deployment.

The HashiCorp Terraform Operator for Kubernetes leverages the benefits of Terraform Cloud with a first-class Kubernetes experience. This new Operator lets you define and create infrastructure as code natively in Kubernetes by making calls to Terraform Cloud.

RBAC is a good control to apply at the container platform level (Kubernetes), but it doesn't apply to the underlying nodes. That is where a Pod may not be able to delete an object in etcd using the API because it's restricted by RBAC, but it may delete important files in the system and even stop kubelet if properly programmed for that. To prevent this scenario, SCCs (Security Context Constraints) can come to the rescue.

This article explains how to use IAM roles for service accounts in EKS clusters, so to provide fine-grained permissions to pods.

Another cool Open Policy Agent use case: a set of rego policies to monitor Kubernetes APIs deprecations.

Knative Eventing has event sources, services, channels, subscriptions, brokers and triggers. It can be confusing. This blog post explains the delivery methods in Knative Eventing and when to use what.

Amazon GuardDuty introduces new pricing with an additional volume discount tier for threat detection.