AWS Service Control Policies (SCPs) are a way of restricting the actions that can be taken in an AWS account so that all IAM users and roles, and even the root user cannot perform them. This high quality article from SummitRoute points out important concepts of SCPs and then provides example SCPs that can be used.

A tale of how GCP service account keys left exposed in a Jupyter notebook led to an environment compromise.

How Cash App built its stack on top of Amazon EKS while leveraging AWS's managed services. If you are running at scale any application that requires operational excellence and fine-grained security policies, these slides might be of interest for you.

MKIT is a "Managed Kubernetes Inspection Tool" that validates several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.

Do you restrict which Amazon Machine Images (AMIs) your users can deploy within your AWS accounts? Why does it matter?

Inspektor Gadget is a collection of gadgets for debugging and introspecting Kubernetes applications using BPF. One of the newest gadgets helps to write proper Kubernetes network policies: let Inspektor Gadget monitor and analyse the network traffic so it can suggest network policies itself.

The Zeek Network Security Monitor provides a powerful open-source platform for network traffic analysis, but lacks access to host-level semantics. The new Zeek Agent fills this gap by collecting endpoint data through custom probes and, optionally, by interfacing to osquery.

The release of Kubernetes 1.17 introduces several new features and sees others maturing toward or into general availability. This recap provides a rundown of some of the most notable changes, which include: major improvements in cluster network and routing controls and scalability, new capabilities in cluster storage, pod scheduling and runtime options, and better custom resource support.

New features for OpenPolicyAgent's Rego playground have just been released: common examples for kubernetes/envoy/app authorization, bundle serving to help you kick the tires, and improved support for context-aware policies.

The diagnostics functionality of Docker Desktop for Windows executes privileged operations under a folder that is controllable by standard users who are members of the 'docker-users' group, leading to an arbitrary DACL permissions overwrite.

Two DoS vulnerabilities affecting different components of Kubernetes: one for kubelet, and one for the API server.

If you're looking to improve your cloud security, a good place to start is to follow the top 10 most important cloud security tips that Stephen Schmidt, Chief Information Security Officer for AWS, laid out at AWS re:Invent 2019.

How an organization using a third-party identity provider can use AWS Lambda authorizers to implement a standard token-based authorization scheme for REST APIs that are deployed using API Gateway.

Improve Athena' security by connecting to it directly with an interface VPC endpoint instead of publicly over the internet.

Among others: all exams are now available via online proctoring, as well as certification expiration dates & benefits extended.