This week's articles
AWS SCP Best Practices
AWS Service Control Policies (SCPs) restrict the actions that can be taken in an AWS account so that no IAM user or role, and not even the account's root user, can perform them. SCPs apply to member accounts of an AWS Organization but never to the management account, so that account should hold as little as possible. This high-quality article from SummitRoute explains the important concepts of SCPs and then provides example SCPs that can be used directly.
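As an added illustration (written for this digest, not taken from the SummitRoute article), here is a small SCP of the kind the article discusses. It blocks a member account from leaving the organization and from turning off CloudTrail, while exempting a dedicated break-glass role; the role name SecurityBreakGlass is a placeholder assumption, not a real convention.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeaveOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyDisablingCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/SecurityBreakGlass"
        }
      }
    }
  ]
}
```

Two caveats a practitioner will want: an SCP only filters permissions and grants nothing, so the OU must also carry an Allow statement (the default FullAWSAccess policy is enough) or every principal in the account loses access; and because SCPs do not apply to the management account, this policy does nothing to protect the management account's own trails.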
Running Kubernetes clusters at scale: Square
How Cash App built its stack on top of Amazon EKS while leveraging AWS's managed services. If you run any application at scale that requires operational excellence and fine-grained security policies, these slides might be of interest to you.
MKIT: Managed Kubernetes Inspection Tool
MKIT is a "Managed Kubernetes Inspection Tool" that validates several common security-related configuration settings of managed Kubernetes cluster objects and of the workloads and resources running inside the cluster.
What's New in Kubernetes 1.17: A Deeper Look at New Features
The release of Kubernetes 1.17 introduces several new features and sees others maturing toward or into general availability. This recap provides a rundown of the most notable changes, which include major improvements in cluster network and routing controls and scalability, new capabilities in cluster storage, pod scheduling and runtime options, and better custom resource support.
Rego Playground: New Features
New features for Open Policy Agent's Rego Playground have just been released: common examples for Kubernetes, Envoy and application authorization, bundle serving to help you kick the tires, and improved support for context-aware policies.
Docker Desktop Local Privilege Escalation (CVE-2020-10665)
The diagnostics functionality of Docker Desktop for Windows executes privileged operations under a folder that is writable by standard users who are members of the 'docker-users' group. A member of that group can abuse this to overwrite the DACL of an arbitrary file or directory, which is what makes the bug a local privilege escalation.