It is possible on AWS to have an isolated network where you cannot communicate in or out except through limited, controlled pathways. Setting something like this up has some gotchas. This post provides a CDK app to help you experiment and see these issues for yourself, with discussions of the gotchas, their mitigations, and limitations of those mitigations.

Microsoft created the first Kubernetes attack matrix: an ATT&CK-like matrix comprising the major techniques that are relevant to container orchestration security, with focus on Kubernetes.

A guide on AWS IAM global condition context keys and their caveats.

Walk through example of the HashiCorp Vault & Kubernetes sidecar injection integration method, by delivering database credentials from Vault to a Kubernetes pod using the Vault Agent Side-car Injector.

Inlets is a Cloud Native Tunnel written in Go, which creates a tunnel between two networks using a websocket and optional TLS for encryption. The main use-case for inlets is to expose a private API or service on the Internet, or to gain incoming network access (ingress) to a private network.

How K3s can serve as an easy command and control (C2) mechanism to remotely control compromised Linux machines.

Kpt is an OSS tool from Google for Kubernetes packaging that uses a standard format to bundle, publish, customize, update, and apply configuration manifests.

Walkthrough of a secure HashiCorp Packer image release process for an AWS environment.

This article explores the Service Catalog and other alternatives on how to provision cloud resources in Kubernetes.

Deprek8 is a set of Open Policy Agent (OPA) policies that allow you to check your repository for deprecated API versions. These policies offer a way to provide warnings and errors when something is in the process of being or has already been deprecated.

This post describes a very sophisticated phising attack that appeared that have originated from AWS, and concludes with mitigations against phishing attempts to compromise your AWS accounts.

Terraform Cloud recently added a new feature called Cost Estimation, which allows you to integrate cloud infrastructure spend estimates into your provisioning workflow and Sentinel policies.

Nomad is the first HashiCorp product outside of Vault to have a real audit log.

SSRF via Neo4j query on AWS EC2 by kmcquade3 that fits in a tweet!

To further HashiCorp product integrations with the Cloud Native Computing Foundation (CNCF) projects and to work more closely with the broad community of cloud engineers, HashiCorp joined the CNCF.

Amazon Detective is a fully managed service that empowers users to automate the heavy lifting involved in processing large quantities of AWS log data to determine the cause and impact of a security issue. Once enabled, Detective automatically begins distilling and organizing data from AWS Guard Duty, AWS CloudTrail, and Amazon Virtual Private Cloud Flow Logs into a graph model that summarizes the resource behaviors and interactions observed across your entire AWS environment.

Access Analyzer helps you quickly identify when resources in your organization can be accessed from outside of your AWS Organization.

The Secure Cloud Adoption: Data Classification whitepaper has been updated to get how-to steps for classifying data, see examples of data types relative to their classification levels and learn about global best practices.

TLS 1.2 to become the minimum for all AWS FIPS endpoints. This update will deprecate the ability to use TLS 1.0 and TLS 1.1 on all FIPS endpoints across all AWS Regions by March 31, 2021.

Service Directory is a new managed solution that helps publish, discover, and connect services in a consistent and reliable way, regardless of the environment and platform in which they are deployed.

How to collect Microsoft Teams data and monitor for suspicious activity.

Microsoft just published a new security docs site to make it easier to access resources + 55 new videos on Security Best Practices.