This post describes a limitation in the current AWS CloudTrail logging features that limit detection capabilities of possible abuse against AWS DynamoDB, in the event of the user's AWS IAM keys being compromised. In particular, CloudTrail doesn't currently record any scanning/reading of a DynamoDB table through awscli.

SkyWrapper is an open source project which analyzes behaviors of temporary tokens created in a given AWS account. It aims to find suspicious creation forms and uses of temporary tokens, so to detect malicious activity in the account.

Free course content, lab setup instructions, and documentation of a hands on training.

Unsecured AWS S3 buckets are a frequent source behind many of today's cloud security breach headlines. This blog post shows how to use Terraform and Sentinel to ensure that every S3 bucket that is provisioned is compliant with security best practices.

Lessons learned and best practices for engineers running workloads on EKS clusters.

A site dedicated to good practices and tooling around Kubernetes RBAC.

Very interesting account controller solution, which creates an AWS SSO application for federated users to create or delete ephemeral/sandbox accounts.

Guard is a Kubernetes Webhook Authentication server. Using guard, you can log into your Kubernetes cluster using various auth providers such as Azure, Google, etc.

Learn how you can implement LDAP authentication for Kubernetes.

Terraform sample for an out-of-the-box, AAD integrated AKS/Kubernetes cluster: create a Kubernetes cluster with Terraform, integrate it with Azure Active Directory, add an AAD group, and bind it to the cluster-admin role.

Interesting article on how to create exceptions lists for Conftest in Rego, so to offload your decision making from your code.

Kubernetes cluster networking can be more than a bit confusing. In this article you will follow the journey of an HTTP request to a service running on a basic Kubernetes cluster.

Want to restrict actions on your AWS resources to specific services? Here's how to define least-privileged permissions for actions called by AWS services.

How to use AWS Config, with its auto-remediation functionality, to ensure that all web ACLs have logging enabled. The AWS CloudFormation template included in this blog post will facilitate this solution, and will get you started being able to manage web ACL logging at scale.

AWS Storage Gateway now enables logging end-user operations on files and folders for SMB file shares when using File Gateway.

Already using Microsoft Active Directory? This step-by-step tutorial shows how to set up AWS Control Tower to delegate user authentication to a self-managed Microsoft Active Directory via AWS Managed Microsoft AD.

AWS Snowball now supports local AWS Identity and Access Management (IAM), allowing you to securely manage access to AWS services and resources running on your Snowball device by controlling what actions users can take, and what AWS resources on the device users can take those actions on.

Google announced the general availability of Google Cloud's OS patch management service to protect your running VMs against defects and vulnerabilities. With OS patch management, you can apply OS patches across a set of VMs, receive patch compliance data across your environments, and automate installation of OS patches across VMs—all from one centralized location.