This week's articles
Unauthenticated SNS subscription removal
Publicly exposing SNS topics can introduce a whole range of issues. In this case, exposing the "subscriptionID" publicly grants anyone (even without authentication) permission to remove subscriptions from the topic. The countermeasure? Set the "AuthenticateOnUnsubscribe" flag.
Performing Image Scanning on Admission Controller with OPA
Sometimes the image you scan is not the same one you deploy in your Kubernetes cluster. This article explains how to use image scanning on admission controllers to scan your container images on demand, right before your workloads are scheduled in the cluster.
Kubernetes Pod Security Standards
The enforcement and policy-based definition of cluster requirements of security contexts has previously been achieved using Pod Security Policies. However, numerous means of policy enforcement have arisen that augment or replace the use of PodSecurityPolicy. The intent of these Standards is to detail recommended Pod security profiles, decoupled from any specific instantiation.
Open source continuous integration for Elastalert rules
Blog post introducing elastalert-ci, a CircleCI-compatible convenience image that you can use to test your Elastalert rules. The CI configuration spins up an Elasticsearch container and an Elastalert container, uploads provided test data to the Elasticsearch container, and then runs the rules that are provided to it.
A Red Team Tale
Interesting thread on how a red team stole AWS credentials starting from physical access to a laptop via a retail store.