Nice primer on GCP audit logs, which covers their structure, best practices for using them to monitor GCP security, and how to export them from GCP.

Write-up which explains in detail how OS Login works and then outlines three methods of privilege escalation. The first two (via LXD and via Docker) are straightforward and use previously-known methods to abuse the OS Login implementation. The third (hijacking the metadata server) is brand new, a bit more complex, and probably the most interesting to read.

A spreadsheet which compares many different features of Kubernetes managed services such as Google Kubernetes Engine (GKE), Elastic Kubernetes Service (EKS) and Azure Kubernetes (AKS).

Chris Farris invaluable notes from his talk SEC339 at re:Invent 2019. The focus is on the Preparation & Identification aspects of the SANS Incident Response framework.

When Kubernetes is deployed in a managed environment, the controller manager is handled by the cloud provider but the request for asking volume creation is emitted from the internal cloud provider network. This can be exploited (CVE-2020–8555) to access the cloud provider's internal resources and to enable several other attacks, such as dumping internal credentials and performing privilege escalation.

And they also fit in a tweet.

Starboard integrates security tools into a Kubernetes environment, so that users can find and view the risks that relate to different resources in a Kubernetes-native way. Starboard provides custom security resources definitions and a Go module to work with a range of existing security tools, as well as a kubectl-compatible command-line tool and an Octant plug-in that make security reports available through familiar Kubernetes tools.

Kuberhealthy is a Kubernetes operator for running synthetic checks as pods.

A very educational use case blog on implementing an Automated Incident Response in a Multi-Account AWS Environment. This scenario incorporates GuardDuty alerts, Config findings, Systems Manager automation runbooks, SNS notifications and centralized reporting in SecurityHub.

Last accessed information for IAM got extended to include S3 management actions, and now reports the last time a user or role used an S3 action. This granular access information helps analyze access, identify unused S3 actions, and remove them confidently.

The master account from the organization can now designate one member account within the same organization as a delegated administrator. The delegated administrator can aggregate data from across multiple accounts and Regions, then search and filter this data in the AWS console or by using the AWS SDK or CLI.

An overview of how logging works in GKE, and how to configure, find, and interact effectively with the GKE logs stored in Cloud Logging.