Scott Piper compiled some thoughts on Denial of Wallet attacks on AWS (attacks where the goal is to increase the financial burden on the victim).

Kubernetes has a wide range of attack vectors, and many common attacks are on the Kubernetes attack matrix. The RhinoSecurity team explored the GKE Kubelet TLS Bootstrap privilege escalation attack, starting with compromised CGP credentials, then stole TLS Bootstrap credentials by listing Compute Engine instances, generated and submitted CSRs, acted as worker nodes, stole secrets and gained cluster admin access in a GKE cluster.

Interesting article from Cloudflare which walks through the reliability model of services running in more than 200 edge cities worldwide.

Fargate does not allow privileged pods. So, how can you monitor Fargate and other serverless services if you can’t install agents on them? You'll need to rely on an intermediary like AWS CloudWatch.

Someone did set up an Elasticsearch honeypot and watched it destroyed. Over three dozen attacks occurred before the database was even indexed by search engines like Shodan / BinaryEdge.

Two vulnerabilities that, if chained together, would have allowed an attacker to claim a dangling S3 bucket to offer malicious firmware updates to Linux desktops and servers running legacy versions of fwupd.

A vulnerability that might enable a man-in-the-middle attack on Kubernetes clusters, CVE-2020-10749, was disclosed a few days ago. The vulnerability allows for man-in-the-middle (MITM) attacks, where an attacker can intercept network traffic to a pod in a Kubernetes cluster and impersonate it to clients.

Octant plugin for Starboard, which provides visibility into vulnerability assessment reports for Kubernetes workloads stored as custom security resources.

A solution to selectively find and erase records from data lakes stored on Amazon S3. This solution can assist data lake operators to handle data erasure requests, for example, pursuant to the European General Data Protection Regulation (GDPR).

Want to study how k8s audit logs work? This repo provides a Vagrant box configuration that: sets up microk8s with audit logging configured, sets up Elasticsearch and Kibana, and sets up filebeat to watch the microk8s audit logs and ship them to Elastic.

Project that allows to easily spin up Active Directory labs in Azure with domain-joined workstations, Windows Event Forwarding, Kibana, and Sysmon using Terraform/Ansible.

Post presenting patterns for accessing an Amazon Managed Streaming for Apache Kafka cluster across an AWS account or VPC boundaries using AWS PrivateLink. In addition, the post discusses the pattern that Goldman Sachs (TxB) chose for their cross-account access, the reasons behind their decision, and how TxB satisfies its security requirements with Amazon MSK.

Amazon introduced AWS CodeArtifact, a secure, scalable, and cost-effective artifact management service for software development. Today, CodeArtifact can be used with popular build tools and package managers such as Maven and Gradle (for Java), npm and yarn (for Javascript), and pip and twine (for Python).

The AWS Shield Threat Landscape Report (TLR) provides a summary of threats detected by AWS Shield. This includes rules and mitigations for services like AWS Managed Rules for AWS WAF and AWS Shield Advanced.

AWS Shield Advanced now allows proactive engagement from the DDoS Response Team (DRT) when a DDoS event is detected. When you turn on proactive engagement, the DRT will directly contact you if an Amazon Route 53 health check associated with your protected resource becomes unhealthy during an event that's detected by Shield Advanced.

AWS has achieved its first PCI 3-D Secure (3DS) certification. Financial institutions and payment providers are implementing EMV 3-D Secure services to support application-based authentication, integration with digital wallets, and browser-based e-commerce transactions. Although AWS doesn’t perform 3DS functions directly, the AWS PCI 3DS attestation of compliance enables customers to attain their own PCI 3DS compliance for their services running on AWS.

Curious on how to integrate formal proofs into software development? An ICSE research paper from the AWS Automated Reasoning Group describes lessons learned from a code-level verification project.

Google announced an updated Compliance Resource Center . It provides on-demand access to helpful resources to support your compliance efforts, verify technical compliance and control requirements, and help you understand region- and industry-specific regulations.

Google added some new firewall features, like hierarchical firewall policies and firewall insights.

The new BigQuery table-level access controls (table ACLs) enable to control data and share it at an even finer granularity. Table ACLs also bring closer compatibility with other data warehouse systems where the base security primitives include tables—allowing migration of security policies more easily.

In short: turn on uniform bucket-level access, enable domain-restricted sharing, encrypt data with Cloud KMS, audit data with Cloud Audit Logging, and secure data with VPC Service Controls.