Some thoughts on some simple UI tweaks and UX updates that can help reduce the frequency of cloud security incidents stemming from misconfigurations.

Automated scanning platform that continuously discovers public web assets, performs port scanning, fingerprinting, and other useful reconnaissance, and launches light security scanning to identify potential risks — all built upon free open source tools and low-cost AWS services. I love this kind of ChatOps approach!

Interesting post which investigates what the absolute bare minimum "Kubernetes cluster" actually looks like. (It's going to be a lot more minimal than setting up Kubernetes the hard way.)

The general-purpose approach that the Open Policy Agent has taken, and the user experience that Conftest provides, enables near unlimited use cases for policy-based validation.

Post exploring how to monitor all aspects of your applications running in Kubernetes, including: ingesting and analysing logs, collecting performance and health metrics, monitoring application performance with Elastic APM.

By default, the Flux helm chart sets the RBAC (Role-Based Access Control) permissions to a cluster role with the ability to do anything. This post explores how to lock down flux permissions to "just enough" so to keep the cluster as secure as possible.

Part 1 in a series showing the basics of how to automate Terraform with Argo. Part 2 introduces Consul and Vault for security and Terraform templating.

Writeup of an XSS found on the AWS console via EC2 tagging.

The AWS Copilot CLI is a tool for developers to build, release and operate production ready containerized applications on Amazon ECS and AWS Fargate.

Syncs container images from one registry to another. This is useful in cases when you rely on images that exist in a public container registry, but need to pull from a private registry.

CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.

Action Hero is a sidecar style utility to assist with creating least privilege IAM Policies for AWS. Action Hero provides a means to capture all required permissions during the more permissive iterations to make it easier to create an IAM role with just the required permissions.

Simple AWS Lambda-powered Slack bot that reports your AWS Costs for the current month to a channel.

A Kubernetes node connectivity tool that preforms frequent tests (tcp, udp and dns), and exposes Prometheus metrics that are enriched with the node name, and the locality information (such as zone), enabling you to correlate issues between availability zones or nodes.

A collection of diagrams about Kubernetes and created for trainings, talks and articles. Written in PlantUML and can be adjusted easily.

"Identity Round Robin" is a collection of identity workshops covering a range of identity and access management topics. These topics cover identity in general, not just the AWS IAM service. Some of the services covered include AWS IAM, AWS CloudTrail, Amazon CloudWatch Events, Amazon S3, AWS Lambda, Amazon Macie, Amazon Inspector AWS Security Hub and Amazon GuardDuty.

AWS released the Payment Card Industry Data Security Standard (PCI DSS) 3.2.1 on AWS Compliance Guide. The guide is an overview of concepts and principles for building PCI DSS compliant applications. Each section is thoroughly referenced to source AWS documentation to meet PCI DSS reporting requirements.

The Spring 2020 PCI DSS attestation of compliance covers 124 services that can be used to securely architect Cardholder Data Environments (CDEs) in AWS. A full list of services can be found in the Services in Scope by Compliance Program page.

AWS released a security bulletin to notify customers of a security issue, recently disclosed by the Kubernetes community, affecting Linux container networking (CVE-2020-8558). This issue may allow containers running on the same host, or adjacent hosts (hosts running in the same LAN or layer 2 domain), to reach TCP and UDP services bound to localhost (127.0.0.1). Customer action is required, and the recommendation is to update to the latest AMI.

Post sharing concepts for building a cyber range in AWS. It covers the networking components of a cyber range, then how to control access to it.

How to set up G Suite as an external identity provider in AWS Single Sign-On (SSO), as well as how to configure permissions for your users, and how they can access different accounts.

The gcloud command-line tool cheat sheet is available as a one-page sheet, an online resource, and quite fittingly, a command itself, "gcloud cheat-sheet".

Azure Kubernetes Service (AKS) now supports confidential workloads through integration with DCsv2-series SKU node pools. Enclaves can now be used in containers to secure access to private data.

Microsoft released Azure policies to secure pods in AKS. You can deny requests based on pod capabilities and audit for runtime violations.

Microsoft introduced containerd support (as a preview) in AKS.