Lyft released Clutch, an open-source UI and API platform for infrastructure tooling. Clutch empowers engineering teams to build, run, and maintain user-friendly workflows that also incorporate domain-specific safety mechanisms and access controls. Clutch ships with several features for managing platforms such as AWS, Envoy, and Kubernetes with an emphasis on extensibility so it can host features for any component in the stack.

The most efficient and repeatable method for finding misconfigurations in IAM policies and roles is to automate the detection process using existing libraries. This blog explores how the Parliament library can be run to detect if a policy is malformed, identify unknown permissions that do not exist within the platform, and callout resource mismatches when resources and permissions do not apply to each other.

An attempt to try to help security professionals approach Kafka, by walking through the journey I undertook to get the basics first, and later to focus on the security aspects of it. (disclaimer: I did write this post)

Second post of a container breakout series. After the discussion on how to escape from a system with access only to the root directory, this part dives into privileged containers.

Let's say you got a reverse shell from a process running in a Kubernetes environment. This guide details the basic steps you can take to escalate your privileges within Kubernetes.

Blog looking at a Consul service mesh pattern for applications in ECS. This example is running on EC2 instances under an ECS managed cluster, but could be easily modified to run Fargate workloads as well.

This post explains how to connect a Kubernetes cluster running in Digital Ocean to your Azure Subscription by leveraging Azure Arc.

In last week's issue I linked to sinker in the Tools section. This week, the Plex team released a blog post explaining why they built it and how they leverage it in their pipelines.

How to leverage Falco to detect someone trying to exploit CVE-2020-8557, a recently discovered vulnerability affecting the kubelet.

HashiCorp announced the general availability of HashiCorp Vault 1.5. The feature that probably impacts the most users is around rate limiting and quotas (in the OSS version). For enterprise users, there is also a Splunk App so you can get better monitoring/logging out of the box.

Recon helps build a comprehensive inventory of the security-related metadata in an AWS account. The output is standard JSON, so it can be used in automation pipelines or feed into other tools for further analysis.

Repo keeping track of all primitive and predefined GCP IAM Roles and their permissions. Resyncs nightly to help track changes as they are made.

Get cost estimates from a Terraform project.

kube-forensics allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform off-line forensic analysis.

Litmus is a toolset to do chaos engineering in a kubernetes native way. Litmus provides CRDs for developers and SREs to inject, orchestrate and monitor chaos to find weaknesses in Kubernetes deployments.

Service control policies (SCPs) in AWS Organizations offers central control over permissions for all accounts in an organization, which helps ensure that accounts stay within an organization's access control guidelines.

AWS announced a new Center for Internet Security (CIS) benchmark for Amazon Elastic Kubernetes Service (EKS). This new benchmark is optimized to help accurately assess the security configuration of Amazon EKS clusters, including security assessments for nodes to help meet security and compliance requirements.

How to, using Lambda@Edge and Amazon CloudFront, add response headers that are specifically targeted to improve the security and privacy of both viewers and content providers.

AWS Secrets Manager has been Information Security Registered Assessors Program (IRAP) assessed and accepted at the PROTECTED level. Now, you can use AWS Secrets Manager to store secrets that are required to meet the Information Security Manual (ISM) control objectives.

With Traffic Director support for proxyless gRPC services, it is now possible to bring proxyless gRPC applications to proxy-based service mesh or even have a fully proxyless service mesh.

Some techniques and mechanisms you can apply to improve your security posture.

The Azure Well-Architected Framework is a set of guiding tenets that can be used to improve the quality of a workload. The framework consists of five pillars of architecture excellence: Cost Optimization, Operational Excellence, Performance Efficiency, Reliability, and Security.

Overview providing a snapshot of five best practices for cloud security: identity and access control, security posture management, apps and data security, threat protection, and network security.

Before deploying cloud applications in production it is useful to have a checklist to assist in evaluating your application against a list of essential and recommended operational security actions for you to consider.