Very interesting article going into the problem of providing network connectivity between Kubernetes clusters and other internal tools (like deployment pipelines).

Post focusing on the differences an Istio service mesh makes in regard to certificate management on Kubernetes. The primary difference is the method of solving the ACME HTTP-01 challenge. Solving this challenge involves routing an HTTP request from the ACME server (the Certificate Authority) to the cert-manager challenge solver pod.

When evaluating your cloud security posture priorities, encryption should be at the bottom of your list. First, get your IAM house in order.

Nice post from the Dropbox team, talking about the old Nginx-based traffic infrastructure, its pain points, and the benefits they gained by migrating to Envoy. They also briefly touch on the migration process, its current state, and some of the problems encountered on the way.

Blog exploring suspicious file activity inside a container, as well as how to effectively implement a file integrity monitoring (FIM) workflow.

How to use Spotify's open source framework, Backstage, to create a GitOps plugin with a UI that can be offered through a developer portal.

Patterns for configuring and maintaining GitHub Actions self-hosted runners on Google Cloud.

The etcd team has successfully completed a 3rd party security audit, performed by Trail of Bits. No major issue was found in the core components of etcd.

Evaluation of a few different isolation techniques, with a focus on Firecracker.

HashiCorp announced the preview of a Windows Active Directory (AD) provider for Terraform. Windows administrators can now automate configuration of Active Directory and ease the management of enterprise systems.

Repo maintaining a list of all AWS resources that can be publicly exposed, and eventually, those that can be shared with untrusted accounts.

Azure Cloud Shell is a browser-based shell environment which enables Azure customers to manage and configure their Azure services. It provides a host of tools, including Azure CLI, Azure PowerShell, Ansible, Terraform, Chef, Puppet Bolt, kubectl, and many more.

Run interactive shell commands on AWS Lambda.

Mount kubernetes metadata storage as a filesystem.

Kip is a Virtual Kubelet provider that allows a Kubernetes cluster to transparently launch pods onto their own cloud instances. The kip pod is run on a cluster and will create a virtual Kubernetes node in the cluster.

CONVEX is a group of CTFs that are independently deployable into participant Azure environments.

DAST (Dynamic application security testing) is a Kubernetes operator that leverages OWASP ZAP to make automated basic web service security testing.

The anomaly and threat detection for S3 activities that was previously available in Macie has now been enhanced and reduced in cost by over 80% as part of GuardDuty. This new capability enables GuardDuty to continuously monitor and profile S3 data access events and S3 configurations to detect suspicious activities.

The Self-Service Security Assessment is a CloudFormation template that includes a dedicated VPC with two subnets, one NAT Gateway, one EC2 instance, and one S3 bucket. Once deployed, open source projects Prowler and ScoutSuite are downloaded and installed within the EC2 instance and begin locally scanning AWS accounts using AWS APIs to run more than 256 point-in-time checks.

This paper examines the topic of logical separation for customers using AWS, discussing a multi-pronged approach to build logical security mechanisms that meet and often exceed the security results of physical separation and other on-premises security approaches.

How to migrate your rules from AWS WAF Classic to the new AWS Web Application Firewall.

This post walks you through some of the principles of Amazon EMR (a managed Hadoop framework) security, including encryption, authentication, and network access.

To implement a defense in depth approach for Compute Engine there are a few things you should do, like isolate your production resources from the internet, disable the use of default service accounts, limit access to service account credentials, use OS Login to manage access to VMs, apply the principle of least-privilege, and collect logs and monitor your system.

Google announced Certificate Authority Service (CAS), a highly scalable and available service that simplifies and automates the management and deployment of private CAs.

Free e-book discussing how to manage compliance, privacy, and security when migrating Windows Server workloads to Azure.