How to leverage Cartography and Elasticsearch to continuously monitor all cloud assets in your estate and alert on any instance of drift. (Disclaimer: I did write this post).

When Shielded GKE Nodes is enabled, the GKE control plane cryptographically verifies that every node in the cluster is a virtual machine running in a managed instance group in Google's data center and that the kubelet is only getting the certificate for itself. But Shielded GKE Nodes addresses a much bigger problem.

Post discussing the risks of the AWS Instance Metadata service in AWS Elastic Kubernetes Service (EKS) clusters. In particular, it demonstrates that compromising a pod in the cluster can have disastrous consequences on resources in the AWS account if access to the Instance Metadata service is not explicitly blocked.

In-depth look at some of the intricacies present when using IAM Conditions, with examples and tips to keep in mind when scoping out IAM roles.

Article stepping through the problem and solution of using policy conditions to provide "just enough" access to services running in different accounts in an AWS organizational unit such as "dev", while encrypting data at rest.

GitHub Container Registry introduces easy sharing across organizations, fine-grained permissions, and free, anonymous downloads for public container images. Perfect timing, since many people started pondering alternatives for DockerHub cause of the recent limitations they just announced.

High level summary of how Threat Models are handled at GitHub.

High level post digging into what the term "software supply chain security" means, why it matters, and how you can help secure your project's supply chain.

Post breaking down how the Vault secrets engine works and how to use it to dynamically create credentials across multiple AWS accounts using the assume_role feature.

How to escalate to Domain Admin in Azure AD Domain Services (Microsoft's hosted Active Directory) leveraging Shay Ber's DNSAdmin trick. Interesting thing about this is customers are not supposed to have or be able to get Domain Admin rights.

Post discussing the Istio ingress gateway, and examining its feature set compared to typical API gateway features.

Interesting guide showing how to use Terraform to make budget compliance more automated.

Post diving into the mechanics of how this new feature works.

EndpointSlices are a new API that provides a scalable and extensible alternative to the Endpoints API. EndpointSlices track IP addresses, ports, readiness, and topology information for Pods backing a Service.

First stable release of Gatekeeper v3 is out!.

Rules for Elastic Security's detection engine. Interesting to see a section dedicated to AWS, and another dedicated to Azure.

helm-freeze helps you to declare the charts you want to use in a desired version and download them locally. This to freeze/lock them directly in your Git repository.

A collection of middleware for AWS lambda functions.

Minimal self-contained examples of standard Kubernetes features and patterns in YAML.

The GOV.UK repository for their Migration to AWS, open-sourcing their infrastructure and associated tooling.

AWS announced the General Availability of Bottlerocket, a new open source Linux-based Operating System (OS) purpose-built to run containers. Bottlerocket includes only the software needed to run containers and comes with a transactional update mechanism. AWS-provided Bottlerocket images are available for Amazon EKS (GA) and Amazon ECS (Preview).

How to use IAM roles to build trust policies that work at scale, providing guardrails to control access to resources in your organization.

Amazon CloudFront now supports real-time log delivery of CloudFront access logs via Kinesis Data Streams. The real-time logs contain detailed information about viewer requests that CloudFront receives.

A new whitepaper is available that summarizes the results of tests by Foregenix comparing Amazon GuardDuty with network intrusion detection systems (IDS) on threat detection of network layer attacks.

How you can use recent enhancements in AWS WAF to manage a multi-layer web application security enforcement policy. The post is in two parts. This first part describes AWS Managed Rules for AWS WAF and how it can be used to provide defense in depth. The second part shows how to apply AWS Managed Rules for WAF.