#aws, #explain

An interesting post investigating instance-identity security credentials, which can be generated using the metadata instance on every EC2 instance in AWS, even when no role is attached to the instance.

#aws, #iam, #defend

Have you ever looked at an IAM policy and wondered: Is it really necessary to grant access to this specific action? CloudTrail can help here, but there is something better: Record API calls with Client Side Monitoring.

#aws, #explain

First in a series exploring mapping trust in different cloud providers. This post looks at 11 different aws security scanning tools and talks about some pros and cons with each.

#k8s, #defend

Intezer and Microsoft reported this week that TeamTNT hackers are using Weave Scope to aid their intrusions. As Weave Scope is an administration tool, it has powerful capabilities making it important for any installation to be secured. This blog covers both how Scope is used and how you can prevent it being misused by securing it in any Kubernetes installation.

#k8s, #falco, #defend

Darkbit discovered a bypass for a Falco default rule, whereby cleverly named images running as privileged and/or mounting sensitive paths can avoid generating alerts. It is recommended to update your "falco_rules.yaml" to the latest version.

#k8s, #falco, #explain

CNCF post describing the top five new features released in Falco 0.25 (like rules improvements, gRPC for alerts, and more).

#aws, #develop

Is there a way to support a client certificate-based "device trust" feature natively in AWS? Turns out you can use X.509 client certificates to authenticate your Chrome browser to AWS using AWS IoT.

#hashicorp, #vault, #ci/cd, #develop

The Vault GitHub Action allows you to take advantage of secrets sourced from your HashiCorp Vault infrastructure for things like static and dynamic secrets and inject these secrets into your GitHub workflows.

#hashicorp, #terraform, #vault, #develop

How to generate dynamic Consul tokens with HashiCorp Vault and define access control lists (ACLs) as code using the Consul provider for Terraform.

#hashicorp, #terraform, #defend

Walkthrough of the integration between Terraform Cloud Audit Logging with Splunk.

#microsoft, #defend

The Microsoft 365 E5 suite is essentially a large amount of products Microsoft offers for the Enterprise environment, more focused towards the security and compliance areas. The purchasing of E5 licensing means an organization now has unlocked a lot of Microsoft products and the common question seen afterwards is, "where do I start?".

#microsoft, #defend

Approaches to onboard Office 365 and related services into Azure Sentinel and the benefit of built-in solutions that a Cloud based SIEM bring.

#ci/cd, #develop

The CNCF End User Community was asked to describe what their companies recommend for different solutions: Adopt, Trial, Assess or Hold. This table shows how the End User companies rated each technology.

A new Kritis tool, Kritis Signer, has been released. It is a command-line tool that simplifies attestation creation for a container image.

A CLI tool for building simple to complex IAM policies based on CloudFormation templates.

Record all AWS SDK calls in NodeJS based Lambda functions, and analyze the data in Athena.

kubectl-fuzzy uses fzf(1)-like fuzzy-finder to do partial or fuzzy search of Kubernetes resources. Instead of specifying full resource names to kubectl commands, you can choose them from an interactive list that you can filter by typing a few characters.

Whalescan is a vulnerability scanner for Windows containers, which performs several benchmark checks, as well as checking for CVEs/vulnerable packages on the container. It also checks the config and Docker files for misconfigurations.

CLI tool and library for generating a Software Bill of Materials from container images and filesystems.

Gatekeeper is emerging as the standard way to have preventative controls of what is allowed within Kubernetes clusters including Amazon EKS.

How to integrate Amazon Cognito with an external IdP by deploying a demo web application that integrates with an external IdP via SAML 2.0.

Amazon S3 now provides bucket owner condition, allowing you to validate the AWS Account ID of the owner of an S3 bucket. Bucket owner condition helps you to easily verify that the S3 buckets that you interact with are owned by expected AWS Accounts.

AWS Single Sign-On (SSO) adds new account assignment APIs and AWS CloudFormation support to automate access across AWS Organizations accounts.

It is now possible to attach tags to Organizational Units (OUs), the organization's root and policies, enabling you to identify, classify, or categorize resources in an Organization.

Post introducing a method for integrating open source tools that find potentially insecure patterns in your AWS CloudFormation templates with both AWS Security Hub and AWS CodeBuild reports.

A vulnerability was recently discovered in the Linux kernel, described in CVE-2020-14386, that may allow container escape to obtain root privileges on the host node. All GKE nodes are affected. Pods running in GKE Sandbox are not able to leverage this vulnerability.

Customers who require FedRAMP Moderate support will also be able to leverage Assured Workloads, which is now generally available (GA).

Tutorial showing how to use Cloud Logging, Pub/Sub, and Cloud Functions to auto-enable Packet Mirroring so that you can monitor and troubleshoot traffic flows in your Virtual Private Cloud (VPC) network.

Interesting flowchart to help you choose load balancing options for your workloads.