Cartography introduced "Resource Permission Relationships": using the graph to evaluate a principal's resulting accesses to critical assets within your environments.

SummitRoute describes the limitations of AWS related to tagging, and the steps AWS needs to take to improve this situation.

Blog covering many image scanning best practices and tips that can help adopting an effective container image scanning strategy.

For the Secrets resource, the "LIST" verb is a lie. When you "list" a secret, it goes out to the Kubernetes API, pulls down all the secrets including individual secret values themselves. This is a known and documented issue but many environments continue to rely on "LIST" to prevent access to secrets, compared to the "GET" verb.

How to nuke every resource group under every Microsoft Azure subscription, with examples on how to do it with Terraform's null_resource and local-exec provisioner.

The Docker TOS updates give us an opportunity to focus on the larger challenges with consuming public content. If you depend on public content, it is recommended to configure a workflow that imports the content, security scans the content based on your organization's scanning policies, runs functional and integration tests to assure this most recent version of the content meets all expectations, then promote the validated content to a location your team(s) can utilize.

Good overview on the "shape" of AWS Nitro Enclaves and how private material is protected. They even tried to access an ACM private key, but show how attestation prevents that.

Aqua announced a new Starboard Operator that automates the generation of security reports in your K8s cluster. Using Starboard Operator, you can rely on the tools you're already familiar with, like kubectl, to easily access security information about your running workloads.

Project Zero identified an interesting design flaw in Github Actions. Actions that print untrusted data to STDOUT are vulnerable to an injection attack that can be turned into code exec.

A few ideas for all those who are building a detection team, showing how to get more than code review out of the "detections-as-code" model, and really make use of the power of committed, automatically parseable detection rules.

A collection of tools to statically and dynamically identify public container images that are hosted on Docker Hub.

Scripts and Lambdas to help with automated deployment of AWS Shield Advanced and engagement of the DRT during a DDoS incident.

Security Scanner based on CIS benchmark 1.1 inspired by Scout2.

KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure the applications represented in them adhere to best practices.

Monzo's real-time incident response and reporting tool.

Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy. Flux version 2 ("v2") is built from the ground up to use Kubernetes' API extension system, and to integrate with Prometheus and other core components of the Kubernetes ecosystem.

Big news about Amazon ECR: within weeks there will be support for public images as well.

Amazon CloudWatch launches Metrics Explorer, a tag-based dashboard tool that enables customers to filter, aggregate, and visualize operational health and performance metrics by tags.

This Quick Start sets up a flexible, scalable environment on EKS, and launches HashiCorp Vault using HashiCorp Vault Helm chart into the configuration of your choice.

How to develop and run a serverless reverse proxy to customize the behavior of your registry, such as serving your images publicly on your custom domain name instead of gcr.io.