The CNCF Security SIG has just released a new Cloud Native Security Whitepaper to help educate the community about best practices for securing cloud native deployments. The whitepaper intends to provide organizations and their technical leadership with a clear understanding of cloud native security, its incorporation in lifecycle processes, and considerations for determining the most appropriate application thereof. You can also check the accompanying blog post om the K8s blog.

Post testing Amazon's reaction to a case of leaked access keys, with analysis of the recent "AWSCompromisedKeyQuarantine" policy used to contain them.

Really interesting run through of real life security breaches that have happened to the AWS environments of high profile companies.

Practical guidance on how you can get started rolling out IMDSv2 via Cloudformation.

It's been 2+ years since PSPs were planned for deprecation, and SIGs are currently coming up with options before the summer deadline.

CloudFlare released origin-ca-issuer, an extension to cert-manager integrating with Cloudflare Origin CA to easily create and renew certificates for your account's domains.

Capital One acquired Critical Stack in 2016 to scale and manage containerized applications with compliance in mind. This week, all elements of the platform have been made available to the open-source community.

Post expanding on a technique reported by Felix Wilhelm (@_fel1x) to escape a privileged container to execute arbitrary commands on the container host.

The newest release of BloodHound introduced AzureHound (a new data collector for Azure), 10 new node types, and 14 new edges that cover attack primitives against the new node types.

The Expel team released a mindmap on detection and response in AWS, breaking down what APIs attackers will leverage for different types of attacks.

Collection of automated remediation Cloud Functions that react to high risk events in real time. See also the related blog post.

illuminatio is a tool for automatically testing kubernetes network policies.

New on-demand digital course provides a deep dive into AWS IAM and best practices for using IAM policies.

AWS Shield Advanced now allows you to bundle resources into protection groups, giving you a self-service way to customize the scope of detection and mitigation for your application by treating multiple resources as a single unit.

The Fall 2020 SOC 2 Type I Privacy report (available through "Artifact" in the AWS Management Console) provides a third-party attestation of AWS systems.

AWS announced AWS Network Firewall, a high availability, managed network firewall service for your virtual private cloud (VPC). It enables you to easily deploy and manage stateful inspection, intrusion prevention and detection, and web filtering to protect your virtual networks on AWS.

How to integrate CloudEndure Disaster Recovery - an AWS DR solution that enables fast, reliable recovery of physical, virtual, and cloud-based servers on AWS - into the recovery section of your incident response plan.

The S3 team has built a new feature called Amazon S3 Storage Lens. This is the first cloud storage analytics solution with support for AWS Organizations to give you organization-wide visibility into object storage, with point-in-time metrics and trend lines as well as actionable recommendations. All these things combined will help you discover anomalies, identify cost efficiencies, and apply data protection best practices across accounts.

AWS Single Sign-On (SSO) now enables you to secure user access to AWS accounts and business applications using multi-factor authentication (MFA) with FIDO-enabled security keys, such as YubiKey, and built-in biometric authenticators, such as Touch ID on Apple MacBooks and facial recognition on PCs.

Google launched the Anthos Developer Sandbox, providing a way to learn how to develop on Anthos with Cloud Shell Editor, Cloud Code, and Cloud Build Local.

Voucher evaluates container images created by CI/CD pipelines and signs those images if they meet certain predefined security criteria. Binary Authorization then validates these signatures at deploy time, ensuring that only explicitly authorized code that meets your organizational policy and compliance requirements can be deployed to production.

The Kubernetes Resource Model (KRM) that powers containerized applications can manage non-Kubernetes resources including other infrastructure, platform, and application services. For example, you can use the Kubernetes Resource Model to deploy and manage cloud databases, storage buckets, networks, and much more.

Reference patterns are technical reference guides that offer step-by-step implementation and deployment instructions and sample code.

How to configure and maintain Azure Sentinel through Azure DevOps with IaC using the Sentinel API, AzSentinel and ARM templates.

Now you can get even more insights about the security of your AKS clusters with the new workbook for Azure Kubernetes Service (AKS) security in Sentinel. The workbook helps you to get a better visibility to your cluster from security perspective.