Another interesting walk through from the Expel team on a red team exercise they recently spotted in a customer's AWS cloud environment.

Kubernetes is deprecating Docker as a container runtime after v1.20. You do not need to panic. It’s not as dramatic as it sounds. For a more detailed explanation, I do recommend: "Wait, Docker is deprecated in Kubernetes now? What do I do?".

EKS Distro is a distribution of the same version of Kubernetes deployed by Amazon EKS, which you can use to manually create your own Kubernetes clusters anywhere you choose.

New step-by-step tutorials demonstrate the features introduced in Vault 1.6, like the Key Management Secrets Engine, and how to Tokenize Data with the Transform Secrets Engine.

Blog post going over Kubernetes audits: What are they exactly? How are they constructed? Where do they originate? How and to where do they go?.

To have a better understanding of the node proxier model, this post goes through design and implementation of a custom "kube-proxy".

Service Account Token Volume projection allows you to associate non-global, time-bound and audience bound service tokens to your Kubernetes workloads.

A couple of takeaways if your organization is planning to use Azure AKS. First up if your clusters are AAD enabled, be very careful with who has rights to use the "--admin" switch on the "get-credentials" command. Secondly, do not expose your clusters directly on the Internet to reduce the likely impact of this.

Read access to ConfigMaps by default allowed privilege escalation in Microsoft's Kubernetes AKS.

Nice catch from @raesene: whenever an admin leaves you need to rotate the cluster CA keys if you want to remove their access to the cluster.

What we would do differently if we built something new, from the ground up, with no regard for compatibility with Kubernetes?

Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files.

Opstrace deploys secure, horizontally-scalable open source observability in your own cloud account, combining open APIs with the simple user experience of a large service provider.

audit2rbac takes a Kubernetes audit log and username as input, and generates RBAC role and binding objects that cover all the API requests made by that user.

Connaisseur is an admission controller for Kubernetes that integrates Image Signature Verification into a cluster, as a means to ensure that only valid images are being deployed. Comes with a related blog post.

You can now package your functions as container images and use familiar container development tools to build Lambda applications.

ECR Public allows you to store, manage, share, and deploy container images for anyone to discover and download globally.

Amazon announced the launch of Cloud Audit Academy AWS-specific (CAA AWS-specific). This is a new, accelerated training program for auditing AWS Cloud implementations, and is designed for auditors, regulators, or anyone working within a control framework.

Google announced the general availability of Container Threat Detection (a built-in service in Security Command Center Premium tier) to help monitor and secure container deployments in GCP.

Google sharing details about steps they have taken to protect Google's network against vulnerabilities in the internet routing system, how they are moving forward, and the importance of collaborating with the wider community.