#ci/cd, #defend

A comparison of Terraform static analysis tools and tips for integration in CI/CD pipelines.

#aws, #attack

Scott Piper discusses lesser known attack techniques that he would use in attacking AWS accounts, alongside with a discussion on defenses.

#aws, #defend

Corey Quinn raising an issue by which it seems the Serverless Framework will in some cases copy your API credentials to their own systems and execute things on your behalf.

#aws, #azure, #monitor

How to derive significant cost efficiencies in SIEM platform consumption with smart log ingestion utilising pre-processing data pipelines and modern cloud services.

#azure, #monitor

Overview about data sources or signals that should be considered for monitoring based on identity-related activities, risk detections, alerts and events across the Microsoft ecosystem.

#azure, #monitor

Log Analytics, Sentinel, and ATP can produce a complete picture of your Azure authentication border defenses, virtual server happenings, and everything in between them.

#azure, #explain

A very open "postmortem" on a failed attempt at AZ-500, with some of the key things learned along the way.

#gcp, #defend, #explain

Blog post detailing the .actAs permission, a little ditty on the history of this vulnerability and how to remediate before Google does it for you.

#gcp, #defend

What does lateral movement look like internally in Google's own infra hosted in GCP? How do security decisions get made at a major cloud provider?

#aws, #build

You should always use function versioning. You should almost always use function aliases, which have a handful of benefits involving metrics in CloudWatch, IAM permissions, traffic-shifting, etc.

#alibaba, #explain

Post exploring Alibaba Cloud's approach to cross account trust and the security implications of their trust model.

#k8s, #defend

Netflix describes how Titus (their container orchestration system) agents leverage user namespaces to improve the overall security of the Titus agent fleet.

A tool which helps organizations quickly and easily review excessive permissions in their Azure AD environments, helps determine configuration weaknesses, and provides advice to mitigate risk.

Run the exact same image for websites in Lambda as you do in ECS, Kubernetes, etc.

PolicyHub is a CLI tool that makes Rego policies searchable.

Example recipes for Kubernetes Network Policies that you can just copy paste.

This module provides an opinionated approach for delivering the core platform capabilities of enterprise-scale landing zones using Terraform, based on the architecture published in the Cloud Adoption Framework enterprise-scale landing zone architecture.

New IAM condition keys to limit requests to: Buckets owned by specific AWS accounts, specific TLS versions used by clients.

AWS Lambda functions that are triggered from an Amazon Managed Streaming for Apache Kafka (Amazon MSK) topic can now access to usernames and passwords secured by AWS Secrets Manager using SASL/SCRAM.

How to use Amazon Athena to anonymize a dataset. You can then use AWS Lake Formation to provide the right access to the right personas.

The Cloud Asset API allows you to use a custom query language to search Identity and Access Management (IAM) policies within a project, folder, or organization.

If you are using a Google Cloud managed solution like Anthos or Kubernetes Engine (GKE), you can easily and effectively mitigate CVE-2020-8554, which lets users create objects that could act as a "Man in the Middle" and therefore potentially intercept sensitive data.

What you can do to better encrypt your security keys in Google Cloud.

Based on the Azure SDK for .NET and part of the Azure (Az) module, Microsoft announced the public preview release of the Az.SecurityInsights PowerShell module.

Learning path describing basic architecture, core capabilities, and primary use cases of Azure Sentinel, a cloud-native, security information and event management (SIEM) service.

How to configure your systems to protect your Microsoft 365 cloud environment from on-premises compromise.