Not properly a blog post, but an insightful thread about real-world continuous cloud deployments.

The talk per se is really good, but I think the added value here are the insights on their company-wide security culture.

Firekube is a new open source Kubernetes distribution that uses Weave Ignite to run Kubernetes on Firecracker. Interesting to see how Firekube may also be seen as an alternative to KIND using Ignite and GitOps.

CVE-2019-11253 is a YAML parsing vulnerability in the kube-apiserver, allowing users sending malicious YAML payloads to cause the kube-apiserver to consume excessive amounts of CPU and memory, potentially crashing and becoming unavailable. Probably worth upgrading your clusters...

We all know a good inventory is at the base of every security program, so Sqreen decided to share the journey that led them to the creation of their App Inventory and how they are bringing more security insights about micro-services/APIs/web apps in production.

Writing security-conscious IAM Policies by hand can be very tedious and inefficient. That's why Salesforce released policy_sentry, an IAM Least Privilege Policy Generator, auditor, and analysis database which aims to make it easier to write IAM Policies securely and abstract the complexity of writing least-privilege IAM policies.

Chamber is a tool for managing secrets in AWS, which uses SSM Parameter Store as a backend.

AWS updated their managed firewall service, which now finally allows to to define, manage, and audit organization-wide policies for the use of VPC Security Groups.

Turns out that AWS Cloudfront protects against HTTP Desync/Request Smuggling attacks, but ALB is still vulnerable. If your backend server sitting behind an AWS ALB does not have any defenses implemented, you're likely vulnerable.