Scott Piper's third annual release of his "AWS Security Maturity Roadmap" to give companies a series of actionable steps to improve the security of their AWS environments.

The PassRole permission requirement is ubiquitous. It extends to more than 300 actions in more than 90 services and, in some cases, is obscured by parameters that indirectly contain the role being passed. Comprehensively auditing it can be a handful but is absolutely worth it as not doing so means leaving relatively easy avenues for privilege escalation wide open.

Cloud security best practices, as well as most compliance programs, require that logging be enabled for all in-scope services. However, that simple requirement - enable logging - comes with many follow-up questions. Is CloudTrail enough? How do I turn on logging for all these services? Aren't logs collected by default? What. even. is. a. log?

Post laying out the different AWS security monitoring and logging sources, how to collect logs from them, and how to select the most appropriate collection technique.

Post listing all main AWS services logging sources with a summary table, format, example and a Grok regex to parse log and ingest into a tool like Elastic Stack (ELK).

NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) from victims in the semiconductors industry through to data from the airline industry. In their intrusions they regularly abuse cloud services from Google and Microsoft to achieve their goals.

Kubernetes RBAC includes a special "impersonate" verb, that can be used to allow Subjects to acquire other Kubernetes User or Group identity.

Technical process for approaching and building an internal IaC security strategy, which meets goals without slowing your developers down.

HashiCorp announced the public beta for Vault running on the HashiCorp Cloud Platform (HCP). With this setup, HashiCorp will handle infrastructure, backups, upgrades, etc.

The cryptography and key management protecting HashiCorp Vault secrets is designed to stand up to concerted attacks from well-resourced, skilled adversaries. Here's how it works.

The fourth annual Sysdig container security and usage report looks at how global Sysdig customers of all sizes and industries are using and securing container environments.

AWS re:Invent ran for three weeks last year. It is more important than ever to help everyone by summarizing AWS' biggest security announcements.

With the release of Docker 20.10, the rootless containers feature has left experimental status. This post explores setup and usability of rootless Docker.

A collection of AWS Config Conformance Packs. A conformance pack is a collection of AWS Config rules and remediation actions that can be easily deployed as a single entity in an AWS account and a region.

Ubuntu base OS, install AZCLI, unpack terraform, gather auth tokens, run script, enjoy new domain.

Some key security controls that you can use to architect your Amazon WorkSpaces environment to provide external users access to your corporate applications and data in a way that satisfies your unique security and compliance objectives.

How to use AWS Key Management Service (KMS) to combine asymmetric digital signature and asymmetric encryption of the same data.

How to enable nearly continuous compliance with Cloud Custodian and AWS Lambda.

How to use EventBridge resource policies to publish events and create rules on event buses in another account.

Beyond the fundamentals, Cloud Storage offers several security features, such as uniform bucket-level access, service account HMAC keys, IAM conditions, Delegation tokens, and V4 signatures.

Addressing the delay challenge: understanding the impact of the ingestion delay and how to fix it.