PodSecurityPolicy (PSP) is being deprecated in Kubernetes 1.21, to be released later this week. PodSecurityPolicy will continue to be fully functional for several more releases before being removed completely. In the meantime, a replacement that covers key use cases more easily and sustainably is being developed.

Post about a research project James Forshaw (Google's Project Zero) conducted on Windows Server Containers that resulted in four privilege escalations which Microsoft fixed in March 2021. In the post, he describes what led to this research, his research process, and insights into what to look for if you're researching this area.

AWS accounts that are outside of the SES sandbox are valuable to criminals that are looking to perform mass spam campaigns or large-scale phishing attacks. When purchased, they will attempt to launch their campaign as soon as possible and get as much out there as they can, before Amazon catches on and bans the AWS account for malicious activity with SES.

Microsoft released the second version of the threat matrix for Kubernetes, which adds new techniques that were found by Microsoft researchers, as well as techniques that were suggested by the community.

What often happens in famous attacks to Cloud environments is a vulnerable application that is publicly available and can serve as an entry point. From there, attackers can try to move inside the cloud environment, trying to exfiltrate sensitive data or use the account for their own purpose, like crypto mining.

In a whole bunch of places you will be told not to install security updates when building your Docker image. Please, run dnf/apk/apt-get upgrade in your Dockerfile, you really do want to install security updates in your Docker image. And after that, make sure Docker caching doesn't break your updating.

Leveraging environment $PATH variables to keylog, hijack SSH sessions, and more. Useful for post-ex activities on shared *nix jumpboxes or developer workstations. This can be particularly useful in AWS environments where you have access as the ec2-user.

Post considering why traditional network security approaches aren't sufficient in the cloud native world, and see what advantages we can gain through network policies.

Series describing a Kubernetes penetration test methodology, which covers the security risks that can be created by misconfiguring Kubernetes RBAC and demonstrates the attack vectors of a remote attacker.

Atlantis is an Open Source Terraform Automation platform designed to be run as part of a version control provider's pull request (PR) workflow. It provides workflow customization on a per-team basis, centralized permissions and binaries, audit logs and guardrails such as PR approvals and mergeability.

Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments.

Validate all your Customer Policies against AWS Access Analyzer.

A GitHub Action for easily using conftest in your CI. It allows for pulling policies from another source and can surface the violations and warnings into the comments of the pull request.

A Kubernetes admission controller to verify images have been signed by cosign.

A distributed systems and infrastructure simulator for attacking and debugging Kubernetes: simulator creates a Kubernetes cluster for you in your AWS account; runs scenarios which misconfigure it and/or leave it vulnerable to compromise and trains you in mitigating against these vulnerabilities.

PMapper v1.1.0 has been released, now having support for all policy types (IAM, SCP, Session, Boundary, and Resource for a bunch of resource types).

BridgeCrew introduced Checkov 2.0, including an all-new graph-based framework, 250 new policies, and Dockerfile support.

A collection of resources and tools that can aid assessing Kubernetes clusters.

You can now use IAM Access Analyzer to generate fine-grained policies, based on your access activity in your AWS CloudTrail logs. When you request a policy, IAM Access Analyzer gets to work and identifies your activity from CloudTrail logs to generate a policy.

VPC flow logs now makes it easier to query VPC flow logs using Amazon Athena. With a few clicks, you can now automate the integration between Athena and your VPC flow logs delivered to S3.

How to use familiar security controls to build more secure machine learning (ML) workflows.

How to use Dex with Amazon EKS, a popular OIDC provider that provides connectors for a variety of different OAuth providers. Specifically, this blog describes how to configure Dex with GitHub as your primary IdP.

How to architect for disaster recovery (DR), which is the process of preparing for and recovering from a disaster.

This guide introduces some best practices when using Secret Manager.

This guide presents best practices for limiting the privileges of service accounts and mitigating major risks they might incur in.

Microsoft introduced Azure Monitor, Azure Defender, and Azure RBAC for Cluster API Provider Azure Kubernetes clusters via Azure Arc.

Azure AD customers can now easily design and issue verifiable credentials to represent proof of employment, education, or any other claim, so that the holder of such a credential can decide when, and with whom, to share their credentials. Each credential is signed using cryptographic keys associated with the DID that the user owns and controls.