The State of Kubernetes Security Report examines how companies are adopting Kubernetes, containers, and cloud-native technologies while meeting the challenges of securing their Kubernetes applications.

The assessment evaluated Istio's architecture as a whole for security related issues with focus on key components like istiod (Pilot), Ingress/Egress gateways, and Istio's overall Envoy usage as its data plane proxy. An important conclusion from the report is that the auditors found no "Critical" issues within the Istio project.

A bug in AWS ACM allows to import valid TLS certificates for domains you don't own. Combined with a new Cloudfront feature this allows to extract AWS Account IDs for websites hosted on CloudFront.

Post detailing both the research process and useful findings about Windows containers. It primarily focuses on the filesystem layers and does not cover containerised registry hives.

Post sharing experience, challenges, and a methodology on doing Cloud forensics in Azure AD.

A collection of playbooks covering several common scenarios faced by AWS customers. They outline steps based on the NIST Computer Security Incident Handling Guide, that can be used to gather evidence, contain and then eradicate the incident, recover from the incident, and conduct post-incident activities.

Crafty attackers are finding new ways to bypass multiple-factor authentication. Find out how the Expel SOC detected an attack and get some tips on how your org can prevent credentials phishing.

How to build scalable, role-based SSH access with SSH certificates and HashiCorp Vault.

Authorize who can modify an IaC resource straight from your CI/CD pipeline using auto-tagging with Yor and policy-as-code with Checkov.

The Security Stack Mappings for Azure research project was recently published, introducing a library of mappings that link built-in Azure security controls to the MITRE ATT&CK techniques they mitigate against.

The whole issue with file permissions in docker containers comes from the fact that the Docker host shares file permissions with containers (at least, in Linux).

A proof-of-concept project that aims to sign and verify container images using cosign and OPA (Open Policy Agent).

AWS Security Analytics Bootstrap enables customers to perform security investigations on AWS service logs by providing an Amazon Athena analysis environment that's quick to deploy, ready to use, and easy to maintain.

Use the 1Password Connect Terraform Provider to reference, create, or update items in your 1Password Vaults.

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster.

Have you ever wondered what an application architecture would look like if you committed to using mostly all graduated or incubating projects from the Cloud Native Computing Foundation? This repo, the CNCF Projects App, attempts to answer that question with an example expense application that is made up almost exclusively of CNCF projects.

How to set up end-to-end encryption on Amazon EKS with AWS Certificate Manager Private Certificate Authority.

How to implement a lightweight proxy to an Amazon Cognito endpoint, which can be used with an application client secret to control access to unauthenticated API operations.

A security group rule ID is an unique identifier for a security group rule. When you add a rule to a security group, these identifiers are created and added to security group rules automatically.

How to create automated suppression rules for specific types of findings in AWS Security Hub, such as ones that are an accepted risk by design, or have a compensating control.

The Microsoft Azure Well-Architected Framework is a set of guiding tenets that can be used to improve the quality of a workload. The framework consists of five pillars of architecture excellence: Cost Optimization, Operational Excellence, Performance Efficiency, Reliability, and Security. Incorporating these pillars helps produce high-quality, stable, and efficient cloud architecture.

Azure Lighthouse makes it easier for service providers to automate their management of customer infrastructure. At the same time, it provides fine-grained access control that places the customer in charge of which resources are available to which service providers.

Post sharing insights into Microsoft's journey as they worked towards advancing their postmortem and resiliency threat modeling processes.

Azure Bastion is a fully managed jumpbox-as-a-service that provides secure RDP and SSH connectivity to VMs deployed in any local or peered Azure Virtual Networks. Remote connectivity is established directly from the Azure Portal, over a transport layer security (TLS) connection, to the public IP address of Azure Bastion. From there, Azure Bastion establishes RDP and SSH sessions to the private IP address of the target VMs in the local or peered Virtual Network.