How to use Netflix's ConsoleMe to provide secure access to databases via IAM roles.

How to monitor Kubernetes the Elastic way: collect logs using Filebeat, collect metrics using Metricbeat, ingest them directly to Elasticsearch, and monitor them using Kibana.

Post discussing the whole lifecycle of Kubernetes Network Policies covering topics such as creation, editing, governance, debugging and best practices.

First part of a series on AKS network isolation, elaborating how to protect AKS from a networking perspective. You can also reference the companion repository.

How to create a "jump pod" able to spawn a shell, which is inside a Kubernetes cluster and which is authorized to create other pods in the same namespace, but only there.

A collection of overviews of Kubernetes architecture and workload, networking, storage and RBAC objects.

A vulnerability has been discovered that allows http(s) proxy access to kube-apiserver localhost and linklocal (cloud metadata).

Vault 1.8 offers a new Vault Diagnose command, Key Management secrets engine AWS GA support, updates to Integrated Storage Autopilot, and more.

Cloud Guardrails allows you to rapidly cherry-pick cloud security guardrails by generating Terraform files that create Azure Policy Initiatives.

A tool to help prevent SSRF attacks on AWS EC2 via automated upgrades to the more secure Instance Metadata Service v2 (IMDSv2).

trust is an operator for distributing trust bundles across a Kubernetes cluster. It is designed to complement cert-manager by enabling services to trust X.509 certificates signed by Issuers, as well as external CAs which may not be known to cert-manager at all.

Dorothy is a tool to help security teams test their monitoring and detection capabilities for their Okta environment. You can also refer to the companion blog post.

A curated list of OPA related tools, frameworks and articles.

An authentication proxy for Google Cloud managed databases. Based on the ideas of cloudsql-proxy but intended to be run as a standalone network accessible service rather than a sidecar.

yubikey-agent is a seamless ssh-agent for YubiKeys.

On October 30, 2021 AWS will disable EC2-Classic in Regions for AWS accounts that have no active EC2-Classic resources in the Region. They will also stop selling 1-year and 3-year Reserved Instances for EC2-Classic.

AWS CloudTrail now supports logging of data events for Amazon EBS direct APIs that customers can use to identify when their Amazon EBS snapshots are accessed using the ListSnapshotBlocks, ListChangedBlocks, GetSnapshotBlock, or PutSnapshotBlock APIs by users in their AWS account.

Amazon S3 Access Points aliases allow any application that requires an S3 bucket name to easily use an access point.

Post providing guidance for selecting the right VPC endpoint type to access Amazon S3. A VPC endpoint enables workloads in an Amazon VPC to connect to supported public AWS services or third-party applications over the AWS network. This approach is used for workloads that should not communicate over public networks.

Post describing the AWS services that can be used to both detect and protect data stored in S3.

With new private pools, you can use Google Cloud's hosted Cloud Build CI/CD service on resources in your private network or in other clouds.

Google's proposed SLSA framework provides guidance on how to build a more secure software supply chain.

New GCP IAM recommender "lateral movement insight" which identifies roles that allow a service account in one project to impersonate a service account in another project.

You can set limits on the roles that a member can grant and revoke with IAM Conditions and the iam.googleapis.com/modifiedGrantsByRole API attribute. These limits let you create limited IAM admins who can manage their own team's IAM policies, but only within the boundaries that you have set.

How to access a private Google Kubernetes Engine (GKE) cluster using Cloud Build private pools. This access lets you use Cloud Build to deploy your application on a private GKE cluster.

Microsoft announced the public preview of incident sharing for Azure Defender and Azure Sentinel. Using this new capability, customers can use Azure Sentinel as their single pane of glass for incident triage, leverage Microsoft 365 Defender or Azure Defender for incident investigation and remediation, and stay seamlessly in-sync across all three products.

how to deploy and use a solution that allows for the automatic execution of Jupyter Notebooks to provide enrichment to incidents within Azure Sentinel.