Linkbase

14.03.2025

• The many ways to obtain credentials in AWS
• The dark cloud around GCP service accounts
• Build Go applications using Project IDX and the Gemini API
• Awesome List of Cybersecurity and AI
• Things we learned about LLMs in 2024
• Implementing Security Invariants in an AWS Management Account
• Confidential computing at 1Password
• Avoiding mistakes with AWS OIDC integration conditions
• Securing Grafana on Kubernetes with GCP IAP, Gateway API, and Terraform
• Passkeys: they’re not perfect but they’re getting better
• mise - dev tools, env vars, task runner
• How AI enhances static application security testing (SAST)
• How we built an AppSec AI that security researchers agree with 96% of the time
• A Commencement Into Real Kubernetes Security
• AWS EKS Access Management & Permissions
• Generative AI tool for evaluating Infrastructure as Code and architecture diagrams against AWS Well-Architected best practices.
• THE RISK YOU CAN’T AFFORD TO IGNORE: AWS SES AND EMAIL SPOOFING
• Advanced Nginx Hardening
• Connect your on-premises Kubernetes cluster to AWS APIs using IAM Roles Anywhere
• Four ways to grant cross-account access in AWS
• I Want You to Hack AWS: Cloud Penetration Testing for Traditional Hackers | Nick Frichette
• Ephemeral values in Terraform
• IssueOps: Automate CI/CD (and more!) with GitHub Issues and Actions
• Understanding RCPs and SCPs in AWS: Choosing the Right Policy for your Security Needs
• A hard look at GuardDuty shortcomings
• New Vulnerability in GitHub Copilot and Cursor: How Hackers Can Weaponize Code Agents
• MCP (Model Context Protocol): Simply explained in 5 minutes
• Effectively implementing resource control policies in a multi-account environment
• Master architecture decision records (ADRs): Best practices for effective decision-making
• Patterns and Techniques for Writing High-Performance Applications with Go
• A collection of MCP servers.
• curl-like access to AWS resources with AWS Signature Version 4 request signing
• GitHub’s official MCP Server
• What Do Hackers Know About Your AWS Account?
• How to use AWS Resource Control Policies
• Kube-Policies: Guardrails for Apps Running in Kubernetes
• How to Harden GitHub Actions: The Unofficial Guide

05.10.2024

• Trail of Bits Testing Handbook
• Enumeration/exploit/analysis/download/etc pentesting framework for GCP
• fwd:cloudsec 2024!
• The EKS Hacking Playbook: Lessons From 3 Years of Cloud Security Research
• Get into AWS security research as a n00bcake - Daniel Grzelak
• The Path to Zero-Touch Production - Rami McCarthy
• Taking a look at Kubernetes Profiling
• Stop worrying about ‘allowPrivilegeEscalation’
• The CloudSec Engineer
• CLI to prevent malicious Terraform Providers from being executed
• Single Sign-On Or Single Point of Failure?
• Understanding the Risks of Long-Lived Kubernetes Service Account Tokens
• AWS Organization Viewer - wut.dev
• Fast and reliable background jobs in Go
• An improved drop-in replacement for SQS
• Doggo - Command-line DNS Client for Humans. Written in Golang
• OpenStatus - The open-source synthetic monitoring platform
• How I Built a Cybersecurity Digital Forensics and Incident Response Lab in Amazon Web Services
• a better dotenv–from the creator of dotenv
• Simple plug-and-play Github Action to block unauthorized outbound traffic (egress) in your Github workflows
• BSidesSF 2024
• Security Engineering at Google: My Interview Study Notes
• A simple mitmproxy blueprint to intercept HTTPS traffic from app running on Kubernetes
• Moving AWS Accounts and OUs Within An Organization - Not So Simple!
• Top four ways to improve your Security Hub security score
• IAM so lost: A guide to identity in Google Cloud
• Run your own AI cluster at home with everyday devices
• Securing the Container World with Policies: acjs and ctrdac
• An opensource incident management platform integrating with Slack.
• Attack Paths Into VMs in the Cloud
• Getting Started with Exploit Development
• A Five Year Retrospective on Detection as Code
• Thwacking DDOS with AWS WAF
• Poor mans MFA for AWS Client VPN
• Using S3 as a container registry
• Govulncheck reports known vulnerabilities that affect Go code
• Secure Guardrails - Semgrep Academy
• Enabling Security Guardrails: Infra as Code with CDK for Terraform
• Building A Security Platform Engineering Team
• IAM so lost: A guide to identity in Google Cloud
• Moving AWS Accounts and OUs Within An Organization - Not So Simple!
• A hard look at GuardDuty shortcomings
• Red team Interview Questions
• Anyone can Access Deleted and Private Repository Data on GitHub
• A GitHub Action that adds opinionated comments to a PR from Terraform fmt/init/plan output
• An Opinionated Ramp Up Guide to AWS Pentesting
• Automate monitoring for your Amazon EKS cluster using CloudWatch Container Insights
• Kubernetes Security Fundamentals - Introduction
• Kubernetes security fundamentals: Authorization
• Why You Should Disable Your Unauthenticated Read-only Ports On GKE Kubelet Servers
• Announcing Karpenter 1.0
• Understanding AWS Networking: A Guide for Network Engineers
• Using AI for Offensive Security
• Kubernetes Testing Environment: An Open Source Resilience Platform for EKS, GKE and AKS
• GitHub Actions Attack Diagram
• 3.7 Million Fake GitHub Stars: A Growing Threat Linked to Scams and Malware
• Kubernetes is evolving, the CKA exam too!
• Achieving Zero Trust Security on Amazon EKS with Istio
• Using Go instead of bash for scripts
• How to 10X Your Cloud Security (Without the Series D)
• Beyond the AWS Security Maturity Roadmap
• ~6x faster, stricter, configurable, extensible, and beautiful drop-in replacement for golint
• Hacking Kia: Remotely Controlling Cars With Just a License Plate
• Cloud Logging Tips and Tricks
• Mitigating Attack Vectors in GitHub Workflows
• AWS: VPC Flow Logs, NAT Gateways, and Kubernetes Pods — a detailed overview
• How to build a secure recon network using Tailscale
• AWS and Kubecost Collaborate to Deliver Kubecost 2.0 for Amazon EKS Users
• Managing AWS EKS access entries with Terraform and OpenTofu
• Cloud native incident response in AWS - Part II
• Why Multi-Account in AWS?
• Template Go app repo with local test/lint/build/vulnerability check workflow, and on tag image test/build/release pipelines, with ko generative SBOM, cosign attestation, and SLSA build provenance
• Terraform Stacks - Part 1 - An Introduction
• A static analysis tool for GitHub Actions
• Your Quick Reference to Cloud Best Practices
• AWS Security Guardrails & Terraform
• Safer AWS SCP deployments via real-time monitoring
• How AWS enforcement code logic evaluates requests to allow or deny access
• Better AWS SSM Session manager CLI client
• Pinniped is the easy, secure way to log in to your Kubernetes clusters.
• The Dark Side of Domain-Specific Languages: Uncovering New Attack Techniques in OPA and Terraform
• AWS Application Load Balancer announces CloudFront integration with built-in WAF
• Updated whitepaper: Architecting for PCI DSS Segmentation and Scoping on AWS
• Amazon EKS now supports Amazon Application Recovery Controller (ARC)
• Terraform Ephemeral resource configuration reference
• Hands-On Security Tips For Centralize Root Access In AWS(AssumeRoot)
• AWS Application Load Balancer introduces header modification for enhanced traffic control and security
• Secure root user access for member accounts in AWS Organizations
• How to use AWS Resource Control Policies
• Securely share AWS resources across VPC and account boundaries with PrivateLink, VPC Lattice, EventBridge, and Step Functions
• Use your on-premises infrastructure in Amazon EKS clusters with Amazon EKS Hybrid Nodes
• Exploiting Public AWS Resources - CLI Attack Playbook
• AWS re:Invent 2024 Security Talks
• Announcing Amazon EKS Auto Mode
• Announcing Node Health Monitoring and Auto-Repair for Amazon EKS
• Kubernetes v1.32: Penelope

26.06.2024

• Docs as code is a broken promise
• Who Touched My GCP Project? Understanding the Principal Part in Cloud Audit Logs – Part 1
• IAM Is The Worst
• Leveraging Nuclei Templates to Identify Risks and Threats in Critical Cloud Applications
• Terraform 1.8 provider functions for AWS, Google Cloud, and Kubernetes
• Private, secure, and seamless connectivity to Cloud SQL using Private Service Connect
• Go performance from version 1.0 to 1.22
• Redis re-implemented with SQLite
• PostgreSQL Index Advisor
• State of DevSecOps
• The end of GitHub PATs: You can’t leak what you don’t have
• NSA Publishes Guidance for Strengthening AI System Security
• Microsoft Copilot for Security is a generative AI-powered security solution that helps increase the efficiency and capabilities of defenders to improve security outcomes at machine speed and scale, while remaining compliant to responsible AI principles
• Integrate Kubernetes policy-as-code solutions into Security Hub
• From Ground Zero to Production: Go’s Journey at Google
• The Kubenomicon was born of a desire to understand more about Kubernetes from an offensive perspective
• Our Journey Migrating to AWS IMDSv2
• AWS Monitoring with EventBridge
• Effortlessly deploy a status page and start monitoring endpoints in minutes
• A simple script which implements different Cognito attacks such as Account Oracle or Priviledge Escalation
• exploit.education provides a variety of resources that can be used to learn about vulnerability analysis, exploit development, software debugging, binary analysis, and general cyber security issues.
• aws-scps-for-sandbox-and-training-accounts
• Analyze Docker images size
• A GitHub App that acts like a Security Token Service (STS) for the Github API
• AWS CLOUDQUARRY: DIGGING FOR SECRETS IN PUBLIC AMIS
• Detecting Manual Actions in EKS Clusters with Terraform and SNS
• A utility to detect various technology for a given IP address.
• Static checker for GitHub Actions workflow files
• Open source Loom alternative. Effortless, instant screen sharing.
• Linux maintainers were infected for 2 years by SSH-dwelling backdoor with huge reach
• Building a GitOps CI/CD Pipeline with GitHub Actions (SOC 2)
• XZ Utils Made Me Paranoid
• OWASP Security Champions Guide
• Everything I Learned to Negotiate Your Salary
• Hello GPT-4o
• A step-by-step guide to securely upgrading your EKS clusters
• Monitoring your EKS clusters audit logs
• Container security fundamentals part 6: seccomp
• Assured Workloads provides Google Cloud users with the ability to apply controls to a folder in support of regulatory, regional, or sovereign requirements
• AWS ImdsPacketAnalyzer
• Independently deploy customized honeyservices in AWS to trigger alerts on unauthorized access.
• GCP - Automatically disabling leaked service account keys: What you need to know
• Governing and securing AWS PrivateLink service access at scale in multi-account environments
• HCP Waypoint actions is now in public beta
• Generic Concurrency in Go
• Reverse Tunnels in Go over HTTP/3 and QUIC
• The Best Way to Start with AWS Security Hub
• AWS Controllers for Kubernetes
• Kail - Kubernetes Log Viewer
• prel(iminary) is an application that temporarily assigns Google Cloud IAM Roles and includes an approval process.
• The CloudSec Engineer
• Practical resources for offensive CI/CD security research
• The Race to Make a Business of Secure Defaults
• AWS IAM Privilege Escalation Techniques
• Things you wish you didn’t need to know about S3
• Introducing BadDNS
• An AI-powered threat modeling tool that leverages OpenAI’s GPT models to generate threat models for a given application based on the STRIDE methodology.
• An Applied Introduction to eBPF with Go
• Announcing GoReleaser v2
• Securing Research Infrastructure for Advanced AI
• Pin GitHub Actions
• Amazon CloudWatch Logs announces Live Tail streaming CLI support
• On Fire Drills and Phishing Tests
• Glasskube - The next generation Package Manager for Kubernetes
• Kubernetes tool for scanning clusters for network policies and identifying unprotected workloads.
• Centrally manage member account root email addresses across your AWS Organization
• AWS adds passkey multi-factor authentication (MFA) for root and IAM users
• How to safeguard your SSH environment with Identity-Aware Proxy and Security Command Center
• Introducing GKE Compliance: Maintain clusters and workloads against industry standards
• Mastering Go: Challenging Quiz on Advanced Concepts for Go Programmers
• Common Anti-Patterns in Go Web Applications
• Open source data anonymization and synthetic data orchestration for developers. Create high fidelity synthetic data and sync it across your environments.
• Three Ways To Think About Channels
• A pragmatic guide to Go module updates
• Shameless green: TDD in Go
• Consistently Prepared: Year-round strategies for career growth
• 6 Questions to Ask When Interviewing for an AppSec Role
• The Path to Zero Touch Production
• Stop worrying about ‘allowPrivilegeEscalation’
• 1/6 | How We Hacked Multi-Billion Dollar Companies in 30 Minutes Using a Fake VSCode Extension
• Taking a look at Kubernetes Profiling
• Enumeration/exploit/analysis/download/etc pentesting framework for GCP; modeled like Pacu for AWS; a product of numerous hours via @WebbinRoot
• How to create a pipeline for hardening Amazon EKS nodes and automate updates
• Azure - Cloud security posture and contextualization across cloud boundaries from a single dashboard

13.05.2024

• Detecting Manual AWS Actions: An Update!
• Popular git config options
• Security Centralization for AWS Multi-account using Native Services
• How to develop an Amazon Security Lake POC
• How I keep myself Alive using Golang
• AUDITING AWS EKS POD PERMISSIONS
• GitHub enables push protection by default to stop secrets leak
• GopherCon 2023 - talks
• Arcjet JS SDKs. Next.js & Node.js library for rate limiting, bot protection, email verification & defense against common attacks.
• Hot Takes Episode 1: Protect your infrastructure from yourself
• Hash type identifier (CLI & lib)
• ServerlessHorrors
• From Lighthouse to Loran - Navigating GCP Security Auditing Tools
• Check out the shiny new Cloud Security Maturity Model 2.0!
• Ludus is a system to build easy-to-use cyber environments, or “ranges” for testing and development.
• Persistence – Visual Studio Code Extensions
• Banish OEM self-signed certs forever and roll your own private LetsEncrypt
• CISA and NSA Release Cybersecurity Information Sheets on Cloud Security Best Practices
• NSA Releases Top Ten Cloud Security Mitigation Strategies
• Kubernetes LAN Party
• The Missing Guide to AWS API Gateway Access Logs
• CloudGrappler is a purpose-built tool designed for effortless querying of high-fidelity and single-event detections related to well-known threat actors in popular cloud environments such as AWS and Azure.
• How we sped up AWS CloudFormation deployments with optimistic stabilization
• Introducing Security Command Center Enterprise: The first multicloud risk management solution fusing AI-powered SecOps with cloud security
• Now available: Free data transfer out to internet when leaving Azure
• Automatic Microsoft 365 Documentation to simplify the life of admins and consultants.
• More powerful Go execution traces
• Measuring your system’s performance using software (Go edition)
• For Loops and More in Go
• How to Write A 4000 Stars GitHub README for Your Project
• Using GitHub Actions to add Go binaries to a Release
• How I built my own Go package index - go.sazak.io
• retina - eBPF distributed networking observability tool for Kubernetes
• Keep Hackers Out of Your Cluster with These 5 Simple Tricks - Christophe Tafani-Dereeper & Frederic Baguelin, Datadog
• Introducing TrailDiscover: Simplifying Access to Security Insights about CloudTrail Events
• NamespaceHound: protecting multi-tenant K8s clusters
• enumerate binary capabilities, including malicious behaviors
• Fixing security vulnerabilities with AI
• OPA 1.0 is coming. Here’s what you need to know.
• WeAudit is an essential extension in the arsenal of any code auditor.
• A revamped page that collects writeups about DevOps, AppSec, ProdSec, Vulnerability Management, Risk / Compliance.
• Learning Go in 2024; From Beginner to Senior
• The Case Of A Leaky Goroutine
• Say goodbye to isolated Kafka projects, painful operations and complex security solutions.
• IAMGraph: Mapping Cross-Account Attack Paths in AWS Environments
• Using Tailscale for persistence
• A GitHub Action to suggest removal of non-organization members from CODEOWNERS files
• Louis Barrett - Small Language Models for Application Security - Beyond ChatGPT
• ULTIMATE GUIDE TO SECRETS IN LAMBDA
• Access, a centralized portal for employees to transparently discover, request, and manage their access for all internal systems needed to do their jobs
• Enumerate Microsoft Entra ID (Azure AD) fast
• A revamped page that collects writeups about documentation, security, infrastructure, development environments & CI, and software engineering.
• Building an interactive shell in Golang
• A basic guideline on implementing auth for the web
• Leveraging AWS SSO (aka Identity Center) with Google Workspaces
• Securing Kubernetes: A Comprehensive Guide to Runtime Security and System Hardening
• cloudfox - automating situational awareness for cloud penetration tests.
• Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.
• Terraform CI/CD and testing on AWS with the new Terraform Test Framework
• 15 must-attend security sessions at Next ‘24
• Awesome secure by default libraries to help you eliminate bug classes!
• Common Golang Packages for use by the Various Cloud Nuke Tools
• AWS Organization Migration Notes
• Incident Responder Interview Questions
• Open source on-call scheduling, automated escalations, and notifications so you never miss a critical alert

10.04.2024

• Ostorlab KEV: One-command to detect most remotely known exploitable vulnerabilities. Sourced from CISA KEV, Google’s Tsunami, Ostorlab’s Asteroid and Bug Bounty programs.
• A Recipe for Scaling Security
• Azure Attack Paths
• Kubernetes Scheduling And Secure Design
• Microsoft’s Dangerous Addiction To Security Revenue
• Salary negotiation in 30 seconds
• Leaked prompts of GPTs
• The curious case of DangerDev@protonmail.me
• Scanning Git for Secrets: The 2024 Comprehensive Guide
• Debug your GitHub Actions via SSH by using tmate to get access to the runner system itself
• Set up GitHub Actions to deploy to AWS
• Amazon EKS introduces upgrade insights
• Amazon EKS Pod Identity: a new way for applications on EKS to obtain IAM credentials
• Image Filesystem: Configuring Kubernetes to store containers on a separate filesystem
• Profile Guided optimisation (PGO) is a recent addition to Go which allows your code to run faster.
• Context Control in Go
• Do you know if all your repositories have up-to-date dependencies?
• Terraform module to deploy Atlantis on AWS Fargate
• A FAST Kubernetes manifests validator, with support for Custom Resources!
• Start With the Go Standard Library
• errcheck is a program for checking for unchecked errors in Go code.
• secator - the pentester’s swiss knife
• (Almost) Every infrastructure decision I endorse or regret after 4 years running infrastructure at a startup
• How to be IR Prepared in AWS
• How to be IR prepared in Azure
• Images as Code: The pursuit of declarative image builds
• Fargate Is Not Firecracker
• The Attackers Guide to Azure AD Conditional Access
• The Two-Headed SIEM Monster
• How to enforce creation of roles in a specific path: Use IAM role naming in hierarchy models
• Hidden GitHub Commits and How to Reveal Them
• This tool analyzes a given Github repository and searches for dangling or force-pushed commits containing potential secret or interesting information.
• Security Playbook for Compromised AWS Account Credentials
• Adaptive AWS Zero Trust Policy made easy: Auto-generate least-privilege policies based on user activity in real time! Accelerate the adoption of smart access control
• Docker Security – Step-by-Step Hardening (Docker Hardening)
• New EKS Access Management and Pod Identity features: a security analysis
• Engineering a SIEM part 1: Why did we need to build our own SIEM?
• AI monitoring employees for ‘thought crimes’ in apps like Slack and Zoom
• The useful exploit finder
• Offensive Lab Environments (Without the Suck)
• AI for Security: Eight Areas of Opportunity
• LLM Agents can Autonomously Hack Websites
• Detecting Manual AWS Actions: An Update!
• Detecting AWS Canaries without Detonating them
• Reads from existing public and private cloud providers (reverse Terraform) and generates your infrastructure as code on Terraform configuration
• Best practices for managing Terraform State files in AWS CI/CD Pipeline
• How to automate rule management for AWS Network Firewall
• Wrangle your alerts with open source Falco and the gcpaudit plugin
• Go microservice template for Kubernetes
• Go Enums Suck

31.01.2024

• An alternative to stack traces for your Go errors
• Gorse open source recommender system engine
• 2023 Global DevSecOps Report Series
• re:Invent 2023 recap
• Bolstering Security & Automating Management of Target Australia’s EKS clusters
• Deep dive into the new Amazon EKS Pod Identity feature
• IceKube: Finding complex attack paths in Kubernetes clusters
• Security Architect and Principal Security Engineer Interview Questions
• Awesome Roadmaps
• Nord Stream is a tool that allows you to extract secrets stored inside CI/CD environments by deploying malicious pipelines.
• CI/CD SECRETS EXTRACTION, TIPS AND TRICKS
• Avoid accidental exposure of authenticated Amazon API Gateway resources
• terraform-null-label: the why and how it should be used
• Kubernetes security fundamentals: API Security
• Zonal autoshift – Automatically shift your traffic away from Availability Zones when we detect potential issues
• Moving away from CDK
• Three new capabilities for Amazon Inspector broaden the realm of vulnerability scanning for workloads
• How to improve cross-account access for SaaS applications accessing customer accounts
• Optimize AWS administration with IAM paths
• Use IAM Roles Anywhere to help you improve security in on-premises container workloads
• Tools for Go projects
• Sign in with GitHub in Go
• Analyzes CloudTrail data of a given AWS account and generates a summary of recently active IAM principals, API calls they made and regions that were used.
• Considerations for Keeping Images Up to Date
• AWS Security Services Best Practices
• Introducing CloudSecGPT: Your Go-To AI for Cloud Security Insights
• Google Cloud - Migrate from service account keys
• Atuin replaces your existing shell history with a SQLite database, and records additional context for your commands.
• Flowpipe is a cloud scripting engine. Automation and workflow to connect your clouds to the people, systems and data that matters.
• Setting secure defaults on AWS and avoiding misconfigurations
• How to use Dockerfiles with wolfi-base images
• The Terraform Live Graph Extension for Visual Studio Code is a plugin that allows you to generate a live Terraform graph as you code.
• aws2tf - automates the importing of existing AWS resources into Terraform and outputs the Terraform HCL code.
• The Uber Go Style Guide.
• Kamal - Deploy web apps anywhere.
• AWS Account Security Onboarding Mind Map
• SSH-Snake is a self-propagating, self-replicating, file-less script that automates the post-exploitation task of SSH private key and host discovery.
• A Slack bot phishing framework for Red Teaming exercises
• Kubernetes Deep Health Checks
• How to Prevent Secret Leaks in Your Repositories
• Twitter vulnerable snippets
• A CLI for creating better commits following the conventional commits specification
• How to introduce Semgrep to your organization
• Collection of example Service Control Policies (SCPs) that are useful for sandbox and training AWS accounts
• The final answer: AWS account IDs are secrets
• A Recipe for Scaling Security
• Azure Attack Paths
• Mastering Kubernetes security: Safeguarding your container kingdom
• Kubernetes Scheduling And Secure Design
• A privacy-first, lightweight note-taking service

03.01.2023

• Fourteen Years of Go
• inshellisense- IDE style command line auto complete
• Arsenal is just a quick inventory and launcher for hacking programs
• Session Hijacking Visual Exploitation
• Key takeaways from the Wiz 2023 Kubernetes Security Report
• A Terraform module that makes it a snap to opt out of all AWS AI/ML data harvesting.
• A curated list of GPT agents for cybersecurity
• State of Cloud Security
• Bolstering Security & Automating Management of Target Australia’s EKS clusters
• Find your next security tool.
• Kubernetes Removals, Deprecations, and Major Changes in Kubernetes 1.29
• Kickstart and manage your AWS Organization via Terraform
• New – Multi-account search in AWS Resource Explorer
• 12 Personal Go Tricks That Transformed My Productivity
• OMGCICD - ATTACKING GITLAB CI/CD VIA SHARED RUNNERS
• Post-exploiting a compromised etcd – Full control over the cluster and its nodes
• Security best practices for authors of GitHub Actions
• Open source Terraform module registry with UI, optional Git integration and deep analysis
• Amazon S3 now supports enabling S3 Object Lock on existing buckets
• AWS IAM Identity Center now provides new APIs to automate access to applications
• How to use multiple instances of AWS IAM Identity Center
• Rapidly Scaling for Breaking News with Karpenter and KEDA - Mel Cone & Deepak Goel
• Ambient Mesh Architecture - Istio
• Istio: The Past, Present and Future of the Project and Community - Louis Ryan & John Howard
• Node Size Matters - Running K8s as Cheaply as Possible - Alex Meijer & Michael Dresser, Stackwatch
• flan - A pretty sweet vulnerability scanner
• Self-Hosted ephemeral macOS CI on Apple Silicon
• Lambda function that streamlines containment of an AWS account compromise
• AWS pre:Invent 2023
• How to create an AMI hardening pipeline and automate updates to your ECS instance fleet
• Preventing Accidental Internet-Exposure of AWS Resources (Part 1: VPC)
• Deep dive into the new Amazon EKS Pod Identity feature
• What Is GitOps And Why Is It (Almost) Useless? Part 1
• What Is GitOps And Why Is It (Almost) Useless? Part 2
• Convert cloudtrail data to MITRE ATT&CK Sightings
• Azure Chat Solution Accelerator powered by Azure Open AI Service
• IceKube is a tool to help find attack paths within a Kubernetes cluster from a low privileged point, to a preferred location, typically cluster-admin
• How to use the PassRole permission with IAM roles
• Introducing IAM Access Analyzer custom policy checks
• Self-study DevOps Projects
• Learn and Test DMARC
• Breaking DRM in Polish Trains
• Amazon EKS introduces upgrade insights
• Top announcements of AWS re:Invent 2023

13.11.2023

• Gosh - Writing Go at the Command Line - Nick Wells - September Gophers
• OpenAI ChatGPT, GPT-3, GPT-4, DALL·E, Whisper API wrapper for Go
• Following attackers’ (Cloud)trail in AWS: Methodology and findings in the wild
• Attacking AWS Cognito with Pacu (p1)
• former2 - Generate CloudFormation / Terraform / Troposphere templates from your existing AWS resources.
• waf-btk - WAF bypass PoC
• Coalfire AWS RAMP/pak Reference Architecture
• Find origin servers of websites behind CloudFlare by using Internet-wide scan data from Censys.
• endoflife.date - find EOL dates
• PCI DSS v4.0 on AWS Compliance Guide now available
• Delegating permission set management and account assignment in AWS IAM Identity Center
• Only one label to improve your Kubernetes security posture, with the Pod Security Admission (PSA) — just do it!
• Bootstrap an Air Gapped Cluster With Kubeadm
• SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
• SSH Session Monitoring Daemon
• Vulnerability Management: You should know about EPSS
• Harvest passwords automatically from OpenSSH server
• Marvin is a CLI tool that scans a k8s cluster by performing CEL expressions to report potential issues, misconfigurations and vulnerabilities.
• Terraform AWS Provider — Everything you need to know about Multi-Account Authentication and Configuration
• Amazon EC2 now supports setting AMIs to a disabled state
• viddy - a modern watch command. Time machine and pager etc.
• Oh-Auth - Abusing OAuth to take over millions of accounts
• Azure security best practices and patterns
• Nebula - AI-Powered Ethical Hacking Assistant
• Tabby - Self-hosted AI coding assistant
• CVE - Gather and update all available and newest CVEs with their PoC.
• Slack Attack: A phisher’s guide to initial access
• A short note on AWS KEY ID - decode to AWS Account Number
• A starter kit to build local-only AI apps that cost $0 to run – starting with document Q&A. Written in Javascript
• Use shared VPC subnets in Amazon EKS
• How to upgrade Amazon EKS worker nodes with Karpenter Drift
• Operating resilient workloads on Amazon EKS
• A Golang Tool to discover unused Kubernetes Resources
• InfoSecMap - Mapping out the best InfoSec events and groups!
• Gsec - Web Security Scanner
• RAVEN (Risk Analysis and Vulnerability Enumeration for CI/CD)
• Announcing the EKS Cluster Games
• Production-ready detection & response queries for osquery
• GOAD is a pentest active directory LAB project
• eBPF-based Security Observability and Runtime Enforcement
• Go, Containers, and the Linux Scheduler
• Goroutine leak detector
• tailspin - a log file highlighter
• Fast, collaborative live terminal sharing over the web
• Security considerations for running containers on Amazon ECS
• More in-depth answers for websec interview questions by tib3rius
• Golang weaponization for red teamers
• Terraform Security Best Practices
• A Comprehensive Guide to Testing in Terraform: Keep your tests, validations, checks, and policies in order
• Kubernetes audit logging, when you don’t control the control plane
• sso-sync-to-amazon-rds
• Multi Tool Kubernetes Pentest Image

02.10.2023

• Chrome extensions can steal plaintext passwords from websites
• DevOps AI Assistant CLI. Ask questions about your AWS services, cloudwatch metrics, and billing.
• Strategies for the Integration of Software Supply Chain Security in DevSecOps CI/CD Pipelines
• 7 Ways to Escape a Container
• Certified-Kubernetes-Security-Specialist
• Scripts and IaC to create a ransomware resilient AWS Backup System
• aws-list-resources
• Discover the benefits of AWS WAF advanced rate-based rules
• The Beginner’s Guide to Cybersecurity
• Profile-guided optimization in Go 1.21
• CloudSec 360 Series: AI & Cybersecurity with tl;dr sec Clint Gibler
• Static Taint Analysis for Go
• How to Protect Yourself From the New Kubernetes Attacks in 2023
• Container security fundamentals part 6: seccomp
• Introduction to Azure DevOps Workload identity federation (OIDC) with Terraform
• Introducing Infrastructure Manager: Provision Google Cloud resources with HashiCorp Terraform
• AWS - SCP evaluation
• Access accounts with AWS Management Console Private Access
• Policy management in Kubernetes is changing
• AWS Identity and Access Management provides action last accessed information for more than 140 services
• Amazon CloudWatch adds Amazon EKS control plane logs as Vended Logs
• AWS Community - Share and learn with our community of cloud enthusiasts
• Build your OCI images with ko while still using GoReleaser!
• Searches through git repositories for high entropy strings and secrets, digging deep into commit history
• CloudGoat is Rhino Security Labs’ “Vulnerable by Design” AWS deployment tool
• 38TB of data accidentally exposed by Microsoft AI researchers
• A Go-based Exploit Framework
• openrisk is a tool that generates a risk score based on the results of a Nuclei scan.
• Welcome to How To Rotate, an open-source collection of API Key Rotation tutorials
• Source Code Management Platform Configuration Best Practices
• When MFA isn’t actually MFA
• Generate an IAM policy from AWS, Azure, or Google Cloud (GCP) calls using client-side monitoring (CSM) or embedded proxy
• Container Image Linter for Security, Helping build the Best-Practice Docker Image, Easy to start
• This repository provides sample templates for security playbooks against various scenarios when using Amazon Web Services.
• Ripping out Python and Reducing Our Docker Image Size by ~87%
• Finding assets from certificates! Scan the web! Tool presented @DEFCON 31
• AWS Console Session Traceability: How Attackers Obfuscate Identity Through the AWS Console
• The Dark Side of Tech Culture
• Day-1 Skills That Cybersecurity Hiring Managers Are Looking For
• A Simple, Yet Effective Cost Optimization Framework
• Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
• Amazon VPC CNI now supports Kubernetes Network Policies
• On Amazon EKS and Kyverno
• Logging operator for Kubernetes
• My Preferred Go Stack
• Harden-Runner provides runtime security for GitHub-hosted and self-hosted environments
• Introducing pgroll: zero-downtime, reversible, schema migrations for Postgres
• Software Supply Chain Vendor Landscape
• KubeHound: Identifying attack paths in Kubernetes clusters
• 25 Hard-Hitting Lessons from 17 Years in Cybersecurity
• Overhauling AWS account access with Terraform, Granted, and GitOps
• Security Hub gives me imposter syndrome
• PCI v4 is coming. Are you ready?
• How to traceroute Kubernetes pod-to-pod traffic
• ZAP is Joining the Software Security Project
• Terraform 1.6 adds a test framework for enhanced code validation
• Nord Stream is a tool that allows you to extract secrets stored inside CI/CD environments by deploying malicious pipelines. It currently supports Azure DevOps, GitHub and GitLab
• Announcing updates to the AWS Well-Architected Framework guidance
• AI on the command line
• Easily add metrics to your code that actually help you spot and debug issues in production. Built on Prometheus and OpenTelemetry
• Glide - Automate permissions to your cloud and critical applications
• NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations
• New ‘HTTP/2 Rapid Reset’ zero-day attack breaks DDoS records

07.09.2023

• Amazon EKS makes it easier to configure and use Amazon EFS for persistent shared file storage
• AWS announces Public IP Insights, a new feature of VPC IP Address Manager
• Automating custom networking to solve IPv4 exhaustion in Amazon EKS
• How H2O.ai optimized and secured their AI/ML infrastructure with Karpenter and Bottlerocket
• Scaling Kubernetes with Karpenter: Advanced Scheduling with Pod Affinity and Volume Topology Awareness
• Kubernetes Audit Logs: The Unsung Hero of the Kube-verse
• ChatGPT for DevOps
• The missing UI for Helm - visualize your releases
• Awesome Kubernetes (K8s) Threat Detection
• Terraform textual UI for State
• Understanding & Automating Credential Stuffing Testing with Nuclei
• MITRE ATLAS - for AI & ML
• How to Build a Globally Distributed, Multi-Region Identity and Access Platform with Go
• A Language Server for Postgres
• Noir is an attack surface detector form source code
• navgix is a multi-threaded golang tool that will check for nginx alias traversal vulnerabilities
• AWS Security Monitoring in 2023: Untangle the chaos
• Application Architecture as Code
• VS Code’s Token Security: Keeping Your Secrets… Not So Secretly
• Mountpoint for Amazon S3 – Generally Available and Ready for Production Workloads
• AWS Observability Accelerator for Terraform
• Using SBOM to find vulnerable container images running on Amazon EKS clusters
• Hacking Github AWS integrations again
• What’s new for security in Kubernetes 1.28
• Ansible role to apply a security baseline. Systemd edition.
• Terraform best practices for reliability at any scale
• Network Load Balancers now support Security groups
• Measure cluster performance impact of Amazon GuardDuty EKS Agent
• How Chick-fil-A provides observability for 2,800+ K8s clusters
• EKS Node Autoscaling With Large Container Images and a Warm Pool
• An Introduction to Deploying your Database on Kubernetes
• Architecting Kubernetes clusters — choosing a worker node size
• Crossplane Troubleshooting Tool by Komodor
• Vulnerable app with examples showing how to not use secrets
• all shell backdoor in the world
• Google Workspace will require two admins to sign off on critical changes
• Shipping RDS IAM Authentication (with a bastion host & SSM)
• Basti - securely connect to RDS and other AWS resources in a VPC with no idle cost
• Kubernetes Validating Admission Policies: A Practical Example
• Pivoting Clouds in AWS Organizations – Part 2: Examining AWS Security Features and Tools for Enumeration
• Building Docker Images Smaller, Rootless and Non-Shell for Kubernetes
• Methods to Backdoor an AWS Account
• Container security fundamentals part 5: AppArmor and SELinux
• Kubernetes Security Ultimate Checklist: Cloud Native Security Basics Part VI
• Backward Compatibility, Go 1.21, and Go 2
• RIP AWS Go Lambda Runtime
• Avoiding Pitfalls in Go
• Advanced Go Concurrency
• How to develop a great CLI with Go
• Getting into AWS cloud security research as a n00bcake
• Web AppSec Interview Questions
• Early Retirement - Some Reflections Two Years In
• What I’m Doing and How It’s Going - How I went from a $350K FTE to $700K+ doing my own thing
• Authorizing cross-account KMS access with aliases
• Research on various techniques to bypass default falco ruleset (based on falco v0.28.1).
• Verifying images in a private Amazon ECR with Kyverno and IAM Roles for Service Accounts (IRSA)
• An offensive and defensive security toolset for Microsoft 365 Power Platform
• Improve your security investigations with Detective finding groups visualizations
• OpenAI-based Open Source tools for Kubernetes AIOps
• IAMbic is Version-Control for IAM. It centralizes and simplifies cloud access and permissions. It maintains an eventually consistent, human-readable, bi-directional representation of IAM in Git.
• Autostrada - The perfect start to your new Go project
• “CLI Mate” autogenerates CLIs from structs / functions (nested subcommands, global / local flags, help generation, typo suggestions, shell completion etc.- Go
• Logging in Go: A Comparison of the Top 8 Libraries
• Synchronize your DNS to multiple providers from a simple DSL
• KDash - A simple and fast dashboard for Kubernetes
• OpenTF Announces Fork of Terraform
• Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
• WireGuard®-based VPN server and firewall
• Amazon VPC CNI now supports Kubernetes NetworkPolicy enforcement

03.08.2023

• Kubernetes logging best practices
• Securing CI/CD pipelines with 1Password Service Accounts
• The 1Password Connect Kubernetes Operator provides the ability to integrate Kubernetes Secrets with 1Password.
• Sharable Config Presets for Renovatebot, especially useful for DevOps folks
• The open-source policy-as-code software that provides analysis for Multi-Cloud and SaaS environments, you can get insight with natural language (powered by OpenAI).
• Amazon GuardDuty EKS Runtime Monitoring expands operating systems and processor support
• Finding Go bugs with fuzzing
• Coming Soon: Golang 1.21
• Preevy - quickly deploy preview environments to the cloud!
• A collection of Active Directory, phishing, mobile technology, system, service, web application, and wireless technology weaknesses that may be discovered during a penetration test.
• How I Got Hired On Google’s Red Team
• Ask Questions in natural language and get Answers backed by private sources. Connects to tools like Slack, GitHub, Confluence, etc.
• PCI/DSS Controls with Falco
• Enforcing Secure and Cost-Effective Infrastructure as Code with Terraform, OPA, and Infracost
• PodSecurityPolicy migration with Kyverno
• Refining IAM Permissions Like A Pro
• Consolidating controls in Security Hub: The new controls view and consolidated findings
• Coroutines for Go
• Govulncheck v1.0.0 is released!
• A beautiful program to read your RSS/Atom feeds right in the terminal!
• BadZure orchestrates the setup of Azure Active Directory tenants, populating them with diverse entities while also introducing common security misconfigurations to create vulnerable tenants with multiple attack paths.
• reverse shell using curl
• ABUSING AMAZON VPC CNI PLUGIN FOR KUBERNETES
• Kubernetes Security Basics Series: Part III - Container Deployment
• Cloudflare Pages with Zero Trust Authentication - Terraform
• Optimize AWS Config for AWS Security Hub to effectively manage your cloud security posture
• Go 1.22 inlining overhaul
• Go - A gentle introduction to Pointers
• Mailpit - an email and SMTP testing tool with API for developers
• Management of multiple Git SSH keys made easy
• Web Application Black-Box Testing
• Cloud Architecture Security Cheat Sheet
• No keys attached: Exploring GitHub-to-AWS keyless authentication flaws
• CONTAINER SECURITY WORKSHOP
• AWS NETWORKING CONCEPTS - mindmap
• Configure Keycloak on Amazon Elastic Kubernetes Service (Amazon EKS) using Terraform
• Secure Connectivity from Public to Private: Introducing EC2 Instance Connect Endpoint
• Securing Kubecost access with Amazon Cognito
• Continue - a VS Code extension that brings the power of ChatGPT to your IDE
• AI-powered Search & Chat for AWS Documentation
• CDK AWS Observability Accelerator
• Direction for v5 of Terraform EKS Blueprints
• New – AWS Public IPv4 Address Charge + Public IP Insights

06.07.2023

• A curated list of Awesome Security Challenges
• Introducing CloudFoxable: A Gamified Cloud Hacking Sandbox
• Collection of PoC and offensive techniques used by the BlackArrow Red Team
• Breaking down Reverse shell commands
• Kubernetes Grey Zone: Risks in Managed Cluster Middleware
• My AWS Pentest Methodology
• Executing Arbitrary Code & Executables in Read-Only FileSystems
• Terraform 1.5 brings config-driven import and checks
• Vault Secrets Operator for Kubernetes now GA
• Secure Connectivity from Public to Private: Introducing EC2 Instance Connect Endpoint
• AWS IAM Identity Center now supports automated user provisioning from Google Workspace
• Generally Available: Managed identity authentication in Azure Monitor container insights
• Millions of GitHub repos likely vulnerable to RepoJacking, researchers say
• Implement DevSecOps to Secure your CI/CD pipeline
• AWS CloudTrail cheat sheet
• Kubernetes Security Basics Series: Part II - Container Security
• Go 1.21 Release Candidate
• Dkron - Distributed, fault tolerant job scheduling system
• tailer is a CLI tool to insert lines when command output stops
• The most accurate natural language detection library for Go, suitable for long and short text alike
• Inspect a command’s effects before modifying your live system
• Secrets scanner that understands code
• jsluice - extract URLs, paths, secrets, and other interesting bits from JavaScript
• AWS - a threat modeling tool to help humans to reduce time-to-value when threat modeling
• A GPT-empowered penetration testing tool
• GPT-4 Outperforms Humans in Pitch Deck Effectiveness Among Investors and Business Owners
• Security interview questions with possible explanation for roles in AppSec, Pentesting, Cloud Security, DevSecOps, Network Security and so on
• Curated list of links, references, books videos, tutorials (Free or Paid), Exploit, CTFs, Hacking Practices etc. which are related to AWS Security
• NSA - Defending Continuous Integration/Continuous Delivery (CI/CD) Environments
• Leveraging AWS SSO (aka Identity Center) with Google Workspaces - version 2
• Shrink to Secure: Kubernetes and Secure Compact Containers
• How to add, use, and update .terraform.lock.hcl without pain
• 8 Terraform continuous validation use cases for AWS, Google Cloud, and Azure
• Terraform Fake Modules
• GitHub token permissions Monitor and Advisor actions
• GKE Security Posture dashboard now generally available with enhanced features
• Zed is a high-performance, multiplayer code editor from the creators of Atom and Tree-sitter.
• GitLab’s AI-assisted Code Suggestions
• KBOM - Kubernetes Bill of Materials
• New StackRot Linux kernel flaw allows privilege escalation

13.06.2023

• AWS IAM Actions
• Awesome Cloud Security Labs
• An operator to manage ephemeral Kubernetes resources
• Privilege escalation in AWS Elastic Kubernetes Service
• Building a Red Team Infrastructure in 2023
• The beginner’s guide to eBPF
• Visualize call graph of a Go program using Graphviz
• Move over, Dockerfiles! The new way to craft containers
• Starting today, you can create and use passkeys on your personal Google Account
• CLI tool to perform cost analysis on your Azure subscription
• AWS Verified Access is now generally available
• Get details on security finding changes with the new Finding History feature in Security Hub
• ATT&CK v13 Enters the Room: Pseudocode, Swifter Search, and Mobile Data Sources
• Cloud Security Jobs
• An AWS IAM Wishlist
• Manage multiple Terraform projects in monorepo
• Start Pods faster by prefetching images
• Connect your local process and your cloud environment, and run local code in cloud conditions
• KubeStellar - a flexible solution for challenges associated with multicluster configuration management for edge, multi-cloud, and hybrid cloud
• A K8s operator to reduce CO2 footprint of your clusters
• The global home for Platform Engineers
• Go Programming – Golang Course with Bonus Projects
• Tunnel via Cloudflare to any TCP Service
• CloudNativeSecurityCon 2023 - Seattle
• Cloud Native Security Talks
• All-in-one auditing toolkit for identifying common security issues in managed Kubernetes environments. Currently supports Amazon EKS
• Attacking and securing cloud identities in managed Kubernetes part 1: Amazon EKS
• Use different chatbots in one app, currently supporting ChatGPT, new Bing Chat, Google Bard, Claude, and 10+ open-source models including Alpaca, Vicuna, ChatGLM
• Tips and tricks for working with Large Language Models like OpenAI’s GPT-4
• The AI Attack Surface Map v1.0
• Building a Kubernetes purple teaming lab
• Fun with container images - Bypassing vulnerability scanners
• A simple HTTP proxy that fogs over naughty URLs
• Tools that checks for misconfigured access to Github OIDC from AWS roles and GCP service accounts
• A process for automating Docker container base image updates
• Best Practices for EKS Cluster Upgrades
• Automate Security and Monitoring with Amazon EKS Blueprints, Terraform, and Sysdig
• Let’s debug a kubernetes pod locally
• Automated Amazon EKS cluster upgrade
• Spin up dev environments in any infra. Dev-environments-as-code like Terraform but for dev environments
• How to start a Go project in 2023
• snips-sh - passwordless, anonymous SSH-powered pastebin with a human-friendly TUI and web UI
• Clean accounts over permissions in GCP infra at scale
• Container security fundamentals part 4: Cgroups
• Terraform check{} Block
• Terraform AWS provider 5.0 adds updates to default tags
• AWS CloudSaga - Simulate security events in AWS
• Finding The Best Go Project Structure - Part 1
• HardenEKS: Validating Best Practices For Amazon EKS Clusters Programmatically
• Securing Cloud Native Microservices with Role-Based Access Control using Keycloak
• How We Detect Anomalies In Our AWS Infrastructure (And Have Peaceful Nights)
• Exploring Firecracker MicroVMs for Multi-Tenant Dagger CI/CD Pipelines
• How We Detect Anomalies In Our AWS Infrastructure (And Have Peaceful Nights)
• Understanding networking in Kubernetes
• Amazon Security Lake is now generally available
• Updated whitepaper available: Architecting for PCI DSS Segmentation and Scoping on AWS
• Crash Course on Go Generics
• flox is a command line tool that helps you manage your environments
• SeaweedFS is a fast distributed storage system for blobs, objects, files, and data lake, for billions of files! Blob store has O(1) disk seek, cloud tiering.
• How I Use OpenAI’s GPT-4 To Stay In Touch With My Mum More Consistently
• EKS with IPv6 pods
• Optimizing container resources with KRR
• Kubernetes PreUpGrade (Checker)
• Reproducible infrastructure to showcase GitOps workflows and evaluate different GitOps Operators on Kubernetes
• All you need to know about moving to containerd on Amazon EKS
• AWS Fault Injection Simulator adds new actions for Amazon EKS and Amazon ECS
• Amazon ECR adds registry.k8s.io as a supported upstream for pull through cache repositories
• AWS introduces container image signing
• Big IAM Challenge
• Practical Dependency Management for Developers
• We reported a security issue in AWS CDK’s eks.Cluster component
• The Sensitive Data Protection on AWS solution allows enterprise customers to create data catalogs, discover, protect, and visualize sensitive data across multiple AWS accounts.
• Updated AWS Ramp-Up Guide available for security, identity, and compliance
• Announcing Container Image Signing with AWS Signer and Amazon EKS

19.05.2023

• Kubecon 2023 EU - playlist
• Kubecon 2023 EU - The Hacker’s Guide to Kubernetes
• Kubecon 2023 EU - Customizing Your Buildpacks Build
• Kubecon 2023 EU - Taming Tactical Cluster Federation at the Edge
• Kubecon 2023 EU - GitOps at Adobe
• Kubecon 2023 EU - Building a Successful Business in Cloud Native - L Rice, G Rauch, K Hightower, S Liang, T Manville
• Kubecon 2023 EU - Intro + Deep Dive: Kubernetes SIG Scalability
• Kubecon 2023 EU - Archetypes for Reliable Systems
• Kubecon 2023 EU - Node Resource Management: The Big Picture
• Kubecon 2023 EU - How to Blow up a Kubernetes Cluster
• Kubecon 2023 EU - Life Without Sidecars - Is eBPF’s Promise Too Good to Be True?
• network-mapper - map Kubernetes in-cluster traffic and export as text, intents, or an image
• Packet, where are you? – eBPF-based Linux kernel networking debugger
• Kubernetes Removals and Major Changes In v1.27
• DevOps threat matrix
• Spoofy is a program that checks if a list of domains can be spoofed based on SPF and DMARC records
• Automated Security Helper Pipeline Template
• This project creates a centralized API for creating/deleting EC2 CloudWatch alarms on EC2 Instance Metrics in a multi-account AWS Organizations implementation
• kube-iptables-tailer - a service for better network visibility for your Kubernetes clusters
• Privilege escalation in AWS Elastic Kubernetes Service
• Introducing AWS Lambda response streaming
• Announcing updates to the AWS Well-Architected Framework
• Investigate security events by using AWS CloudTrail Lake advanced queries
• Unlock any CLI using biometrics with 1Password Shell Plugins
• Intro to forensics in the cloud: A container was compromised. What’s next?
• Rule Writing for CodeQL and Semgrep
• Go’s Error Handling Is a Form of Storytelling
• The Tao of Go
• How Go fixed everything that was wrong with programming
• Exploiting and Securing Jenkins Instances at Scale with GroovyWaiter
• Container security fundamentals part 3: Capabilities
• Managing Kubernetes secrets like a Pro
• How to Yubikey: a configuration cheatsheet
• How to implement a centralized immutable backup solution with AWS Backup
• Cloud Red Teaming: AWS Initial Access & Privilege Escalation
• How to troubleshoot memory leaks in Go with Grafana Pyroscope
• Go integration testing with courage and coverage
• Chrome extension that generates CloudWatch Logs Insights queries from ChatGPT prompts
• Google Authenticator now backs up your 2FA codes to the cloud
• Using Nix with Dockerfiles
• Argo CD end user threat model: security considerations for hardening declarative GitOps CD on Kubernetes
• Trust Dexter to ensure that all your images are pinned by digest for better security
• AWS Announces Three New Amazon GuardDuty Capabilities to Help Customers Protect Container, Database, and Serverless Workloads
• Mitigating DDoS with data science using AWS Shield Advanced and AWS WAF
• Writing an OS in Go: The Bootloader
• Random testing in Go
• An open-source & self-hostable Heroku / Netlify alternative (and even more)
• Tool to validate assumptions about the Kubernetes network
• Use Amazon CodeWhisperer for Your AWS Security

24.04.2023

• The adapter pattern in Go
• Go execution trace frontend
• slog.Handler that writes tinted logs
• AWS KMS Threat Model
• Zero Trust Access to Private Webapps on AWS ECS with Cloudflare Tunnel
• The Old Faithful: Why SSM Parameter Store still reigns over Secrets Manager
• Vault Secrets Operator: A new method for Kubernetes integration
• GitHub App to watch for PRs merged without a reviewer approving
• How to use Amazon GuardDuty and AWS WAF v2 to automatically block suspicious hosts
• AWS Cost Anomaly Detection now automatically configured for all new Cost Explorer users
• AWS Resilience Hub adds support for Amazon EKS
• Managing etcd database size on Amazon EKS clusters
• Simplify Service-to-Service Connectivity, Security, and Monitoring with Amazon VPC Lattice – Now Generally Available
• Scaling Kubernetes to 7,500 nodes
• Scaling Kubernetes to 2,500 nodes
• Creates Helm chart from Kubernetes yaml
• You Broke Reddit: The Pi-Day Outage
• CLI tool for directly patching container images using reports from vulnerability scanners
• k8sgpt is a tool for scanning your kubernetes clusters, diagnosing and triaging issues in simple english. It has SRE experience codified into it’s analyzers and helps to pull out the most relevant information to enrich it with AI
• This project is a kubectl plugin to generate and apply Kubernetes manifests using OpenAI GPT.
• Announcing the GitHub Actions extension for VS Code
• Artificial Intelligence Infrastructure-as-Code Generator
• Automate IAM credential reports for large AWS Organizations
• Exploring Amazon VPC Lattice
• Welcome to the Jungle: Pentesting AWS
• We put GPT-4 in Semgrep to point out false positives & fix code
• 69 Ways to Fuck Up Your Deploy
• Intro to forensics in the cloud: A container was compromised. What’s next?
• A GitHub Action for authenticating to Google Cloud.
• Create a dry-run organization policy
• New – Self-Service Provisioning of Terraform Open-Source Configurations with AWS Service Catalog
• Announcing policies validations during synthesis time with AWS Cloud Development Kit (CDK)
• The Smallest Go Binary (5KB)
• A tool that provisions remote development environments via Terraform

31.03.2023

• Up your cloud game: 3 CTOs about Eureka moments in cloud development in 60 minutes
• KALI PURPLE - LEVELING THE PLAYING FIELD
• BlueHat 2023
• Collection and Roadmap for everyone who wants DevSecOps
• Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history
• Temporary policy exceptions in Kubernetes with Kyverno
• Security Certification Roadmap
• Create a Console Session from IAM Credentials
• Vault 1.13 adds Kubernetes Operator, MFA improvements, and more
• Help manage AWS systems manager with helpers
• Cloudlist is a tool for listing Assets from multiple Cloud Providers
• What are AWS managed policies?
• Modern data protection architecture on Amazon S3: Part 1
• A sensible approach to compensation for remote teams
• Disaster Recovery When Using Crossplane for Infrastructure Provisioning on AWS
• 73,000 Pods a Day, Lessons From Misadventures In Multi-Tenant - Shane Corbett & Wil Reed
• Using Prometheus to Avoid Disasters with Kubernetes CPU Limits
• Why and when do you need Argo CD?
• In-place Pod Vertical Scaling feature
• Terraform on AWS EKS Kubernetes IaC SRE- 50 Real-World Demos
• Ouch - painless compression and decompression for your terminal
• Devdocs - API Documentation Browser
• Crawlee—A web scraping and browser automation library for Node.js that helps you build reliable crawlers. Fast.
• A simple, high-throughput file client for mounting an Amazon S3 bucket as a local file system
• Automatically Generate Secure Terraform Code
• CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
• Cloudlist is a tool for listing Assets from multiple Cloud Providers
• How to use policies to restrict where EC2 instance credentials can be used from
• From Pod Security Policies to Pod Security Standards – a Migration Guide
• The one-and-only, must-have, eternal Go project layout
• ~6x faster, stricter, configurable, extensible, and beautiful drop-in replacement for golint
• Taskfile v3.22.0 - support for global tasks
• INTRO TO KUBERNETES – CONTAINERS AT SCALE - Illustration
• Building ClickHouse Cloud From Scratch in a Year
• Monitoring Kubernetes Clusters on GKE (Google Container Engine)
• Kubernetes - forensic container analysis
• This is a collection of threat detection rules / rules engines that I have come across
• Service meshes: an in-depth introduction
• Passwordless Authentication made easy with Cognito: a step-by-step guide
• Amazon Linux 2023, a Cloud-Optimized Linux Distribution with Long-Term Support
• A curated directory of Kubernetes tools and resources
• Kubernetes CPU Requests & Limits VS Autoscaling
• How to use Kubernetes events for effective alerting and monitoring
• ko - Build and deploy Go applications
• Container security fundamentals part 2: Isolation & namespaces
• 20 Terraform Best Practices to Improve your TF workflow
• What the ML is up with DevSecOps and AI?
• Synchronization Patterns in Go
• A Guide to Delegated Administrator in AWS Organizations and Multi-Account Management
• CLI tool to perform cost analysis on your AWS account with Slack integration
• AWS - Use backups to recover from security incidents
• This is a collection of threat detection rules / rules engines that I have come across
• Introducing Microsoft Security Copilot
• Woodpecker is a community fork of the Drone CI system

08.03.2023

• Privacy Guides - the guide to restoring your online privacy
• Hacking Google - series
• tbls is a CI-Friendly tool for document a database, written in Go
• Pull request merge queue (public beta) - GitHub
• OWASP Kubernetes Top 10
• A COMPLETE KUBERNETES CONFIG REVIEW METHODOLOGY
• Code security scanning tool (SAST) that discover, filter and prioritize security risks and vulnerabilities leading to sensitive data exposures (PII, PHI, PD)
• Burp Suite Certified Practitioner Exam Study
• Golang Quirks & Intermediate Tricks, Pt 1: Declarations, Control Flow, & Typesystem
• Rust vs Go in 2023
• Under-documented Kubernetes Security Tips
• Kubernetes Security Checklist
• AWS Break Glass Role
• Centralizing AWS CloudWatch log forwarding via EventBridge and Step Functions
• Setup a template to easily create and apply AWS Service Control Policies (SCPs) with Terraform
• Guidance for Baseline Security Assessment on AWS
• Agentless observability for serverless applications
• Tokei - count your code, quickly
• RTX - runtime executor (asdf rust clone)
• moon - a task runner and repo management tool for the web ecosystem, written in Rust
• Katana - a next-generation crawling and spidering framework
• Firefly - black box fuzzer for web applications
• GoReplay is an open-source tool for capturing and replaying live HTTP traffic into a test environment in order to continuously test your system with real data. It can be used to increase confidence in code deployments, configuration changes and infrastructure changes
• Earthly - Super simple CI/CD framework with repeatable builds that you write once and run anywhere – laptop, remote, or any CI
• How to Achieve Application & Cloud Security Resilience
• Cloud drift detection: How to resolve out-of-state changes
• To DIY or Not to DIY; Key Kubernetes Security Considerations
• Under-documented Kubernetes Security Tips
• Securing Kubernetes Secrets with HashiCorp Vault
• My CI/CD pipeline is my release captain
• Down the Cloudflare / Stripe / OWASP Rabbit Hole: A Tale of 6 Rabbits Deep
• Lateral movement risks in the cloud and how to prevent them – Part 3: from compromised cloud resource to Kubernetes cluster takeover
• Understanding and Cost Optimizing Amazon EKS Control Plane Logs
• Cloud IAM Google Cloud
• How Attackers Can Exploit GCP’s Multicloud Workload Solution
• AWS EC2 IMDS – What You Need to Know
• Introducing KWOK: Kubernetes WithOut Kubelet
• Temporary policy exceptions in Kubernetes with Kyverno
• Static Website CLI - AWS
• Considerations for the security operations center in the cloud: deployment using AWS security services
• Three ways to boost your email security and brand reputation with AWS
• Why you should migrate to network firewall policies from VPC Firewall rules
• Submarine Cable Map 2023 - view Internet cables around Earth
• Best Practices for Securing Your Home Network
• Migrate from PodSecurityPolicy to the Built-In PodSecurity Admission Controller
• Pod security policy (PSP) removal FAQ
• Using Azure Active Directory to authenticate to Amazon EKS
• TWO WAYS TO ACCESS EKS: KUBERNETES RBAC AND AWS IAM
• Lesson learned while scaling Kubernetes cluster to 1000 pods in AWS EKS
• Kubernetes Infrastructure At Medium
• Flux Subsystem for Argo

16.02.2023

• 2023: Navigating the Cloud Development Complexity Ahead | TSH.io
• Securing Lambda Function URLs using Amazon Cognito, Amazon CloudFront and AWS WAF
• Haekka - cybersecurity awarness training on Slack!
• Improve GitHub Actions OIDC security posture with custom issuer - Enterprise Only
• Hunting for Amazon Cognito Security misconfigurations
• Hardware Selection and Logistics (Passwordless Authentication Series, #1)
• Leaking Secrets From GitHub Actions: Reading Files And Environment Variables, Intercepting Network/Process Communication, Dumping Memory
• Terraform Modules for Google Cloud by Google
• Setting up a secure CI/CD pipeline in a private Amazon Virtual Private Cloud with no public internet access
• How to revoke federated users’ active AWS sessions
• Monokle streamlines the process of creating, analyzing, and deploying Kubernetes configurations by providing a unified visual tool for authoring YAML manifests, validating policies, and managing live clusters
• Top 15 Kubectl plugins for security engineers
• Breach detection honeypot tokens - including CC
• Visually simulate Git operations in your own repos with a single terminal command
• A lightweight web security auditing toolkit - alternative to Burp/ZAP
• Security Drone: Scaling Continuous Security at Revolut
• AWS Service Control Policies
• Google Cloud - take automated actions against threats and vulnerabilities
• containerdbg is an all-in-one command-line tool to help debug Kubernetes containers with common issues that arouse when moving to containers as part of legacy application modernization
• Runtime security plug to protect user containers
• Slack bot which promotes Defense in Depth/Zero Trust security practicesAA
• AI imagined images. Pythonic generation of stable diffusion images
• 10 Things I Hate About Go
• Enhancing Kubernetes security with user namespaces
• A Guide to Running Sigstore Locally
• Provisioning Kubernetes clusters on GCP with Terraform and GKE
• ddbsh is a simple CLI for DynamoDB modeled on isql, and the MySQL CLIs
• Accessing Cloud SQL using Private Service Connect
• Recommendations to mitigate OWASP API Security Top 10 threats using API Azure Management
• ASH; The Automated Security Helper
• A built-to-be-vulnerable API application based on the OWASP top 10 API vulnerabilities
• Instant K8s service dependency map, right to your Grafana
• Kubernetes and Cloud Security Associate (KCSA)
• How Adversaries Can Persist with AWS User Federation
• CloudGPT - Use ChatGPT to analyze AWS policies for vulnerabilities
• GitHub Self-Hosted Runner Enumeration and Attack Tool
• Gorrion Production Readiness Checklist
• OpenSource, frictionless and secure way to share and manage app secrets across teams
• Kubestroyer aims to exploit Kubernetes clusters misconfigurations and be the swiss army knife of your Kubernetes pentests
• OFFENSIVE SECURITY & REVERSE ENGINEERING (OSRE) Course
• Path to a free self-taught education in Computer Science!
• Go - Profile-guided optimization preview
• New – Visualize Your VPC Resources from Amazon VPC Creation Experience
• GitHub Actions – Updating the default GITHUB_TOKEN permissions to read-only
• Kubernetes hands on introduction (2023) | Amazon EKS Workshop
• How to rapidly scale your application with ALB on EKS (without losing traffic)
• Amazon Detective adds Amazon VPC Flow Logs visualizations for Amazon EKS workloads
• Introducing the Amazon EKS Workshop
• Optimizing your Kubernetes compute costs with Karpenter consolidation
• Scale from 100 to 10,000 pods on Amazon EKS
• On Amazon EKS and Security
• EKS Security Best Practices - Practical Enforcement Guide
• werf CI/CD tool becomes a CNCF project!
• The efficient way to publish multi-arch containers from GitHub Actions
• Manage Multi-Cloud Resources With Crossplane - Rise Above The Clouds

19.01.2023

• Cloud Native Landscape
• Harden EKS
• Log File Navigator
• Learning by auditing Kubernetes manifests
• Cloud penetration testing: Not your typical internal penetration test
• Kubernetes 1.26: Introducing Validating Admission Policies
• Kubernetes v1.26: GA Support for Kubelet Credential Providers
• Confidant is a open source secret management service that provides user-friendly storage and access to secrets in a secure way, from the developers at Lyft
• An admission controller service and kubectl plugin to handle container drift in K8s clusters
• Architecting your security model in AWS for legacy application migrations
• AWS CIRT announces the release of five publicly available workshops
• Kubernetes v1.26: Advancements in Kubernetes Traffic Engineering
• Kamaji - Build and operate Kubernetes at scale with a fraction of operational burden
• PostgreSQL metrics monitor/dashboard
• State of Azure IAM 2022
• Exploiting Distroless Images
• An admission controller service and kubectl plugin to handle container drift in K8s clusters
• Awesome ChatGPT Prompts
• Scott Piper on the challenges of rolling out YubiKeys in practice
• AWS Phishing: Four Ways
• SES-pionage
• Detecting Anomalous AWS Sessions From Temporary Credentials - 1 of 2
• Cedar: A new policy language from AWS
• Improve GitHub Actions OIDC security posture with custom issuer
• Responding to an attack in AWS
• Cloud Native and Kubernetes Security Predictions 2023
• How to Connect to Kubernetes Clusters Using HashiCorp Boundary
• Azure Security Survival Kit
• Amazon RDS announces integration with AWS Secrets Manager
• Updated whitepaper available: AWS Security Incident Response Guide
• Eliminate Kubernetes node scaling lag with pod priority and over-provisioning
• Authenticate to Amazon EKS using Google Workspace
• On Amazon EKS and Cost Optimisation
• A ChatGPT bot for Kubernetes issues

20.12.2022

• Hishtory - sync history between computers
• Awesome Cybersecurity Conferences - link and videos
• Legitify - detect and remediate misconfigurations and security risks across all your GitHub assets
• Terraform AWS Clickops Notifier - get notified on manual actions in AWS console
• A Visual Guide to SSH Tunnels: Local and Remote Port Forwarding
• All the best things about Visual Studio Code that nobody ever bothered to tell you
• Multi-cluster management for Kubernetes with Cluster API and Argo CD
• Amazon Simple Email Service announces Virtual Deliverability Manager to help enhance email delivery success rate
• Develop microservices locally while being connected to your Kubernetes environment
• Windows alt-tab on macOS
• How We Use Terraform At Slack
• A GitHub Action for accessing secrets from Google Secret Manager and making them available as outputs
• Kubediff: a tool for Kubernetes to show differences between running state and version controlled configuration
• Implementing Pod Security Standards in Amazon EKS
• Crossplane on Kubernetes Explained
• Write code without the keyboard with GitHub Copilot
• Grafana Faro includes a highly configurable web SDK for real user monitoring (RUM)
• A Dive Into Web Application Authentication
• AWS security assessment: what scanners are missing and how threat modeling may help you?
• Distribute your long running tasks dynamically across thousands of serverless functions and get the results within seconds
• All-in-one Kubernetes access manager. User-level credentials, RBAC, SSO, audit logs
• Trivy Now Supports NSA Kubernetes Compliance
• Paralus - All-in-one Kubernetes access manager. User-level credentials, RBAC, SSO, audit logs
• Everything you need to know about monorepos, and the tools to build them
• Hacking Your Offensive Security Career
• A case for Go code generation: testify
• A dead simple Go library for sending notifications to various messaging services
• Substrate is a suite of command-line tools for managing secure, reliable, and compliant cloud infrastructure in lots of AWS accounts, all working together in harmony
• An AWS account just for getting into other AWS accounts
• Get Certified for GitOps with Argo
• AWS Network Firewall Workshop
• AWS SSO Reporter
• High availability implementation of AWS NAT instances
• Introducing AWS Resource Explorer – Quickly Find Resources in Your AWS Account
• kcp is a Kubernetes-like control plane for workloads on many clusters
• Running resilient workloads in EKS using Spot instances
• Blazing fast CI with MicroVMs
• Tool and policy library for reviewing Google Kubernetes Engine clusters against best practices
• OctoDNS - tools for managing DNS across multiple providers
• DevEnv - Fast, Declarative, Reproducible, and Composable Developer Environments
• Vim-mode for VS Code using embedded Neovim
• Public Chainguard Images - secure/distroless images
• The Finch CLI an open source client for container development
• Run kubectl commands in all/some contexts in parallel (similar to GNU xargs+parallel)
• The GitHub Actions Importer helps you plan and automate the migration of Azure DevOps, CircleCI, GitLab, Jenkins, and Travis CI pipelines to GitHub Actions
• Three recurring Security Hub usage patterns and how to deploy them
• Metrist - monitor the reliability of popular cloud products with detailed metrics and real-time outage alerts so you can resolve incidents quickly
• Nx is a next generation build system with first class monorepo support and powerful integrations
• the unified package manager (brew2)
• Infisical is an open-source, end-to-end encrypted tool to sync environment variables across your team and infrastructure
• registry.k8s.io: faster, cheaper and Generally Available (GA)
• Attacker persistence in Kubernetes using the TokenRequest API: Overview, detection, and prevention
• A Collection of Plugins for kubectl Integration (exec as any user, context switching, etc)
• Announcing delegated administrator for AWS Organizations
• kubecolor - colorizes kubectl output
• Black Hat USA 2022
• AWS re:Invent 2022 - Security Track
• Sigstore The Easy Way
• Ian Mckay’s Top 10 Favorite / Most Impactful reInvent Announcements
• Introducing VPC Lattice – Simplify Networking for Service-to-Service Communication (Preview)
• New in Go 1.20: wrapping multiple errors
• Visualizing Multi Cloud IAM Concepts
• Pike is a tool for determining the permissions or policy required for IAC code
• How to detect security issues in Amazon EKS clusters using Amazon GuardDuty – Part 1
• Kubie - A more powerful alternative to kubectx and kubens
• Managing Pod Security on Amazon EKS with Kyverno
• WTF - The personal information dashboard for your terminal
• Google Cloud infrastructure reliability guide
• Malware scanner for cloud-native, as part of CI/CD and at Runtime
• A Roadmap to Zero Trust Architecture
• GCPGoat : A Damn Vulnerable GCP Infrastructure

27.10.2022

• Istio - Introducing Ambient Mesh
• The Complete Guide to AWS KMS
• Matano - the open-source security lake platform for AWS
• AWS Self-Service Security Assessment tool
• Plumber - A swiss army knife CLI tool for interacting with Kafka, RabbitMQ and other messaging systems
• Understanding basic networking in GKE - Networking basics
• Transitioning to multiple AWS accounts
• Scaling cross-account AWS KMS–encrypted Amazon S3 bucket access using ABAC
• JQP - a TUI playground to experiment with jq
• OpenTelemetry in various environments
• Automate All the Boring Kubernetes Operations with Python
• On Amazon EKS and FIS (Chaos Engineering)
• K8s Troubleshooting — Namespace Stuck in Terminating State
• VSCode Draw.io Integration
• Wails v2 Released - rich frontends for Go programs
• Test scripts in Go
• AWS Ramp-Up Guide: Security
• Eraser - cleaning up images from Kubernetes nodes
• AWS Security Hub launches a new security best practice control
• requests-ip-rotator - a Python library to utilize AWS API Gateway’s large IP pool as a proxy to generate pseudo-infinite IPs
• MerLoc is a live AWS Lambda function development and debugging tool
• Pentesting Cloud
• A Guide to Improving Security Through Infrastructure-as-Code
• Terraform 1.3 Improves Extensibility and Maintainability of Terraform Modules
• Dexter is a Kubernetes OIDC helper with as much automation as possible
• Supply Chain Security on Amazon Elastic Kubernetes Service (Amazon EKS) using AWS Key Management Service (AWS KMS), Kyverno, and Cosign
• Use AWS Network Firewall to filter outbound HTTPS traffic from applications hosted on Amazon EKS and collect hostnames provided by SNI
• Integrating Kubecost with Amazon Managed Service for Prometheus
• Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulnerabilities
• Bare minimum AWS Security Alerting
• The many ways to manage access to an EC2 Instance
• Serverless Ad Blocking with Cloudflare Gateway
• Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite
• Byy ex-googlers, for ex-googlers - a lookup table of similar tech & services
• How Kubefirst Builds Kubernetes Platforms in 8 Steps
• Test your email server, website, connection easily
• Maigret - collect a dossier on a person by username from thousands of sites
• 26 AWS Security Best Practices to Adopt in Production
• Our Application Security Journey (Part 1)
• Kubernetes - Multi-tenancy
• Run a Tailscale VPN relay on ECS/Fargate
• Chainguard Images is a collection of container images designed for minimalism and security
• Pod Security Standards
• La Terminal - iOS Terminal
• CasaOS - your Home Cloud OS
• Eraser - Diagrams as Code
• Encryption in AWS and Multi-Account Access
• Unofficial list of free resources to learn AWS for absolute beginners
• Diving Deeply into IAM Policy Evaluation – Highlights from AWS re:Inforce IAM433
• State of AWS Security - A Look Into Real-World AWS Environments
• Cyber Security Career Pathways
• AWS Secrets Manager GitHub Action
• AWS announces updated Support Plans Console with new IAM controls
• Kubernetes YAML to Terraform HCL converter
• Konf is a lightweight kubeconfig manager. With konf you can use different kubeconfigs at the same time
• Kubernetes Guide: Graceful Shutdown with Lifecycle preStop Hook
• Do not use ‘git checkout’ anymore
• Introducing Wolfi – the first Linux (Un)distro designed for securing the software supply chain
• LIMA - Linux virtual machines, typically on macOS, for running containerd

28.09.2022

• Cloud DNS Security – How to protect DNS in the Cloud
• Exploring Kubernetes Operator Pattern
• Why You Should Avoid Sealed Secrets in Your GitOps Deployment
• Terralist - a private Terraform registry
• Cloud Audit Academy
• How To Hack Web Applications in 2022: Part 1
• Error handling with Go tooling
• GitOps: A Simple Approach to using AWS Secrets Manager with Kubernetes
• Kubernetes Removals and Major Changes In 1.25
• Write Your Kubernetes Infrastructure as Go Code — Extend “cdk8s” With Custom Constructs
• Tips for saving AWS EKS Cost
• Intro to eBPF
• GitOps: A Simple Approach to using AWS Secrets Manager with Kubernetes
• Scaling Kubernetes to Thousands of CRDs
• Build Multi-Cluster GitOps system using Amazon EKS, Flux CD, and Crossplane
• AWSGoat : A Damn Vulnerable AWS Infrastructure
• Monkey365 - Office/AD/Azure Security Review
• Codify your best practices using service control policies: Part 2
• A Lightweight Approach To Implement Secure Software Development LifeCycle (Secure SDLC)
• Hacking APIs: Workshop
• Why Leaving Pods in CrashLoopBackOff Can Have a Bigger Impact Than You Might Think
• Kubernetes Security Compliance Frameworks
• Use TouchID to Authenticate sudo on macOS
• DevBox - instant, easy, predictable shells and containers
• AWS and Kubecost collaborate to deliver cost monitoring for EKS customers
• Go functions as a service with Kubernetes and OpenFaaS
• Amazon EKS Best Practices Guide for Networking
• AWS Support launches support for managing cases in Slack
• Botkube - an app that helps you monitor your Kubernetes cluster, debug critical deployments & gives recommendations for standard practices
• AWS IAM Interview Questions
• Incident Response in AWS
• Learn Istio – How to Manage, Monitor, and Secure Microservices
• AWS Controllers for Kubernetes (ACK) for Amazon RDS, AWS Lambda, AWS Step Functions, Amazon Managed Service for Prometheus, and AWS KMS now generally available
• Understanding and Cost Optimizing Amazon EKS Control Plane Logs
• How to Apply GitOps to Everything Using Amazon Elastic Kubernetes Service (Amazon EKS), Crossplane, and Flux
• k8s-pod-restart-info-collector - automated troubleshooting of Kubernetes Pods issues. Collect K8s pod restart reasons, logs, and events automatically

25.08.2022

• Using CDK to perform continuous deployments in multi-region Kubernetes environments
• Amazon Detective Supports Kubernetes Workloads on Amazon EKS for Security Investigations
• Export Kubernetes events to multiple destinations with routing and filtering
• Best Practices for AWS Organizations Service Control Policies in a Multi-Account Environment
• Kubernetes Network Policies: An Actionable Guide & Tutorial
• What is eBPF, anyway, and why should Kubernetes admins care?
• Pixie - Instant Kubernetes-Native Application Observability
• CDK for Terraform Is Now Generally Available
• A Guide to the Go Garbage Collector
• What’s new in Go 1.19?
• Kubernetes cluster upgrade: the blue-green deployment strategy
• Scaling Kubernetes with Karpenter: Advanced Scheduling with Pod Affinity & Volume Topology Awareness
• The Art of Mac Malware
• How To Reverse Mac Malware Without Getting Infected
• Brev - cloud coding workspaces
• KubeFire - creates and manages Kubernetes Clusters using Firecracker microVMs
• AWS Auto Cleanup - programmatically delete AWS resources based on an allowlist and time to live (TTL) settings
• VSCode GitOps Extension
• MITRE ATT&CK Matrix for Kubernetes: Tactics & Techniques Part 1
• Awesome Cloud Native Trainings
• Exploiting Authentication in AWS IAM Authenticator for Kubernetes
• How attackers use exposed Prometheus server to exploit Kubernetes clusters
• Cloud Design Patterns
• Vantage - save on cloud costs
• API Security Checklist
• How to Build Multi-Arch Docker Images
• Attesting Image Scans With Kyverno
• The Kubernetes Networking Guide
• User and workload identities in Kubernetes
• Minimal Container Images: Towards a More Secure Future
• fwd:cloudsec
• Kubernetes Removals and Major Changes In 1.25
• Go 1.19 Release Notes

09.08.2022

• Btop - monitor of resources
• Data-Diff - Efficiently diff rows across two different databases
• Whist - the first cloud-hybrid browser
• EKS Anywhere on Bare Metal
• Awesome Go - over 2400 resources!
• Custom GitHub Action with Go
• Debugging ContainerD
• 1Password for VSCode
• Kubernetes security scanning with Trivy CLI and Trivy Operator
• Code-server, Caddy, Tailscale, and Hugo = My ultimate dev environment
• Remote Development at Slack
• Best Linux Commands For Advanced Hardware and System Info
• Ripgrep-all Command in Linux: One grep to Rule Them All
• Terratag - maintain tags across all Terraform resources
• Viddy - a modern watch command
• Things You Should Know About Databases
• Advanced Features of Kubernetes’ Horizontal Pod Autoscaler
• Managing Kubernetes without losing your cool
• TryHackMe - Kubernetes
• Paralus - all-in-one Kubernetes access manager
• Understanding data transfer costs for AWS container services
• Run an active-active multi-region Kubernetes application with AppMesh and EKS
• 10 Awesome Kubernetes Projects for Beginners
• Infrastructure Self-Service with Crossplane
• Extend AWS IAM roles to workloads outside of AWS with IAM Roles Anywhere
• What GKE users need to know about Kubernetes’ new service account tokens

28.06.2022

• New for AWS DataSync – Move Data Between AWS and Other Public Locations
• Devtron - tool integration platform for Kubernetes
• HashiCorp Vault 1.11 Adds Kubernetes Secrets Engine, PKI Updates, and More
• Terraform Cloud Adds Drift Detection for Infrastructure Management
• How to manage Kubernetes secrets with GitOps?
• Get Started with Sigstore (Free Course!)
• Introducing Tailscale SSH
• Golang - making code faster
• Talos Linux is a modern Linux distribution built for Kubernetes
• Resoto creates an inventory of your cloud, provides deep visibility, and reacts to changes in your infrastructure
• AWS-Cost-Saver - a tiny CLI tool to help save costs in development environments when you’re asleep and don’t need them
• HTTPLoot - an automated tool which can simultaneously crawl, fill forms, trigger error/debug pages and “loot” secrets out of the client-facing code of sites
• SOCless - serverless security orchestration, automation and response
• Mirrord - by mirroring traffic to and from your machine, mirrord surrounds your local service with a mirror image of its cloud environment
• Learning operating system development using Linux kernel and Raspberry Pi
• Furiko - cloud-native, enterprise-level cron job platform for Kubernetes
• Robusta - open source Kubernetes troubleshooting and automation platform
• Dashy - A self-hostable personal dashboard built for you
• Debugging Kubernetes Pods: Deep Dive
• AWS Controllers for Kubernetes (ACK)
• A quick path to Amazon EKS single sign-on using AWS SSO
• Harden Amazon EKS in minutes with Styra DAS Free and OPA
• CDK constructs for self-hosted GitHub Actions runners
• The CloudSec Engineer Book - coming soon
• Awesome iOS Security
• Sake is a task runner for local and remote hosts
• UTM - virtual machines for iOS and macOS for free, works on M1
• AWS SCP - get more out of service control policies in a multi-account environment
• kubectl-tree - kubectl plugin to browse Kubernetes object hierarchies as a tree
• ggshield - detect secrets in source code, scan git repos, and use pre commit hooks to prevent API key leaks
• Enumeration and lateral movement in GCP environments
• Awesome Azure Penetration Testing
• Enabling AWS IAM Group Access to an EKS Cluster Using RBAC
• Useful utilities and toys over DNS
• Litmus helps SREs and developers practice chaos engineering in a Cloud-native way
• Opencost - cross-cloud cost allocation models for Kubernetes workloads
• Amazon EKS Blueprints for Terraform
• Complete Practical Study Plan to become a successful cybersecurity engineer
• ifto - a simple debugging module for AWS Lambda (λ) timeout
• Trunk Check - code quality checking
• MONITORING AND ALERTING BREAK-GLASS ACCESS IN AN AWS ORGANIZATION
• Securing Cloud Services against Squatting Attacks
• Dockerfile best practices
• The Hitchhiker’s Guide to Pod Security - Lachlan Evenson, Microsoft
• Terraform as part of the software supply chain, Part 1 - Modules and Providers
• Batnoter- an open source, markdown-based, self-hosted note taking webapp
• How to Store an SSH Key on a Yubikey
• ugit - helps undo git commands, your damage control git buddy
• Malcolm - is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs
• Tailscale tricks for security testers
• SSH No Ports - provides ssh to a remote Linux device with out that device having any ports open
• Dragonfly - a modern replacement for Redis and Memcached

31.05.2022

• Tailscale Authentication for NGINX
• Kubent - easily check your clusters for use of deprecated APIs
• How to control access to AWS resources based on AWS account, OU, or organization
• Using AWS Load Balancer Controller for blue/green deployment, canary deployment and A/B testing
• Experience Report: 6 months of Go
• Introducing SWIFT on Google Cloud
• Disabling Security Hub controls in a multi-account environment
• AWS Well-Architected Labs > Security
• ChopChop - is a CLI to help developers scanning endpoints and identifying exposition of sensitive services/files/folders
• RFC 9116 - A File Format to Aid in Security Vulnerability Disclosure - security.txt
• The Bug Hunter’s Methodology: Application Hacking v1
• PORO - scan publicly accessible assets on your AWS cloud environment
• Tools That Use AWS Logs to Help with Least Privilege
• Bidirectionally integrate AWS Security Hub with Jira software
• Get Good At Git
• Progressive Delivery with Argo Rollouts : Blue-Green Deployment
• Security reference architecture for a serverless application
• AWS Security Maturity Model
• Securing AWS Lambda function URLs
• Software Supply-Chain Security Reading List
• Aztfy - a tool to bring existing Azure resources under Terraform’s management
• Korb - move Kubernetes PVCs between Storage Classes and Namespaces
• Administer AWS Single Sign-On from a delegated member account in your organization
• How to use new Amazon GuardDuty EKS Protection findings
• Level up Security Management with HashiCorp Vault and Flux
• Building a Data Perimeter on AWS
• Ratchet - a tool for securing CI/CD workflows with version pinning
• Kubectl-ICE - view running kubernetes information about multi-container pods and sidecars
• Announcing policy guardrails for Terraform on Google Cloud CLI preview
• Demystifying the Kubernetes Iceberg: Part 1
• Flux from End-to-End
• Forgit - a utility tool powered by fzf for using git interactively
• Grype - a vulnerability scanner for container images and filesystems
• Cloud Native Security Whitepaper
• Cloud Native Maturity Model 2.0
• Tetragon - eBPF-based Security Observability and Runtime Enforcement
• Track costs with detailed billing reports for Amazon EKS on AWS Fargate
• Automate All the Boring Kubernetes Operations with Python
• Getting started with ko: A fast container image builder for your Go applications
• The differences between Docker, containerd, CRI-O and runc
• Announcing the HCL Extension for Visual Studio Code 0.1
• Terraform Best Practices for Better Infrastructure Management
• Secure Your Docker Images With Cosign (and OPA Gatekeeper)

07.05.2022

• GitHub CLI extension to display a dashboard of PRs and issues - configurable with a beautiful UI
• GitOps Article Series from Giant Swarm
• The secret gems behind building container images, Enter: BuildKit & Docker Buildx
• Dagger - A portable devkit for CI/CD pipelines
• Automated Dependency Updates for Flux using Renovate
• Terraform: Up & Running, 3rd edition Early Release is now available! How Terraform changed with 1.1?
• Visualize Flux with ArgoCD
• Announcing AWS Lambda Function URLs: Built-in HTTPS Endpoints for Single-Function Microservices
• Cado Discovers Denonia: The First Malware Specifically Targeting Lambda
• Incident report: From CLI to console, chasing an attacker in AWS
• Slides and code samples for training, tutorials, and workshops about Docker, containers, and Kubernetes
• Secure, cross-platform Git credential storage with authentication to GitHub, Azure Repos, and other popular Git hosting services
• A deliberately vulnerable CI/CD environment. Learn CI/CD security through multiple challenges
• Introducing AWS Blueprints for Crossplane
• Migrating from Cluster Autoscaler To Karpenter
• ArgoCD Best Practices You Should Know
• Getting Started With Kyverno
• Security List - Curated lists of tools, tips and resources for protecting digital security and privacy
• Android App Hacking Workshop From Google
• Docker Slim - generate smaller images
• Parca - Continuous profiling for analysis of CPU and memory usage, down to the line number and throughout time
• How to get started with OrgFormation - managing AWS Organization
• Go - when to use generic
• A Deep Dive into Golang for OpenFaaS Functions
• Testing your Infrastructure as Code using Terratest
• Security Overview of AWS Fargate
• Where’s my stuff on GCP?
• Implementing Cloud Governance as a Code using Cloud Custodian
• Warpgate - Smart SSH bastion that works with any SSH client
• Bootstrapping clusters with EKS Blueprints
• Go, Generics, and Concurrency
• The Go Programming Language and Environment
• Certified Kubernetes Security Specialist (CKS) 2022 Exam Guide

12.04.2022

• Digital Forensics & Incident Response on Kubernetes
• What to look for when reviewing a company’s infrastructure
• Diff that understands syntax
• Compose with Markdown in Google Docs on web - after 16 years
• Managing Pod Scheduling Constraints and Groupless Node Upgrades with Karpenter in Amazon EKS
• Kubectl plugin for detecting Dockershim usage which is being removed
• Kubernetes Infrastructure the GitOps Way
• Charm - we build tools to make the command line glamorous
• Kaar - Kubernetes Application Archive
• SA-Hunter - correlates serviceaccounts, pods and nodes to the permissions granted to them via rolebindings and clusterrolesbindings
• A curated checklist of 300+ tips for protecting digital security and privacy in 2022
• The StackRox Kubernetes Security Platform performs a risk analysis of the container environment, delivers visibility and runtime alerts
• TruffleHog v3 - improved secrets detection
• Find and fight image theft
• PacketStreamer - distributed tcpdump for cloud native environments
• Kubernetes native testing with TestKube

06.04.2022

• Extendable version manager with support for Ruby, Node.js, Elixir, Erlang & more
• Learn anything with Mind-Maps
• Lazygit
• Hacking The Cloud - CICD/GitLab/AWS/CTF
• How To Burp Good
• Network Infrastructure Security Guidance by NSA
• Magic Eraser - remove unwanted things from images in seconds
• AWS - Automated Incident Response and Forensics Framework
• BotKube - messaging bot for monitoring and debugging Kubernetes clusters
• AWS Controllers for Kubernetes (ACK) lets you define and use AWS service resources directly from Kubernetes
• Kubernetes Security through GitOps Best Practices: ArgoCD and Starboard
• Your pocket-sized cloud with a Raspberry Pi
• 10 Must-Have Kubernetes Tools
• Why We Selected Thanos for Long Term Metrics Storage
• How We Discovered Vulnerabilities in CI/CD Pipelines of Popular Open-Source Projects
• Fantastic AWS Hacks and Where to Find Them
• Access Undenied - Access Undenied parses AWS AccessDenied CloudTrail events, explains the reasons for them, and offers actionable remediation steps

22.03.2022

• 10 real stories, how CI/CD was hacked
• Threat matrix for CI/CD, how can they attack you on each stage
• Notify on AWS manual actions taken by monitoring CloudTrail
• Monitoring Kubernetes x509 certificates with Prometheus
• How to integrate AWS IAM and Google Workspace
• Starboard - Kubernetes-native Security Toolkit
• Operator to provision Wireguard VPN in a Kubernetes Cluster
• Container Security Checklist
• Identify privilege escalation paths within and across different clouds
• Awesome collection of awesome security hardening guides, tools and other resources

17.02.2022

Free Labs To Learn Cloud Pentesting:

• Flaws
• Flaws2
• Serverless Goat
• AWS S3 CTF Challenge
• AWS Vulnerable Lambda
• Lambhack
• IAM Vulnerable
• CloudGoat
• Attacking CloudGoat 2
• Damn Vulnerable Cloud Application
• Damn Vulnerable Serverless Application
• Sadcloud
• Breaking and Pwning Apps and Servers on AWS and Azure - Free Training Courseware and Labs

Others:

• Manage many Git repositories with sanity
• A GitOps Terraform controller for Kubernetes
• An implementation of infrastructure-as-code scanning using dynamic tooling. However, by deploying IaC (Terraform HCL in this case) against an instance of LocalStack, then pointing the tools at LocalStack, we can still perform scanning/testing to identify risks before they make it to production infrastructure
• Terraform + GitHub + AWS + OIDC
• Access Kubernetes via OIDC e.g. Keycloak
• OpsGenie in Grafana
• Validate GihubAction YAMLs
• AWS ECR Docker Credentials Helper
• A command-line pager for JSON data. User friendly JQ
• k9 for Docker
• Kubernetes Security Training Platform
• ValidKube combines the best open-source tools to help ensure Kubernetes YAML best practices, hygiene & security
• Hello World GitOps
• Incident Analysis 101
• The Delivery Hero Reliability Manifesto
• Startup Guide To Incident Management

31.01.2022

• IaaC security scanning, why, flaws, etc.
• Free workshops for AWS security services
• EKS + Crossplane + Flux on AWS
• Watchexec - simple, standalone tool that watches a path and runs a command whenever it detects modifications
• Swimm - Documentation as a Code
• Focalboard is an open source, self-hosted alternative to Trello, Notion, and Asana
• Self-hosted infrastructure, fully automated from empty disk to operating services
• The definitive guide to Secure Shell (SSH) tunneling, port redirection, and bending traffic like a boss
• DevOps The Hard Way - AWS
• IAM on EKS done right
• Comparing two methods for integrating Vault with Kubernetes

30.12.2021

• This page lists security mistakes by cloud service providers (AWS, GCP, and Azure)
• Kubernetes autoscaler, that aims to scale using machine learning
• DevOps Guru for RDS
• AWS re:Invent summary on one page
• Awesome Kubernetes Security
• Falco on Kubernetes - basics
• Zero Trust Architecture (Envoy, SPIRE, OPA)
• How To Make IAM Right
• GCP & Terraform - short-lived credentials
• Honest AWS Dashboard
• Improve your security posture on Windows/MacOS using prepared scripts
• SNARE, a Netflix automated security solution
• CloudQuery policies gives you a powerful way to automate, customize, codify, and run your cloud security & compliance continuously with HCL and SQL
• Argo vs Flux
• What happens after Kubernetes upgrade to 1.24 (Dockershim removal)
• Istio + OIDC
• Go, lessons learned
• Thoughts on how to structure Go code
• The Busy Developer’s Guide to Go Profiling, Tracing and Observability
• Rundown on Netflix SRE practices
• Upcoming trends in DevOps and SRE
• The API traffic viewer for Kubernetes, think TCPDump for Kubernetes
• Pleco - automatically removes Cloud managed services and Kubernetes resources based on tags with TTL
• Chezmoi - dotfile manager