This week's articles
AWS Well-Architected Security Labs
If you are looking for learning resources in AWS, look no more. This repository contains documentation and code in the format of hands-on labs to help you learn, measure, and build using architectural best practices. The labs are categorised into levels, where 100 is introductory, 200 and 300 are intermediate, and 400 is advanced.
Applying Policy Throughout The Application Lifecycle with Open Policy Agent
This talk introduces OPA, and then looks at applying Open Policy Agent tools throughout the application lifecycle. Practical examples include writing unit tests for Kubernetes configuration, defining a CI pipeline in code and testing that using OPA, gating deployments to the cluster using Gatekeeper, and auditing the cluster for security best practices.
Binary Authorization in Kubernetes
Video from Aysylu's talk on Binary Authorization in Kubernetes with Liron Levin at KubeCon San Diego 2019. The talk starts with an introduction to the concept of binary authorization and Kritis, an open-source solution for enforcing deploy-time security policies that ensures only trusted container images are deployed on Kubernetes. Then, it continues with a live demo of Kritis and Grafeas. Slides are also available.
kube-scan: A free risk assessment tool for Kubernetes Workloads
kube-scan is a security risk assessment tool that instantly tells you the security posture of your Kubernetes clusters. It runs as a pod inside your cluster, and it scans all your manifest files, analyses security settings and gives you a security score for your workloads through a Web UI. For each workload, it produces an explanation of the risk factors, what settings remediate or aggravate risks, and what the potential consequences are.
Time for announcements! fwd:cloudsec is a new, not-for-profit, traveling conference on cloud security. At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security features, the pros and cons of different security strategies, and generally the types of things cloud practitioners want to know, but that don't fit neatly into a vendor conference schedule. We're looking for talks from any practitioner who is responsible for securing a cloud service.
From the cloud providers
A Ramp-Up Learning Guide is now available for AWS Cloud Security, Governance, and Compliance
AWS recently released the AWS Ramp-Up Learning Guide for AWS Cloud Security, Governance, and Compliance. The guide starts with AWS Cloud fundamentals and progresses all the way through the AWS Certified Security Specialty certification. You can use the guide to find answers to questions such as: What resources are available? How do I earn AWS credentials? In what order should I consume learning resources and training? Where do I find information on AWS events, blogs, and user groups to enhance learning?
How to get started with security response automation on AWS
This post covers common patterns and implementation considerations to keep in mind while implementing automated security response processes within your AWS environments.
Amazon CloudTrail Insights: Identify and Respond to Unusual API Activity
CloudTrail Insights automatically analyses write management events from CloudTrail trails and alerts you to unusual activity.
Use AWS Fargate and Prowler to send security configuration findings about AWS services to Security Hub
This blog post explains how to integrate Prowler, an open-source security tool which provides dozens of security configuration checks, with AWS Security Hub. Integrating Prowler with Security Hub will provide posture information about resources not currently covered by existing Security Hub integrations or compliance standards. You can use Prowler checks to supplement the existing CIS AWS Foundations compliance standard Security Hub already provides, as well as other compliance-related findings you may be ingesting from partner solutions.
Exploring container security: Day one Kubernetes decisions
This is an entry-level, introductory post that provides some security questions to ask yourself when first starting with Google Kubernetes Engine (GKE). It goes from structuring your environment, to setting up permissions, and ends by covering how to architect a tightly controlled continuous delivery pipeline.