Digest #130: Terraform State Security, GCP to AWS Credentials, Kubernetes Hardening, and More!
Terraform State Breach Prevention, GCP-AWS Credential Strategies, Kubernetes Fortification, and Beyond.
Welcome to this week’s edition of the DevOps Bulletin!
Ever wondered about the vulnerabilities lurking in your Terraform state? Find out how an attacker who can edit the state file could take over your CI/CD pipeline with just a few changes.
Curious about enhancing security between GCP and AWS? Learn the ins and outs of using short-lived credentials to safeguard your cloud resources.
And if you're venturing into Kubernetes Hardening, we've got you covered with a step-by-step guide on deploying a hardened Kubernetes cluster in AWS using kOps.
But that's just the tip of the iceberg! We'll also explore topics like centralizing security for AWS multi-account setups, migrating from Serverless Framework to AWS CDK, and much more ❤️
Tutorials of the week
Hacking Terraform state for privilege escalation: What can an attacker do if they can edit Terraform state? The answer should be 'nothing' but is actually 'take over your CI/CD pipeline'.
GCP to AWS short-lived credentials: How to use AssumeRoleWithWebIdentity and Workload Identity Federation between GCP and AWS so workloads exchange short-lived tokens instead of sharing hardcoded credentials across resources.
Kubernetes Hardening: How to use kOps to deploy a hardened Kubernetes cluster in AWS.
Are you looking into centralizing compliance, logging, monitoring, and user & access management for your AWS multi-account setup? Check out this guide.
Migrating from the Serverless Framework to AWS CDK: A complete step by step guide into how to migrate to AWS CDK.
Cross-Account event delivery: Learn how to set up cross-account event delivery using AWS EventBridge and CodeCommit.
OpenAPI CI/CD automation: Discover strategies for automating OpenAPI CI/CD workflows to streamline your development process.
Lambda-less AppSync for SaaS: How you can access DynamoDB data from an AppSync API without the need for a Lambda function.
How to migrate to Amazon OpenSearch Serverless: How to use Amazon OpenSearch Ingestion to migrate to OpenSearch Serverless.
DynamoDB Streams vs. SQS/SNS to Lambda: The advantages and scenarios where one might be preferred over the other.
API Gateway vs. Lambda Function URLs: How to lift and shift an existing application into Lambda without rewriting it.
Understanding Count and For_Each loops: When and how to use Terraform count and for_each loops.
Multi-Thread PostgreSQL restores on RDS: Minimizing the RTO and RPO by restoring a single database.
Automate DNS records creation with ExternalDNS: This article will help automate the process of creating and configuring DNS records in Route 53 using ExternalDNS and Ingress on EKS.
Kubernetes deployments demystified: A complete guide into the rolling update deployment strategy.
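A practical follow-up to the Terraform state item above: whoever can write the state file can influence what Terraform loads and runs in your pipeline, so the cheapest defence besides locking down the backend is to sanity-check the state before `terraform init`/`plan` touches it. The script below is an added example for this digest, not code from the linked article. It assumes the CI job can read the state JSON and that the pipeline owner knows which provider sources and managed resource types it legitimately uses; the allow-lists, the `example-attacker` provider address and the sample states are all constructed.

```python
"""Pre-flight check for a Terraform state file before CI runs terraform init/plan.

Added example for this digest, not code from the linked Terraform article.
Assumptions: the CI job can read the state JSON (pulled from the backend or a
local file), and the pipeline owner knows which provider sources and resource
types it legitimately uses.
"""
import json
from typing import List

# Provider source addresses this pipeline is allowed to load (assumed allow-list).
ALLOWED_PROVIDER_SOURCES = {
    "registry.terraform.io/hashicorp/aws",
    "registry.terraform.io/hashicorp/random",
}
# Managed resource types this pipeline is expected to track (assumed allow-list).
ALLOWED_RESOURCE_TYPES = {"aws_s3_bucket", "aws_iam_role", "random_id"}


def provider_source(provider_ref: str) -> str:
    """Pull the source address out of a state provider reference.

    State files store it as provider["registry.terraform.io/hashicorp/aws"],
    optionally prefixed with a module path or suffixed with an alias.
    """
    start = provider_ref.find('["')
    end = provider_ref.find('"]', start)
    if start == -1 or end == -1:
        raise ValueError(f"unparseable provider reference: {provider_ref!r}")
    return provider_ref[start + 2:end]


def audit_state(state: dict, min_serial: int = 0) -> List[str]:
    """Return findings for a parsed state; an empty list means it passed.

    min_serial is the serial the pipeline last wrote (kept e.g. as a CI
    artifact); a lower value means the state was replaced with an older or
    hand-built copy.
    """
    findings: List[str] = []
    if state.get("version") != 4:
        findings.append(f"unexpected state format version {state.get('version')!r}")
    if state.get("serial", 0) < min_serial:
        findings.append(f"serial {state.get('serial')} is below last known {min_serial}")
    for res in state.get("resources", []):
        addr = f"{res.get('type')}.{res.get('name')}"
        try:
            src = provider_source(res.get("provider", ""))
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if src not in ALLOWED_PROVIDER_SOURCES:
            findings.append(f"{addr}: provider {src} is not on the allow-list")
        if res.get("mode") == "managed" and res.get("type") not in ALLOWED_RESOURCE_TYPES:
            findings.append(f"{addr}: resource type is not on the allow-list")
    return findings


def audit_state_file(path: str, min_serial: int = 0) -> List[str]:
    """Convenience wrapper for a state file on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_state(json.load(fh), min_serial)


# Constructed sample states (not real infrastructure).
CLEAN_STATE = {
    "version": 4, "terraform_version": "1.7.0", "serial": 42, "lineage": "constructed",
    "resources": [
        {"mode": "managed", "type": "aws_s3_bucket", "name": "logs",
         "provider": 'provider["registry.terraform.io/hashicorp/aws"]', "instances": []},
        {"mode": "managed", "type": "random_id", "name": "suffix",
         "provider": 'provider["registry.terraform.io/hashicorp/random"]', "instances": []},
    ],
}
# Same state with one resource repointed at a provider source the pipeline never
# used (hypothetical address) and the serial reset.
TAMPERED_STATE = json.loads(json.dumps(CLEAN_STATE))
TAMPERED_STATE["serial"] = 1
TAMPERED_STATE["resources"][0]["provider"] = 'provider["registry.terraform.io/example-attacker/aws"]'

if __name__ == "__main__":
    for label, st in (("clean", CLEAN_STATE), ("tampered", TAMPERED_STATE)):
        print(label, audit_state(st, min_serial=42) or "OK")
```

Run it as a gate step before `terraform init`; a non-empty result should fail the job. The check is a tripwire, not the fix: the attacker who can rewrite state can often rewrite the pipeline too, so the real controls are restricting write access to the state backend, keeping versioning and locking on it, and reviewing who the CI runner's credentials can act as.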
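On the GCP to AWS credentials item: the short-lived-token flow is only as safe as the IAM trust policy on the AWS side. A role that trusts `accounts.google.com` for `sts:AssumeRoleWithWebIdentity` without conditions accepts any Google-issued identity token, since anyone with a Google identity can mint one for any audience. The checker below is an added example for this digest, not code from the linked article. It assumes the condition keys `accounts.google.com:aud`, `accounts.google.com:oaud` and `accounts.google.com:sub` that AWS documents for Google-issued tokens; the audience string and service-account ID in the hardened policy are placeholders.

```python
"""Audit an IAM role trust policy used for GCP -> AWS Workload Identity Federation.

Added example for this digest, not code from the linked article. The check it
encodes: a role that trusts accounts.google.com through
sts:AssumeRoleWithWebIdentity must pin which token may assume it with conditions
on the token's audience and subject; without them any Google-issued identity
token satisfies the trust policy.
"""
from typing import List

GOOGLE_ISSUER = "accounts.google.com"
# Condition keys AWS documents for Google-issued tokens (assumed here).
AUD_KEYS = {"accounts.google.com:aud", "accounts.google.com:oaud"}
SUB_KEY = "accounts.google.com:sub"


def _as_list(value) -> list:
    """IAM allows scalar-or-list for most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict) -> List[str]:
    """Return findings for every Allow statement that federates Google tokens."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRoleWithWebIdentity", "sts:*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # Principal "*" is a different problem; only Google federation is audited here
        if GOOGLE_ISSUER not in _as_list(principal.get("Federated", [])):
            continue
        cond = stmt.get("Condition", {})
        pinned = {}
        for op in ("StringEquals", "StringLike"):
            pinned.update(cond.get(op, {}))
        if not AUD_KEYS & set(pinned):
            findings.append(f"{sid}: no audience condition; tokens minted for any audience are accepted")
        if SUB_KEY not in pinned:
            findings.append(f"{sid}: no {SUB_KEY} condition; any Google identity can assume the role")
        elif any("*" in str(v) for v in _as_list(pinned[SUB_KEY])):
            findings.append(f"{sid}: {SUB_KEY} uses a wildcard and does not pin one service account")
    return findings


# Weak policy: trusts every Google-issued token (constructed example).
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TrustAnyGoogleToken",
        "Effect": "Allow",
        "Principal": {"Federated": GOOGLE_ISSUER},
        "Action": "sts:AssumeRoleWithWebIdentity",
    }],
}

# Hardened policy: pins the audience the workload requests and the service
# account's unique ID. Both values below are placeholders, not real identifiers.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "TrustOneServiceAccount",
        "Effect": "Allow",
        "Principal": {"Federated": GOOGLE_ISSUER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            "accounts.google.com:aud": "https://sts.amazonaws.com/example-audience",
            "accounts.google.com:sub": "123456789012345678901",
        }},
    }],
}

if __name__ == "__main__":
    print("weak:", audit_trust_policy(WEAK_TRUST_POLICY))
    print("hardened:", audit_trust_policy(HARDENED_TRUST_POLICY) or "OK")
```

Point it at `aws iam get-role` output (the `AssumeRolePolicyDocument` field) for every role that trusts Google. The `sub` pin matters more than the audience pin: a GCP service account's identity token carries its unique numeric ID as `sub`, and that is the only claim an outsider cannot choose when requesting a token.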
Projects of the week
Highlighting cool DevOps projects to keep an eye on:
Flyde is an open-source visual programming language built to integrate with your existing codebase.
OpenGFW is a flexible, easy-to-use, open-source implementation of GFW (Great Firewall of China) on Linux.
Symphony is a framework and set of patterns and best practices for developing, testing, and deploying infrastructure on Azure using Infrastructure as Code.
DBTop Monitoring is a lightweight application to perform real-time monitoring for AWS Database Resources.
Dockerc allows you to compile Docker images to standalone portable binaries. No more docker run, no more pip install, no more npm i, just give your users executables they can run!
Collection of example Service Control Policies (SCPs) that are useful for sandbox and training AWS accounts.
Newsworthy Stories
Stay informed with the latest news impacting the DevOps and SRE world:
How Grover saves costs with 80% Spot in production using Karpenter with Amazon EKS.
Microsoft confirms Russian hackers stole source code, some customer secrets.
How DoorDash ensures velocity and reliability through Policy Automation