Cloud Flight Simulator Part 4: Least Privileged Pods with Kubernetes Workloads


Before you can help DevOps teams solve security problems and improve their security programs, you need to understand how they think, how they work, and the tools that they use.
In the final part of the Cloud Security Flight Simulator series, SEC540 lead author and instructor Eric Johnson teaches how to enable workload identity for AWS Elastic Kubernetes Service (EKS) and Azure Kubernetes Service (AKS).
Rather than issuing long-lived credentials to individual pods or inheriting excessive permissions from the node, Kubernetes service accounts can use an internal OpenID Connect (OIDC) provider to obtain a signed identity token (JWT). Then, cloud administrators can configure their identity services (IAM, Entra ID) to trust the Kubernetes cluster's OpenID Connect provider and allow the service account to obtain temporary, least-privilege credentials.
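On the AWS side, that trust is only least privilege when the role's trust policy pins the token's `sub` claim to a single service account. The sketch below is an added example, not material from the webcast: it models how the conditions are matched and audits a pinned statement against a wildcard one. The issuer, account ID, namespace and service account names are constructed placeholders, and the matching logic is a simplification of IAM's evaluation.

```python
import fnmatch

# Constructed placeholders: issuer host, cluster id, account id, namespace and names.
ISSUER = "oidc.eks.example-region.amazonaws.com/id/EXAMPLECLUSTERID"

def trust_statement(sub_operator, sub_value):
    """Constructed IAM trust statement for the cluster's OIDC provider."""
    cond = {"StringEquals": {f"{ISSUER}:aud": "sts.amazonaws.com"}}
    cond.setdefault(sub_operator, {})[f"{ISSUER}:sub"] = sub_value
    return {
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": cond,
    }

def token_allowed(statement, claims):
    """Simplified model of matching the statement's conditions against JWT claims."""
    if claims.get("iss") != f"https://{ISSUER}":
        return False
    for operator, tests in statement["Condition"].items():
        for key, expected in tests.items():
            actual = claims.get(key.rsplit(":", 1)[1], "")
            values = actual if isinstance(actual, list) else [actual]
            if operator == "StringEquals":
                ok = expected in values
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(v, expected) for v in values)
            else:
                ok = False  # operators outside this sketch are treated as a deny
            if not ok:
                return False
    return True

def audit(statement):
    """Flag trust statements that do not pin the role to one service account."""
    subs = [(op, v) for op, tests in statement["Condition"].items()
            for k, v in tests.items() if k.endswith(":sub")]
    if not subs:
        return ["no sub condition: every service account in the cluster is trusted"]
    return [f"sub uses {op} {v!r}: not pinned to a single service account"
            for op, v in subs if op != "StringEquals"]

def claims_for(namespace, name):
    """Claims of a constructed projected service account token (signature omitted)."""
    return {"iss": f"https://{ISSUER}", "aud": ["sts.amazonaws.com"],
            "sub": f"system:serviceaccount:{namespace}:{name}"}

strict = trust_statement("StringEquals", "system:serviceaccount:payments:api")
loose = trust_statement("StringLike", "system:serviceaccount:*")
```
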
Explore the rest of the Cloud Flight Simulator Series:
Part 1: GitLab CI, Workflows, and Secrets
www.sans.org/webcasts/cloud-f...
Part 2: Protecting Kubernetes Clusters with Admission
www.sans.org/webcasts/cloud-f...
Part 3: Safeguarding the Software Supply Chain
www.sans.org/webcasts/cloud-f...
Learn more about SANS SEC540: Cloud and DevSecOps Automation course at www.sans.org/cyber-security-c...
About the Speaker: Eric Johnson
Eric is a Co-founder and Principal Security Engineer at Puma Security and a Senior Instructor with the SANS Institute. His experience includes cloud security assessments, cloud infrastructure automation, static source code analysis, web and mobile application penetration testing, secure development lifecycle consulting, and secure code review assessments. Eric is the lead author and an instructor for SEC540: Cloud Security and DevSecOps Automation and a co-author and instructor for both SEC549: Enterprise Cloud Security Architecture, and SEC510: Public Cloud Security: AWS, Azure, and GCP. Additionally, Eric is a SANS Security Awareness Developer Training Advisory Board Member and SANS Analyst for Application Security and DevSecOps Surveys. Read more about Eric at www.sans.org/profiles/eric-jo...
SANS Cloud Security focuses the deep resources of SANS on the growing threats to The Cloud by providing training, GIAC certification, research, and community initiatives to help security professionals build, deploy and manage secure cloud infrastructure, platforms, and applications.
SANS Cloud Security Curriculum: www.sans.org/cloud-security
GIAC Cloud Security Certifications: www.giac.org/focus-areas/clou...
LinkedIn: / sanscloudsec
Discord: www.sansurl.com/cloud-discord
Twitter: @SANSCloudSec

Comments: 2

  • @kevinfernandes4097 (3 months ago)

    Where can I find the manifests?

  • @lesliefreeman1293 (3 months ago)

    ✌️ 'Promo SM'
