Safeguard
Topic

Cloud Security

In-depth guides and analysis on cloud security from the Safeguard engineering team.

237 articles

Cloud Security

AWS IAM: common vulnerabilities and fixes

Rhino Security Labs catalogs 21+ IAM privilege-escalation paths to full admin — most start with one over-scoped policy nobody remembers writing.

Jul 16, 20266 min read
Cloud Security

Insecure defaults in Azure ARM templates: a pre-deployment scanning guide

Azure Resource Manager templates don't enforce TLS 1.2 or block public blob access by default — here's how to catch it before terraform apply's Azure cousin ever runs.

Jul 16, 20267 min read
Cloud Security

Catching Terraform Misconfigurations Before They Ever Reach Apply

Trivy replaced tfsec in 2023 and Checkov ships thousands of policies — here's how to wire open-source Terraform scanners into CI/CD before terraform apply runs.

Jul 16, 20266 min read
Cloud Security

Designing tamper-evident CloudTrail logging across an AWS organization

AWS CloudTrail's default event history holds only 90 days. A centralized, hash-validated org trail is what actually survives an incident or an audit.

Jul 15, 20267 min read
Cloud Security

The AWS migration security checklist: IAM, encryption, and network segmentation

A misconfigured WAF and an over-permissioned IAM role exposed 106 million records in 2019 — here's the checklist that prevents a repeat during your AWS migration.

Jul 15, 20266 min read
Cloud Security

Azure Bicep IaC security fundamentals: secrets, module trust, and policy gates

A @secure() Bicep parameter still leaks in plaintext the moment it's written to an output — a well-documented gap most teams discover only after a deployment history review.

Jul 15, 20267 min read
Cloud Security

Security metrics and KPIs that actually indicate cloud program maturity

IBM's 2024 breach data puts the average breach lifecycle at 258 days — most cloud security dashboards can't even tell you your own exposure window.

Jul 15, 20267 min read
Cloud Security

Common AWS IAM privilege-escalation paths and how to design least privilege

Rhino Security Labs cataloged 21 distinct AWS IAM privilege-escalation methods in 2018 — most still work today, and most are invisible to a manifest scan.

Jul 14, 20266 min read
Cloud Security

The AWS misconfiguration cheat sheet: public S3, open IAM, and open security groups

Three misconfigurations — public S3 buckets, over-permissioned IAM roles, and 0.0.0.0/0 security groups — keep causing breaches. Here's the CLI to find and fix each one.

Jul 14, 20266 min read
Cloud Security

Cloud storage misconfiguration: why the same leak keeps happening

A single public S3 bucket exposed 198 million voter records in 2017. A decade later, the same misconfiguration still causes the biggest cloud data leaks.

Jul 14, 20267 min read
Cloud Security

Scanning Terraform and CloudFormation before you ever run apply

tfsec merged into Trivy in 2024 and OPA hit CNCF graduated status in 2021 — here's how to scan Terraform and CloudFormation before deploy, with a working Conftest policy.

Jul 14, 20266 min read
Cloud Security

The S3 bucket security hardening checklist

AWS blocked public access by default in April 2023, yet misconfigured buckets still leak data — here's a concrete checklist and Terraform to close the gaps.

Jul 14, 20267 min read
Cloud Security — Supply Chain Security Blog | Safeguard