Safeguard
Topic

Cloud Security

In-depth guides and analysis on cloud security from the Safeguard engineering team.

237 articles

Cloud Security

AWS Signer with Notation: Designing a Trust Policy That Survives Contact

AWS Signer integrates with Notation for OCI image signing. The hard part is not signing — it is the trust policy that decides what gets to run. We walk through one that holds up.

Jan 28, 20267 min read
Cloud Security

Azure DevOps Supply Chain Hardening Guide

A senior engineer's 2026 playbook for hardening Azure DevOps against the supply chain attacks that actually happen: extensions, service connections, and template injection.

Jan 27, 20267 min read
Cloud Security

What is Just-in-Time Access

Just-in-time access grants time-bound, task-scoped permissions instead of standing privileges -- here's how it works, its benefits, and how to implement it.

Jan 26, 20267 min read
Cloud Security

AWS CodeBuild/CodePipeline Hardening in 2026

CodeBuild and CodePipeline still carry the biggest AWS supply chain blast radius per dollar. Here is how to harden them in 2026 without rewriting to a different CI.

Jan 22, 20267 min read
Cloud Security

OpenShift Pipelines with Sigstore: A Production Integration Guide

OpenShift Pipelines (Tekton) plus Sigstore gives you keyless signing inside a regulated cluster. The integration patterns are subtle. We map the ones that survive audit.

Jan 21, 20267 min read
Cloud Security

Best practices for implementing least-privilege IAM polic...

A practical guide to designing least-privilege IAM policies in AWS: permission boundaries, policy patterns, and habits that keep access tight as teams scale.

Jan 21, 20267 min read
Cloud Security

Cloudflare Code Orange Fail Small: What the Resilience Plan Actually Changes

After November and December 2025 outages, Cloudflare declared Code Orange and shipped a Health Mediated Deployment system, break-glass dependency audits, and graceful-degradation rewrites.

Jan 20, 20267 min read
Cloud Security

Automating secret rotation with AWS Secrets Manager

A step-by-step guide to configuring AWS Secrets Manager rotation for RDS credentials, deploying the rotation Lambda function, and verifying it actually works.

Jan 20, 20268 min read
Cloud Security

Using AWS IAM Access Analyzer to find unused and external...

How AWS IAM Access Analyzer surfaces unused permissions and external access risk across your AWS accounts, and where native findings need extra context to prioritize.

Jan 19, 20266 min read
Cloud Security

How AWS STS temporary credentials reduce long-lived key risk

Long-lived AWS keys sit in code and CI logs for years. AWS STS temporary credentials expire automatically, shrinking the window attackers have to exploit a leak.

Jan 19, 20268 min read
Cloud Security

Configuring automatic key rotation in AWS KMS

A practical, step-by-step guide to configuring AWS KMS key rotation for customer managed keys, including custom rotation periods, multi-Region keys, and monitoring.

Jan 18, 20268 min read
Cloud Security

Setting up OIDC federation between GitHub Actions and AWS...

A step-by-step guide to setting up AWS OIDC GitHub Actions federation, from IAM provider setup to scoped trust policies, so CI/CD pipelines never need long-lived AWS keys.

Jan 17, 20267 min read
Cloud Security (Page 13) — Supply Chain Security Blog | Safeguard