Cloud Security
In-depth guides and analysis on cloud security from the Safeguard engineering team.
237 articles
AWS Signer with Notation: Designing a Trust Policy That Survives Contact
AWS Signer integrates with Notation for OCI image signing. The hard part is not signing — it is the trust policy that decides what gets to run. We walk through one that holds up.
Azure DevOps Supply Chain Hardening Guide
A senior engineer's 2026 playbook for hardening Azure DevOps against the supply chain attacks that actually happen: extensions, service connections, and template injection.
What is Just-in-Time Access
Just-in-time access grants time-bound, task-scoped permissions instead of standing privileges -- here's how it works, its benefits, and how to implement it.
AWS CodeBuild/CodePipeline Hardening in 2026
CodeBuild and CodePipeline still carry the biggest AWS supply chain blast radius per dollar. Here is how to harden them in 2026 without rewriting to a different CI.
OpenShift Pipelines with Sigstore: A Production Integration Guide
OpenShift Pipelines (Tekton) plus Sigstore gives you keyless signing inside a regulated cluster. The integration patterns are subtle. We map the ones that survive audit.
Best practices for implementing least-privilege IAM polic...
A practical guide to designing least-privilege IAM policies in AWS: permission boundaries, policy patterns, and habits that keep access tight as teams scale.
Cloudflare Code Orange Fail Small: What the Resilience Plan Actually Changes
After November and December 2025 outages, Cloudflare declared Code Orange and shipped a Health Mediated Deployment system, break-glass dependency audits, and graceful-degradation rewrites.
Automating secret rotation with AWS Secrets Manager
A step-by-step guide to configuring AWS Secrets Manager rotation for RDS credentials, deploying the rotation Lambda function, and verifying it actually works.
Using AWS IAM Access Analyzer to find unused and external...
How AWS IAM Access Analyzer surfaces unused permissions and external access risk across your AWS accounts, and where native findings need extra context to prioritize.
How AWS STS temporary credentials reduce long-lived key risk
Long-lived AWS keys sit in code and CI logs for years. AWS STS temporary credentials expire automatically, shrinking the window attackers have to exploit a leak.
Configuring automatic key rotation in AWS KMS
A practical, step-by-step guide to configuring AWS KMS key rotation for customer managed keys, including custom rotation periods, multi-Region keys, and monitoring.
Setting up OIDC federation between GitHub Actions and AWS...
A step-by-step guide to setting up AWS OIDC GitHub Actions federation, from IAM provider setup to scoped trust policies, so CI/CD pipelines never need long-lived AWS keys.