Cloud Security
In-depth guides and analysis on cloud security from the Safeguard engineering team.
237 articles
Common AWS IAM misconfigurations that lead to breaches
Capital One and Code Spaces both fell to AWS IAM misconfigurations, not novel exploits. Here's how overly permissive policies and privilege escalation paths cause real breaches.
Best practices for rotating secrets stored in Azure Key V...
A practical, step-by-step guide to Azure Key Vault secret rotation best practices, covering rotation policies, automation, and expiration alerts.
Using Azure AD Workload Identity Federation to remove sec...
How Azure Workload Identity Federation lets AKS and CI workloads swap Azure AD access tokens without ever storing a client secret—and how to migrate safely.
Designing least-privilege custom roles with Azure RBAC
A practical guide to designing least-privilege custom roles in Azure RBAC, covering over-permissioning pitfalls, scoping, and audit strategies.
GCP Artifact Registry Vulnerability Scanning: Integrating the Findings
Artifact Analysis on Artifact Registry produces a steady stream of findings. The discipline is in what you do with them. We map the workflows that actually reduce risk.
Choosing between Key Vault access policies and RBAC permi...
Access policies or RBAC? A concrete breakdown of Azure Key Vault's two permission models, when each still makes sense, and how to migrate safely.
Best practices for using Azure Managed Identity instead o...
A step-by-step guide to Azure Managed Identity best practices: system vs user assigned identities, least-privilege roles, and secretless authentication.
Configuring soft delete and purge protection for Azure Ke...
A step-by-step guide to enabling Key Vault soft delete and purge protection, recovering deleted secrets, and applying backup practices to prevent permanent data loss.
Using Privileged Identity Management for just-in-time Azu...
A practical guide to using Azure conditional access PIM for just-in-time role activation, reducing standing privileges and strengthening least-privilege access.
Preventing and detecting Azure service principal credenti...
How Azure service principal secrets leak through repos, pipelines, and IaC state files — and the detection, scoping, and rotation practices that stop a leak from becoming a breach.
Automating secret rotation in Google Cloud Secret Manager
A practical guide to automating GCP Secret Manager rotation—covering versioning, Cloud Functions, Cloud Scheduler, and rotating database credentials safely.
Applying least-privilege principles to GCP IAM roles
Predefined roles, custom roles, IAM Recommender, and service account hygiene: a practical guide to applying GCP IAM least privilege without breaking production.