Cloud Security
In-depth guides and analysis on cloud security from the Safeguard engineering team.
237 articles
Policy-as-code for Terraform: testing before you ever run apply
Checkov, OPA, and tflint each catch different Terraform mistakes — chained into CI before apply, they turn a review comment into a hard gate.
Cloud-Native Application Security: Securing the Full Stack in 2026
Cloud-native apps spread risk across code, containers, and infrastructure-as-code. This guide maps the full attack surface and a layered strategy to secure all of it.
Cloud-Native Supply Chain Security: From Source to Runtime
A stage-by-stage guide to securing the cloud-native software supply chain — source, dependencies, build, artifacts, and deploy — using SBOMs, SLSA provenance, signing, and admission policy.
Automating Security Controls on Google Cloud
Binary Authorization can block every unsigned container from reaching GKE or Cloud Run — but only if your pipeline is wired to sign images the moment they pass scanning.
A guide to AWS IAM permissions boundaries for delegated administration
AWS IAM lets any principal with iam:CreateRole and iam:AttachRolePolicy hand themselves admin — permissions boundaries are the one native control built to stop it.
AWS secure REST API vs. S3: where shared responsibility actually splits
S3 buckets are private by default — every public leak is a customer misconfiguration. Capital One's 2019 breach of 106 million records proves the boundary.
The AWS Shared Responsibility Model, Explained With Real Examples
AWS secures the cloud; you secure what's in it. Most breaches — like the thousands of exposed public S3 buckets found every year — happen entirely on the customer's side of that line.
Common Configuration Scoring System (CCSS) explained
NIST published CCSS in December 2010 to score misconfigurations the way CVSS scores bugs — most cloud teams have never applied it.
High-profile AWS breaches: lessons learned
Capital One's 2019 breach exposed 106 million records through a single SSRF call to the EC2 metadata service — here's the exact control that would have stopped it.
Shifting Infrastructure-as-Code security left across the SDLC
Terrascan went archived in November 2025 and tfsec folded into Trivy in 2024 — IaC scanning is consolidating fast, and where you run it matters as much as which tool you pick.
The S3 bucket security checklist every AWS team needs
AWS made Block Public Access the default for new S3 buckets in April 2023 — but the Capital One breach exposed 106 million records through IAM, not a bucket setting.
The most common infrastructure-as-code security risks, with Terraform examples
AWS S3 buckets are private by default, yet public-bucket findings still top every cloud posture scan — because Terraform's own access-block resource defaults to open.