Safeguard
Topic

Cloud Security

In-depth guides and analysis on cloud security from the Safeguard engineering team.

237 articles

Cloud Security

Policy-as-code for Terraform: testing before you ever run apply

Checkov, OPA, and tflint each catch different Terraform mistakes — chained into CI before apply, they turn a review comment into a hard gate.

Jul 11, 20266 min read
Cloud Security

Cloud-Native Application Security: Securing the Full Stack in 2026

Cloud-native apps spread risk across code, containers, and infrastructure-as-code. This guide maps the full attack surface and a layered strategy to secure all of it.

Jul 8, 20266 min read
Cloud Security

Cloud-Native Supply Chain Security: From Source to Runtime

A stage-by-stage guide to securing the cloud-native software supply chain — source, dependencies, build, artifacts, and deploy — using SBOMs, SLSA provenance, signing, and admission policy.

Jul 8, 20265 min read
Cloud Security

Automating Security Controls on Google Cloud

Binary Authorization can block every unsigned container from reaching GKE or Cloud Run — but only if your pipeline is wired to sign images the moment they pass scanning.

Jul 8, 20267 min read
Cloud Security

A guide to AWS IAM permissions boundaries for delegated administration

AWS IAM lets any principal with iam:CreateRole and iam:AttachRolePolicy hand themselves admin — permissions boundaries are the one native control built to stop it.

Jul 8, 20265 min read
Cloud Security

AWS secure REST API vs. S3: where shared responsibility actually splits

S3 buckets are private by default — every public leak is a customer misconfiguration. Capital One's 2019 breach of 106 million records proves the boundary.

Jul 8, 20267 min read
Cloud Security

The AWS Shared Responsibility Model, Explained With Real Examples

AWS secures the cloud; you secure what's in it. Most breaches — like the thousands of exposed public S3 buckets found every year — happen entirely on the customer's side of that line.

Jul 8, 20266 min read
Cloud Security

Common Configuration Scoring System (CCSS) explained

NIST published CCSS in December 2010 to score misconfigurations the way CVSS scores bugs — most cloud teams have never applied it.

Jul 8, 20266 min read
Cloud Security

High-profile AWS breaches: lessons learned

Capital One's 2019 breach exposed 106 million records through a single SSRF call to the EC2 metadata service — here's the exact control that would have stopped it.

Jul 8, 20266 min read
Cloud Security

Shifting Infrastructure-as-Code security left across the SDLC

Terrascan went archived in November 2025 and tfsec folded into Trivy in 2024 — IaC scanning is consolidating fast, and where you run it matters as much as which tool you pick.

Jul 8, 20266 min read
Cloud Security

The S3 bucket security checklist every AWS team needs

AWS made Block Public Access the default for new S3 buckets in April 2023 — but the Capital One breach exposed 106 million records through IAM, not a bucket setting.

Jul 8, 20267 min read
Cloud Security

The most common infrastructure-as-code security risks, with Terraform examples

AWS S3 buckets are private by default, yet public-bucket findings still top every cloud posture scan — because Terraform's own access-block resource defaults to open.

Jul 8, 20266 min read
Cloud Security (Page 3) — Supply Chain Security Blog | Safeguard