Infrastructure Security
In-depth guides and analysis on infrastructure security from the Safeguard engineering team.
52 articles
What is AWS CloudFormation Security
What is CloudFormation security? A practical breakdown of IAM least privilege, drift detection, secret scanning, and template misconfigurations that cause breaches.
What is Policy as Code
Policy as code turns security and compliance rules into version-controlled, testable code enforced automatically in CI/CD, admission control, and runtime.
What is Configuration Drift
Configuration drift silently pulls live systems away from their secure baseline — and it's behind some of the largest cloud data exposures on record.
What is GitOps Security
GitOps turns your Git repo into the source of truth for production, so one bad commit or stolen credential can mean a full cluster takeover.
Public key infrastructure (PKI)
What is PKI? A precise breakdown of public key infrastructure, the PKI certificate chain, root and intermediate CAs, and how trust hierarchies can break.
How to harden a Linux server
A step-by-step guide to harden Linux server security: SSH hardening, firewalls, patching, CIS benchmark alignment, and verification for production systems.
How to scan Terraform for misconfigurations with Checkov
A hands-on guide to running Checkov against Terraform, triaging findings, writing custom policies, and blocking IaC misconfigurations before they merge.
How to encrypt a Terraform state file
A step-by-step guide to encrypting a Terraform state file using an S3 backend, KMS keys, and IAM controls to keep infrastructure secrets safe.
Message Queue Security: Hardening Kafka, RabbitMQ, and Event Brokers
Message queues are the nervous system of modern architectures. A compromised broker can intercept, modify, or inject messages across your entire system. Here is how to lock them down.
Envoy Proxy Security Hardening for Production Deployments
Envoy powers service meshes and API gateways across the industry. Its default configuration prioritizes connectivity over security. Here is how to fix that.
Software Updates in Air-Gapped Environments: Security Without Connectivity
Air-gapped environments protect critical infrastructure by eliminating network connectivity. But software still needs updates. Bridging this gap without introducing the risks you isolated against is the challenge.
Puppet Forge Supply Chain Security: Trusting Your Configuration Management
Puppet modules from the Forge run with root-level access on your servers. The supply chain security of these modules deserves the same scrutiny as any dependency.