aws
Safeguard articles tagged "aws" — guides, analysis, and best practices for software supply chain and application security.
67 articles
AWS-2025-021: The IMDS Impersonation Bulletin Few Teams Read Carefully
AWS published Security Bulletin AWS-2025-021 warning that EC2 instances may interact with unexpected AWS accounts through the Instance Metadata Service. Here is the technical impact and the IMDSv2 enforcement plan.
AWS Service-Linked Role Abuse Techniques, 2025
Service-linked roles are the soft underbelly of AWS IAM. We catalogue the 2024-2025 abuse primitives and the detection queries that catch them.
AWS IAM Roles Anywhere and the Supply Chain
IAM Roles Anywhere lets workloads outside AWS assume IAM roles using X.509 certificates. It is also becoming the authentication layer for supply chain tools. Here is what the threat model looks like.
AWS SSM Parameter Store Security
Parameter Store is everywhere in AWS workloads, which means it accumulates secrets, configuration, and bad IAM over time. Here is the security review I run on every Parameter Store deployment.
AWS CDK Construct Library Security
CDK constructs are code that provisions infrastructure. Most teams audit the infrastructure but not the constructs. Here is how to think about construct library security and what to check.
AWS Step Functions Workflow Security
Step Functions workflows orchestrate everything from data pipelines to security automations. The workflow IAM role is almost always the most powerful thing in the stack. Here is how to lock it down.
AWS ECR Image Signing in Production
Image signing in ECR has moved from nice-to-have to table stakes. Here is what it actually takes to run cosign and AWS Signer in production without breaking every deploy.
AWS Secrets Manager vs Parameter Store
Two AWS services, overlapping features, and a pricing difference that adds up to real money. The decision framework for Secrets Manager vs Parameter Store, based on what actually goes wrong in production.
AWS CodePipeline Hardening Patterns
CodePipeline is the glue between your source, build, and deploy. It is also the thing that gets the widest IAM role in most AWS accounts. Here is how to harden it without rewriting your pipelines.
AWS CodeBuild Supply Chain Hardening Guide
CodeBuild projects are where most AWS supply chain compromises end up executing. Here is a practical hardening guide built from years of incident response, with specific buildspec controls and IAM patterns.
AWS AppConfig Dynamic Config Security
AppConfig ships configuration changes to running applications in seconds. That makes it a powerful tool and a compelling target. Here is how to run AppConfig safely.
AWS Lambda Supply Chain Risks You Are Probably Ignoring
Serverless does not mean secure. Here are the supply chain risks hiding in your Lambda functions and how to address them.