Safeguard
Tag

aws

Safeguard articles tagged "aws" — guides, analysis, and best practices for software supply chain and application security.

67 articles

Cloud Security

AWS-2025-021: The IMDS Impersonation Bulletin Few Teams Read Carefully

AWS published Security Bulletin AWS-2025-021 warning that EC2 instances may interact with unexpected AWS accounts through the Instance Metadata Service. Here is the technical impact and the IMDSv2 enforcement plan.

Sep 22, 20256 min read
Vulnerability Management

AWS Service-Linked Role Abuse Techniques, 2025

Service-linked roles are the soft underbelly of AWS IAM. We catalogue the 2024-2025 abuse primitives and the detection queries that catch them.

Apr 28, 20255 min read
Best Practices

AWS IAM Roles Anywhere and the Supply Chain

IAM Roles Anywhere lets workloads outside AWS assume IAM roles using X.509 certificates. It is also becoming the authentication layer for supply chain tools. Here is what the threat model looks like.

Nov 5, 20248 min read
Best Practices

AWS SSM Parameter Store Security

Parameter Store is everywhere in AWS workloads, which means it accumulates secrets, configuration, and bad IAM over time. Here is the security review I run on every Parameter Store deployment.

Oct 18, 20247 min read
DevSecOps

AWS CDK Construct Library Security

CDK constructs are code that provisions infrastructure. Most teams audit the infrastructure but not the constructs. Here is how to think about construct library security and what to check.

Sep 25, 20247 min read
Best Practices

AWS Step Functions Workflow Security

Step Functions workflows orchestrate everything from data pipelines to security automations. The workflow IAM role is almost always the most powerful thing in the stack. Here is how to lock it down.

Aug 10, 20247 min read
Container Security

AWS ECR Image Signing in Production

Image signing in ECR has moved from nice-to-have to table stakes. Here is what it actually takes to run cosign and AWS Signer in production without breaking every deploy.

Jul 22, 20247 min read
Best Practices

AWS Secrets Manager vs Parameter Store

Two AWS services, overlapping features, and a pricing difference that adds up to real money. The decision framework for Secrets Manager vs Parameter Store, based on what actually goes wrong in production.

Jun 28, 20246 min read
DevSecOps

AWS CodePipeline Hardening Patterns

CodePipeline is the glue between your source, build, and deploy. It is also the thing that gets the widest IAM role in most AWS accounts. Here is how to harden it without rewriting your pipelines.

Jun 15, 20247 min read
DevSecOps

AWS CodeBuild Supply Chain Hardening Guide

CodeBuild projects are where most AWS supply chain compromises end up executing. Here is a practical hardening guide built from years of incident response, with specific buildspec controls and IAM patterns.

May 10, 20247 min read
Best Practices

AWS AppConfig Dynamic Config Security

AppConfig ships configuration changes to running applications in seconds. That makes it a powerful tool and a compelling target. Here is how to run AppConfig safely.

Apr 30, 20247 min read
Cloud Security

AWS Lambda Supply Chain Risks You Are Probably Ignoring

Serverless does not mean secure. Here are the supply chain risks hiding in your Lambda functions and how to address them.

Apr 15, 20247 min read
aws (Page 5) — Safeguard Blog