cloud-security
Safeguard articles tagged "cloud-security" — guides, analysis, and best practices for software supply chain and application security.
290 articles
AWS IAM: common vulnerabilities and fixes
Rhino Security Labs catalogs 21+ IAM privilege-escalation paths to full admin — most start with one over-scoped policy nobody remembers writing.
Insecure defaults in Azure ARM templates: a pre-deployment scanning guide
Azure Resource Manager templates don't enforce TLS 1.2 or block public blob access by default — here's how to catch it before terraform apply's Azure cousin ever runs.
Catching Terraform Misconfigurations Before They Ever Reach Apply
Trivy replaced tfsec in 2023 and Checkov ships thousands of policies — here's how to wire open-source Terraform scanners into CI/CD before terraform apply runs.
Designing tamper-evident CloudTrail logging across an AWS organization
AWS CloudTrail's default event history holds only 90 days. A centralized, hash-validated org trail is what actually survives an incident or an audit.
The AWS migration security checklist: IAM, encryption, and network segmentation
A misconfigured WAF and an over-permissioned IAM role exposed 106 million records in 2019 — here's the checklist that prevents a repeat during your AWS migration.
Azure Bicep IaC security fundamentals: secrets, module trust, and policy gates
A @secure() Bicep parameter still leaks in plaintext the moment it's written to an output — a well-documented gap most teams discover only after a deployment history review.
Security metrics and KPIs that actually indicate cloud program maturity
IBM's 2024 breach data puts the average breach lifecycle at 258 days — most cloud security dashboards can't even tell you your own exposure window.
Common AWS IAM privilege-escalation paths and how to design least privilege
Rhino Security Labs cataloged 21 distinct AWS IAM privilege-escalation methods in 2018 — most still work today, and most are invisible to a manifest scan.
The AWS misconfiguration cheat sheet: public S3, open IAM, and open security groups
Three misconfigurations — public S3 buckets, over-permissioned IAM roles, and 0.0.0.0/0 security groups — keep causing breaches. Here's the CLI to find and fix each one.
Cloud storage misconfiguration: why the same leak keeps happening
A single public S3 bucket exposed 198 million voter records in 2017. A decade later, the same misconfiguration still causes the biggest cloud data leaks.
Scanning Terraform and CloudFormation before you ever run apply
tfsec merged into Trivy in 2024 and OPA hit CNCF graduated status in 2021 — here's how to scan Terraform and CloudFormation before deploy, with a working Conftest policy.
The S3 bucket security hardening checklist
AWS blocked public access by default in April 2023, yet misconfigured buckets still leak data — here's a concrete checklist and Terraform to close the gaps.