Cloud Security
AWS EKS Pod Identity vs. IRSA for Supply Chain
Pod Identity and IRSA both give EKS workloads AWS identities. The supply chain implications diverge once you look past the docs.
Feb 24, 20268 min read
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Pod Identity and IRSA both give EKS workloads AWS identities. The supply chain implications diverge once you look past the docs.
Running supply chain controls across AWS, Azure, and GCP means picking the right abstractions. Here is which ones hold up and which ones you will regret.
Each major cloud provider approaches supply chain security differently. Here's a practical comparison and what it means for multi-cloud organizations.
The parts of container supply chain that break differently on AWS Fargate and ECS compared to Kubernetes, and what to do about each one in production.
ECR now supports Notation-based image signing and trust policy enforcement. Here is how to design signing policies that survive scale and auditors.
CodeBuild and CodePipeline still carry the biggest AWS supply chain blast radius per dollar. Here is how to harden them in 2026 without rewriting to a different CI.
Service-linked roles are the soft underbelly of AWS IAM. We catalogue the 2024-2025 abuse primitives and the detection queries that catch them.
IAM Roles Anywhere lets workloads outside AWS assume IAM roles using X.509 certificates. It is also becoming the authentication layer for supply chain tools. Here is what the threat model looks like.
Parameter Store is everywhere in AWS workloads, which means it accumulates secrets, configuration, and bad IAM over time. Here is the security review I run on every Parameter Store deployment.
Weekly insights on software supply chain security, delivered to your inbox.