When you’re running AWS at any meaningful scale — say, more than 50 accounts — the default per-region, per-account configuration of GuardDuty and Security Hub stops being workable. Findings end up scattered across consoles, nobody owns triage, and the operational cost of just knowing what your security posture looks like becomes prohibitive. This post covers … Read more
S3 and RDS are the two AWS data services that turn up in almost every workload, and they’re also the two where misconfiguration causes the most public pain. Most of the well-publicised cloud breaches over the last few years involve one or both. The good news is that the controls needed to lock them down … Read more
Seven years on from when I first wrote about cloud security architecture on this site, the fundamentals haven’t changed — but almost everything around them has. The cloud providers have matured, the threats have evolved, and the regulatory landscape has tightened considerably. If I were starting a security architecture engagement at a financial services organisation … Read more
I wrote about ACM Private CA back in 2019, and the recommendation then was simple: stop running your own PKI in AWS, use the managed service, and integrate it with KMS for key protection. Seven years on, that recommendation still holds — but the supporting facts have moved on, the service itself has matured, and … Read more