There are some security practices which kinda don't fit into traditional hardening guides, don't get reported as CVEs, and just exist in the minds of expensive consultants.

AmazonEC2RoleforSSM, a deprecated version of the now recommended AmazonSSMManagedInstaceCore. This post breaks down why AWS likely deprecated the original policy and how organizations leave themselves vulnerable by continuing to use these deprecated policies.

How to architect AWS applications to securely enable user uploaded content, using pre-signed post URLs.

An introduction to AWS API protocols and how they impact the structure of an AWS API request.

A baseline checklist for ensuring security in Kubernetes clusters.

Microsoft's Azure Active Directory B2C service contained a cryptographic flaw which allowed an attacker to craft an OAuth refresh token with the contents for any user account. An attacker could redeem this refresh token for a session token, thereby gaining access to a victim account as if the attacker had logged in through a legitimate login flow.

If you've ever been doing an Internal Penetration test where you've reached Domain Admin status and you have a cloud presence, your entire Azure cloud can still be compromised.

Canarytokens.org introduced the Azure Login Certificate Token (aka the Azure Token). You can sprinkle Azure tokens throughout your environment and receive high fidelity notifications whenever they're used.

The keys to a successful IaC to IaaS drift detection strategy are: understanding when drift becomes a risk, implementing drift detection automation relevant to your stack, and classifying and route their response to the right individual or team.

A Software as a Service (SaaS) log collection framework.

Create a break glass role for emergency use in order to limit production console access.

Centralizing AWS CloudWatch log forwarding via EventBridge and Step Functions.

Setup a template to easily create and apply AWS Service Control Policies (SCPs) with Terraform.

PESD (Proxy Enriched Sequence Diagrams) Exporter converts Burp Suite's proxy traffic into interactive diagrams. You can also refer to the companion blog post.

How to create a QuickSight dashboard to visualize the policy validation findings from IAM Access Analyzer.

This Guidance helps customers assess their foundational security setup in their AWS account. Use the provided AWS CloudFormation template to automate the assessment of your AWS accounts for security vulnerabilities and deliver an assessment report that includes steps on how to resolve the issues.

An example of a customized Automation runbook, a capability of AWS Systems Manager, that automatically remediates non-compliant resources evaluated by the AWS Config rule "required-tags".

Google Cloud Storage Transfer Service (STS) enables you to move or backup your data to a Cloud Storage bucket or POSIX file system.

After you deploy a security blueprint, you can enable an instance of the Secured Landing Zone service on that deployment to protect and enforce the security posture defined in the original blueprint.

Post focusing on variant hunting as part of Microsoft's larger overall security program.