Posts tagged AWS.https://cloudsecop.net/https://cloudsecop.net/en/blog/migration-aws-to-cloudflare-en/https://cloudsecop.net/en/blog/migration-aws-to-cloudflare-en/Playbook for migrating a production app from AWS (Lambda, DynamoDB, RDS, S3, SQS, ElastiCache) to Cloudflare: per-primitive mapping, 3 strategies, cutover, rollback, 10 pitfalls.Sun, 28 Dec 2025 00:00:00 GMTCloudflareCloudflare DeveloperMigrationAWSServerlessKhaVanhttps://cloudsecop.net/en/blog/cost-model-production-en/https://cloudsecop.net/en/blog/cost-model-production-en/Per-primitive Cloudflare pricing (Workers, D1, KV, R2, Queues, DOs, Vectorize, Workers AI), tier breakpoints, AWS comparison, and 3 scale scenarios from blog to 100M req/month.Sun, 21 Dec 2025 00:00:00 GMTCloudflareCloudflare DeveloperCostAWSPricingKhaVanhttps://cloudsecop.net/en/blog/aws-security-maturity-model-v2-en/https://cloudsecop.net/en/blog/aws-security-maturity-model-v2-en/Practical walk-through of AWS Security Maturity Model v2: 74 controls across four phases (Quick Wins, Foundational, Efficient, Optimized), real ordering, traps, and Org mapping.Wed, 23 Jul 2025 00:00:00 GMTAWSCloud SecuritySecurity MaturityGovernanceZero TrustKhaVanhttps://cloudsecop.net/en/blog/aws-security-maturity-model-assessment-tool-en/https://cloudsecop.net/en/blog/aws-security-maturity-model-assessment-tool-en/Field notes from the AWS Security Maturity Model Assessment Tool across four phases (Quick Wins, Foundational, Efficient, Optimized): architecture, workflow, JSON/Excel export.Wed, 16 Jul 2025 00:00:00 GMTAWSCloud SecuritySecurity MaturityAssessmentGovernanceKhaVanhttps://cloudsecop.net/en/blog/kms-key-policies-deep-dive-en/https://cloudsecop.net/en/blog/kms-key-policies-deep-dive-en/How KMS key-policy evaluation works: cross-account access, condition keys, grants, key rotation, production patterns. With JSON policy examples and a production checklist.Fri, 18 Apr 2025 00:00:00 GMTAWSCloud SecurityKMSEncryptionIAMKhaVanhttps://cloudsecop.net/en/blog/guardduty-auto-remediation-en/https://cloudsecop.net/en/blog/guardduty-auto-remediation-en/An auto-remediation pipeline for GuardDuty using EventBridge and Lambda: isolate instances, snapshot for forensics, revoke credentials, and scale it across an Organization.Mon, 14 Apr 2025 00:00:00 GMTAWSCloud SecurityGuardDutySecurity AutomationEventBridgeKhaVanhttps://cloudsecop.net/en/blog/iam-key-auto-rotation/https://cloudsecop.net/en/blog/iam-key-auto-rotation/An AWS-native solution for rotating, disabling, and deleting IAM access keys on policy — the multi-account architecture, trade-offs, and what operating it actually takes.Sun, 19 Jan 2025 00:00:00 GMTAWSIAMSecurity AutomationSecrets ManagerLambdaKhaVanhttps://cloudsecop.net/en/blog/cross-cloud-workload-identity-federation/https://cloudsecop.net/en/blog/cross-cloud-workload-identity-federation/Workload Identity Federation deep dive: why Service Account Keys are anti-pattern, AWS STS → Google STS exchange, attribute mapping, impersonation, threat model, Terraform.Wed, 08 Jan 2025 00:00:00 GMTCloud SecurityAWSGCPIdentity FederationMulti-CloudZero TrustKhaVanhttps://cloudsecop.net/en/blog/cspm-multiple-aws-landing-zones/https://cloudsecop.net/en/blog/cspm-multiple-aws-landing-zones/How I built an in-house CSPM engine scanning many AWS Landing Zones in parallel with Prowler, storing findings in D1 and artifacts in R2, into one Security Operations dashboard.Tue, 24 Dec 2024 00:00:00 GMTCloud SecurityAWSCSPMProwlerCloudflareKhaVan