Cloud Security — Things Worth SharingPosts tagged Cloud Security.https://cloudsecop.net/AWS Security Maturity Model v2: 4 phases in practicehttps://cloudsecop.net/en/blog/aws-security-maturity-model-v2-en/https://cloudsecop.net/en/blog/aws-security-maturity-model-v2-en/Practical walk-through of AWS Security Maturity Model v2: 74 controls across four phases (Quick Wins, Foundational, Efficient, Optimized), real ordering, traps, and Org mapping.Wed, 23 Jul 2025 00:00:00 GMTAWSCloud SecuritySecurity MaturityGovernanceZero TrustKhaVanAWS SMM Assessment Tool: scoring posture in an afternoonhttps://cloudsecop.net/en/blog/aws-security-maturity-model-assessment-tool-en/https://cloudsecop.net/en/blog/aws-security-maturity-model-assessment-tool-en/Field notes from the AWS Security Maturity Model Assessment Tool across four phases (Quick Wins, Foundational, Efficient, Optimized): architecture, workflow, JSON/Excel export.Wed, 16 Jul 2025 00:00:00 GMTAWSCloud SecuritySecurity MaturityAssessmentGovernanceKhaVanAWS KMS Key Policies: get this right or lose your datahttps://cloudsecop.net/en/blog/kms-key-policies-deep-dive-en/https://cloudsecop.net/en/blog/kms-key-policies-deep-dive-en/How KMS key-policy evaluation works: cross-account access, condition keys, grants, key rotation, production patterns. With JSON policy examples and a production checklist.Fri, 18 Apr 2025 00:00:00 GMTAWSCloud SecurityKMSEncryptionIAMKhaVanGuardDuty auto-remediation: isolate EC2 and revoke IAMhttps://cloudsecop.net/en/blog/guardduty-auto-remediation-en/https://cloudsecop.net/en/blog/guardduty-auto-remediation-en/An auto-remediation pipeline for GuardDuty using EventBridge and Lambda: isolate instances, snapshot for forensics, revoke credentials, and scale it across an Organization.Mon, 14 Apr 2025 00:00:00 GMTAWSCloud SecurityGuardDutySecurity AutomationEventBridgeKhaVanWorkload Identity Federation AWS to GCP: keyless authhttps://cloudsecop.net/en/blog/cross-cloud-workload-identity-federation/https://cloudsecop.net/en/blog/cross-cloud-workload-identity-federation/Workload Identity Federation deep dive: why Service Account Keys are anti-pattern, AWS STS → Google STS exchange, attribute mapping, impersonation, threat model, Terraform.Wed, 08 Jan 2025 00:00:00 GMTCloud SecurityAWSGCPIdentity FederationMulti-CloudZero TrustKhaVanRunning CSPM across a dozen AWS Landing Zoneshttps://cloudsecop.net/en/blog/cspm-multiple-aws-landing-zones/https://cloudsecop.net/en/blog/cspm-multiple-aws-landing-zones/How I built an in-house CSPM engine scanning many AWS Landing Zones in parallel with Prowler, storing findings in D1 and artifacts in R2, into one Security Operations dashboard.Tue, 24 Dec 2024 00:00:00 GMTCloud SecurityAWSCSPMProwlerCloudflareKhaVan