Bài viết gắn tag Cloud Security.https://cloudsecop.net/https://cloudsecop.net/blog/aws-remote-swe-agents-strands/https://cloudsecop.net/blog/aws-remote-swe-agents-strands/AWS Strands Agents + Bedrock AgentCore cho autonomous SWE agent. GitHub issue → PR. Threat model, IAM blast radius, audit. So sánh Copilot Workspace và Devin.Mon, 12 Jan 2026 00:00:00 GMTAWSBedrockAI AgentsDevOpsCloud SecurityKhaVanhttps://cloudsecop.net/blog/aws-well-architected-custom-lens/https://cloudsecop.net/blog/aws-well-architected-custom-lens/Custom lens AWS Well-Architected: thêm pillar riêng cho org, JSON schema, deploy CloudFormation, attach workload. Use case Vietnam compliance Circular 09, Decree 53.Mon, 08 Sep 2025 00:00:00 GMTAWSCloud SecurityGovernanceWell-ArchitectedArchitectureKhaVanhttps://cloudsecop.net/blog/aws-security-services-best-practices/https://cloudsecop.net/blog/aws-security-services-best-practices/AWS vừa publish best-practices guide cho 10 dịch vụ bảo mật (GuardDuty, Security Hub, Macie, Inspector, WAF, Network Firewall). Cấu trúc guide và lộ trình triển khai thực tế.Thu, 31 Jul 2025 00:00:00 GMTAWSCloud SecurityGuardDutySecurity HubBest PracticesKhaVanhttps://cloudsecop.net/blog/aws-security-maturity-model-v2/https://cloudsecop.net/blog/aws-security-maturity-model-v2/AWS Security Maturity Model v2: 74 kiểm soát chia 4 giai đoạn (Quick Wins, Foundational, Efficient, Optimized), thứ tự nên làm, bẫy thường gặp, ánh xạ vào Organization.Sun, 27 Jul 2025 00:00:00 GMTAWSCloud SecuritySecurity MaturityGovernanceZero TrustKhaVanhttps://cloudsecop.net/blog/bedrock-workers-oidc-case-study/https://cloudsecop.net/blog/bedrock-workers-oidc-case-study/Worker mint RS256 JWT → STS AssumeRoleWithWebIdentity → Bedrock Claude Opus. Số liệu thực: token 5ms, STS 200ms, Bedrock 2-3s, cached 50ms.Tue, 22 Jul 2025 00:00:00 GMTCloudflareWorkersAWSBedrockOIDCCloud SecurityKhaVanhttps://cloudsecop.net/blog/aws-security-maturity-model-assessment-tool/https://cloudsecop.net/blog/aws-security-maturity-model-assessment-tool/Ghi chú dùng AWS Security Maturity Model Assessment Tool đánh giá posture theo 4 giai đoạn (Quick Wins, Foundational, Efficient, Optimized): kiến trúc, quy trình, JSON/Excel.Sun, 20 Jul 2025 00:00:00 GMTAWSCloud SecuritySecurity MaturityAssessmentGovernanceKhaVanhttps://cloudsecop.net/blog/hardeneks-eks-security/https://cloudsecop.net/blog/hardeneks-eks-security/hardeneks là Python CLI chạy 100+ EKS best-practice check. Lý do tôi chạy ở PR thay vì weekly cron, so sánh kube-bench/kube-hunter, finding thực tế.Wed, 04 Jun 2025 00:00:00 GMTAWSEKSKubernetesCloud SecurityComplianceKhaVanhttps://cloudsecop.net/blog/kms-key-policies-deep-dive/https://cloudsecop.net/blog/kms-key-policies-deep-dive/Cơ chế evaluation của KMS key policy, cross-account access, condition keys, grants, key rotation, production patterns. Kèm JSON policy examples và checklist cho production.Fri, 18 Apr 2025 00:00:00 GMTAWSCloud SecurityKMSEncryptionIAMKhaVanhttps://cloudsecop.net/blog/guardduty-auto-remediation/https://cloudsecop.net/blog/guardduty-auto-remediation/Pipeline tự động phản ứng sự cố bảo mật với GuardDuty, EventBridge và Lambda: cô lập instance, snapshot forensic, thu hồi credentials, mở rộng multi-account với Organizations.Mon, 14 Apr 2025 00:00:00 GMTAWSCloud SecurityGuardDutySecurity AutomationEventBridgeKhaVanhttps://cloudsecop.net/blog/flan-vulnerability-scanner/https://cloudsecop.net/blog/flan-vulnerability-scanner/Flan wrap nmap NSE + Vulners API trong Docker, xuất HTML/JSON. Vì sao Cloudflare tự host thay vì mua Tenable/Qualys, và cách integrate vào CI gate CVE.Wed, 12 Mar 2025 00:00:00 GMTCloudflareSecurityVulnerability ManagementCloud SecurityDevSecOpsKhaVanhttps://cloudsecop.net/blog/roadmap-sh-cyber-security-goc-nhin/https://cloudsecop.net/blog/roadmap-sh-cyber-security-goc-nhin/roadmap.sh chia con đường cyber security thành 6 khối kỹ năng. Đọc lại đối chiếu với cloud security và Zero Trust, chỗ đúng, chỗ đã cũ, và thứ tự học nếu bắt đầu lại hôm nay.Wed, 19 Feb 2025 00:00:00 GMTSecurityRoadmapLearning PathCloud SecurityCareerKhaVanhttps://cloudsecop.net/blog/workload-identity-federation-aws-gcp/https://cloudsecop.net/blog/workload-identity-federation-aws-gcp/Workload Identity Federation deep dive: vì sao Service Account Key là anti-pattern, luồng token AWS STS → Google STS, attribute mapping, impersonation, threat model, Terraform.Mon, 27 Jan 2025 00:00:00 GMTCloud SecurityAWSGCPIdentity FederationMulti-CloudZero TrustKhaVanhttps://cloudsecop.net/blog/cspm-across-multiple-landing-zones/https://cloudsecop.net/blog/cspm-across-multiple-landing-zones/Cách mình thiết kế CSPM engine nội bộ quét song song nhiều AWS Landing Zone bằng Prowler, lưu finding vào D1, artifact vào R2, dashboard duy nhất cho Security Operations.Fri, 20 Dec 2024 00:00:00 GMTCloud SecurityAWSCSPMProwlerCloudflareKhaVanhttps://cloudsecop.net/blog/cfssl-pki-toolkit-production/https://cloudsecop.net/blog/cfssl-pki-toolkit-production/Tự host internal CA bằng CFSSL: cfssl init, intermediate CA, OCSP responder, multirootca, CI short-lived certs. So sánh AWS Private CA $400/tháng.Fri, 15 Nov 2024 00:00:00 GMTCloudflareCloud SecurityPKITLSCertificatesKhaVan