editor Short version: Prefer SSM Session Manager for human access. If you must use SSH, use per-user keys, a bastion or tight source CIDRs, and a hardened sshd_config. No shared logins. No password auth. 1) Choose the access pattern Pattern When to use Notes SSM Session Manager Default for most estates No SSH ports open; IAM-controlled; … Read more
Short version: Stand up networking, identity, logging, and a few platform services with explicit defaults and basic alarms. The minimal stack Service Use it for Baseline settings Alerting IAM & Identity Center Human access SSO groups → permission sets; no IAM users; MFA on; short admin sessions Alarm on root usage; failed console auth bursts … Read more
Short version: Use Identity Center (SSO) for humans, IAM roles for workloads, and a handful of organization guardrails. Keep permission sets simple (ReadOnly, PowerUser-no-IAM, Admin), enforce MFA and sensible session lengths, and monitor root usage rather than trying to block it. 1) The shape that works Accounts: management, log-archive, security, and one per environment (dev/test/prod). … Read more
Baseline assumption: You already have CloudTrail, basic CloudWatch alarms, and Config turned on. These add-ons layer threat detection and hygiene checks without turning your inbox into a landfill. Enable first (org-wide) GuardDuty — managed threat detection from CloudTrail, DNS, and VPC telemetry. Turn on in all regions; centralise findings. Inspector — automated EC2 and ECR … Read more
Problem: You need to reach a service on a host behind NAT. A reverse tunnel lets the hidden host dial out to a bastion, exposing its local port only on that bastion. 1) One approved pattern On the hidden host (client), create a reverse tunnel to the bastion. This exposes client’s local SSH on bastion … Read more
Short version: For quick exchange, a passworded ZIP is fine; for stronger protection and hiding filenames, use tar piped into gpg –symmetric. Option A — Quick ZIP (password prompt) # Single file zip -e backup.zip important.txt # Whole directory (recursively) zip -er project.zip ./project/ Note: Traditional ZIP encryption is weaker and may reveal filenames/metadata to … Read more
Purpose: Present one reliable pattern for bind-mounting a directory elsewhere, then make it read-only, persist it in /etc/fstab, and roll back cleanly. 1) Basic bind mount # Example: expose /srv/app/upload at /var/www/app/upload sudo mkdir -p /var/www/app/upload sudo mount –bind /srv/app/upload /var/www/app/upload 2) Make it read-only Bind mounts ignore -o ro on first mount; you must … Read more
AWS Security Groups vs NACLs (2025): how traffic actually flows Last updated: 20 Aug 2025 Short version: Use Security Groups (SGs) for almost everything. They’re stateful, attach to ENIs/instances, and scale cleanly. Keep NACLs simple or neutral; use them for coarse subnet-level controls or as a quick kill-switch. What each thing does Property Security Groups … Read more
Last updated: 20 Aug 2025 Short version: set log retention explicitly, wire 3 alarms that actually matter, and keep severity mapping simple. Don’t create 40 “informational” alerts and call it monitoring. 1) Set log retention on day one Pick a default (e.g., 30 or 90 days) for all CloudWatch log groups. “Never expire” is not … Read more
Short version: CloudTrail is your audit log of API activity, CloudWatch is telemetry + alerting (metrics/logs/events), and Config is resource inventory + compliance. You probably need all three, wired together sensibly. Who does what Goal CloudTrail CloudWatch Config Audit every API call (who/what/when/where) ✔️ — — Real-time alerts (errors, patterns, thresholds) via Logs → Metric … Read more
TL;DR: Run the server on one end (iperf3 -s), the client on the other (iperf3 -c host). Test both directions, try single stream then a few parallel streams, and use UDP to quantify loss/jitter. When to use iperf3 Throughput is low and you don’t know if it’s the app, the host, or the network. You … Read more
TL;DR: Back up to dated snapshots using –link-dest so each day looks full but uses hard links. Keep an exclude file, don’t recurse into /proc, /sys, etc., and avoid infinite loops by excluding the backup path itself. After every run, prove you can restore one file and one directory. Rotate snapshots (e.g., keep 30 dailies, … Read more
Last updated: 19 Aug 2025 This is a practical hardening baseline for small/medium sites running WordPress on Apache. Focus: reduce attack surface, keep patching predictable, and prove restores. Adjust to your stack. 1) Accounts & Authentication Remove or rename the default admin user; unique admin usernames only. Enforce 2FA for all admins/editors (TOTP). No SMS. … Read more
TL;DR Patch now: Linux kernel (CVE-2025-38236), OpenSSH client bugs (CVE-2025-26465/26466), and current VMware advisories; N-able N-central flaws added to CISA KEV. Watchlist: further kernel backports landing in distro trackers; VMware rollups; Microsoft August patches with multiple critical items. Action for Linux/Cloud ops: roll kernel updates with reboots, update OpenSSH clients fleet-wide (laptops, jump hosts, CI), … Read more
AI is beginning to make itself felt in security marketing. Vendors promise self-defending networks and fully automated SOCs. However, the reality is more nuanced. The Hype “AI replaces analysts.” “AI tools detect 100% of threats.” “AI is plug-and-play.” These claims attract attention – but they’re misleading. The Reality AI tools are only as good as … Read more
For many IT teams, “security” still means keeping up with patches. While patching is essential, it’s far from enough. Attackers increasingly exploit default settings and weak configurations rather than waiting for an unpatched CVE. What Hardening Really Means System hardening is about stripping away unnecessary risk: Secure SSH and key management. Enforcing password and account … Read more
Despite billions invested in security tools, the leading cause of cloud breaches is still misconfiguration. It’s rarely a zero-day exploit – it’s someone leaving an S3 bucket open, mis-scoping IAM permissions, or forgetting to disable test environments. The Most Common Mistakes Publicly accessible storage buckets. “Allow all” firewall and security group rules. Over-privileged IAM … Read more
Ransomware has evolved from one-off attacks into a full-blown industry. The latest model, Ransomware-as-a-Service (RaaS), allows criminals to rent out ready-made ransomware kits, complete with payment portals and “customer support.” This industrialisation of cybercrime has lowered the barrier to entry – meaning even attackers with little skill can launch devastating campaigns. Why SMEs Are Now … Read more
Why Containers Expand the Attack Surface Microservices speed delivery but multiply risk. Misconfigured Kubernetes clusters are a known goldmine for cryptojacking and data exfiltration. Core Hardening Steps Least privilege images – no root user. Signed images only – verify integrity. Secrets management – never hardcode creds in YAML. Network policies – enforce pod-to-pod traffic rules. … Read more
Why DR is Business Survival, Not IT Overhead Ransomware, hardware failure, or cloud outages all kill availability. Without tested backups and recovery, firms collapse. Practical Strategy 3-2-1 Rule: 3 copies, 2 media types, 1 offsite. Encryption at rest + transit. Automated verification: test restores weekly. Documented RTO/RPO targets aligned to business needs. Applied Example Small … Read more
