AWS - kevwells.com

AWS IAM Security: Designing Least Privilege for Cloud Workloads

In cloud security reviews, Identity and Access Management (IAM) often turns out to be the weakest area. AWS gives you fine-grained tools to control access, but the broad managed policies are the easiest thing to attach, and administrators routinely grant far more than a workload needs. The result is predictable: accounts with far more privilege than they use, long-lived access keys that never expire, and … Read more

EC2 SSH access: per-user keys and least privilege

Short version: Prefer SSM Session Manager for human access. If you must use SSH, use per-user keys, a bastion or tight source CIDRs, and a hardened sshd_config. No shared logins. No password auth.

1) Choose the access pattern

Pattern | When to use | Notes
SSM Session Manager | Default for most estates | No SSH ports open; IAM-controlled; … Read more
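A worked check for the hardened sshd_config the excerpt above calls for (no password auth, no shared root login, per-user public keys only). This is an added example, not code from the original post: the baseline directive list, the requirement that each directive be set explicitly, and both sample configs are this editor's construction.

```python
"""Audit an sshd_config against the baseline above: no password auth,
no shared root login, per-user public keys only.

Added example; this is not code from the original post. The baseline
directives and both sample configs are this editor's construction.
"""
from __future__ import annotations

# Directive -> value it must have (lower-cased). Each must be set
# explicitly so the host does not depend on sshd's compiled-in default
# (assumed policy, not from the post).
REQUIRED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",   # keyboard-interactive is a password path too
    "permitemptypasswords": "no",
    "permitrootlogin": "no",                # no shared root login; per-user keys + sudo
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return directive -> value for the global section of an sshd_config.

    sshd takes the first value it sees for a directive, so later duplicates
    are ignored, and directives inside a Match block are skipped because
    they apply only when the block's condition matches.
    """
    settings: dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)         # first occurrence wins
    return settings


def audit_sshd_config(text: str) -> list[str]:
    """Return findings against REQUIRED; an empty list means the config passes."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key} not set explicitly (sshd default applies)")
        elif actual != wanted:
            findings.append(f"{key} is {actual!r}, expected {wanted!r}")
    return findings


# Constructed sample: the permissive config that turns up in reviews.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: the hardened config the post's advice leads to.
# AllowGroups: one POSIX user and key per person, no shared accounts.
# LogLevel VERBOSE: records the key fingerprint used for each login.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthenticationMethods publickey
AllowGroups ssh-users
LogLevel VERBOSE
Match User backup
    ForceCommand /usr/local/bin/backup-only
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(cfg)
        print(f"{name}: {'OK' if not findings else 'FINDINGS'}")
        for finding in findings:
            print("  -", finding)
```

Run it against `/etc/ssh/sshd_config` on a host (read the file and pass its text to `audit_sshd_config`) before and after applying the hardened settings; the weak sample produces four findings, the hardened one none. The parser deliberately ignores Match blocks, so a per-user exception such as the backup ForceCommand above does not mask a weak global setting, and because sshd honours the first occurrence of a directive, a hardened line appended below an existing `PasswordAuthentication yes` would still be reported.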

AWS core services for ops teams

Short version: Stand up networking, identity, logging, and a few platform services with explicit defaults and basic alarms.

The minimal stack

Service | Use it for | Baseline settings | Alerting
IAM & Identity Center | Human access | SSO groups → permission sets; no IAM users; MFA on; short admin sessions | Alarm on root usage; failed console auth bursts … Read more

AWS IAM & Identity Center: permission sets, SSO, guardrails

Short version: Use Identity Center (SSO) for humans, IAM roles for workloads, and a handful of organization guardrails. Keep permission sets simple (ReadOnly, PowerUser-no-IAM, Admin), enforce MFA and sensible session lengths, and monitor root usage rather than trying to block it.

1) The shape that works

Accounts: management, log-archive, security, and one per environment (dev/test/prod). … Read more

AWS monitoring add-ons: what’s worth enabling

Baseline assumption: You already have CloudTrail, basic CloudWatch alarms, and Config turned on. These add-ons layer threat detection and hygiene checks without turning your inbox into a landfill.

Enable first (org-wide)

GuardDuty — managed threat detection from CloudTrail, DNS, and VPC telemetry. Turn on in all regions; centralise findings.
Inspector — automated EC2 and ECR … Read more

AWS Security Groups vs NACLs: how traffic actually flows

Last updated: 20 Aug 2025

Short version: Use Security Groups (SGs) for almost everything. They’re stateful, attach to ENIs/instances, and scale cleanly. Keep NACLs simple or neutral; use them for coarse subnet-level controls or as a quick kill-switch.

What each thing does

Property | Security Groups | … Read more

AWS CloudTrail vs CloudWatch vs Config: what to use and when

Short version: CloudTrail is your audit log of API activity, CloudWatch is telemetry + alerting (metrics/logs/events), and Config is resource inventory + compliance. You probably need all three, wired together sensibly.

Who does what

Goal | CloudTrail | CloudWatch | Config
Audit every API call (who/what/when/where) | ✔️ | — | —
Real-time alerts (errors, patterns, thresholds) via Logs → Metric … Read more
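The two alarms the ops-stack and Identity Center excerpts above ask for (root usage; failed console auth bursts) are exactly the CloudTrail → CloudWatch Logs → metric filter path this excerpt describes. The following is an added example, not code from any of these posts: it states each condition as the CloudWatch Logs filter pattern you would attach to the CloudTrail log group, implements the same test in Python, and runs it offline over a constructed sample trail. The account ID, IP addresses and events in the sample are constructed, and the burst tuning (three failures in five minutes) is an assumption to adjust for your estate.

```python
"""Root-usage and failed-console-sign-in detection over CloudTrail records,
run offline against constructed sample events.

Added example, not code from the posts above. Each predicate mirrors the
CloudWatch Logs metric-filter pattern quoted beside it, which is how the
alarm is wired in production (CloudTrail -> CloudWatch Logs -> metric
filter -> alarm). The sample trail below is constructed, not real telemetry.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

# Metric-filter patterns (CloudWatch Logs filter syntax) that the Python
# predicates below reproduce.
ROOT_USAGE_PATTERN = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)
CONSOLE_FAILURE_PATTERN = (
    '{ ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }'
)


def is_root_usage(rec: dict) -> bool:
    """True when the root user itself acted: identity type Root, not a
    service calling on root's behalf (invokedBy), not a service event."""
    ident = rec.get("userIdentity", {})
    return (
        ident.get("type") == "Root"
        and "invokedBy" not in ident
        and rec.get("eventType") != "AwsServiceEvent"
    )


def is_failed_console_login(rec: dict) -> bool:
    """Matches CONSOLE_FAILURE_PATTERN."""
    return (rec.get("eventName") == "ConsoleLogin"
            and rec.get("errorMessage") == "Failed authentication")


def failed_login_bursts(records: list[dict], threshold: int = 3,
                        window_minutes: int = 5) -> dict[str, int]:
    """Return {source IP: peak failures} for every IP that produced at
    least `threshold` failed console sign-ins inside any `window_minutes`
    span (sliding window over event times). Tuning values are assumed."""
    window = timedelta(minutes=window_minutes)
    times_by_ip: dict[str, list[datetime]] = defaultdict(list)
    for rec in records:
        if is_failed_console_login(rec):
            t = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            times_by_ip[rec.get("sourceIPAddress", "unknown")].append(t)
    bursts: dict[str, int] = {}
    for ip, times in times_by_ip.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:     # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def run_detections(trail_json: str, threshold: int = 3,
                   window_minutes: int = 5) -> dict:
    """Run both detections over a CloudTrail delivery object ({"Records": [...]})."""
    records = json.loads(trail_json)["Records"]
    return {
        "root_usage": [(r["eventTime"], r["eventName"]) for r in records
                       if is_root_usage(r)],
        "login_bursts": failed_login_bursts(records, threshold, window_minutes),
    }


# Constructed sample trail (same shape as a CloudTrail delivery object, fields
# trimmed). Account ID and IP addresses are documentation values, not real.
SAMPLE_TRAIL = """{"Records": [
{"eventTime":"2025-08-20T09:00:00Z","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"Root","accountId":"111111111111"},"sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Success"}},
{"eventTime":"2025-08-20T09:02:00Z","eventName":"CreateSnapshot","eventType":"AwsApiCall","userIdentity":{"type":"Root","accountId":"111111111111","invokedBy":"backup.amazonaws.com"},"sourceIPAddress":"backup.amazonaws.com"},
{"eventTime":"2025-08-20T09:05:00Z","eventName":"DescribeInstances","eventType":"AwsApiCall","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.11"},
{"eventTime":"2025-08-20T09:10:00Z","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","errorMessage":"Failed authentication","responseElements":{"ConsoleLogin":"Failure"}},
{"eventTime":"2025-08-20T09:11:00Z","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","errorMessage":"Failed authentication","responseElements":{"ConsoleLogin":"Failure"}},
{"eventTime":"2025-08-20T09:12:00Z","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","errorMessage":"Failed authentication","responseElements":{"ConsoleLogin":"Failure"}},
{"eventTime":"2025-08-20T09:13:00Z","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","errorMessage":"Failed authentication","responseElements":{"ConsoleLogin":"Failure"}},
{"eventTime":"2025-08-20T09:20:00Z","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","userName":"carol"},"sourceIPAddress":"198.51.100.8","errorMessage":"Failed authentication","responseElements":{"ConsoleLogin":"Failure"}}
]}"""

if __name__ == "__main__":
    print(json.dumps(run_detections(SAMPLE_TRAIL), indent=2))
```

On the sample, only the 09:00 root console sign-in is reported as root usage: the CreateSnapshot call carries the Root identity but has `invokedBy` set, meaning a service acted on root's behalf, and alerting on those is the usual source of noise. The four failures from 198.51.100.7 inside three minutes trip the burst rule; the single failure from 198.51.100.8 does not. In production the same two patterns go on the CloudTrail log group as metric filters, each with an alarm on the resulting metric, and the root-usage alarm should be wired to a channel someone actually reads, since the Identity Center excerpt's advice is to monitor root rather than try to block it.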