Cloud Security is a main theme of #NoDrama DevOps and here is a curated set of posts that will help you learn about it.

We built k9 Security to help Cloud engineers understand and improve their AWS Security policies quickly and continuously. Check out how k9 can help you Go Fast, Safely.

Preparing for a Cloud Migration

If you are trying to discover the Security topics and resources needed to prepare for a Cloud Migration, see:

• Which career path to the Cloud?
• Building Security Skills for a Cloud Migration
• On the Deceitful Complexity of Cloud Security (takeway: you can do it!)

Critical AWS Security Architecture Topics

First a bit about the problem of managing access in AWS:

• Why is IAM so hard?
• Zed, authorizing application access via network controls is (nearly) dead

AWS accounts and the structure of your AWS organization are a critical aspect of AWS Security Architecture. The AWS account is the primary, and strongest partition between identities and protecting resources in the Cloud. See these posts for a detailed discussion:

• How many AWS accounts do I need?
• How should I organize my AWS Accounts?

Patterns that solve common problems:

• Secure Inbox using S3 and KMS

Governance, Risk, Compliance

Establishing Enterprise-wide guardrails for activities in AWS:

• Improving Enterprise Security and Compliance with AWS Organizations
• Starting Carefully with Service Control Policy

Governance of quickly changing Cloud deployments is an immature but improving practice. Ground yourself by understanding:

• The context people and tools need to work with your Cloud
• Research: Problems Engineers have Securing Cloud Deployments and ‘Shift Left’
• Research: Problems with top free security assessment tools (2020q1)

This will prepare you to push own Cloud deployments to best-in-industry by modeling Security and Risks so that you can analyze risk quantitatively:

• Assessing and Managing Information Security Risks
• Modeling Security in Cloud Deployments
• Modeling Risk in Cloud Deployments
• Computing a Risk Estimate using Netflix’s riskquant

Improving Security

As your deployments grow and you try to improve security policies, you’ll be left wondering why X can’t access Y, here’s How to debug ‘AccessDenied’ errors in AWS.

You’ll also need to understand the The First Secret Problem, how applications establish their identity, and how to deliver secrets such as passwords and api keys to them. I researched and published a report on the State of Application Secret Delivery and Audit Practices (2019q3). You can learn start by learning the fundamental problems and solutions

• The First Secret Problem
• Let Me Tell You a Secret
• Delivering Secrets to Applications, Securely

Guidance

If you would like some private, personalized guidance on these topics, consider a Guidance Engagement.