
Cloud Security is a main theme of #NoDrama DevOps and here is a curated set of posts that will help you learn about it.
We built k9 Security to help Cloud engineers understand and improve their AWS Security policies quickly and continuously. Check out how k9 can help you Go Fast, Safely.
Preparing for a Cloud Migration
If you are trying to discover the Security topics and resources needed to prepare for a Cloud Migration, see:
- Which career path to the Cloud?
- Building Security Skills for a Cloud Migration
- On the Deceitful Complexity of Cloud Security (takeaway: you can do it!)
Critical AWS Security Architecture Topics
First a bit about the problem of managing access in AWS:
AWS accounts and the structure of your AWS organization are a critical aspect of AWS Security Architecture. The AWS account is the primary and strongest partition between identities and the resources being protected in the Cloud. See these posts for a detailed discussion:
Patterns that solve common problems:
Governance, Risk, Compliance
Establishing Enterprise-wide guardrails for activities in AWS:
- Improving Enterprise Security and Compliance with AWS Organizations
- Starting Carefully with Service Control Policy
Governance of quickly changing Cloud deployments is an immature but improving practice. Ground yourself by understanding:
- The context people and tools need to work with your Cloud
- Research: Problems Engineers have Securing Cloud Deployments and ‘Shift Left’
- Research: Problems with top free security assessment tools (2020q1)
This will prepare you to push your own Cloud deployments to best-in-industry practice by modeling Security and Risk so that you can analyze risk quantitatively:
- Assessing and Managing Information Security Risks
- Modeling Security in Cloud Deployments
- Modeling Risk in Cloud Deployments
- Computing a Risk Estimate using Netflix’s riskquant
Improving Security
As your deployments grow and you try to improve security policies, you’ll be left wondering why X can’t access Y. Here’s How to debug ‘AccessDenied’ errors in AWS.
You’ll also need to understand The First Secret Problem: how applications establish their identity, and how to deliver secrets such as passwords and API keys to them. I researched and published a report on the State of Application Secret Delivery and Audit Practices (2019q3). You can start by learning the fundamental problems and solutions.
Guidance
If you would like some private, personalized guidance on these topics, consider a Guidance Engagement.