AWS Security

Architectural Context

Detailed reference for AWS Security in the context of Cloud Providers (Hyperscalers).

Standard Reference

• AWS Security Blog [COMMUNITY-TOOL]
• Tutorial: Configure Apache Web Server on Amazon Linux to use SSL/TLS [COMMUNITY-TOOL]
• The Most Popular AWS Security Blog Posts in 2015 [COMMUNITY-TOOL]
• Announcing Industry Best Practices for Securing AWS Resources [COMMUNITY-TOOL]
• The Most Viewed AWS Security Blog Posts so Far in 2016 [COMMUNITY-TOOL]
• How to Restrict Amazon S3 Bucket Access to a Specific IAM Role [COMMUNITY-TOOL]
• Updated Whitepaper Available: AWS Best Practices for DDoS Resiliency [COMMUNITY-TOOL]
• AWS Security Blog: In Case You Missed These: AWS Security Blog Posts from June, July, and August 2016 [COMMUNITY-TOOL]
• Amazon s2n: AWS’s new Open Source implementation of the SSL/TLS network encryption protocols [COMMUNITY-TOOL]
• acloudguru.com: How to audit and secure an AWS account [COMMUNITY-TOOL]
• yobyot.com: AWS multi-region KMS keys and Data Lifecycle Manager: better together [COMMUNITY-TOOL]
• docs.aws.amazon.com: AWS Security Reference Architecture (AWS SRA) 🌟 [COMMUNITY-TOOL]
• AWS Identity and Access Management - Getting Started [COMMUNITY-TOOL]
• AWS Identity and Access Management (IAM) best practices in 2016 [COMMUNITY-TOOL]
• How to Record and Govern Your IAM Resource Configurations Using AWS Config [COMMUNITY-TOOL]
• How to Use SAML to Automatically Direct Federated Users to a Specific AWS Management Console Page [COMMUNITY-TOOL]
• keepler.io: Gestionando el control de accesos en nuestro data lake en AWS [COMMUNITY-TOOL]
• blog.wut.dev: Moving AWS Accounts and OUs Within An Organization - Not So Simple! [COMMUNITY-TOOL]
• How to Automatically Update Your Security Groups for Amazon CloudFront and AWS WAF by Using AWS Lambda (boto3 python) [COMMUNITY-TOOL]
• How to Use AWS WAF to Block IP Addresses That Generate Bad Requests [COMMUNITY-TOOL]
• How to Reduce Security Threats and Operating Costs Using AWS WAF and Amazon CloudFront [COMMUNITY-TOOL]
• AWS WAF sample rules ⭐ 511 [COMMUNITY-TOOL]
• k21academy.com: AWS Secrets Manager [COMMUNITY-TOOL]
• Automated Let's Encrypt Certificates in Azure Key Vault with ACME Bot [COMMUNITY-TOOL]
• aws.amazon.com: New – AWS Control Tower Account Factory for Terraform [COMMUNITY-TOOL]
• hashicorp.com: HashiCorp Teams with AWS on New Control Tower Account Factory' for Terraform [COMMUNITY-TOOL]
• AWS Control Tower [COMMUNITY-TOOL]
• AWS Security [COMMUNITY-TOOL]
• AWS Security docs [COMMUNITY-TOOL]
• Amazon’s customer service backdoor [COMMUNITY-TOOL]
• Oracle Database Encryption Options on Amazon RDS [COMMUNITY-TOOL]
• Learn AWS Security Fundamentals with Free and Online Training [COMMUNITY-TOOL]
• Amazon Inspector Announces General Availability for Windows [COMMUNITY-TOOL]
• encrypt and decrypt data: Importing Key Material in AWS Key Management Service' (AWS KMS) [COMMUNITY-TOOL]
• Encrypt global data client-side with AWS KMS multi-Region keys [COMMUNITY-TOOL]
• dzone: Removing the Bastion Host and Improving the Security in AWS [COMMUNITY-TOOL]
• How to automate AWS account creation with SSO user assignment [COMMUNITY-TOOL]
• Security practices in AWS multi-tenant SaaS environments [COMMUNITY-TOOL]
• How to use AWS Security Hub and Amazon OpenSearch Service for SIEM [COMMUNITY-TOOL]
• faun.pub: Handling Exposed AWS Access Key [COMMUNITY-TOOL]
• github.com/aws-samples: How to set up continuous replication from your third-party' secrets manager to AWS Secrets Manager ⭐ 16 [COMMUNITY-TOOL]
• medium.com/@neonforge: Why You Shouldn’t Use AWS managed KMS Keys [COMMUNITY-TOOL]
• linkedin.com: Complexities of AWS Security Groups in the Cloud World [COMMUNITY-TOOL]
• awslabs/cognito-at-edge ⭐ 238 [COMMUNITY-TOOL]
• github.com/aws-samples: Service Control Policy examples ⭐ 302 [COMMUNITY-TOOL]
• medium.parttimepolymath.net: No more AWS Access Keys? [COMMUNITY-TOOL]
• darryl-ruggles.cloud: AWS SSO Credentials With Multiple Accounts [COMMUNITY-TOOL]
• github.com/awslabs/sustainability-scanner: Sustainability Scanner (SusScanner) ⭐ 123 [COMMUNITY-TOOL]
• aws.amazon.com: Update of AWS Security Reference Architecture is now available [COMMUNITY-TOOL]
• docs.aws.amazon.com: Application security [COMMUNITY-TOOL]
• Realize Policy-as-Code with AWS Cloud Development Kit through Open Policy Agent 🌟 [COMMUNITY-TOOL]
• PCI DSS Standardized Architecture on the AWS Cloud: Quick Start Reference' Deployment [COMMUNITY-TOOL]
• New IAMCTL tool compares multiple IAM roles and policies [COMMUNITY-TOOL]
• Bring your own CLI to Session Manager with configurable shell profiles [COMMUNITY-TOOL]
• aws.amazon.com: IAM Access Analyzer now supports over 100 policy checks' with actionable recommendations to help you author secure and functional policies [COMMUNITY-TOOL]
• aws.amazon.com: IAM Access Analyzer Update – Policy Validation [COMMUNITY-TOOL]
• netflixtechblog.com: ConsoleMe: A Central Control Plane for AWS Permissions' and Access [COMMUNITY-TOOL]
• cloudkatha.com: Difference between Root User and IAM User in AWS You Need' to Know [COMMUNITY-TOOL]
• ben11kehoe.medium.com: AWS Authentication: Principals (users and roles)' in AWS IAM [COMMUNITY-TOOL]
• infoq.com: Incorrect IAM Policy Raised Questions About AWS Access to S3' Data [COMMUNITY-TOOL]
• iann0036/iamlive ⭐ 3381 [ENTERPRISE-STABLE]
• awsiam.info: AWS IAM Search [COMMUNITY-TOOL]
• daan.fyi: AWS IAM Demystified [COMMUNITY-TOOL]
• willdady/cdk-iam-credentials-rotator: IAM Credentials Rotator ⭐ 17 [COMMUNITY-TOOL]
• Organizing Your AWS Environment Using Multiple Accounts (white paper for best practices) [COMMUNITY-TOOL]
• aws.amazon.com: When and where to use IAM permissions boundaries [COMMUNITY-TOOL]
• Extend AWS IAM roles to workloads outside of AWS with IAM Roles Anywhere 🌟 [COMMUNITY-TOOL]
• binx.io: Working with AWS Permission Policies 🌟 [COMMUNITY-TOOL]
• Use IAM Access Analyzer policy generation to grant fine-grained permissions for your AWS CloudFormation service roles [COMMUNITY-TOOL]
• globaldatanet.com: .AWS IAM Identity Center Permission Management at Scale' Part 2 [COMMUNITY-TOOL]
• How to monitor and query IAM resources at scale – Part 1 [COMMUNITY-TOOL]
• github.com/aws-samples: Visualize AWS IAM Access Analyzer Policy Validation' Findings ⭐ 21 [COMMUNITY-TOOL]
• thenewstack.io: A Deep Dive into the Security of IAM in AWS [COMMUNITY-TOOL]
• awslabs/terraform-iam-policy-validator ⭐ 346 [COMMUNITY-TOOL]
• jimmydqv.com: AWS IAM Anywhere 🌟 [COMMUNITY-TOOL]
• Simplifying permissions management at scale using tags in AWS Organizations [COMMUNITY-TOOL]
• Standardize compliance in AWS using DevOps and a Cloud Center of Excellence (CCOE) approach [COMMUNITY-TOOL]
• aws.amazon.com: Automate AWS Control Tower landing zone operations using' APIs [COMMUNITY-TOOL]
• doit-intl.com: AWS Firewalls 101: How and when to use each one [COMMUNITY-TOOL]
• Automatically block suspicious traffic with AWS Network Firewall and Amazon GuardDuty [COMMUNITY-TOOL]
• AWS WAF - Web Application Firewall [COMMUNITY-TOOL]
• medium: Blocking bots using AWS WAF [COMMUNITY-TOOL]
• medium: Protecting your Web Application or APIs using AWS WAF [COMMUNITY-TOOL]
• faun.pub: Set up global rate limiting with AWS WAF in 5 minutes [COMMUNITY-TOOL]
• dev.to: AWS WAF (Web Application Firewall): Deep Dive [COMMUNITY-TOOL]
• How to replicate secrets in AWS Secrets Manager to multiple Regions [COMMUNITY-TOOL]
• AWS Secrets Manager controller POC: an EKS operator for automatic rotation' of secrets [COMMUNITY-TOOL]
• blog.devops.dev: Debugging Kubernetes Secrets, Why My Pod Wouldn’t Start [COMMUNITY-TOOL]
• AWS Vault ⭐ 8976 [ENTERPRISE-STABLE]

Platform Engineering

CI-CD Security

Azure DevOps

• Securing Azure DevOps When Using Private Repositories [COMMUNITY-TOOL] — Analyses secure integration patterns for private Azure DevOps environments. Offers standard reference controls for isolating source code hosting, managing external worker access, and mitigating common misconfiguration patterns across self-hosted agent pools.

Cloud Identity

• Avoiding Mistakes with AWS OIDC Integration Conditions [ADVANCED LEVEL] [DE FACTO STANDARD] — An in-depth security analysis detailing how to configure AWS OpenID Connect (OIDC) trust relationships correctly in GitHub Actions and other CI providers. Highlights major vulnerabilities arising from missing subject (sub) or audience (aud) validation and shows how to restrict access patterns safely.

Security

Linux Hardening

Best Practices

• How-To Secure A Linux Server ⭐ 27424 [ADVANCED LEVEL] [DE FACTO STANDARD] — An exhaustive, highly popular guide for securing production Linux environments. Covers SSH hardening, firewalls, user permission boundaries, 2FA, kernel optimization, audit logs, and automated vulnerability scanning.

---

💡 Explore Related: AWS Tools Scripts | Azure | AWS