AWS Security — Zero Trust & DevSecOps Guides
I'll be blunt: most AWS security content is either "enable MFA" (thanks, I know) or 400-page compliance frameworks that nobody reads. The stuff in between — the practical, "here's how to actually lock down a production account without grinding your team to a halt" content — is weirdly rare.
That's what these guides are. Real IAM policies, real network architectures, real incident response runbooks. Every recommendation has been implemented in a production AWS environment. I don't write about security controls I haven't deployed myself.
Start Here
Security is overwhelming if you try to do everything at once. These three give you the foundation that blocks 90% of the attack surface that actually matters.
- Zero Trust Network Architecture on AWS: A BeyondCorp-Style Reference — The full implementation: identity-aware proxies, micro-segmentation with security groups and NACLs, no implicit trust between VPCs, mTLS between services. This isn't a whitepaper — it's a deployable architecture with CDK code and the reasoning behind every design choice.
- IAM Least Privilege in Practice (Not Just in Theory) — Everyone says "use least privilege." Nobody shows you how to get there when you have 200 IAM roles and 15 engineers who all need slightly different access. Here's the process I use: IAM Access Analyzer, permission boundaries, SCPs, and the role consolidation strategy that took one team from 200 roles to 40.
- AWS Account Security Baseline: The First 30 Minutes — Every new AWS account should have these controls before anything else gets deployed. CloudTrail, GuardDuty, Config rules, root account lockdown, password policies, and the billing alert that saves you from a crypto mining surprise. I treat this as a checklist — nothing else gets deployed until these are green.
Deep Dives
Once your foundation is solid, these guides cover the harder problems — the ones that show up when you're operating at scale or handling sensitive data.
- DevSecOps Pipeline: Security Scanning That Developers Don't Hate — I've seen security scanning kill developer velocity so many times. Here's the pipeline that works: SAST and SCA in pre-commit (fast, local), container scanning in CI (blocking on critical only), and DAST in staging (async, non-blocking). The trick is tuning the noise. I show you exactly how.
- Secrets Management on AWS: The Full Picture — Secrets Manager vs Parameter Store vs Vault. When to use which, how to rotate automatically, and the common mistake of putting secrets in environment variables that end up in CloudWatch logs. Includes the Lambda layer pattern I use for injecting secrets without hardcoding ARNs.
- Incident Response Runbook for AWS — The runbook I wish I'd had before my first security incident. Containment steps for compromised credentials, unauthorized EC2 launches, S3 bucket exposure, and data exfiltration. Each scenario includes the exact CLI commands, the order to run them, and who to notify when.
- Cross-Account Security Architecture — Multi-account is the right call for isolation. But it introduces a whole new class of problems: cross-account IAM trust, centralized logging, shared security tooling, and the organizational SCP hierarchy that prevents one team's misconfiguration from becoming everyone's problem. This is the architecture I deploy for every organization with more than 3 AWS accounts.
- Container Security on ECS and EKS: What Actually Matters — Image scanning is table stakes. This goes deeper: runtime security with Falco, network policies in EKS, task role scoping in ECS, and the supply chain attack vector that most teams ignore completely (hint: it's your base images, and you're probably pulling them from Docker Hub without verification).
- Encryption at Rest and in Transit: The Boring but Critical Guide — KMS key policies, S3 bucket encryption, RDS encryption, TLS termination at the ALB, and certificate management with ACM. None of this is exciting. All of it matters. I also cover the one KMS mistake that can make your data permanently unrecoverable (it involves key deletion and a 7-day waiting period that you really don't want to discover in an emergency).
What We're Building Next
I'm working on an automated AWS security audit tool — think ScoutSuite but opinionated, with InfraTales-style plain-English explanations of what's wrong and exactly how to fix it. Not just "this S3 bucket is public" but "this S3 bucket is public, here's what's in it, and here's the one-liner to lock it down." Stay tuned.
Get These Guides in Your Inbox
Every week: one AWS failure broken down + the fix that worked. Security incidents, misconfigurations, and the fixes — explained like a human, not a compliance document.
More from InfraTales:
- Serverless Hub — Event-driven architectures that actually work in production.
- Cost Optimization Hub — Stop overpaying. Real savings with real numbers.