Azure Linux VM Password Authentication Enabled: Risks and Fix
Azure Linux VMs with SSH password auth are brute-force magnets. Learn why it matters and how to enforce key-based authentication with CLI, Terraform, and policy.
Practical guides on security, cost, performance, reliability, and operations across AWS, Azure, and GCP.
Stale IAM roles widen your AWS attack surface. Learn how to detect roles unused for 90+ days, remove them safely, and prevent them from piling up again.
Learn why disabled API Gateway detailed metrics leave you blind during outages, and how to enable per-method CloudWatch metrics with CLI, Terraform, and policy as code.
Learn why Amazon MSK clusters need a customer-managed KMS key for broker storage encryption, the risks of the default key, and how to remediate with CLI and Terraform.
Learn why attaching resources to the AWS default security group is risky, how to move them to purpose-built groups, and how to prevent it with policy-as-code.
Learn why AWS Network ACLs that allow unrestricted outbound traffic are a security risk, plus step-by-step CLI, Terraform, and CI fixes to scope egress safely.
Learn why DynamoDB tables should use a customer-managed KMS key instead of the default, plus CLI and Terraform steps to remediate and prevent drift.
Learn why AMIs with unencrypted EBS snapshots are a data exposure risk, how to re-encrypt them with CLI commands, and how to prevent it with policy-as-code.
Learn why Kinesis Firehose should use a customer-managed KMS key instead of the default AWS key, plus CLI, Terraform, and policy-as-code remediation steps.
Learn why unencrypted AWS DAX clusters expose cached DynamoDB data, how to remediate them, and how to enforce server-side encryption in CI/CD.
Learn why holding both serviceAccountUser and serviceAccountAdmin in GCP is a privilege escalation path, and how to fix and prevent it with scoped IAM and policy-as-code.
Learn why Amazon Neptune clusters should use a customer-managed KMS key instead of the AWS-managed default, with step-by-step remediation and prevention.
Learn why an Azure NSG rule exposing PostgreSQL port 5432 to the internet is dangerous, how to fix it with CLI and Terraform, and how to prevent it with policy.
Learn why log_temp_files matters on GCP Cloud SQL PostgreSQL, how disk spills hurt performance and security, and how to enable and enforce the flag.
Learn why a public Event Grid domain expands your attack surface, plus step-by-step CLI, Terraform, and Azure Policy fixes to lock it down for good.
Learn why an Auto Scaling group referencing a deleted target group causes silent capacity loss, and how to detect, fix, and prevent it on AWS.
Learn why a missing vTPM on GCP Compute Engine VMs weakens boot integrity, and how to enable Shielded VM with CLI, Terraform, and Org Policy guardrails.
Learn why unencrypted AWS Elasticsearch/OpenSearch domains are a risk, how to enable encryption at rest, and how to prevent it with policy as code.