Athena Encryption Can Be Overridden: Enforce Workgroup Encryption
Learn why unenforced Athena workgroup encryption lets clients write plaintext query results to S3, and how to enforce it with CLI, Terraform, and CI gates.
Practical guides on security, cost, performance, reliability, and operations across AWS, Azure, and GCP.
592 posts — page 4 of 33
Learn why Azure VM Scale Sets need automatic instance repairs enabled, the outage risk of leaving it off, and how to fix it with CLI, Terraform, and Azure Policy.
Learn why GKE node pools on the default Compute Engine service account are a serious risk, plus step-by-step fixes, Terraform, and policy-as-code prevention.
Learn how to detect and remediate IAM users who can escalate to admin in AWS, with CLI fixes, permissions boundaries, SCPs, and CI/CD policy gates.
Learn why Azure API Management accepting TLS 1.0 or 1.1 is a security risk, and how to disable legacy protocols with CLI, Bicep, Terraform, and Azure Policy.
Learn why unencrypted EBS snapshots are a security risk, how to encrypt them with the AWS CLI, and how to enforce default EBS encryption with SCPs and IaC.
Learn why missing activity log alerts for Azure NSG changes is a security risk, plus CLI, Bicep, and Terraform steps to set up and enforce them.
Learn why empty AWS VPCs with no subnets or ENIs are a security and governance risk, plus CLI steps and policy-as-code to find, fix, and prevent them.
Learn why missing GCP VPC route change alerts are a security risk, plus step-by-step gcloud and Terraform fixes to detect route changes in real time.
Azure Key Vault keys without an expiration date stay valid forever. Learn the risks, how to set expiry with CLI and Terraform, and how to enforce it in CI/CD.
Learn how to detect and fix missing CloudWatch alarms for AWS Organizations changes (CIS 3.15), with CLI and Terraform remediation steps.
Learn why detached AWS internet gateways matter, how to find and remove orphaned IGWs, and how to prevent leaks with IaC and policy-as-code gates.
Learn why an Azure NSG allowing public Telnet on port 23 is a critical risk, plus step-by-step CLI, Terraform, and Azure Policy fixes to remediate it.
Learn why allow-all egress firewall rules in GCP are dangerous, how attackers exploit them for data exfiltration, and how to lock down outbound traffic.
Learn why a wildcard principal in a VPC endpoint policy is a data exfiltration risk, and how to scope, remediate, and prevent it with CLI, Terraform, and policy-as-code.
An expiring ACM certificate can break HTTPS and take your site down. Learn how to detect, renew, and automate AWS certificate renewal to avoid TLS outages.
Learn how to detect and fix ECR repository policies that grant cross-account access, why they create supply chain risk, and how to lock them down with IaC.
Learn why allowing IMDSv1 on EC2 exposes you to SSRF credential theft, and how to enforce IMDSv2 with CLI, Terraform, SCPs, and CI gates.