KMS Key Is Disabled and Unused: Stop Paying for Dead Encryption Keys
Disabled customer-managed KMS keys keep costing $1/month each. Learn how to find, verify, and safely delete unused AWS KMS keys, plus prevent the sprawl.
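The find/verify/delete triage that post describes, as an added example (this is not the post's own code). It works on the record shapes returned by `aws kms describe-key`, `aws kms list-aliases`, `aws kms list-grants` and `aws cloudtrail lookup-events`, but all records below are constructed inline so it runs offline; wiring it to boto3 or the CLI is left to the caller. The key IDs, account number and timestamps are made up.

```python
"""Triage disabled customer-managed KMS keys before scheduling deletion.

Added example, not code from the original post. Input shapes mirror the
KMS and CloudTrail APIs; the sample records are constructed, not real.
"""
from datetime import datetime, timedelta, timezone

# KMS calls that mean something is (or is trying to be) using the key for
# cryptography. Read-only calls such as DescribeKey or GetKeyPolicy are
# deliberately excluded: inventory and compliance tooling makes those all day.
USAGE_EVENTS = {
    "Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
    "GenerateDataKeyWithoutPlaintext", "GenerateDataKeyPair",
    "GenerateDataKeyPairWithoutPlaintext", "Sign", "Verify",
    "GetPublicKey", "GenerateMac", "VerifyMac",
}


def classify_key(meta, aliases, grants, events, now, lookback_days=90):
    """Return (status, reason) for one key.

    meta    : KeyMetadata dict as returned by describe-key
    aliases : alias names from list-aliases that target this key
    grants  : grants from list-grants on this key
    events  : CloudTrail events from lookup-events for this key's ARN
    """
    if meta["KeyManager"] != "CUSTOMER":
        return "skip", "AWS-managed key: not billed and cannot be deleted"
    state = meta["KeyState"]
    if state == "PendingDeletion":
        return "skip", "already scheduled for deletion (no longer billed)"
    if state != "Disabled":
        return "skip", f"state is {state}; only disabled keys are in scope"

    cutoff = now - timedelta(days=lookback_days)
    recent = sorted({e["EventName"] for e in events
                     if e["EventName"] in USAGE_EVENTS and e["EventTime"] >= cutoff})
    # A disabled key still appears in CloudTrail when a caller tries to use it
    # (the call fails with DisabledException). That is the strongest signal
    # that deleting the key would break a live workload, so check it first.
    if recent:
        return "review", f"usage attempts in last {lookback_days}d: {', '.join(recent)}"
    if aliases:
        return "review", "aliases still point at it: " + ", ".join(aliases)
    if grants:
        return "review", f"{len(grants)} grant(s) still attached"
    return "candidate", "disabled, unreferenced, no usage attempts"


def triage(keys, aliases_by_key, grants_by_key, events_by_key, now):
    """Classify every key; returns {KeyId: (status, reason)}."""
    return {
        m["KeyId"]: classify_key(m, aliases_by_key.get(m["KeyId"], []),
                                 grants_by_key.get(m["KeyId"], []),
                                 events_by_key.get(m["KeyId"], []), now)
        for m in keys
    }


def deletion_candidates(result):
    return sorted(k for k, (status, _) in result.items() if status == "candidate")


def schedule_deletion_commands(candidates, pending_days=30):
    """Emit reversible deletions. KMS accepts a 7-30 day window; use the
    longest so a missed consumer still has time to surface, and cancel with
    `aws kms cancel-key-deletion` if it does."""
    if not 7 <= pending_days <= 30:
        raise ValueError("PendingWindowInDays must be between 7 and 30")
    return [f"aws kms schedule-key-deletion --key-id {k} "
            f"--pending-window-in-days {pending_days}" for k in candidates]


# ---- constructed sample inventory (fake account, fake key IDs) -------------
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ACCOUNT = "123456789012"
KEY_A, KEY_B, KEY_C = "0a1b2c3d-0000-4000-8000-00000000000a", \
    "0a1b2c3d-0000-4000-8000-00000000000b", "0a1b2c3d-0000-4000-8000-00000000000c"
KEY_D, KEY_E = "0a1b2c3d-0000-4000-8000-00000000000d", "0a1b2c3d-0000-4000-8000-00000000000e"


def _meta(key_id, manager, state):
    return {"KeyId": key_id, "KeyManager": manager, "KeyState": state,
            "Arn": f"arn:aws:kms:us-east-1:{ACCOUNT}:key/{key_id}"}


SAMPLE_KEYS = [
    _meta(KEY_A, "CUSTOMER", "Disabled"),         # dead: safe to schedule
    _meta(KEY_B, "CUSTOMER", "Disabled"),         # disabled but still aliased
    _meta(KEY_C, "AWS", "Enabled"),               # AWS-managed, out of scope
    _meta(KEY_D, "CUSTOMER", "PendingDeletion"),  # already handled
    _meta(KEY_E, "CUSTOMER", "Disabled"),         # something still calls it
]
SAMPLE_ALIASES = {KEY_B: ["alias/app/backups"]}
SAMPLE_GRANTS = {}
SAMPLE_EVENTS = {
    KEY_A: [{"EventName": "DescribeKey", "EventTime": NOW - timedelta(days=1)}],
    KEY_E: [{"EventName": "Decrypt", "EventTime": NOW - timedelta(days=10)}],
}

if __name__ == "__main__":
    verdicts = triage(SAMPLE_KEYS, SAMPLE_ALIASES, SAMPLE_GRANTS, SAMPLE_EVENTS, NOW)
    for key_id, (status, reason) in verdicts.items():
        print(f"{key_id}  {status:9s}  {reason}")
    for cmd in schedule_deletion_commands(deletion_candidates(verdicts)):
        print(cmd)
```

Only keys that come out as `candidate` get a deletion command; anything marked `review` needs a human to confirm the alias, grant or caller is truly dead. Note that the CloudTrail check is the part worth getting right: KMS has no "last used" attribute, and a key that is disabled but still being called is the one whose deletion turns a quiet $1/month into an outage.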
Practical guides on security, cost, performance, reliability, and operations across AWS, Azure, and GCP.
592 posts — page 8 of 33
Learn why GCP firewall rules allowing SSH from 0.0.0.0/0 are dangerous, how to remediate them with IAP and CLI commands, and how to prevent recurrence.
Learn why a missing CloudWatch alarm for AWS Config changes is a serious blind spot, and how to fix CIS 3.9 with CLI, Terraform, and policy-as-code.
Learn why unencrypted Azure VM data disks are a risk, how to apply customer-managed keys and Azure Disk Encryption, and how to enforce it with policy-as-code.
Learn why an Azure NSG rule exposing SQL Server port 1433 to the internet is dangerous, and how to fix and prevent it with CLI, Terraform, and policy.
Learn why CloudTrail trails should use a customer-managed KMS key, the risks of SSE-S3 defaults, and step-by-step CLI and Terraform fixes.
Idle EC2 instances waste money and create security risk. Learn how to detect, stop, right-size, and prevent unused AWS instances with CLI and policy-as-code.
Learn why public network access on Azure Service Bus namespaces is risky, how to lock it down with private endpoints and IP rules, and how to prevent regressions.
Learn why Azure PostgreSQL query duration logging matters, the risks of leaving log_duration off, and how to enable and enforce it with CLI, Terraform, and Azure Policy.
Learn why GCP Compute Engine VMs with automatic restart disabled risk silent outages, plus gcloud and Terraform fixes and CI policy gates to prevent drift.
Learn why disabled S3 versioning leaves your data unrecoverable, how to enable it via CLI, console, and Terraform, and how to enforce it in CI/CD.
Learn why your AWS root user needs a hardware MFA device instead of a virtual TOTP app, the attack scenarios it blocks, and step-by-step remediation.
Learn why unencrypted Amazon Neptune storage is a risk, how to migrate to a KMS-encrypted cluster, and how to enforce encryption with SCPs and CI/CD gates.
Learn why GCP Cloud Functions accepting plaintext HTTP are a security risk, and how to enforce HTTPS with gcloud, Terraform, and policy-as-code gates.
Learn why missing GCP IAM audit logging blinds your breach investigations, and how to enable Data Access logs across all services with gcloud and Terraform.
Learn why unencrypted SNS topics fail audits and expose data at rest, plus step-by-step KMS encryption fixes with CLI, Terraform, and policy-as-code gates.
Learn why an AWS WorkSpaces directory with no IP access control group is a serious risk, and how to fix and prevent it with CLI, Terraform, and policy-as-code.
Learn why unencrypted Amazon WorkSpaces volumes are a risk, how to rebuild them with KMS encryption, and how to enforce encryption with IaC and policy-as-code.