Best practices and deep dives into cloud security — from zero trust architectures to WAF configurations and penetration testing.
18 articles in this seriesAWS KMS can technically sign with asymmetric keys, but it speaks REST — not PKCS#11. For PKI workloads that need HSM-backed signing, key export, and multi-tenant isolation, CloudHSM's Crypto User model gives you partition-equivalent isolation without legacy constraints.
Your AI agent has access to tools that perform real actions -- approving expenses, querying databases, modifying infrastructure. Prompt-based guardrails don't survive adversarial inputs. Here's how AgentCore Gateway + Cedar policies create a deterministic enforcement layer that operates independently of the agent's reasoning.
AWS released the Agent Toolkit for AWS on May 6, 2026 -- a managed MCP server exposing the full AWS API surface to autonomous agents. I shipped an infrastructure agent the same week. Here's the two-phase safety pattern that lets you hand an agent the keys to your account without waking up to a $10K bill.
Your board asks 'is our data safe in the cloud?' The answer is not yes or no — it is a classification decision that maps each workload to the right control tier. Here is the framework, with the metadata exposure gap most teams miss.
Your CFO asks 'is our cloud well-run?' You need one dashboard, eight numbers, and zero jargon. Here is the framework: 4 money KPIs + 4 risk KPIs = Trust. With specific formulas, targets, and what to explicitly exclude.
Anthropic just dropped a model that autonomously finds and exploits zero-days in every major OS and browser. Then they built an industry coalition to use it defensively. Here's why this changes everything.
AWS Verified Access is a strong ZTNA solution for internal users, but it breaks down for external contractors and partners on unmanaged devices. Here's a hybrid architecture that closes the gap with AppStream 2.0.
Enterprise teams invest in best-of-breed CSPM tools and still face critical IAM incidents. The gap isn't tooling — it's security governance. Here's how native AWS services fill it.
How to map the ANSSI AD tiering model onto AWS, why Managed AD may not be enough for Tier 0, and which AWS security services close the compliance gaps.
Step-by-step guide to configuring a custom subdomain with Route 53 and securing an AWS Lightsail instance with a free TLS certificate using Let's Encrypt and Certbot.
A practical guide to replacing a third-party CA with ACM exportable public certificates — covering pricing, automation patterns, industry validity changes, and the gotchas nobody mentions.
AWS KMS doesn't allow key material export by design. When an external PKI partner generates keys but doesn't retain them, you're stuck. Here are the four AWS alternatives — CloudHSM, XKS, Private CA, and fixing the process — with a decision framework to pick the right one.
A deep architectural comparison of four open-source frameworks that turn messaging apps into AI assistant interfaces — from a 349-file TypeScript monolith to a 10MB Go binary that runs on a $10 board.
A deep dive into the multi-agent architecture behind AWS Security Agent's automated penetration testing — from specialized agent swarms to assertion-based validation.
A deep dive into World Monitor — an open-source intelligence dashboard that aggregates 150+ feeds, 40+ geospatial layers, and AI-powered analysis into a real-time situational awareness platform. What OSINT is, how these platforms work under the hood, and why it matters now more than ever.
When your security team says 'make it private', they usually mean 'make it secure.' This post compares four approaches — VPC privatization, WAF IP allowlisting, CloudFront + auth hardening, and AWS Verified Access — and explains why Zero Trust beats network perimeters for internal applications.
How to architect a secure, multi-tenant SFTP service across AWS accounts using Transfer Family, NLB, Transit Gateway, and per-partner S3 isolation.
XKS protects key material from extraction, but does it protect against legal compulsion to use those keys? Updated with AWS European Sovereign Cloud (GA January 2026).
Deep dives into artificial intelligence, large language models, transformers, embeddings, and the core concepts powering modern AI systems.
25 articlesPatterns, services, and architectural decisions for building on AWS — including Bedrock, SageMaker, Transfer Family, and more.
49 articlesExploring the frontier of autonomous AI agents — multi-agent systems, RAG pipelines, and agentic frameworks like Strands.
13 articles