Posts

I worked with Barak Schoster to build Cloudsplaining’s IAM Scanning logic into Checkov so you can enforce least privilege in Terraform code.

A cheatsheet of SQL queries to use in CloudQuery to identify public network endpoints in AWS.

Short tutorial to set up recurring Prowler scans in AWS

Worried about AWS IAM permissions that allow you to access data (like S3 objects, CodeCommit code, others) or return credentials in their response? I’ve updated my list of these potentially dangerous API calls and you can read about them here.

How to abuse Azure Resource hierarchy and tenant-wide service principals so you can watch the world burn.

Salesforce engineering interviewed me, Jacob Kaplan Moss (co-creator Django), and Carol Willing (Member of the Steering Council for Python) about each project’s type of governance, how we make changes, and how governance affects our communities.

From the ‘Accidental Maintainer’ series by Salesforce Engineering. In this blog post, I share my experience with writing and maintaining two open source tools. I also share some of the strategies I’ve used for building a community around these tools, which are now staples in OSS tooling for AWS security.

My techniques and strategies for quitting nicotine - documented here to help others who also struggle while quitting.

This tutorial covers building secure AWS AMIs with Packer. We go over building the prerequisite infrastructure to create EC2 AMIs from scratch, how to use the example hardening scripts for CentOS, and how to validate the testing with Amazon Inspector.

Introduction to Policy Sentry, an easy way to create least privilege policies by copying/pasting ARNs into a YAML file.