9 reference guides for anyone working with AWS Security
Over the past few days I started putting together a series of technical guides on AWS security covering everything from detection to attack, response, governance and threat modeling.
The goal was never to create content "copied from the documentation".
I wanted something closer to reality:
what actually happens in cloud environments, how attacks work, how to detect them, how to automate response and, most importantly, the why behind things.
So I organized the first batch into 9 guides:
Guide 1 — GuardDuty in depth: finding types + multi-account
A real deep dive into GuardDuty.
Not just "how to enable it", but:
- finding types
- difference between suspicious behavior and compromise
- multi-account integration
- delegated administrator
- security centralization in AWS Organizations
- EventBridge for automation
Because enabling GuardDuty without understanding the findings is almost like using antivirus without looking at alerts.
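As an added example (not code from the guide), here is the EventBridge side of that: a rule pattern that forwards only High/Critical GuardDuty findings, plus a small re-implementation of EventBridge pattern matching so the rule can be exercised offline against constructed findings. The triage split by threat purpose is this example's own opinion about which finding families usually mean "already compromised" rather than "someone is probing"; it is not a GuardDuty field.

```python
"""Route GuardDuty findings with an EventBridge rule and triage them by type.

Added example (not code from the guide). HIGH_SEVERITY_RULE is real
EventBridge event-pattern syntax; `matches` is a small re-implementation of
the pattern semantics this rule uses (exact match, `numeric`, `prefix`), so
the rule can be exercised offline against constructed findings.
"""
import json

# EventBridge rule pattern: GuardDuty findings of severity 7.0 and above
# (High and Critical). Register with: aws events put-rule --event-pattern file://p.json
HIGH_SEVERITY_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}]},
}

# A finding type reads ThreatPurpose:Resource/ThreatFamily.Detection!Artifact.
# These threat purposes normally mean "something is already running or leaving",
# not merely "someone is poking". This split is the example's triage opinion.
COMPROMISE_PURPOSES = {
    "Backdoor", "CryptoCurrency", "Trojan", "Exfiltration",
    "Impact", "Persistence", "PrivilegeEscalation", "Execution",
}

_NUMERIC_OPS = {
    ">": lambda v, b: v > b, ">=": lambda v, b: v >= b,
    "<": lambda v, b: v < b, "<=": lambda v, b: v <= b, "=": lambda v, b: v == b,
}


def _match_leaf(rules, value):
    """Pattern list vs event value: EventBridge ORs the entries in the list."""
    for rule in rules:
        if isinstance(rule, dict):
            if "numeric" in rule and isinstance(value, (int, float)):
                ops = rule["numeric"]  # e.g. [">", 0, "<=", 5]
                if all(_NUMERIC_OPS[op](value, bound)
                       for op, bound in zip(ops[::2], ops[1::2])):
                    return True
            elif "prefix" in rule and isinstance(value, str):
                if value.startswith(rule["prefix"]):
                    return True
        elif rule == value:
            return True
    return False


def matches(pattern, event):
    """True if every key in the pattern matches the event (keys are ANDed)."""
    for key, rules in pattern.items():
        if key not in event:
            return False
        if isinstance(rules, dict):  # nested object: recurse
            if not isinstance(event[key], dict) or not matches(rules, event[key]):
                return False
        elif not _match_leaf(rules, event[key]):
            return False
    return True


def triage(finding_event):
    purpose = finding_event["detail"]["type"].split(":", 1)[0]
    return "likely-compromise" if purpose in COMPROMISE_PURPOSES else "suspicious"


def route(events, pattern=HIGH_SEVERITY_RULE):
    """(finding type, triage label) for each event the rule would forward."""
    return [(e["detail"]["type"], triage(e)) for e in events if matches(pattern, e)]


def _gd(finding_type, severity):
    # Constructed GuardDuty Finding event, trimmed to the fields the rule uses.
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding",
            "detail": {"accountId": "111111111111", "type": finding_type,
                       "severity": severity}}


SAMPLE_EVENTS = [  # constructed
    _gd("Recon:EC2/PortProbeUnprotectedPort", 2),
    _gd("UnauthorizedAccess:EC2/SSHBruteForce", 2),
    _gd("Discovery:S3/MaliciousIPCaller", 8),
    _gd("Backdoor:EC2/C&CActivity.B!DNS", 8),
    _gd("CryptoCurrency:EC2/BitcoinTool.B!DNS", 8),
    {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification",
     "detail": {"state": "running"}},
]

if __name__ == "__main__":
    print(json.dumps(HIGH_SEVERITY_RULE, indent=2))
    for finding_type, label in route(SAMPLE_EVENTS):
        print(f"{label:18} {finding_type}")
```

Note that severity and threat purpose are different axes: `Discovery:S3/MaliciousIPCaller` is High but still only tells you someone is looking, while `Backdoor:EC2/C&CActivity.B!DNS` at the same severity means an instance is already talking to a C2 domain. A rule keyed on severity alone puts both in the same queue; the triage label is what decides whether the responder isolates the instance first or investigates first.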
Guide 2 — Security Hub: ASFF + cross-account aggregation + EventBridge
This guide dives into the part many people ignore:
ASFF, the AWS Security Finding Format.
It also covers:
- cross-account aggregation
- automation with EventBridge
- finding normalization
- integration between security services
In practice, this is where security starts becoming a platform.
Guide 3 — Offensive security: IAM privilege escalation
Probably one of the most critical topics in AWS.
This guide shows:
- privilege escalation paths
- PassRole abuse
- dangerous policies
- misconfigured trust policies
- persistence via IAM
And most importantly:
how small mistakes turn into full account compromise.
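An added example (not code from the guide) of what "small mistakes" means in policy terms: a checker that flags the well-known IAM escalation paths (PassRole into compute, policy-version and attach/put-policy abuse, access-key minting, trust-policy rewrites) in an identity policy, and a second check that flags anonymous or unconditioned cross-account trust in a role's trust policy. The policy documents are constructed. Resource and Condition scoping on identity statements is deliberately not evaluated, so a hit means "look closer", not "exploitable as-is".

```python
"""Spot IAM privilege-escalation paths in identity and trust policies.

Added example, not code from the guide. The escalation paths are the
well-known ones; the policy documents below are constructed. Resource and
Condition on identity statements are NOT evaluated, and NotAction is ignored.
"""
import fnmatch

# (label, set of actions that together give the path)
ESCALATION_PATHS = [
    ("iam:PassRole + lambda:CreateFunction/InvokeFunction (run code as a role you pick)",
     {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"}),
    ("iam:PassRole + ec2:RunInstances (boot an instance with a privileged profile)",
     {"iam:PassRole", "ec2:RunInstances"}),
    ("iam:CreatePolicyVersion (rewrite an attached managed policy)", {"iam:CreatePolicyVersion"}),
    ("iam:SetDefaultPolicyVersion (activate a broader old version)", {"iam:SetDefaultPolicyVersion"}),
    ("iam:AttachUserPolicy (attach AdministratorAccess to a user)", {"iam:AttachUserPolicy"}),
    ("iam:AttachRolePolicy (attach AdministratorAccess to a role)", {"iam:AttachRolePolicy"}),
    ("iam:PutUserPolicy (inline admin policy on a user)", {"iam:PutUserPolicy"}),
    ("iam:PutRolePolicy (inline admin policy on a role)", {"iam:PutRolePolicy"}),
    ("iam:CreateAccessKey (mint keys for a more privileged user)", {"iam:CreateAccessKey"}),
    ("iam:UpdateAssumeRolePolicy (rewrite a role's trust policy)", {"iam:UpdateAssumeRolePolicy"}),
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statements(doc):
    return _as_list(doc.get("Statement", []))


def granted_actions(policy_doc, candidates):
    """Subset of `candidates` the policy grants: Allow minus explicit Deny,
    IAM wildcards ('*', '?') honoured, case-insensitive."""
    allow, deny = set(), set()
    for stmt in _statements(policy_doc):
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        bucket = allow if stmt.get("Effect") == "Allow" else deny
        bucket.update(a for a in candidates
                      if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))
    return allow - deny


def find_escalation_paths(policy_doc):
    candidates = set().union(*(needed for _, needed in ESCALATION_PATHS))
    granted = granted_actions(policy_doc, candidates)
    return [label for label, needed in ESCALATION_PATHS if needed <= granted]


def trust_policy_issues(trust_doc, own_account_id):
    """Who can assume the role? Flags anonymous and unconditioned cross-account trust."""
    issues = []
    for stmt in _statements(trust_doc):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(a.startswith("sts:") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        cond = stmt.get("Condition", {})
        cond_keys = {k.lower() for operator in cond.values() for k in operator}
        for p in aws:
            if p == "*" and not cond:
                issues.append("Principal '*' without Condition: anyone with AWS credentials can assume the role")
            elif p.startswith("arn:aws:iam::") and own_account_id not in p \
                    and "sts:externalid" not in cond_keys:
                issues.append(f"cross-account principal {p} without sts:ExternalId condition (confused-deputy risk)")
    return issues


DEV_DEPLOY_POLICY = {  # constructed: "just lets developers ship Lambdas"
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["lambda:*", "logs:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"},
    ],
}
POLICY_ADMIN_LITE = {  # constructed: a wildcard that looks narrow and is not
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:*Policy*", "Resource": "*"}],
}
VENDOR_TRUST = {  # constructed trust policy for a third-party account
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}],
}

if __name__ == "__main__":
    for name, doc in [("dev-deploy", DEV_DEPLOY_POLICY), ("admin-lite", POLICY_ADMIN_LITE)]:
        print(name, find_escalation_paths(doc))
    print("vendor trust", trust_policy_issues(VENDOR_TRUST, "111111111111"))
```

The "dev deploy" policy is the classic case: `lambda:*` plus an unscoped `iam:PassRole` lets a developer create a function that runs as any role in the account, including one with AdministratorAccess. The fix is to constrain `iam:PassRole` with a `Resource` ARN (and ideally `iam:PassedToService`), which is exactly the scoping this checker leaves out, so treat its output as a worklist rather than a verdict.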
Guide 4 — Amazon Inspector v2: agentless scanning + ECR + Lambda
Many people still think Inspector is just EC2 scanning.
In this guide I explored:
- agentless scanning
- container analysis in ECR
- Lambda scanning
- vulnerability correlation
- prioritization based on exposure
The interesting part is seeing how much Inspector has evolved in recent years.
Guide 5 — AWS Config + Conformance Packs: Custom Rules + Automatic Remediation
Here the focus was governance and automation.
Including:
- Config Rules
- Conformance Packs
- custom rules
- auto-remediation with SSM Automation
- continuous compliance
Because manual security doesn't scale.
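As an added example (not code from the guide) of a custom rule, here is a Lambda-backed AWS Config rule that marks a security group NON_COMPLIANT when a blocked port (SSH by default) is open to the world. It assumes the function is registered as a custom rule triggered on configuration changes for AWS::EC2::SecurityGroup; the decision logic is kept separate from the `put_evaluations` call so it runs offline, and the invocation events are constructed to mirror what Config sends.

```python
"""AWS Config custom rule (Lambda): security groups open to the world on a port.

Added example, not code from the guide. The event shape follows what AWS
Config sends to a configuration-change-triggered custom rule; the sample
invocations are constructed with make_event().
"""
import json


def _world_open_ranges(permission):
    # Config records both "ipRanges" (plain CIDR strings) and "ipv4Ranges"
    # ({"cidrIp": ...}) on a security-group configuration item; accept either.
    ranges = set(permission.get("ipRanges", []))
    ranges |= {r.get("cidrIp") for r in permission.get("ipv4Ranges", [])}
    ranges |= {r.get("cidrIpv6") for r in permission.get("ipv6Ranges", [])}
    return {r for r in ranges if r in ("0.0.0.0/0", "::/0")}


def _covers_port(permission, port):
    proto = permission.get("ipProtocol")
    if proto == "-1":          # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    lo, hi = permission.get("fromPort"), permission.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def evaluate(configuration_item, rule_parameters):
    """Pure decision: returns (ComplianceType, Annotation)."""
    port = int(rule_parameters.get("blockedPort", 22))
    if configuration_item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    if configuration_item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE", "resource deleted"
    cfg = configuration_item.get("configuration") or {}
    for perm in cfg.get("ipPermissions", []):
        open_to = _world_open_ranges(perm)
        if open_to and _covers_port(perm, port):
            return "NON_COMPLIANT", f"tcp/{port} open to {', '.join(sorted(open_to))}"
    return "COMPLIANT", f"no world-open rule on tcp/{port}"


def build_evaluation(event):
    """Turn a Config invocation into the Evaluation dict put_evaluations expects."""
    invoking = json.loads(event["invokingEvent"])
    ci = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, note = evaluate(ci, params)
    return {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance,
        "Annotation": note,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    evaluation = build_evaluation(event)
    import boto3  # imported here so the decision logic above runs without boto3
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_event(ip_permissions, blocked_port=22, resource_id="sg-0123456789abcdef0"):
    """Constructed Config invocation for a configuration-change-triggered rule."""
    return {
        "invokingEvent": json.dumps({
            "messageType": "ConfigurationItemChangeNotification",
            "configurationItem": {
                "resourceType": "AWS::EC2::SecurityGroup",
                "resourceId": resource_id,
                "configurationItemStatus": "OK",
                "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
                "configuration": {"ipPermissions": ip_permissions},
            },
        }),
        "ruleParameters": json.dumps({"blockedPort": str(blocked_port)}),
        "resultToken": "constructed-token",
    }


if __name__ == "__main__":
    open_ssh = [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]}]
    print(build_evaluation(make_event(open_ssh)))
```

The NON_COMPLIANT result is what the auto-remediation piece hangs off: a remediation configuration on the rule can invoke an SSM Automation document (the AWS-managed `AWS-DisablePublicAccessForSecurityGroup` fits this particular finding) with the resource ID as the target, which is the "continuous compliance" loop in practice. Returning NOT_APPLICABLE for deleted resources matters too; otherwise stale NON_COMPLIANT evaluations linger after the group is gone.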
Guide 6 — Exfiltration via S3 + flaws2.cloud
This guide turned out really well because it mixes attack and defense.
Exploring:
- data exfiltration via S3
- classic permission mistakes
- enumeration
- abuse paths
- lab using flaws2.cloud
This is the kind of content that helps you see risks beyond the "public bucket".
Guide 7 — Advanced CloudTrail: Organization Trail, Log Integrity and Lake SQL
CloudTrail is one of the most underrated AWS services.
In this guide I explored:
- Organization Trail
- Log File Integrity
- CloudTrail Lake
- SQL queries
- investigation
- centralized auditing
Because incident response without a reliable trail becomes guesswork.
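As an added example (not code from the guide) of what "log file integrity" checks mechanically: the hash half of `aws cloudtrail validate-logs`. CloudTrail's hourly digest files list each delivered log object with its SHA-256 `hashValue`, and each digest carries `previousDigestHashValue` for the digest before it, so the chain can be walked backwards. The log files and digests below are constructed in memory instead of read from S3, and the RSA signature CloudTrail stores in the digest object's S3 metadata is not verified here.

```python
"""Check CloudTrail log-file integrity the way validate-logs does, minus the signature.

Added example, not code from the guide. The digest layout (logFiles[].hashValue,
previousDigestHashValue) follows CloudTrail digest files; the log files and
digests below are constructed in memory rather than fetched from S3.
"""
import gzip
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gz_json(obj) -> bytes:
    # mtime=0 keeps the gzip header, and therefore the hash, reproducible.
    return gzip.compress(json.dumps(obj, sort_keys=True).encode(), mtime=0)


def verify_digest(digest, s3_objects, previous_digest_bytes=None):
    """Return a list of problems (empty means the digest's claims hold).

    s3_objects maps S3 keys to the raw (gzipped) bytes stored in the bucket.
    Every listed log file must exist and hash to its hashValue, and
    previousDigestHashValue must equal the hash of the previous digest file.
    """
    problems = []
    for lf in digest["logFiles"]:
        data = s3_objects.get(lf["s3Object"])
        if data is None:
            problems.append(f"missing log file {lf['s3Object']}")
        elif sha256_hex(data) != lf["hashValue"]:
            problems.append(f"hash mismatch for {lf['s3Object']} (modified or replaced)")
    if previous_digest_bytes is not None:
        if digest.get("previousDigestHashValue") != sha256_hex(previous_digest_bytes):
            problems.append("digest chain broken: previousDigestHashValue does not match")
    return problems


# ---- constructed trail: two log files, two chained digests ----------------
ACCOUNT = "111111111111"
LOG_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail/us-east-1/2024/01/01/"
DIGEST_PREFIX = f"AWSLogs/{ACCOUNT}/CloudTrail-Digest/us-east-1/2024/01/01/"

LOG_A_KEY = LOG_PREFIX + f"{ACCOUNT}_CloudTrail_us-east-1_20240101T0000Z_aaaa.json.gz"
LOG_B_KEY = LOG_PREFIX + f"{ACCOUNT}_CloudTrail_us-east-1_20240101T0100Z_bbbb.json.gz"
LOG_A = gz_json({"Records": [{"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"}}]})
LOG_B = gz_json({"Records": [{"eventName": "StopLogging",
                              "eventSource": "cloudtrail.amazonaws.com"}]})


def _digest(key, log_key, log_bytes, previous=None):
    d = {"awsAccountId": ACCOUNT, "digestS3Bucket": "trail-bucket", "digestS3Object": key,
         "logFiles": [{"s3Bucket": "trail-bucket", "s3Object": log_key,
                       "hashValue": sha256_hex(log_bytes), "hashAlgorithm": "SHA-256"}]}
    if previous is not None:
        prev_key, prev_bytes = previous
        d.update(previousDigestS3Object=prev_key,
                 previousDigestHashValue=sha256_hex(prev_bytes),
                 previousDigestHashAlgorithm="SHA-256")
    return d


DIGEST_1_KEY = DIGEST_PREFIX + f"{ACCOUNT}_CloudTrail-Digest_us-east-1_20240101T010000Z.json.gz"
DIGEST_2_KEY = DIGEST_PREFIX + f"{ACCOUNT}_CloudTrail-Digest_us-east-1_20240101T020000Z.json.gz"
DIGEST_1 = _digest(DIGEST_1_KEY, LOG_A_KEY, LOG_A)
DIGEST_1_BYTES = gz_json(DIGEST_1)
DIGEST_2 = _digest(DIGEST_2_KEY, LOG_B_KEY, LOG_B, previous=(DIGEST_1_KEY, DIGEST_1_BYTES))

BUCKET = {LOG_A_KEY: LOG_A, LOG_B_KEY: LOG_B, DIGEST_1_KEY: DIGEST_1_BYTES}


def check_chain():
    """Walk digest 2 -> digest 1 over the untouched bucket; returns problems found."""
    previous = BUCKET[DIGEST_2["previousDigestS3Object"]]
    return verify_digest(DIGEST_2, BUCKET, previous) + verify_digest(DIGEST_1, BUCKET)


def check_tampered():
    """Same bucket, but an attacker rewrote log B to hide the StopLogging call."""
    tampered = dict(BUCKET)
    tampered[LOG_B_KEY] = gz_json({"Records": []})
    return verify_digest(DIGEST_2, tampered, tampered[DIGEST_1_KEY])


if __name__ == "__main__":
    print("intact:  ", check_chain())
    print("tampered:", check_tampered())
```

An attacker who can write to the bucket could also edit `hashValue` in the digest to match the rewritten log, which is why the real `aws cloudtrail validate-logs --trail-arn <arn> --start-time <time>` additionally verifies each digest's signature against the public keys from `aws cloudtrail list-public-keys`. The hash check catches sloppy tampering; the signature check is what makes the chain evidence.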
Guide 8 — Amazon Macie: Sensitive Data Discovery + Suppression Rules
This guide goes deep into data protection.
Covering:
- sensitive data discovery
- automatic classification
- PII
- suppression rules
- finding tuning
- integration with security and compliance
Especially useful for environments subject to GDPR or other data-privacy regulations.
Guide 9 — Threat Modeling in AWS Workloads: STRIDE + IAM Lateral Movement
Perhaps the most strategic guide of all.
The idea was to show how to think about security before an incident happens.
Including:
- STRIDE
- threat modeling
- lateral movement in IAM
- trust boundaries
- cross-service abuse
- offensive mindset applied to architecture
Because many flaws are born in the design, not in the implementation.
The goal of the 9 guides:
At the end of the day, my goal was to create something I would actually use day-to-day in AWS environments.
No superficial content.
No "copy and paste ready-made architecture".
Just cloud security the way it happens in practice.
The guides are public on GitHub: