34 posts tagged with "Security"

Cloud and infrastructure security

AWS Control Tower — Set Up a Multi-Account Landing Zone

· 7 min read
Goel Academy
DevOps & Cloud Learning Hub

Your company started with one AWS account. Then someone needed a dev environment, so you made a second. Then staging. Then a sandbox for the data team. Now you have twelve accounts, each with different IAM policies, no consistent logging, and a security audit that makes everyone nervous. A landing zone is the fix — it's the foundational structure that makes multi-account AWS actually manageable instead of chaotic.

Kubernetes Production Readiness Checklist — 25 Things Before Going Live

· 9 min read
Goel Academy

You have built your app, containerized it, written the Kubernetes manifests, and it works great in staging. Now someone says "let's go to production" and suddenly you are wondering what you forgot. This checklist exists because every production incident I have seen traces back to skipping something obvious during setup.

Azure Landing Zones — Enterprise-Scale Architecture

· 7 min read
Goel Academy

You have been given the green light to migrate 200 workloads to Azure. You create a subscription, deploy a VNet, spin up a few VMs, and everything works. Six months later you have 47 subscriptions with overlapping IP ranges, no consistent naming, three different firewall configurations, and a security team that refuses to sign off on anything. Azure Landing Zones exist to prevent exactly this nightmare — they give you a prescriptive, battle-tested foundation before a single workload moves to the cloud.

Docker Image Optimization — Distroless, Scratch, and Alpine Compared

· 9 min read
Goel Academy

Every megabyte in your Docker image is attack surface you do not need, bandwidth you pay for, and startup time your users wait through. A default Node.js image weighs over 1 GB. The same application built on a distroless base can drop to 120 MB. This post walks through every base image option, shows real size comparisons, and gives you language-specific recommendations for building the smallest, most secure images possible.

Software Supply Chain Security — SBOM, Sigstore, and SLSA

· 8 min read
Goel Academy

In December 2020, attackers compromised SolarWinds' build pipeline and injected malicious code into a routine software update. 18,000 organizations — including the US Treasury, Department of Homeland Security, and Fortune 500 companies — installed the backdoored update without suspicion. The software was legitimately signed, passed all checks, and came through official channels. This is why supply chain security matters.

SELinux vs AppArmor — Mandatory Access Control Explained

· 8 min read
Goel Academy

That mysterious "Permission denied" when everything looks correct — SELinux is probably why. Every SRE has had the moment: file permissions are 777, the process runs as root, yet it still can't read the file. The reflex is to run setenforce 0 and move on. This post teaches you why that's dangerous and how to actually work with Mandatory Access Control.