I’ve found the following resources useful in my time in the cloud security space. If you’re interested in the field, I’d recommend checking them out.
Getting Started
- I’ve broken down a lot of the useful skills to build, and how to approach some of those, in my guide to breaking into cloud security.
- Rami McCarthy’s Extended AWS Security Ramp Up Guide is a learning and development guide for AWS security, published while he was at NCC Group.
Places to Hang Out
- Cloud Security Forum Slack Workspace - an open-invite Slack workspace where most of those active in the cloud security community hang out. It’s a goldmine of knowledge and a great place to get answers to obscure cloud security questions, or to bounce ideas off other people. Drop me a line on Twitter, or ask Scott Piper or most of the other active members of the cloud security community, and we can send you an invite.
Knowledge Bases
- Cloud Security Zotero Library - a library I maintain of tools, blog posts, articles and other content related to cloud security. Works best with the Zotero desktop client, but usable from the web client too.
- Secwiki.cloud - a cloud security knowledge base containing assessment methodologies, offensive techniques and defensive controls. Open sourced by WithSecure, contents taken from our internal knowledge base.
- CloudSecDocs - a collection of notes and cheatsheets on cloud security, maintained by Marco Lancini
- Hacking The Cloud - an encyclopedia of offensive cloud content, maintained by Nick Frichette
- Toniblyx’s Arsenal of AWS Security Tools - a list of security tooling for AWS, maintained by Toni de la Fuente
Guides and Frameworks
- The SummitRoute AWS Security Maturity Framework - Scott Piper’s AWS security maturity framework, designed to outline
- WithSecure’s Microsoft Azure Security Framework - how to get your Azure security right across a number of different areas of Azure, by Emilian Cebuc and Chris Philipov.
- On Establishing a Cloud Security Program by Marco Lancini is a great cloud-agnostic roadmap, and worth looking at if you’re working in a multi-cloud organization in particular.
Keeping up to Date
- CloudSecList - a weekly digest of cloud security content by Marco Lancini
- TL;DR Sec - Not cloud-specific, but Clint Gibler’s security newsletter frequently includes a lot of useful content around Cloud, DevOps, DevSecOps etc, and is well worth a read.
- Last Week in AWS - Corey Quinn’s AWS newsletter is a great way to keep up to date with the latest AWS news, and tends to be pretty amusing to boot.
Conferences
- fwd:cloudsec - by far the best of the cloud security-focused conferences. There’s always a ton of great content, and it’s run by some of the biggest names in cloud security. If you pay attention to one cloud conference, make it this one.
- DEF CON Cloud Village - the Cloud Village at DEF CON attracts a lot of attention, by virtue of being part of DEF CON. There’s often some good content there, but talks tend to vary a lot more in quality than at fwd:cloudsec in my experience.
People to Follow
I’ve found that the following people put out great content, and they’re all well worth a follow. Many aren’t security people, but half the game here is keeping up with the cloud industry as a whole, so they’re worth following for that if nothing else.
- Chris Farris - @jcfarris
- Karl Fosaaen - @kfosaaen
- Nick Frichette - @Frichette_n
- Matt Fuller - @matthewdfuller
- Brad Geesaman - @bradgeesaman
- Clint Gibler - @clintgibler
- Daniel Grzelak - @dagrz
- Kelsey Hightower - @kelseyhightower
- Houston Hopkins - @hhopk
- Ben Kehoe - @ben11kehoe
- Rami McCarthy - @ramimacisabird
- Ian McKay - @iann0036
- Kinnaird McQuade - @kmcquade3
- Sean Metcalf - @PyroTek3
- Rich Mogull - @rmogull
- Scott Piper - @0xdabbad00
- Corey Quinn - @QuinnyPig
- Roberto Rodriguez - @Cyb3rWard0g
- Kelly Shortridge - @swagitda_
- Aidan Steele - @__steele
- Kat Traxler - @NightmareJS