Cloud Security Resources
A curated list of resources I've found useful in the cloud security space — from getting started guides to newsletters, conferences, and people to follow.
If you’re interested in the field, I’d recommend checking them out.
Getting Started
- I’ve broken down a lot of the useful skills to build, and how to approach some of those, in my guide to breaking into cloud security.
- Rami McCarthy’s Extended AWS Security Ramp Up Guide is a learning and development guide for AWS security, published while he was at NCC Group.
Places to Hang Out
- Cloud Security Forum Slack Workspace — an open-invite Slack workspace where most of those active in the cloud security community hang out. It’s a goldmine of knowledge and a great place to get answers to obscure cloud security questions, or to bounce ideas off other people. Drop me a line on Twitter, or contact Scott Piper or most of the other active members of the cloud security community, and we can drop you an invite.
Knowledgebases
- Cloud Security Zotero Library — a library I maintain of tools, blog posts, articles and other content related to cloud security. Works best with the Zotero desktop client, but usable from the web client too.
- Secwiki.cloud — a cloud security knowledge base containing assessment methodologies, offensive techniques and defensive controls. Open sourced by WithSecure, with contents taken from our internal knowledge base.
- CloudSecDocs — a collection of notes and cheatsheets on cloud security, maintained by Marco Lancini.
- Hacking The Cloud — an encyclopedia of offensive cloud content, maintained by Nick Frichette.
- Toniblyx’s Arsenal of AWS Security Tools — a list of security tooling for AWS, maintained by Toni de la Fuente.
Guides and Frameworks
- The SummitRoute AWS Security Maturity Framework — Scott Piper’s AWS security maturity framework, designed to outline a path to securing your AWS estate.
- WithSecure’s Microsoft Azure Security Framework — how to get your Azure security right across a number of different areas of Azure, by Emilian Cebuc and Chris Philipov.
- On Establishing a Cloud Security Program by Marco Lancini is a great cloud-agnostic roadmap, and worth looking at if you’re working in a multi-cloud organisation in particular.
Keeping up to Date
- CloudSecList — a weekly digest of cloud security content by Marco Lancini.
- TL;DR Sec — not cloud-specific, but Clint Gibler’s security newsletter frequently includes a lot of useful content around Cloud, DevOps, DevSecOps, etc., and is well worth a read.
- Last Week in AWS — Corey Quinn’s AWS newsletter is a great way to keep up to date with the latest AWS news, and tends to be pretty amusing to boot.
Conferences
- fwd:cloudsec — by far the best of the cloud security-focused conferences. There’s always a ton of great content, and it’s run by some of the biggest names in cloud security. If you pay attention to one cloud conference, make it this one.
- DEF CON Cloud Village — the Cloud Village at DEF CON attracts a lot of attention, by virtue of being part of DEF CON. There’s often some good content there, but talks tend to vary a lot more in quality than at fwd:cloudsec in my experience.
People to Follow
I’ve found the following people to put out great content — they’re all well worth a follow. Many aren’t security people, but half the game here is keeping up with the cloud industry as a whole.
- Chris Farris (@jcfarris)
- Karl Fosaaen (@kfosaaen)
- Nick Frichette (@Frichette_n)
- Matt Fuller (@matthewdfuller)
- Brad Geesaman (@bradgeesaman)
- Clint Gibler (@clintgibler)
- Daniel Grzelak (@dagrz)
- Kelsey Hightower (@kelseyhightower)
- Houston Hopkins (@hhopk)
- Ben Kehoe (@ben11kehoe)
- Rami McCarthy (@ramimacisabird)
- Ian McKay (@iann0036)
- Kinnaird McQuade (@kmcquade3)
- Sean Metcalf (@PyroTek3)
- Rich Mogull (@rmogull)
- Scott Piper (@0xdabbad00)
- Corey Quinn (@QuinnyPig)
- Roberto Rodriguez (@Cyb3rWard0g)
- Kelly Shortridge (@swagitda_)
- Aidan Steele (@__steele)
- Kat Traxler (@NightmareJS)