Why We Built Native Security Without an Agent
Adding another agent to enforce security policies on a cloud account that already has security policies is the problem, not the solution.
Practical writing on cloud-native security, IaC policy enforcement, and the gap between security policies and what actually runs in your cloud.
An SCP that doesn't cover every account in an OU is a gap your auditor will find. Here is how to systematically enumerate unattached policies across your AWS Organization.
NIST CSF 2.0 added a Govern function and expanded the scope of Protect. Several of the new controls have direct cloud-native analogs in AWS, Azure, and GCP.
Most IAM hardening happens at the resource level. The organization boundary is a coarser but more powerful enforcement surface that most teams underuse.
CloudFormation Hooks let you run custom logic before a stack create/update is applied. Combined with SCP evaluation, they give you a deterministic gate before infrastructure changes reach AWS APIs.
When the same workload runs in AWS and Azure, maintaining consistent policy enforcement across both control planes requires deliberate design — not hoping the two systems agree.
CC6 covers logical and physical access controls. Several of those controls map directly to SCP conditions you can write today. Here is a working reference for the mapping.
CSPM as a category has drifted from its original meaning. Clarifying what the term covers — and what it doesn't — helps teams pick the right tools for the actual gaps they have.
You can wire SCP evaluation into your GitHub Actions pipeline using only AWS APIs and a Python script. Here is exactly how — and where the approach breaks down at scale.
Azure lets you bundle policies into initiatives and assign them at management group scope. Understanding the assignment model is the prerequisite to enforcing anything at scale.
If your SCP denies s3:PutBucketPublicAccess and your Terraform tries to set it — what happens? The answer depends on exactly where in the call chain the SCP condition fires.
Google Cloud ships Organization Policy constraints by default. Most teams never look at them. Here's what they control and how to start using them before your next audit.
Security documentation and security enforcement are different things. Here's the mental model we use to think about the gap — and why bridging it matters more than adding new controls.
SCPs exist in your org. Your security policy document says they're enforced. But when did you last test what they actually block? Most teams haven't — and the gap is predictable.