I’ve found the following resources useful in my time in the cloud security space. If you’re interested in the field, I’d recommend checking them out.
- I’ve broken down a lot of the useful skills to build, and how to approach some of those, in my guide to breaking into cloud security.
- Rami McCarthy’s Extended AWS Security Ramp Up Guide is a learning and development guide for AWS security, published while he was at NCC Group.
Places to Hang Out
- Cloud Security Forum Slack Workspace - an open invite slack workspace where most of those active in the cloud security community hang out. It’s a goldmine of knowledge and a great place to get answers to obscure cloud security questions, or to bounce ideas off other people. Drop me a line on twitter, or Scott Piper or most of the other active members of the cloud security community, and we can drop you an invite.
- Cloud Security Zotero Library - a library I maintain of tools, blog posts, articles and other content related to cloud security. Works best with the Zotero desktop client, but usable from the web client too.
- CloudSecDocs - a collection of notes and cheatsheets on cloud security, maintained by Marco Lancini
- Hacking The Cloud - an encyclopedia of offensive cloud content, maintained by Nick Frichette
- Toniblyx’s Arsenal of AWS Security Tools - a list of security tooling for AWS, maintained by Toni de la Fuente
Guides and Frameworks
- The SummitRoute AWS Security Maturity Framework - Scott Piper’s AWS security maturity framework, designed to outline
- WithSecure’s Microsoft Azure Security Framework - how to get your Azure security right across a number of different areas of Azure, by Emilian Cebuc and Chris Philipov.
- On Establishing a Cloud Security Program by Marco Lancini is a great cloud-agnostic roadmap, and worth looking at if you’re working in a multi-cloud organization in particular.
Keeping up to Date
- CloudSecList - a weekly digest of cloud security content by Marco Lancini
- TL;DR Sec - Not cloud-specific, but Clint Gibler’s security newsletter frequently includes a lot of useful content around Cloud, DevOps, DevSecOps etc, and is well worth a read.
- Last Week in AWS - Corey Quinn’s AWS newsletter is a great way to keep up to date with the latest AWS news, and tends to be pretty amusing to boot.
- fwd:cloudsec - by far the best of the cloud security-focused conferences. There’s always a ton of great content, and it’s run by some of the biggest names in cloud security. If you pay attention to one cloud conference, make it this one.
- DEF CON Cloud Village - the Cloud Village at DEF CON attracts a lot of attention, by virtue of being part of DEF CON. There’s often some good content there, but talks tend to vary a lot more in quality than at fwd:cloudsec in my experience.
People to Follow
I’ve found the following people to put out great content, they’re all well worth a follow. Many aren’t security people, but half the game here is keeping up with the cloud industry as a whole, so worth it for that if nothing else
- Chris Farris - @jcfarris
- Karl Fosaaen - @kfosaaen
- Nick Frichette - @Frichette_n
- Matt Fuller - @matthewdfuller
- Brad Geesaman - @bradgeesaman
- Clint Gibler - @clintgibler
- Daniel Grzelak - @dagrz
- Kelsey Hightower - @kelseyhightower
- Houston Hopkins - @hhopk
- Ben Kehoe - @ben11kehoe
- Rami McCarthy - @ramimacisabird
- Ian McKay - @iann0036
- Kinnaird McQuade - @kmcquade3
- Sean Metcalf - @PyroTek3
- Rich Mogull - @rmogull
- Scott Piper - @0xdabbad00
- Corey Quinn - @QuinnyPig
- Roberto Rodriguez - @Cyb3rWard0g
- Kelly Shortridge - @swagitda_
- Aidan Steele - @__steele
- Kat Traxler - @NightmareJS