awsmatthttps://awsmatt.com/Recent content on awsmattHugoen-auSat, 25 Apr 2026 00:00:00 +0000D3FEND-AWS: Structured Defensive Mappings for the AWS Threat Technique Cataloghttps://awsmatt.com/posts/d3fend-aws-defensive-technique-mappings/Sat, 25 Apr 2026 00:00:00 +0000https://awsmatt.com/posts/d3fend-aws-defensive-technique-mappings/The AWS Threat Technique Catalog documents how attackers operate in AWS. D3FEND-AWS maps the defensive counterpart — what to detect, harden, and evict — as structured, machine-readable YAML. Open source on GitHub.Behavioural Detection with Automated Agents: The Future of Managed Detection & Responsehttps://awsmatt.com/posts/behavioural-detection-automated-agents-mdr/Mon, 20 Apr 2026 00:00:00 +0000https://awsmatt.com/posts/behavioural-detection-automated-agents-mdr/Rule-based detection has a ceiling. Behavioural profiling with automated agents catches what static rules miss — especially in cloud environments.SCPs and RCPs: Using Both to Close the Preventive Control Gaphttps://awsmatt.com/posts/scps-rcps-preventive-controls/Thu, 16 Apr 2026 00:00:00 +0000https://awsmatt.com/posts/scps-rcps-preventive-controls/Service Control Policies restrict what your principals can do. Resource Control Policies restrict what can be done to your resources. Most AWS organisations use one or neither. Here&rsquo;s why both matter.Correlating GuardDuty Findings with CloudTrail: The Signal Gap Most Teams Misshttps://awsmatt.com/posts/guardduty-cloudtrail-signal-gap/Tue, 10 Mar 2026 00:00:00 +0000https://awsmatt.com/posts/guardduty-cloudtrail-signal-gap/GuardDuty tells you something happened. CloudTrail tells you what happened next. Most teams treat these as separate workflows — and that gap is where attackers complete their objectives.IAM Privilege Escalation in AWS: The Paths Most Teams Misshttps://awsmatt.com/posts/iam-privilege-escalation-patterns/Tue, 03 Mar 2026 00:00:00 +0000https://awsmatt.com/posts/iam-privilege-escalation-patterns/Each step in an IAM privilege escalation chain looks like a routine API call. The attack only becomes visible when you trace the full sequence.AWS Security Researchhttps://awsmatt.com/posts/aws-security-research/Sun, 01 Mar 2026 00:00:00 +0000https://awsmatt.com/posts/aws-security-research/Introducing awsmatt.com — a home for AWS security research, tools, and practical guides.Backgroundhttps://awsmatt.com/background/Mon, 01 Jan 0001 00:00:00 +0000https://awsmatt.com/background/<p>Senior cybersecurity and cloud security leader with over 25 years&rsquo; experience across incident response, security architecture, and risk management. Focused on helping organisations secure their AWS environments through practical research, tooling, and hands-on guidance.</p> <h2 id="focus-areas">Focus Areas</h2> <ul> <li><strong>Cloud Security</strong> — AWS security architecture, misconfiguration detection, identity and access management</li> <li><strong>Incident Response</strong> — cloud-native IR, forensics in AWS, playbook development</li> <li><strong>Security Architecture</strong> — landing zone design, network segmentation, defence in depth</li> <li><strong>Identity &amp; Access Management</strong> — IAM policy analysis, privilege escalation paths, federation</li> <li><strong>Governance &amp; Compliance</strong> — security frameworks, risk management, audit readiness</li> </ul> <h2 id="selected-expertise">Selected Expertise</h2> <p><strong>Cloud Infrastructure</strong> AWS security services (GuardDuty, Security Hub, IAM Access Analyzer, CloudTrail, Config), infrastructure as code (Terraform, CloudFormation), container security, serverless security patterns.</p>