Skip to content

    Latest Posts

    Using Fugue to Protect Against the Apache Log4j Vulnerability on AWS

    Becki Lee

    Richard Park also contributed to this post. The Apache Log4j vulnerability known as Log4Shell (CVE-2021-44228) is a serious vulnerability that allows an attacker to execute arbitrary code on any server running the popular Apache Log4j Java logging library. It has a CVSS score of 10, the highest possible value, and should be addressed immediately.

    Read More

    6 Big AWS IAM Vulnerabilities – and How to Avoid Them

    Becki Lee

    What’s a cloud vulnerability? In the simplest terms, it’s an exploitable weakness in a cloud environment. Vulnerabilities are commonly caused by cloud resource misconfigurations and can lead to breaches and security failures — especially when the vulnerability is related to Identity and Access Management (IAM).

    Read More

    Securing an AWS Cloud Development Kit (CDK) App Using Regula and Open Policy Agent (OPA)

    Becki Lee

    This blog post was updated on December 15, 2021, to reflect version 2.20 of the AWS CDK. You may already know that Regula, Fugue's open-source policy engine that uses Open Policy Agent (OPA) for checking infrastructure as code (IaC), can evaluate Terraform and AWS CloudFormation templates for security issues. But did you know that you can use Regula to secure your AWS Cloud Development Kit (CDK) apps, too?

    Read More

    Checking AWS CloudFormation IaC Security with Regula [Tutorial]

    Becki Lee

    Regula, our open-source infrastructure as code (IaC) policy engine, now supports AWS CloudFormation. This means you can use Regula to perform static analysis of CloudFormation YAML or JSON templates for security vulnerabilities and compliance violations – including templates that use the Serverless Application Model. For instance, if a template declares an EBS volume that does not have encryption enabled, Regula’s report will show which template – and which specific resource – failed the check.

    Read More

    Cloud Network Security 101: Azure Service Endpoints vs. Private Endpoints

    Becki Lee

    Azure offers two similar but distinct services to allow virtual network (VNet) resources to privately connect to other Azure services. Azure VNet Service Endpoints and Azure Private Endpoints (powered by Azure Private Link) both promote network security by allowing VNet traffic to communicate with service resources without going over the internet, but there are some differences. This three-part blog series goes into detail about both services.

    Read More
    1 2
    Fugue Developer

    Free Cloud Security for Engineers

    • Visualize your cloud infrastructure
    • Run policy checks and get feedback
    • Detect change and eliminate misconfiguration
    GET STARTED CONTACT SALES