C.Ellyson-tech career blueprint
@techwithellyson.bsky.social
AWS Cloud Sec Engineer | purple teamer | stakeholder | documenting | helping beginners start their journey without confusion https://techellyson.gumroad.com/l/vmhbv
A strong IAM setup:
User → MFA enforced
Role → Least privilege
Access → Logged and monitored
February 13, 2026 at 8:04 PM
CloudTrail records every API call. If someone changes a security group at 2AM, you should know.
February 13, 2026 at 4:03 PM
GuardDuty uses threat intelligence and behavior analysis to detect suspicious activity in your AWS environment. Turn it on. Always.
February 13, 2026 at 8:00 AM
Bastion hosts should allow SSH only from your IP, not 0.0.0.0/0. Convenience is the enemy of security.
February 12, 2026 at 8:02 PM
You can restrict S3 access so it only works from your VPC. Even stolen credentials won’t help an attacker outside your network.
February 12, 2026 at 4:04 PM
Security Groups should reference other Security Groups. That way only approved workloads can talk to each other.
February 12, 2026 at 8:01 AM
Micro-segmentation in AWS = Multiple subnets + strict SG rules + NACL filtering. Layers matter.
February 11, 2026 at 8:01 PM
Zero Trust = Assume breach. Design so that if one server is compromised, the attacker can’t move sideways easily.
February 11, 2026 at 1:01 PM
AWS PrivateLink keeps traffic inside AWS’s backbone network. No public internet = smaller attack surface.
February 11, 2026 at 8:01 AM
If your S3 bucket is reachable from the public internet, it’s not Zero Trust. Use VPC Endpoints and lock it down.
February 10, 2026 at 8:01 PM
Least privilege in IAM means giving access to one action on one resource, not “*” because it’s easier.
February 10, 2026 at 4:02 PM
An IAM policy that says "Action": "*" is not permission management — it’s surrender.
February 10, 2026 at 8:00 AM
Zero Trust in AWS isn’t about one tool — it’s about designing your network so nothing is trusted by default. Every request must prove it belongs.
February 9, 2026 at 8:00 PM
Your VPC is the foundation of Zero Trust on AWS. If your network is flat, you’ve already lost. Segmentation is everything.
February 9, 2026 at 4:03 PM
Public subnet = exposure. Private subnet = protection. If your database sits in a public subnet, that’s not cloud… that’s chaos.
February 9, 2026 at 8:00 AM
Security Groups are your instance-level firewalls. Only allow traffic from specific security groups, not IP ranges, whenever possible.
February 8, 2026 at 8:00 PM
Network ACLs work at the subnet level. Think of them as a second security guard checking traffic before it even reaches your servers.
February 8, 2026 at 3:02 PM
AWS projects like this turn theory into real defensive architecture.
February 7, 2026 at 8:01 PM
Automated daily backups using AWS Backup — no manual work, no excuses.
February 7, 2026 at 4:01 PM
If you’re not testing your backup restore process, you’re gambling.
February 7, 2026 at 8:00 AM
Ransomware playbook: encrypt → delete backups. My setup breaks step 2.
February 6, 2026 at 8:02 PM
Security lesson: Prevention is great. Recovery is survival.
February 6, 2026 at 4:03 PM
Designing for failure is what makes systems resilient. Backups are step one.
February 6, 2026 at 8:01 AM
Cloud security tip: Separate backup access roles from admin roles. Limit blast radius.
February 5, 2026 at 8:03 PM
Immutable storage is the seatbelt of cloud security. You hope you never need it.
February 5, 2026 at 4:02 PM