Blog

AWS Security & compliance for regulated Australia

Practitioner guides on APRA CPS 234, CPS 230 and the Essential Eight on AWS — plus deep dives on Kafka, CDP, Spark and Big Data operations.

AWS Security · 2 min read

Fix: Unencrypted S3, EBS and RDS (Encryption at Rest)

Encryption-at-rest findings come in bulk and are easy to clear with account defaults — so they should never be the thing that's still red at audit. Here's the one-time fix per service.

AWS Security · 2 min read

Fix: CloudTrail Not Multi-Region or Missing Log File Validation

If CloudTrail isn't multi-region with log file validation on, you have a blind spot and no proof your logs are untampered. Both are direct audit findings. Here's the fix.

AWS Security · 2 min read

Fix: Security Groups Open to 0.0.0.0/0 on SSH/RDP

A security group allowing the whole internet to reach port 22 or 3389 is the highest-blast-radius finding most environments have. Here's how to find them all and close them properly.

AWS Security · 2 min read

Fix: Root Account Without MFA and With Access Keys

The root user with no MFA, or with active access keys, is a top finding and a genuine crown-jewels risk. Here's the exact remediation and how to prove it stays fixed.

AWS Security · 2 min read

Fix: Public S3 Buckets Flagged by Prowler / Security Hub

Public S3 access is the most common high-severity finding in any first scan. Here's the exact fix — account-wide and per-bucket — plus how to handle buckets that are public on purpose.

AWS Security · 3 min read

Prompt Injection on AWS Bedrock: How It Happens and How to Contain It

Prompt injection is the one genuinely new threat in a Bedrock app — and you can't fully prevent it. Here's how direct and indirect injection actually work, and the AWS controls that limit the damage.

AWS Security · 3 min read

CPS 234 Controls That Are Theatre (and What to Do Instead)

Some of what teams do in the name of CPS 234 is security theatre — effort that produces a checkbox and no risk reduction. Here are the worst offenders and where to spend that effort instead.

AWS Security · 3 min read

Automated Remediation on AWS: EventBridge + Lambda Done Safely

Auto-remediation is how you show APRA that gaps get closed, not just noticed. But auto-remediating the wrong finding breaks production. Here's the safe pattern — and what to never auto-fix.

AWS Security · 4 min read

Least-Privilege for AI Agents with AgentCore Identity

An AI agent that can call tools is a new kind of identity in your AWS account — one that can be talked into doing things. AgentCore Identity is how you bound what a hijacked agent can reach.

AWS Security · 3 min read

Building a CPS 234-Compliant Landing Zone with Control Tower

A CPS 234-aligned AWS foundation isn't a checklist you apply later — it's a baseline you bake in from account zero. Here's the security-baseline + guardrails approach, as Terraform.

AWS Security · 3 min read

Prowler vs Security Hub vs Config Conformance Packs for CPS 234 Evidence

Three AWS-native-ish ways to check your security posture, and teams waste money running all three badly. Here's which one to use for what — especially when the goal is CPS 234 audit evidence.

AWS Security · 3 min read

The CPS 234 72-Hour Notification Runbook on AWS

CPS 234 gives you 72 hours to notify APRA of a material incident. That's not a documentation task — it's an automated path from a GuardDuty finding to a decision. Here's how to build and test it.

AWS Security · 4 min read

Securing Hadoop/EMR on AWS — lessons from MNC scale

I spent 15+ years securing Kafka, Hadoop and CDP in production. Moving that to AWS EMR, the controls change but the questions don't. Here's what maps cleanly, what changes, and the trap teams fall into.

AWS Security · 3 min read

Essential Eight Maturity Level 3 on AWS

The ASD Essential Eight was written for on-prem Windows fleets. Here's what each of the eight mitigation strategies actually means when your workloads run on AWS — at Maturity Level 3.

AWS Security · 4 min read

IAM Policy Evaluation Logic — the diagram AWS should have made

"Why is this denied when I clearly allowed it?" The answer is the IAM evaluation order — six layers, and an explicit deny beats a hundred allows. Here's the mental model that ends the AccessDenied guessing.

AWS Security · 5 min read

Turning AWS Security Findings into APRA-Paragraph Narrative with Bedrock

Security tools produce findings. Boards and regulators want narrative evidence mapped to the standard. That translation is the real bottleneck in an APRA review — so I built a tool that does it with Amazon Bedrock, on Australian-resident inference.

AWS Security · 4 min read

Securing a Bedrock App End-to-End

Securing a generative-AI app on AWS Bedrock is mostly the security you already know — IAM, network, logging — plus one genuinely new threat class: prompt injection. Here's the full picture.

AWS Security · 3 min read

Prowler ThreatScore Explained: Risk-Weighted Cloud Security Scoring

ThreatScore is Prowler's answer to the 'every finding looks equally urgent' problem. It scores your environment across four areas weighted by real risk — here's how to read it.

AWS Security · 3 min read

Prowler 5 Full Setup in 2026 (CLI + Prowler Cloud)

Most Prowler tutorials predate version 5 and some are actively broken. Here's a clean 2026 setup for both the CLI and Prowler Cloud — without the dead ends.

AWS Security · 5 min read

The Agentic AI Security Scoping Matrix, Explained (with the CPS 234 Lens)

How much security does an AI agent need? It depends entirely on how much it can do on its own. AWS's new Agentic AI Security Scoping Matrix gives you the structure — here's how it works, and what it means for a regulated environment.

AWS Security · 4 min read

The Evidence an APRA Auditor Actually Asks For on AWS

Controls that work aren't the same as controls you can prove worked. Here's the exact AWS export that answers each thing an APRA auditor asks — and why a console screenshot fails every time.

AWS Security · 4 min read

From 500 Prowler Findings to a Plan You Can Actually Execute

Every Prowler tutorial shows you how to run a scan. Almost none show you what to do with the 500 findings it returns. Here's the triage method that turns a wall of red into a Monday-morning plan.

AWS Security · 3 min read

Deploy the AWS APRA CPG 234 Conformance Pack — and Read the Failures

AWS gives you a ready-made APRA CPG 234 conformance pack mapping 130 controls to 48 objectives. Deploying it takes ten minutes. Understanding the 40 failures it returns is the actual job.

AWS Security · 3 min read

CPS 230 Is Live: What Changed for Your AWS Environment

CPS 230 took effect 1 July 2025. It's an operational-resilience standard, not a security one — but it reaches straight into your AWS setup through service providers, critical operations, and CPS 234.

AWS Security · 5 min read

CPS 234 on AWS: Mapping Every Control to a Real AWS Service

A practitioner's mapping of every APRA CPS 234 requirement to the AWS service, Config rule, and audit evidence that satisfies it — and the one place most AWS environments fail.

CDP · 1 min read

Why Your YARN Containers Keep Getting OOM-Killed

The virtual memory check is unstable and platform-dependent. Here's exactly when to disable it and what to set instead.

Kafka · 2 min read

Kafka ACL Patterns That Actually Work in Production

Forget the textbook examples. Here are the ACL matrices we use at scale across multiple environments.