AWS Security & compliance for regulated Australia
Practitioner guides on APRA CPS 234, CPS 230 and the Essential Eight on AWS — plus deep dives on Kafka, CDP, Spark and Big Data operations.
Fix: Unencrypted S3, EBS and RDS (Encryption at Rest)
Encryption-at-rest findings come in bulk and are easy to clear with account defaults — so they should never be the thing that's still red at audit. Here's the one-time fix per service.
Fix: CloudTrail Not Multi-Region or Missing Log File Validation
If CloudTrail isn't multi-region with log file validation on, you have a blind spot and no proof your logs haven't been tampered with. Both are direct audit findings. Here's the fix.
Fix: Security Groups Open to 0.0.0.0/0 on SSH/RDP
A security group allowing the whole internet to reach port 22 or 3389 is the highest-blast-radius finding most environments have. Here's how to find them all and close them properly.
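As an added example (not code from the post it summarises), the detection half of that finding: a check over the shape `ec2.describe_security_groups()` returns, written so the cases a naive string match misses still trip it, namely port 22 hidden inside a wider range, `IpProtocol: "-1"` (every port), and `::/0` on IPv6. The security groups below are constructed sample data; in a real account you would feed it the boto3 response instead.

```python
"""Find security-group rules that expose SSH (22) or RDP (3389) to the whole internet.

Added example; SAMPLE_GROUPS is constructed in the shape of
ec2.describe_security_groups()["SecurityGroups"], not real account data.
"""
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample: a classic open-22 rule, port 22 hidden inside a wide
# range on IPv6, a protocol -1 (all ports) rule, and one correctly scoped
# to a corporate CIDR (RFC 5737 documentation range).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0b2", "GroupName": "legacy-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0c3", "GroupName": "wide-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0d4", "GroupName": "admin-vpn", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]


def rule_covers_admin_port(perm):
    """Return the admin ports (22/3389) this permission entry reaches."""
    proto = perm.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports: no FromPort/ToPort keys
        return set(ADMIN_PORTS)
    if proto not in ("tcp", "6"):          # SSH and RDP are TCP; UDP/3389 is not RDP
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def rule_is_world_reachable(perm):
    """True if any IPv4 or IPv6 range in the rule is the whole internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    # Normalise through ip_network so the comparison is by value, not by spelling.
    return any(str(ip_network(c, strict=False)) in WORLD for c in cidrs)


def find_open_admin_ports(groups):
    """Return (GroupId, GroupName, port) for every world-reachable SSH/RDP exposure."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not rule_is_world_reachable(perm):
                continue
            for port in sorted(rule_covers_admin_port(perm)):
                findings.append((group["GroupId"], group["GroupName"], port))
    return findings


if __name__ == "__main__":
    for group_id, name, port in find_open_admin_ports(SAMPLE_GROUPS):
        print(f"{group_id} ({name}): port {port} open to the world")
```

Closing a hit is one call per rule (`aws ec2 revoke-security-group-ingress --group-id sg-... --protocol tcp --port 22 --cidr 0.0.0.0/0`); the `-1` case has to be revoked as the whole rule, not narrowed to a port, which is exactly why it is worth flagging separately.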
Fix: Root Account Without MFA and With Access Keys
The root user with no MFA, or with active access keys, is a top finding and a genuine crown-jewels risk. Here's the exact remediation and how to prove it stays fixed.
Fix: Public S3 Buckets Flagged by Prowler / Security Hub
Public S3 access is the most common high-severity finding in any first scan. Here's the exact fix — account-wide and per-bucket — plus how to handle buckets that are public on purpose.
Prompt Injection on AWS Bedrock: How It Happens and How to Contain It
Prompt injection is the one genuinely new threat in a Bedrock app — and you can't fully prevent it. Here's how direct and indirect injection actually work, and the AWS controls that limit the damage.
CPS 234 Controls That Are Theatre (and What to Do Instead)
Some of what teams do in the name of CPS 234 is security theatre — effort that produces a checkbox and no risk reduction. Here are the worst offenders and where to spend that effort instead.
Automated Remediation on AWS: EventBridge + Lambda Done Safely
Auto-remediation is how you show APRA that gaps get closed, not just noticed. But auto-remediating the wrong finding breaks production. Here's the safe pattern — and what to never auto-fix.
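The gate that keeps that pattern safe, as an added example rather than code from the post: a Lambda handler that treats the Security Hub finding as a request to be authorised, not an instruction. It only acts on FAILED, active, unsuppressed findings; it refuses outright to touch resource types whose "fix" cuts live traffic or locks people out (security groups, IAM principals and policies, KMS keys), routing those to a ticket; and it runs in dry-run by default, returning the exact API call it would have made. The event shape follows the Security Hub "Findings - Imported" EventBridge event (ASFF findings under `detail.findings`); the sample findings and the two allowlisted control IDs (S3.8, CloudTrail.4) are assumptions for illustration, as is the `DRY_RUN` variable name.

```python
"""Allowlist-gated auto-remediation for Security Hub findings (EventBridge -> Lambda).

Added example, not code from the original post. SAMPLE_EVENT is constructed;
the control IDs in SAFE_REMEDIATIONS are assumed for illustration. With
DRY_RUN unset (the default) nothing is executed, so the module runs offline.
"""
import os

# Findings we are willing to auto-fix: idempotent, reversible settings that
# do not cut live traffic. Control ID -> the ASFF resource type it applies to.
SAFE_REMEDIATIONS = {
    "S3.8": "AwsS3Bucket",                # bucket-level Block Public Access
    "CloudTrail.4": "AwsCloudTrailTrail", # log file validation
}
# Resource types whose "fix" can take down production or lock people out:
# always a ticket, never an automatic revoke/delete/detach.
NEVER_AUTO_FIX = {"AwsEc2SecurityGroup", "AwsIamUser", "AwsIamRole",
                  "AwsIamPolicy", "AwsKmsKey"}


def plan_remediation(control, resource_id):
    """Return (service, method, kwargs) for the boto3 call that fixes the finding."""
    if control == "S3.8":
        bucket = resource_id.split(":::")[-1]          # arn:aws:s3:::name -> name
        return ("s3", "put_public_access_block", {
            "Bucket": bucket,
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}})
    if control == "CloudTrail.4":
        return ("cloudtrail", "update_trail",
                {"Name": resource_id, "EnableLogFileValidation": True})
    raise ValueError(f"no remediation registered for {control}")


def decide(finding):
    """Gate one ASFF finding into 'skip', 'ticket' or 'remediate' (with the plan)."""
    compliance = finding.get("Compliance", {})
    if compliance.get("Status") != "FAILED":
        return {"action": "skip", "reason": "not a FAILED finding"}
    if (finding.get("RecordState") != "ACTIVE"
            or finding.get("Workflow", {}).get("Status") == "SUPPRESSED"):
        return {"action": "skip", "reason": "archived or suppressed"}
    resource = finding["Resources"][0]
    rtype, rid = resource["Type"], resource["Id"]
    if rtype in NEVER_AUTO_FIX:
        return {"action": "ticket", "reason": f"{rtype} changes need a human"}
    control = compliance.get("SecurityControlId", "")
    if SAFE_REMEDIATIONS.get(control) != rtype:
        return {"action": "ticket", "reason": f"{control} is not on the allowlist"}
    service, method, kwargs = plan_remediation(control, rid)
    return {"action": "remediate", "control": control,
            "call": f"{service}.{method}", "kwargs": kwargs}


def lambda_handler(event, context=None):
    """EventBridge entry point. Executes only when DRY_RUN=false is set explicitly."""
    dry_run = os.environ.get("DRY_RUN", "true").lower() == "true"
    decisions = []
    for finding in event.get("detail", {}).get("findings", []):
        decision = decide(finding)
        if decision["action"] == "remediate" and not dry_run:
            import boto3  # deferred: not needed in dry-run
            service, method = decision["call"].split(".")
            getattr(boto3.client(service), method)(**decision["kwargs"])
        decisions.append({"id": finding.get("Id"), **decision})
    return decisions


def _finding(fid, control, status, rtype, rid, workflow="NEW"):
    """Build a minimal constructed ASFF finding."""
    return {"Id": fid, "RecordState": "ACTIVE", "Workflow": {"Status": workflow},
            "Compliance": {"Status": status, "SecurityControlId": control},
            "Resources": [{"Type": rtype, "Id": rid}]}


# Constructed sample event: one safe fix, one never-auto-fix, one already
# passing, one safe fix on a trail.
SAMPLE_EVENT = {"detail-type": "Security Hub Findings - Imported", "detail": {"findings": [
    _finding("f-1", "S3.8", "FAILED", "AwsS3Bucket", "arn:aws:s3:::public-bucket"),
    _finding("f-2", "EC2.19", "FAILED", "AwsEc2SecurityGroup",
             "arn:aws:ec2:ap-southeast-2:111122223333:security-group/sg-0a1"),
    _finding("f-3", "S3.8", "PASSED", "AwsS3Bucket", "arn:aws:s3:::private-bucket"),
    _finding("f-4", "CloudTrail.4", "FAILED", "AwsCloudTrailTrail",
             "arn:aws:cloudtrail:ap-southeast-2:111122223333:trail/org-trail"),
]}}
```

The allowlist is the control: adding a control ID to `SAFE_REMEDIATIONS` is a reviewed change, and the dry-run output is what you show the change board before flipping `DRY_RUN=false`.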
Least-Privilege for AI Agents with AgentCore Identity
An AI agent that can call tools is a new kind of identity in your AWS account — one that can be talked into doing things. AgentCore Identity is how you bound what a hijacked agent can reach.
Building a CPS 234-Compliant Landing Zone with Control Tower
A CPS 234-aligned AWS foundation isn't a checklist you apply later — it's a baseline you bake in from account zero. Here's the security-baseline + guardrails approach, as Terraform.
Prowler vs Security Hub vs Config Conformance Packs for CPS 234 Evidence
Three AWS-native-ish ways to check your security posture, and teams waste money running all three badly. Here's which one to use for what — especially when the goal is CPS 234 audit evidence.
The CPS 234 72-Hour Notification Runbook on AWS
CPS 234 gives you 72 hours to notify APRA of a material incident. That's not a documentation task — it's an automated path from a GuardDuty finding to a decision. Here's how to build and test it.
Securing Hadoop/EMR on AWS — lessons from MNC scale
I spent 15+ years securing Kafka, Hadoop and CDP in production. Moving that to AWS EMR, the controls change but the questions don't. Here's what maps cleanly, what changes, and the trap teams fall into.
Essential Eight Maturity Level 3 on AWS
The ASD Essential Eight was written for on-prem Windows fleets. Here's what each of the eight mitigation strategies actually means when your workloads run on AWS — at Maturity Level 3.
IAM Policy Evaluation Logic — the diagram AWS should have made
"Why is this denied when I clearly allowed it?" The answer is the IAM evaluation order — six layers, and an explicit deny beats a hundred allows. Here's the mental model that ends the AccessDenied guessing.
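The mental model, executable, as an added example that is not from the post: a deliberately simplified same-account evaluator covering four of the layers (identity-based, resource-based, SCP, permissions boundary; session policies and resource control policies are left out, and there is no condition or principal matching). It encodes the order that produces the surprises: an explicit Deny in any layer ends evaluation, an SCP or boundary that is present must itself Allow, and only then does an identity- or resource-based Allow count. The three sample policies are constructed.

```python
"""Toy model of IAM policy evaluation order.

Added example, not code from the original post. Simplified same-account
model: no Condition, no Principal matching, no session policies or RCPs.
Enough to show why "I clearly allowed it" still returns AccessDenied.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run, '?' one character; actions are case-insensitive.
    return fnmatchcase(value.lower(), pattern.lower())


def _statement_applies(stmt, action, resource):
    """True if the statement's Action/NotAction and Resource cover the request."""
    actions = _as_list(stmt.get("Action", []))
    not_actions = _as_list(stmt.get("NotAction", []))
    if actions and not any(_matches(a, action) for a in actions):
        return False
    if not_actions and any(_matches(a, action) for a in not_actions):
        return False
    return any(_matches(r, resource) for r in _as_list(stmt.get("Resource", "*")))


def evaluate_policy(policy, action, resource):
    """Return 'Allow', 'Deny' or None (no statement matched) for one policy document."""
    verdict = None
    for stmt in _as_list(policy.get("Statement", [])):
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # one matching Deny settles the whole policy
        verdict = "Allow"
    return verdict


def is_allowed(action, resource, identity=None, resource_policy=None,
               scp=None, boundary=None):
    """Apply the evaluation order across layers; return (allowed, reason)."""
    layers = {"identity": identity, "resource": resource_policy,
              "scp": scp, "boundary": boundary}
    verdicts = {name: evaluate_policy(p, action, resource)
                for name, p in layers.items() if p is not None}
    # 1. An explicit Deny anywhere beats every Allow.
    for name, verdict in verdicts.items():
        if verdict == "Deny":
            return False, f"explicit deny in {name} policy"
    # 2. SCP and permissions boundary are filters: if present they must Allow,
    #    but an Allow there grants nothing on its own.
    for name in ("scp", "boundary"):
        if name in verdicts and verdicts[name] != "Allow":
            return False, f"implicit deny: no Allow in {name}"
    # 3. Something still has to grant it.
    if verdicts.get("identity") == "Allow" or verdicts.get("resource") == "Allow":
        return True, "allowed"
    return False, "implicit deny: no Allow in identity or resource policy"


# Constructed sample policies.
IDENTITY_S3_ADMIN = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCP_GUARDRAIL = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
BOUNDARY_READ_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}

if __name__ == "__main__":
    bucket = "arn:aws:s3:::audit-evidence"
    for act, kwargs in [
        ("s3:GetObject", dict(identity=IDENTITY_S3_ADMIN, scp=SCP_GUARDRAIL)),
        ("s3:DeleteBucket", dict(identity=IDENTITY_S3_ADMIN, scp=SCP_GUARDRAIL)),
        ("s3:PutObject", dict(identity=IDENTITY_S3_ADMIN, boundary=BOUNDARY_READ_ONLY)),
        ("ec2:StartInstances", dict(identity=IDENTITY_S3_ADMIN)),
    ]:
        print(act, is_allowed(act, bucket, **kwargs))
```

The second and third cases are the ones that generate the support tickets: the identity policy says `s3:*`, yet one is an explicit deny from the SCP and the other an implicit deny because the boundary never mentions `PutObject`. The reason string is the thing to log, since "AccessDenied" alone does not tell you which layer to fix.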
Turning AWS Security Findings into APRA-Paragraph Narrative with Bedrock
Security tools produce findings. Boards and regulators want narrative evidence mapped to the standard. That translation is the real bottleneck in an APRA review — so I built a tool that does it with Amazon Bedrock, on Australian-resident inference.
Securing a Bedrock App End-to-End
Securing a generative-AI app on AWS Bedrock is mostly the security you already know — IAM, network, logging — plus one genuinely new threat class: prompt injection. Here's the full picture.
Prowler ThreatScore Explained: Risk-Weighted Cloud Security Scoring
ThreatScore is Prowler's answer to the 'every finding looks equally urgent' problem. It scores your environment across four areas weighted by real risk — here's how to read it.
Prowler 5 Full Setup in 2026 (CLI + Prowler Cloud)
Most Prowler tutorials predate version 5 and some are actively broken. Here's a clean 2026 setup for both the CLI and Prowler Cloud — without the dead ends.
The Agentic AI Security Scoping Matrix, Explained (with the CPS 234 Lens)
How much security does an AI agent need? It depends entirely on how much it can do on its own. AWS's new Agentic AI Security Scoping Matrix gives you the structure — here's how it works, and what it means for a regulated environment.
The Evidence an APRA Auditor Actually Asks For on AWS
Controls that work aren't the same as controls you can prove worked. Here's the exact AWS export that answers each thing an APRA auditor asks — and why a console screenshot fails every time.
From 500 Prowler Findings to a Plan You Can Actually Execute
Every Prowler tutorial shows you how to run a scan. Almost none show you what to do with the 500 findings it returns. Here's the triage method that turns a wall of red into a Monday-morning plan.
Deploy the AWS APRA CPG 234 Conformance Pack — and Read the Failures
AWS gives you a ready-made APRA CPG 234 conformance pack mapping 130 controls to 48 objectives. Deploying it takes ten minutes. Understanding the 40 failures it returns is the actual job.
CPS 230 Is Live: What Changed for Your AWS Environment
CPS 230 took effect 1 July 2025. It's an operational-resilience standard, not a security one — but it reaches straight into your AWS setup through service providers, critical operations, and CPS 234.
CPS 234 on AWS: Mapping Every Control to a Real AWS Service
A practitioner's mapping of every APRA CPS 234 requirement to the AWS service, Config rule, and audit evidence that satisfies it — and the one place most AWS environments fail.
Why Your YARN Containers Keep Getting OOM-Killed
The virtual memory check is unstable and platform-dependent. Here's exactly when to disable it and what to set instead.
Kafka ACL Patterns That Actually Work in Production
Forget the textbook examples. Here are the ACL matrices we use at scale across multiple environments.