Blog
AWS Well-Architected best practices and Terraform security guides.
- General Pillar · Terraform Architecture Review Checklist (CIS-Mapped, 2026)
  A practitioner checklist for Terraform architecture reviews, organised by AWS Well-Architected Framework pillar and mapped to CIS AWS Foundations Benchmark v3.0.0 controls.
  2026-05-27 · 8 min read
- Guide · Compared · The Best Terraform Security Scanners in 2026 (Compared)
  An honest comparison of the leading Terraform security scanners in 2026: Checkov, tfsec, Trivy, KICS, Snyk IaC, Prowler, and ArchGuard. Pricing, coverage, output format, and when to use each.
  2026-05-27 · 15 min read
- Guide · Compared · The Best AWS Well-Architected Review Tools in 2026 (Compared)
  An honest comparison of AWS Well-Architected Review tools in 2026: AWS WA Tool, IaC Analyzer, Partner-led reviews, boutique consulting, and ArchGuard. When to use each.
  2026-05-27 · 14 min read
- General Pillar · Investor Due Diligence for a Series A AWS Startup: What Gets Flagged
  Series A technical DD now includes cloud infrastructure review. What reviewers flag in AWS environments — IAM debt, encryption gaps, cost opacity, absent monitoring — and how to get ahead of it with a Well-Architected review before DD begins.
  2026-05-23 · 10 min read
- Security Pillar · S3 Encryption in Terraform: What the AWS Well-Architected Framework Actually Requires
  SSE-S3 vs SSE-KMS vs SSE-C explained, why Checkov CKV_AWS_19 is not enough, and how to implement Well-Architected compliant S3 encryption in Terraform — with before/after HCL.
  2026-05-20 · 8 min read
- General Pillar · The New CTO's AWS Infrastructure Audit: What to Check in Week One
  A structured three-phase audit framework for CTOs inheriting AWS infrastructure: inventory, architecture quality review, and risk prioritisation — with a week-one checklist.
  2026-05-19 · 10 min read
- Security Pillar · IAM Is Where AWS Breaches Start: Seven Years of Incidents, Four Recurring Patterns
  Every major AWS-adjacent breach over the past seven years shares at least one of four IAM conditions. All four are visible in Terraform before deployment — and fixable.
  2026-05-12 · 11 min read
- Security Pillar · What Checkov Catches — and What It Misses
  Checkov is excellent at catching misconfigurations deterministically and fast. But it cannot evaluate blast radius, workload context, or cross-service patterns. This post explains exactly where that gap sits — with three real Terraform examples.
  2026-05-06 · 8 min read
- Security Pillar · The Five Terraform Misconfigurations That Fail an AWS Well-Architected Security Review
  Five specific Terraform patterns that consistently fail the AWS Well-Architected Security pillar — with HCL before/after examples you can fix today.
  2026-04-21 · 9 min read