u/Cloudaware_CMDB

▲ 3 r/Cloud

need help with cloud security strategy for multi-cloud

I’m working on our cloud security strategy right now and honestly getting a bit stuck on what should actually go into the document.

My org has around 1000 people, mostly AWS, some Azure, and Kubernetes in the mix, and multiple engineering teams deploying independently. At this point the problem feels less like cloud security and more like trying to keep IAM, logging, guardrails, vulnerability management, and ownership remotely consistent across environments that evolved separately for years.

There’s a lot of advice out there, but a lot of it feels like strategy-slide material or AI shit that nobody uses.

Curious from people running similar environments: what did you include in your cloud security strategy that actually proved useful? Would appreciate real examples.

u/Cloudaware_CMDB — 19 hours ago
▲ 3 r/Cloud

How much cloud security automation is actually useful?

I’m looking deeper into cloud security automation frameworks right now and honestly there’s a huge amount of tooling and terminology around this space.

CNAPP, CSPM, CWPP, CIEM, policy-as-code, IaC scanning, SOAR, auto-remediation, agentic remediation, continuous compliance… in practice not all of it seems worth the operational overhead to implement and maintain.

Would especially appreciate examples around:

  • OPA/Rego or Sentinel
  • Terraform / IaC scanning
  • SCPs / Azure Policy / Org Policy
  • drift detection
  • CIEM / identity sprawl
  • auto-remediation
  • compliance evidence/audit workflows
  • CNAPP consolidation
  • Kubernetes security automation
u/Cloudaware_CMDB — 4 days ago

How much cloud security automation is actually useful?

I’m looking deeper into cloud security automation frameworks right now and honestly there’s a huge amount of tooling and terminology around this space.

CNAPP, CSPM, CWPP, CIEM, policy-as-code, IaC scanning, SOAR, auto-remediation, agentic remediation, continuous compliance… in practice not all of it seems worth the operational overhead to implement and maintain.

Would especially appreciate examples around:

  • OPA/Rego or Sentinel
  • Terraform / IaC scanning
  • SCPs / Azure Policy / Org Policy
  • drift detection
  • CIEM / identity sprawl
  • auto-remediation
  • compliance evidence/audit workflows
  • CNAPP consolidation
  • Kubernetes security automation
u/Cloudaware_CMDB — 7 days ago
▲ 38 r/aws

I’m going through and tightening up our AWS security baseline right now, and there are a ton of best practices out there. But in reality, not all of them are worth the effort to implement and maintain.

Curious from people running real workloads: what AWS security practices have actually paid off for you? What do you consider non-negotiable or just nice to have?

Would appreciate your examples.

u/Cloudaware_CMDB — 25 days ago