The Department of "Yes, And": Rethinking Security Governance for Cloud Speed
2026-05-28
The Secure Velocity Report
Modernisation, Migration, and the CISSP Edge.
This article was originally published on LinkedIn as part of The Secure Velocity Report. You can read the original and subscribe to the weekly live feed here.
Issue #3 | Velocity via Automation: How Infrastructure as Code (IaC) Is Your Best Audit Tool
In the News: Weaponising the Copy-and-Paste Workflow
A recent report from Security Buzz, detailing research by Ontinue, exposes a highly sophisticated social engineering campaign targeting developer workstations:
"A fake Claude Code installation page promoted through sponsored search results delivered an undocumented credential stealer by mimicking a familiar developer workflow... Victims looking for Claude Code installation instructions were directed to a lookalike documentation page and told to run a one-line PowerShell command... Ontinue found that the installer file appeared benign. A direct request to the site’s /install.ps1 URL returned what looked like a legitimate Claude Code installation script. But the command shown on the webpage was different. According to the researchers, the malicious PowerShell instruction was embedded in the page’s HTML rather than in the installer file." — Security Buzz
The Secure Velocity Take: This attack is a masterpiece of deception because it targets the way modern engineers work. We are culturally conditioned to copy a one-line command (such as an irm | iex pipeline, which downloads a script and executes it in a single step) straight from a documentation page into a terminal.
Because the hosted script file at /install.ps1 was entirely clean, automated URL scanners and security tools that fetched it saw no threat. The malicious instruction existed purely in the HTML rendered on the victim's screen, so what the victim actually pasted was not what the scanner inspected; the payload was a credential stealer capable of bypassing browser encryption.
If your engineering teams are still treating cloud infrastructure as a series of manual setup steps, copy-pasting commands on their local workstations, you are wide open to this brand of supply chain poisoning.
Moving Beyond "Copy-Paste" Engineering
During an AWS Migration Acceleration Program (MAP) engagement, velocity is everything. Teams are under immense pressure to spin up resources, test configurations, and move workloads out of legacy environments.
When humans are under pressure, they take shortcuts. They look for lookalike documentation, copy installation scripts from search results, and click around the AWS Management Console to "just get it working."
This creates a chaotic environment where no one truly knows what has been deployed, who deployed it, or what credentials have been stored locally.
The antidote to this risk isn't tighter restriction or locking down terminal access—it is Infrastructure as Code (IaC).
IaC: Your Continuous Security Auditor
When you treat your infrastructure purely as software—written in Terraform, OpenTofu, or AWS Cloud Development Kit (CDK)—you remove the human element from the deployment pipeline. IaC isn’t just an efficiency mechanism; it is your strongest security control.
Here is how a fully automated pipeline turns IaC into a continuous audit tool:
1. Security Analysis Before the Deploy
If a developer wants to deploy an AWS resource, they don't do it from their workstation terminal. They submit a pull request. Your CI/CD pipeline then automatically runs static analysis tools (like Checkov or tfsec) against the code.
The Audit Win: The pipeline catches overly permissive IAM roles, unencrypted S3 buckets, or public security groups before they are ever provisioned in AWS.
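One way to implement the pre-deploy check in step 1, as an added illustration rather than Checkov's or tfsec's own code: a small policy gate over the JSON that `terraform show -json` emits for a saved plan. It assumes the planned_values.root_module.resources layout of that output, the older AWS provider's inline server_side_encryption_configuration block on aws_s3_bucket, and a constructed sample plan embedded inline.

```python
import json
# Constructed sample of `terraform show -json` output: one unencrypted bucket,
# one encrypted bucket, one security group open to the world, one wildcard policy.
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "values": {"bucket": "acme-logs", "server_side_encryption_configuration": []}},
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
     "values": {"bucket": "acme-data", "server_side_encryption_configuration": [
         {"rule": [{"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]}]}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                             "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": None}]}},
    {"address": "aws_iam_policy.admin", "type": "aws_iam_policy",
     "values": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
]}}})

def _as_list(x):
    """IAM JSON allows a single string or a list for Action/Resource/Statement."""
    return x if isinstance(x, list) else [] if x is None else [x]

def check_plan(plan_json):
    """Return (address, finding) pairs for every policy violation in the plan."""
    findings = []
    root = json.loads(plan_json)["planned_values"]["root_module"]
    for r in root.get("resources", []):
        addr, rtype, v = r["address"], r["type"], r.get("values") or {}
        if rtype == "aws_s3_bucket" and not v.get("server_side_encryption_configuration"):
            findings.append((addr, "bucket has no server-side encryption configured"))
        elif rtype == "aws_security_group":
            for rule in v.get("ingress") or []:
                cidrs = _as_list(rule.get("cidr_blocks")) + _as_list(rule.get("ipv6_cidr_blocks"))
                if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
                    findings.append((addr, f"ingress {rule.get('from_port')}-{rule.get('to_port')} open to the internet"))
        elif rtype in ("aws_iam_policy", "aws_iam_role_policy"):
            for s in _as_list(json.loads(v.get("policy") or "{}").get("Statement")):
                if (s.get("Effect") == "Allow" and "*" in _as_list(s.get("Action"))
                        and "*" in _as_list(s.get("Resource"))):
                    findings.append((addr, "IAM statement allows every action on every resource"))
    return findings

def gate(plan_json):
    """CI verdict: 0 lets the deploy proceed, 1 fails the pull request."""
    findings = check_plan(plan_json)
    for addr, msg in findings:
        print(f"BLOCK {addr}: {msg}")
    return 1 if findings else 0
if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_PLAN))
```

In a real pipeline the plan would come from `terraform plan -out=tfplan` followed by `terraform show -json tfplan`, and the non-zero exit status is what marks the pull request as failed.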
2. Eliminate Workstation Trust
In a mature IaC model, developers do not have write access to Production or Staging environments from their local machines. They cannot accidentally run a malicious copy-pasted PowerShell script that alters your cloud perimeter, because the only entity with deployment privileges is the automated pipeline itself. A workstation can still be compromised, but credentials stolen from it no longer carry the right to change your cloud estate.
3. Eradicating "Configuration Drift"
Manual cloud setups suffer from "drift"—gradual, unlogged changes that happen when an engineer fixes a problem directly in the console at 2:00 AM. IaC allows you to run automated drift detection. If an environment diverges from the version-controlled code, the system alerts you or automatically overwrites the rogue change.
With my CISSP hat on: Traditional auditing is historical; it tells you what went wrong three months ago. IaC compliance is real-time and preventative. Your Git repository becomes the single, immutable source of truth for your entire cloud estate. If a change isn't documented in code, it simply doesn't exist.
The Governance Gap in Your SaaS Supply Chain
The fake Claude Code attack demonstrates a terrifying reality: threat actors are actively poisoning the tools and vendors that developers trust.
While you can lock down your internal AWS infrastructure using IaC pipelines, what happens when your developers want to onboard an external SaaS vendor or third-party API?
If your procurement and security teams are still sending out static 40-page Excel questionnaires to vet these vendors, you are using a legacy tool to fight a machine-speed war. If a lookalike website can fool automated URL scanners, a static spreadsheet stands absolutely no chance against an active vendor compromise.
Seeking Beta Partners: Vendor Assure
We built Vendor Assure to bridge the gap between internal cloud velocity and external supply chain risk. Just as IaC automates the continuous validation of your cloud code, Vendor Assure automates the continuous risk profiling of your third-party ecosystem.
It moves your business away from point-in-time security questionnaires and into a state of continuous, automated third-party assurance.
We are currently looking for three AWS-centric firms undergoing cloud modernisations to join our Beta programme. If you are ready to ditch manual spreadsheets and bring continuous visibility to your vendor supply chain, let's have a brief conversation.
👉 Join the Vendor Assure Beta Waitlist Here
Next Week: The AI Velocity Trap: Why Your AI Strategy Will Fail Without a Modernised AWS Infrastructure.