Shared Responsibility Model
Understanding who is responsible for what:
| Cloud Provider | Customer |
|---|---|
| Physical infrastructure | Data classification |
| Network infrastructure | Identity & access management |
| Hypervisor | Application security |
| Global network security | OS patching (IaaS) |
IAM Best Practices
AWS IAM Policy (Least Privilege)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyS3Access",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```
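The policy above is least privilege because every Allow statement names specific actions and specific resource ARNs. The following is an added example, not code from the page, of a small linter that flags the usual departures from that pattern (wildcard actions, service-wide `service:*`, `NotAction`, unrestricted resources) in any IAM policy document; the sample policies embedded in it are constructed, the first one reproducing the page's policy.

```python
import json


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (sid, message) findings for Allow statements broader than least
    privilege. Deny statements only narrow access, so they are skipped."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or f"Statement[{i}]"
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((sid, "NotAction allows every action except those listed"))
        if "*" in actions:
            findings.append((sid, "Action '*' grants every API call"))
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append((sid, f"service-wide wildcard action {action}"))
        if "*" in resources or "NotResource" in stmt:
            findings.append((sid, "Resource is unrestricted"))
    return findings


def lint_policy_text(text):
    """Convenience wrapper for policy documents fetched as JSON text."""
    return lint_policy(json.loads(text))


def is_least_privilege(policy):
    return not lint_policy(policy)


# Constructed samples: the read-only policy from the page and a deliberately
# broad one that makes each check fire.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOnlyS3Access",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "S3Wild", "Effect": "Allow", "Action": ["iam:PassRole", "s3:*"],
         "Resource": "arn:aws:s3:::*"},
        {"Sid": "NotIam", "Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Sid": "DenyDel", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("page", PAGE_POLICY), ("broad", BROAD_POLICY)):
        for sid, msg in lint_policy(doc) or [("-", "no findings")]:
            print(f"{name}: {sid}: {msg}")
```

The checks are syntactic: a policy that passes can still be too broad for its purpose (for example `iam:PassRole` on a wide resource), so treat a clean result as a gate before review, not as approval.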
Azure RBAC (Terraform)
```hcl
resource "azurerm_role_assignment" "reader" {
  scope                = azurerm_resource_group.main.id
  role_definition_name = "Reader"
  principal_id         = data.azuread_user.developer.object_id
}
```
Key IAM Rules
- Enable MFA for all users (especially admins)
- Use roles/groups instead of individual permissions
- Rotate access keys every 90 days
- Never embed credentials in code
- Use temporary credentials (STS AssumeRole)
S3 Bucket Security
Secure S3 Configuration (Terraform)
```hcl
resource "aws_s3_bucket" "secure" {
  bucket = "my-secure-bucket"
}

# Block all public access
resource "aws_s3_bucket_public_access_block" "secure" {
  bucket                  = aws_s3_bucket.secure.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Enable encryption
resource "aws_s3_bucket_server_side_encryption_configuration" "secure" {
  bucket = aws_s3_bucket.secure.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
  }
}

# Enable versioning
resource "aws_s3_bucket_versioning" "secure" {
  bucket = aws_s3_bucket.secure.id
  versioning_configuration {
    status = "Enabled"
  }
}
```
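The four Public Access Block flags and the bucket policy interact: a policy with a `"Principal": "*"` grant is what makes a bucket public, and `restrict_public_buckets` is what neutralises such a grant if one slips through. As an added example (not code from the page), the function below classifies a bucket from those two inputs; the flag dictionaries mirror the Terraform argument names above, and the sample policies, the account id and the VPC endpoint id are constructed placeholders.

```python
def _as_list(value):
    """Bucket policies, like IAM policies, accept a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """'*' or {"AWS": "*"} means anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(bucket_policy):
    """Return (unconditional, gated) lists of Sids for Allow statements whose
    principal is public. A Condition (aws:SourceVpce, aws:SourceIp, ...) may
    narrow the grant but still needs review, so it is reported separately."""
    unconditional, gated = [], []
    for i, stmt in enumerate(_as_list(bucket_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid") or f"Statement[{i}]"
        (gated if stmt.get("Condition") else unconditional).append(sid)
    return unconditional, gated


def assess_exposure(public_access_block, bucket_policy):
    """Combine the Public Access Block flags (keys mirror the Terraform arguments
    on the page) with the bucket policy and classify the bucket."""
    unconditional, gated = public_statements(bucket_policy)
    if not unconditional and not gated:
        return "private"
    if public_access_block.get("restrict_public_buckets"):
        # With RestrictPublicBuckets on, a public policy only works for the
        # bucket owner and AWS service principals, so the grant is neutralised.
        return "blocked"
    return "public" if unconditional else "conditional"


# Constructed samples. PAB_ON matches the Terraform block on the page.
PAB_ON = {"block_public_acls": True, "block_public_policy": True,
          "ignore_public_acls": True, "restrict_public_buckets": True}
PAB_OFF = {key: False for key in PAB_ON}

PUBLIC_READ = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-secure-bucket/*"}]}

VPCE_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "FromVpce", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-secure-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]}

OWNER_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRole", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},  # placeholder account
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-secure-bucket/*"}]}

if __name__ == "__main__":
    for label, pab, pol in (("pab on, public policy", PAB_ON, PUBLIC_READ),
                            ("pab off, public policy", PAB_OFF, PUBLIC_READ),
                            ("pab off, vpce condition", PAB_OFF, VPCE_ONLY),
                            ("pab off, owner only", PAB_OFF, OWNER_ONLY)):
        print(f"{label}: {assess_exposure(pab, pol)}")
```

The function deliberately ignores ACLs; that is what `block_public_acls` and `ignore_public_acls` cover, and a full assessment also needs the account-level Public Access Block, which overrides the bucket-level one.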
Network Security
VPC Security Groups (AWS)
```hcl
resource "aws_security_group" "web" {
  name        = "web-sg"
  description = "Security group for web servers"
  vpc_id      = aws_vpc.main.id

  # Allow HTTPS from anywhere
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Allow SSH from the bastion security group only
  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }

  # All other inbound traffic is implicitly denied

  # Restrict outbound to HTTPS; declaring any egress block replaces the
  # provider's default allow-all egress rule, so nothing else leaves
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```
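Security groups drift as teams add rules, so the pattern above (web ports from the internet, administrative ports only from the bastion, narrow egress) is worth checking mechanically. The following is an added example, not part of the page, that audits rule dictionaries shaped like the Terraform `ingress`/`egress` blocks; the set of ports allowed from the internet and the bastion group id are assumptions for the example, and the sample rule lists are constructed.

```python
import ipaddress

# Assumption for this example: only these TCP ports may be reachable from the
# internet (the page's group opens 443 to 0.0.0.0/0).
WORLD_OK_TCP_PORTS = {80, 443}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def _is_world(cidr):
    """A prefix length of 0 (0.0.0.0/0 or ::/0) means the entire internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _world_cidrs(rule):
    cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
    return [c for c in cidrs if _is_world(c)]


def audit_ingress(rules):
    """Each rule is a dict shaped like a Terraform ingress block. Rules scoped
    to another security group or to a specific CIDR are accepted as-is."""
    findings = []
    for rule in rules:
        world = _world_cidrs(rule)
        if not world:
            continue
        proto = str(rule.get("protocol", "tcp"))
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        if proto == "-1":
            findings.append(f"all protocols and ports open to {world}")
            continue
        admin = [name for port, name in ADMIN_PORTS.items() if lo <= port <= hi]
        if admin:
            findings.append(f"{'/'.join(admin)} reachable from {world} ({proto} {lo}-{hi})")
        elif proto != "tcp" or any(p not in WORLD_OK_TCP_PORTS for p in range(lo, hi + 1)):
            findings.append(f"{proto} {lo}-{hi} open to {world}")
    return findings


def audit_egress(rules):
    """Flag allow-all egress; the page's group limits outbound traffic to HTTPS."""
    return [f"all outbound traffic allowed to {_world_cidrs(r)}"
            for r in rules if str(r.get("protocol")) == "-1" and _world_cidrs(r)]


# Constructed samples: the page's group, then a permissive one.
PAGE_INGRESS = [
    {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
    {"from_port": 22, "to_port": 22, "protocol": "tcp",
     "security_groups": ["sg-bastion-PLACEHOLDER"]},
]
PAGE_EGRESS = [
    {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
]
LOOSE_INGRESS = [
    {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
    {"from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]},
    {"from_port": 8080, "to_port": 8080, "protocol": "tcp", "ipv6_cidr_blocks": ["::/0"]},
    {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
]
LOOSE_EGRESS = [
    {"from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for label, rules in (("page ingress", PAGE_INGRESS), ("loose ingress", LOOSE_INGRESS)):
        print(label, audit_ingress(rules) or "ok")
    for label, rules in (("page egress", PAGE_EGRESS), ("loose egress", LOOSE_EGRESS)):
        print(label, audit_egress(rules) or "ok")
```

A port range that merely contains 22 or 3389 is reported as exposing SSH/RDP, which catches the common `0-65535` "temporary" rule; IPv6 `::/0` is treated the same as `0.0.0.0/0`.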
Logging & Monitoring
AWS CloudTrail (All API Calls)
```hcl
resource "aws_cloudtrail" "main" {
  name                          = "main-trail"
  s3_bucket_name                = aws_s3_bucket.logs.id
  include_global_service_events = true
  is_multi_region_trail         = true
  enable_log_file_validation    = true

  event_selector {
    read_write_type           = "All"
    include_management_events = true
  }
}
```
Critical Alerts to Configure
- Root account usage
- IAM policy changes
- Security group modifications
- Failed authentication attempts
- Public S3 bucket creation
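Each alert in the list maps to a small predicate over CloudTrail record fields (`userIdentity.type`, `eventSource`, `eventName`, `readOnly`, `responseElements`). As an added example that is not part of the page, the code below expresses the five alerts as such predicates and counts matches over newline-delimited records; the sample records are constructed and trimmed to the fields the rules read, and the exact set of event names treated as security-group or S3-exposure changes is an assumption to tune for your environment.

```python
import json
from collections import Counter


def _get(event, *path):
    """Safe nested lookup: _get(e, "userIdentity", "type")."""
    cur = event
    for key in path:
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


# Assumed event-name sets; extend to taste.
SG_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
             "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
             "CreateSecurityGroup", "DeleteSecurityGroup", "ModifySecurityGroupRules"}
S3_EXPOSURE_EVENTS = {"PutBucketAcl", "PutBucketPolicy",
                      "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock"}


def root_usage(e):
    return _get(e, "userIdentity", "type") == "Root"


def iam_policy_change(e):
    name = e.get("eventName", "")
    # Prefer CloudTrail's readOnly flag; fall back to the Get/List prefix when absent.
    read_only = e.get("readOnly", name.startswith(("Get", "List")))
    return e.get("eventSource") == "iam.amazonaws.com" and "Policy" in name and not read_only


def security_group_change(e):
    return e.get("eventSource") == "ec2.amazonaws.com" and e.get("eventName") in SG_EVENTS


def failed_authentication(e):
    return (e.get("eventName") == "ConsoleLogin"
            and _get(e, "responseElements", "ConsoleLogin") == "Failure")


def s3_exposure_change(e):
    return e.get("eventSource") == "s3.amazonaws.com" and e.get("eventName") in S3_EXPOSURE_EVENTS


# One rule per bullet in "Critical Alerts to Configure".
RULES = {
    "root account usage": root_usage,
    "IAM policy change": iam_policy_change,
    "security group modification": security_group_change,
    "failed authentication": failed_authentication,
    "public S3 exposure change": s3_exposure_change,
}


def match_alerts(event):
    """Names of every rule that fires for one record (a record may hit several)."""
    return [name for name, predicate in RULES.items() if predicate(event)]


def scan(jsonl):
    """Count alerts over newline-delimited CloudTrail records."""
    counts = Counter()
    for line in jsonl.splitlines():
        if line.strip():
            counts.update(match_alerts(json.loads(line)))
    return counts


# Constructed sample records, trimmed to the fields the rules use.
SAMPLE_LOG = """
{"eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"Root"},"responseElements":{"ConsoleLogin":"Success"}}
{"eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","readOnly":false,"userIdentity":{"type":"IAMUser","userName":"alice"}}
{"eventSource":"iam.amazonaws.com","eventName":"GetPolicy","readOnly":true,"userIdentity":{"type":"IAMUser","userName":"alice"}}
{"eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","userIdentity":{"type":"AssumedRole"}}
{"eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventSource":"s3.amazonaws.com","eventName":"DeleteBucketPublicAccessBlock","requestParameters":{"bucketName":"my-secure-bucket"}}
{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","readOnly":true}
"""

if __name__ == "__main__":
    for name, count in scan(SAMPLE_LOG).items():
        print(f"{name}: {count}")
```

In production these predicates would run in CloudWatch Logs metric filters, EventBridge rules or a SIEM rather than a script, but the field logic is the same; note that `readOnly` is the reliable way to separate IAM reads from writes, since event names alone are ambiguous.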
Compliance Frameworks
| Framework | Scope |
|---|---|
| SOC 2 | Service organization controls |
| ISO 27001 | Information security management |
| PCI DSS | Payment card industry |
| HIPAA | Healthcare data protection |
| GDPR | EU data protection |
Updated: December 2024