Key Takeaways
- Shared responsibility model: cloud provider secures infrastructure; you secure your data.
- Least privilege IAM policies are critical for cloud security.
- Enable MFA on all cloud accounts, especially root/admin.
- Encrypt data at rest and in transit.
- Log everything; centralize logs for security monitoring.
- Cloud misconfigurations are the #1 cause of breaches.
Table of Contents
1. Cloud Security Fundamentals
Cloud computing has transformed IT infrastructure, but it introduces new security challenges. Understanding the shared responsibility model is crucial: cloud providers secure the underlying infrastructure, while customers are responsible for securing their data, applications, and configurations.
1.1 Shared Responsibility Model
| Service Type | Provider Responsibility | Customer Responsibility |
|---|---|---|
| IaaS | Physical security, hypervisor | OS, applications, data, network config |
| PaaS | +Runtime, OS | Applications, data |
| SaaS | +Application | Data, access control, configuration |
Common Cloud Breaches
Most cloud breaches stem from customer misconfigurations, not provider failures: exposed S3 buckets, overly permissive IAM roles, publicly accessible databases, and leaked credentials. Security is about configuration as much as technology.
2. Identity and Access Management
2.1 IAM Best Practices
- Least Privilege: Grant minimum required permissions
- MFA Everywhere: Require MFA for all human users
- No Root Usage: Never use root/admin account for daily tasks
- Rotate Credentials: Regular key rotation; use temporary credentials
- Role-Based Access: Group permissions by job function
2.2 AWS IAM Example
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "10.0.0.0/8"
}
}
}
]
}2.3 Service Accounts
For applications, use service accounts with roles instead of static keys. AWS uses IAM roles for EC2/Lambda; Azure uses Managed Identities; GCP uses Service Accounts with Workload Identity.
3. Network Security
3.1 VPC/VNet Design
- Use private subnets for databases and backend services
- Place only load balancers and bastion hosts in public subnets
- Use NAT gateways for outbound internet from private subnets
- Enable VPC Flow Logs for network visibility
3.2 Security Groups
# AWS Security Group - Web Server
Inbound:
- TCP 443 from 0.0.0.0/0 (HTTPS)
- TCP 22 from 10.0.0.0/8 (SSH from internal only)
Outbound:
- TCP 443 to 0.0.0.0/0 (HTTPS)
- TCP 3306 to sg-database (MySQL to DB security group)
# Never allow:
- 0.0.0.0/0 to 0.0.0.0/0 (all traffic)
- SSH (22) from 0.0.0.0/0 (use bastion)Common Network Mistakes
Open Security Groups: Allowing 0.0.0.0/0 on SSH, RDP, or database ports
No Egress Controls: Allowing all outbound traffic
Public Databases: RDS/Cloud SQL accessible from internet
Missing Flow Logs: Can't investigate without network logs
4. Data Protection
4.1 Encryption
- At Rest: Enable encryption for all storage (S3, EBS, RDS)
- In Transit: TLS 1.2+ for all communications
- Key Management: Use cloud KMS; avoid storing keys with data
- Customer Managed Keys: Greater control for sensitive data
4.2 S3 Bucket Security
# Block public access (AWS CLI)
aws s3api put-public-access-block \
--bucket my-bucket \
--public-access-block-configuration \
"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
# Enable encryption
aws s3api put-bucket-encryption \
--bucket my-bucket \
--server-side-encryption-configuration \
'{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms"}}]}'5. Logging and Monitoring
5.1 Essential Logs
| AWS | Azure | GCP | Purpose |
|---|---|---|---|
| CloudTrail | Activity Log | Audit Logs | API activity |
| VPC Flow Logs | NSG Flow Logs | VPC Flow Logs | Network traffic |
| S3 Access Logs | Blob Diagnostic | GCS Access Logs | Storage access |
| GuardDuty | Defender | Security Command | Threat detection |
5.2 Centralized Logging
Send all logs to a centralized location (CloudWatch, Azure Monitor, Stackdriver, or SIEM). Set up alerts for suspicious activity like IAM changes, large data transfers, or access from unusual locations.
6. Compliance and Governance
- AWS: Config Rules, Control Tower, Security Hub
- Azure: Policy, Blueprints, Security Center
- GCP: Organization Policy, Security Command Center
6.1 Compliance Frameworks
Cloud providers offer compliance certifications (SOC 2, ISO 27001, HIPAA, PCI-DSS). However, certification of the infrastructure doesn't mean your workload is compliant—you must configure it correctly.
7. Cloud Security Tools
| Tool | Type | Purpose |
|---|---|---|
| Prowler | Open Source | AWS security assessments |
| ScoutSuite | Open Source | Multi-cloud security auditing |
| Checkov | Open Source | IaC security scanning |
| Prisma Cloud | Commercial | CSPM, CWPP |
| Wiz | Commercial | Agentless cloud security |
Security Automation
Integrate security scanning into CI/CD pipelines. Use Infrastructure as Code (Terraform, CloudFormation) with security policies. Automated remediation can fix common misconfigurations before they become breaches.
8. Frequently Asked Questions
Conclusion
Cloud security is primarily about configuration and access control. Understand the shared responsibility model, implement least-privilege IAM, encrypt everything, log extensively, and use automated security tools. Most cloud breaches are preventable with proper configuration and monitoring.
Continue Learning:
Container Security
Infrastructure Security