☁️ Cloud Security
Securing cloud-native and hybrid workloads across AWS, Azure, and GCP — IAM policies, encryption, network controls, CSPM, CWPP, and the shared responsibility model.
Overview
Cloud security addresses the unique challenges of protecting data, applications, and infrastructure in cloud environments. The shared responsibility model defines where the cloud provider's security obligations end and the customer's begin. Key areas include identity and access management, data encryption, network security, compliance, container security, and continuous monitoring across IaaS, PaaS, and SaaS models.
Key Concepts
Shared Responsibility Model
Cloud providers secure the infrastructure (hypervisor, physical, network), while customers secure their data, applications, identity, and configurations. Responsibilities shift across IaaS/PaaS/SaaS.
CSPM (Cloud Security Posture Management)
Continuous monitoring of cloud configurations for compliance violations, misconfigurations, and security risks. Tools: AWS Config, Azure Policy, Prisma Cloud, Wiz.
CWPP (Cloud Workload Protection)
Runtime protection for VMs, containers, and serverless workloads. Includes vulnerability scanning, integrity monitoring, and runtime threat detection.
Cloud IAM
Identity policies, roles, service accounts, and least-privilege access across cloud providers. Includes SCPs, permission boundaries, and identity federation.
Data Encryption
Encryption at rest (KMS, HSM), in transit (TLS), and in use (confidential computing). Key management lifecycle and rotation policies.
Container & K8s Security
Image scanning, pod security policies, network policies, secrets management, RBAC, and admission controllers for Kubernetes environments.
Cloud Security Architecture
Defense-in-Depth Cloud Security Layers
Multi-layered security controls from identity to monitoring
Common Risks & Threats
| Threat | Severity | Description | Mitigation |
|---|---|---|---|
| Misconfigured S3/Blob Storage | Critical | Publicly exposed storage buckets with sensitive data | Enable bucket policies, block public access, CSPM monitoring |
| Overprivileged IAM Roles | Critical | Service accounts and users with excessive permissions | Least privilege, permission boundaries, regular access reviews |
| Exposed API Keys/Secrets | Critical | Hard-coded credentials in code repositories or configs | Secrets manager, environment variables, automated scanning |
| Insecure Container Images | High | Vulnerabilities in base images and dependencies | Image scanning, minimal base images, signed images |
| Lack of Encryption | High | Data at rest or in transit without encryption | KMS-managed encryption, enforce TLS, CMKs |
Remediation & Best Practices
Enforce Least Privilege IAM
Use permission boundaries, SCPs, and condition keys. Regularly audit with access analyzer tools.
Encrypt Everything
Enable default encryption for storage, databases, and messaging. Use customer-managed keys (CMKs) for sensitive data.
Network Segmentation
Use VPCs, subnets, security groups, and NACLs. Implement private endpoints for service-to-service communication.
Continuous Monitoring
Enable CloudTrail/Activity Log, GuardDuty/Defender, and CSPM tools. Set alerts for anomalous API calls.
Interview Preparation
Explain the Shared Responsibility Model.
In the shared responsibility model, the cloud provider is responsible for security OF the cloud (physical infrastructure, hypervisor, networking, storage), while the customer is responsible for security IN the cloud (data, identity, applications, OS patching, network configurations). The division shifts by service model: IaaS gives customers more responsibility, SaaS gives them less. For example, in IaaS (EC2), you patch the OS; in SaaS (Gmail), Google manages everything except data and access.
How would you secure an AWS account from scratch?
1) Enable MFA on root account and lock it away. 2) Create IAM users with least-privilege policies. 3) Enable CloudTrail for API logging and GuardDuty for threat detection. 4) Configure SCPs via AWS Organizations. 5) Enable default encryption on S3, EBS, RDS. 6) Set up VPC with private subnets and security groups. 7) Use AWS Config for compliance monitoring. 8) Enable AWS Security Hub for centralized findings. 9) Implement secrets rotation via Secrets Manager.
Framework Mapping
| Framework | Relevant Controls |
|---|---|
| NIST | SP 800-53 AC-2 (Account Mgmt), SC-28 (Data at Rest), AU-2 (Audit Events), CM-7 (Least Functionality) |
| ISO | A.13.1 (Network Security), A.10.1 (Cryptographic Controls), A.9.2 (User Access Mgmt) |
| MITRE | T1078 (Valid Accounts), T1530 (Data from Cloud Storage), T1537 (Transfer to Cloud Account) |