Cloud doesn't make security easier — it changes the controls and shifts the failure modes. The number-one cause of cloud breaches isn't sophisticated attackers; it's misconfiguration. This lesson covers what the cloud provider handles for you, what you still own, and the tooling that helps you manage it at scale.
The Shared Responsibility Model
Every cloud provider publishes a version of this. The split depends on the service tier:
| Layer | IaaS (EC2) | PaaS (App Service) | SaaS (Microsoft 365) |
|---|---|---|---|
| Data | Customer | Customer | Customer |
| App code & config | Customer | Customer | Provider |
| Identity / access policies | Customer | Customer | Customer |
| OS / runtime | Customer | Provider | Provider |
| Network controls | Customer (rules) / Provider (fabric) | Provider | Provider |
| Hypervisor / hardware / data centre | Provider | Provider | Provider |
Three things always belong to you, no matter the tier: your data, your identities, and your access policies.
Cloud Identity
Cloud IAM is the modern perimeter. Core practices:
- Use roles, not long-lived access keys. EC2 instance roles, EKS IRSA, GitHub OIDC federation — short-lived credentials issued on demand.
- MFA on every human account, including the root / global admin (then put root credentials in a safe and don't use them).
- Least privilege. Grant the narrowest set of actions on the narrowest set of resources. Use access analysers (AWS IAM Access Analyzer, Azure Conditional Access insights) to find unused permissions.
- Service control policies / org policies. Guardrails at the organisation level — block disabling logging, restrict regions, deny risky services.
- Centralised logging of all identity events (CloudTrail, Entra audit logs, GCP audit logs) into a SIEM.
Network Controls
| AWS | Azure | GCP | Purpose |
|---|---|---|---|
| Security Group | NSG | VPC firewall rule | Stateful instance/subnet firewall |
| Network ACL | (via NSG) | (via firewall) | Stateless subnet filter |
| VPC + subnets | VNet + subnets | VPC + subnets | Network isolation |
| PrivateLink / VPC Endpoint | Private Endpoint | Private Service Connect | Reach managed services without internet |
| Transit Gateway | Virtual WAN | Network Connectivity Center | Hub-and-spoke connectivity |
Default to private connectivity. There is rarely a good reason for a database, queue, or object store to be reachable from the public internet — even with auth in front of it.
Encryption
- In transit: TLS on every endpoint, mTLS between services where feasible, no plaintext databases or queues.
- At rest: enable provider encryption (it's default-on for many services). Use customer-managed keys (CMK / BYOK) when you need cryptographic separation, audit, or rotation control.
- KMS / Key Vault: central key management with audit logs. Apps call KMS to encrypt/decrypt — keys never leave the service.
- Envelope encryption: data encrypted with a fast symmetric data key; the data key is itself encrypted by the KMS key. Standard pattern for large objects.
- Field-level encryption for the most sensitive fields (PII, payment data) on top of disk encryption.
Cloud Security Posture Management (CSPM)
CSPM continuously scans your cloud configuration against best-practice baselines and compliance frameworks (CIS, PCI, HIPAA, ISO). Findings: open S3 buckets, security groups allowing 0.0.0.0/0 to admin ports, unencrypted volumes, old IAM keys.
Examples: AWS Security Hub, Azure Defender for Cloud (CSPM), GCP Security Command Center, Wiz, Prisma Cloud, Lacework.
Cloud Workload Protection (CWPP)
CWPP focuses on what's running — VMs, containers, serverless. Capabilities: vulnerability scanning of images and hosts, runtime threat detection, compliance, file integrity monitoring. Often delivered as an EDR-style agent (or agentless via cloud APIs and snapshot scanning).
Cloud Infrastructure Entitlement Management (CIEM)
The newest pillar. CIEM analyses identity entitlements at scale — humans, service accounts, roles, federated identities — to find:
- Unused permissions you can remove
- Toxic combinations (a role that can both write and bypass logging)
- Cross-account and cross-cloud paths an attacker could traverse
Modern CSPM platforms (Wiz, Prisma, Orca) bundle CIEM features.
Native Detection Services
| AWS | Azure | GCP |
|---|---|---|
| GuardDuty (threat detection) | Defender for Cloud | Security Command Center |
| Inspector (vuln scanning) | Defender for Servers / Containers | Container Threat Detection |
| Macie (data discovery) | Purview | Sensitive Data Protection (DLP) |
| CloudTrail + Config | Activity Log + Policy | Audit Logs + Asset Inventory |
| Security Hub (aggregator) | Defender XDR / Sentinel | SCC + Chronicle |
Container and Kubernetes Security
- Image hardening: minimal base images (distroless, alpine), no secrets in layers, scanned in CI
- Image signing with Sigstore/cosign and admission policies that only allow signed images
- Pod security: non-root, read-only root filesystem, drop capabilities, no host network/PID
- Network policies (Calico, Cilium) — default-deny pod-to-pod traffic
- Workload identity — IRSA on EKS, Workload Identity on GKE, Pod Identity on AKS — pods get cloud credentials without static secrets
- Runtime detection with Falco or commercial CWPP agents
Secrets in the Cloud
- Use the managed secret store: AWS Secrets Manager, Azure Key Vault, GCP Secret Manager
- Rotate automatically where supported (DB credentials, API keys)
- Mount via env or sidecar at runtime — never bake into images
- Audit access — who read which secret, when
Common Cloud Mistakes
- Public S3 / blob / GCS buckets
- Overly broad IAM policies (
*:*,iam:PassRole *) - Unrestricted security groups (0.0.0.0/0 to SSH/RDP/databases)
- Long-lived access keys committed to Git
- Disabled logging — or logs that nobody reviews
- Lateral cross-account trust without external IDs / conditions
CSPM finds most of these in minutes — turn it on and act on the findings.