Cloud Security Fundamentals
Security in the cloud is a shared effort. Your cloud provider secures the infrastructure, but you're responsible for securing what you put on it. Getting this right is non-negotiable: one misconfiguration can expose sensitive data to the world.
The Shared Responsibility Model
┌─────────────────────────────────────────────────────────┐
│               SHARED RESPONSIBILITY MODEL               │
│                                                         │
│  ┌───────────────────────────────────────────────────┐  │
│  │             CUSTOMER RESPONSIBILITIES             │  │
│  │ ┌─────────┐  ┌──────────┐  ┌───────────────────┐  │  │
│  │ │  Data   │  │ Identity │  │    Application    │  │  │
│  │ │         │  │ & Access │  │     Security      │  │  │
│  │ │Encrypt, │  │  Mgmt,   │  │  Patches, Config  │  │  │
│  │ │backup,  │  │   IAM    │  │  Firewall, Code   │  │  │
│  │ │classify │  │ policies │  │     scanning      │  │  │
│  │ └─────────┘  └──────────┘  └───────────────────┘  │  │
│  │ ┌─────────┐  ┌──────────┐  ┌───────────────────┐  │  │
│  │ │   OS    │  │ Network  │  │  Client & Server  │  │  │
│  │ │ Patches │  │  Config  │  │    Encryption     │  │  │
│  │ └─────────┘  └──────────┘  └───────────────────┘  │  │
│  └───────────────────────────────────────────────────┘  │
│  ┌───────────────────────────────────────────────────┐  │
│  │             PROVIDER RESPONSIBILITIES             │  │
│  │  ┌──────────┐  ┌───────────┐  ┌────────────────┐  │  │
│  │  │ Physical │  │   Host    │  │    Network     │  │  │
│  │  │ Security │  │  OS, HW   │  │ Infrastructure │  │  │
│  │  └──────────┘  └───────────┘  └────────────────┘  │  │
│  │  ┌──────────┐  ┌───────────┐  ┌────────────────┐  │  │
│  │  │   Data   │  │ Software  │  │     Global     │  │  │
│  │  │  Center  │  │  Updates  │  │ Infrastructure │  │  │
│  │  └──────────┘  └───────────┘  └────────────────┘  │  │
│  └───────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────┘
Identity and Access Management (IAM)
IAM is your first line of defense. It controls who can do what in your cloud environment. The golden rule: grant the least privilege necessary. No one gets admin access unless they truly need it.
┌──────────────────────────────────────────────┐
│             IAM POLICY STRUCTURE             │
│                                              │
│   "Effect"      "Action"      "Resource"     │
│      │             │              │          │
│      ▼             ▼              ▼          │
│  ┌────────┐   ┌──────────┐   ┌──────────┐    │
│  │ Allow  │   │ s3:Put   │   │ bucket/* │    │
│  │   or   │   │ s3:Get   │   │          │    │
│  │  Deny  │   │ ec2:Start│   │ arn:aws: │    │
│  │        │   │ iam:...  │   │ s3:::my  │    │
│  └────────┘   └──────────┘   └──────────┘    │
│                                              │
│  Example Policy:                             │
│  {                                           │
│    "Effect": "Allow",                        │
│    "Action": "s3:GetObject",                 │
│    "Resource": "arn:aws:s3:::mybucket/*"     │
│  }                                           │
└──────────────────────────────────────────────┘
Security Groups and Network ACLs
Think of security groups as firewalls for your instances. They control inbound and outbound traffic at the instance level. Network ACLs work at the subnet level and act as a secondary barrier.
        Internet
           │
           ▼
┌──────────────────────┐
│     Network ACL      │  (Subnet level - stateless)
│   ┌──────────────┐   │
│   │ Inbound Rules│   │  Allow/Deny by port, CIDR
│   └──────────────┘   │
│   ┌──────────────┐   │
│   │Outbound Rules│   │  Evaluated separately
│   └──────────────┘   │
└──────────┬───────────┘
           │
           ▼
┌──────────────────────┐
│    Security Group    │  (Instance level - stateful)
│   ┌──────────────┐   │
│   │ Inbound Rules│   │  e.g., allow 443 from 0.0.0.0/0
│   └──────────────┘   │
│   ┌──────────────┐   │
│   │Outbound Rules│   │  e.g., allow all outbound
│   └──────────────┘   │
└──────────┬───────────┘
           │
           ▼
      ┌─────────┐
      │   EC2   │
      │Instance │
      └─────────┘
Compliance Frameworks
Cloud providers hold certifications like SOC 2, ISO 27001, HIPAA, and PCI DSS. But certification doesn't make you compliant; you still need to configure your resources correctly. Use tools like AWS Config or Azure Policy to continuously audit your environment against compliance rules.
Security Best Practices Checklist
[x] Enable MFA for all root and admin accounts
[x] Use IAM roles instead of access keys where possible
[x] Rotate access keys every 90 days
[x] Enable CloudTrail for audit logging
[x] Encrypt data at rest and in transit
[x] Apply security groups with minimal permissions
[x] Use VPC endpoints to keep traffic off the public internet
[x] Enable GuardDuty or equivalent threat detection
[x] Run regular vulnerability scans
[x] Document and test your incident response plan