Universal Cloud Security Principles
1. Identity and Access Management (IAM)
Principle of Least Privilege
• Grant minimum permissions necessary
• Use role-based access control (RBAC)
• Regularly review and revoke unused permissions
• Never use root/admin accounts for daily operations
Multi-Factor Authentication (MFA)
• Enable MFA for ALL users
• Especially critical for admin/root accounts
• Use hardware tokens for high-privilege accounts
2. Encryption
• Encrypt data at rest (storage, databases)
• Encrypt data in transit (TLS/HTTPS)
• Use cloud provider managed keys or bring your own (BYOK)
• Enable automatic key rotation
3. Network Security
• Use Virtual Private Cloud (VPC) / VNet
• Implement network segmentation
• Configure security groups/firewalls properly
• Disable public access unless absolutely necessary
• Use private endpoints for internal services
4. Logging and Monitoring
• Enable cloud audit logs
• Set up alerts for suspicious activity
• Centralize logs in secure location
• Retain logs for compliance requirements
• Monitor for configuration changes
AWS Security Best Practices
AWS IAM Security
Secure Root Account
# AWS CLI - Check root account state (AccountMFAEnabled and AccountAccessKeysPresent in the summary)
aws iam get-account-summary
# Enable MFA for root (via AWS Console)
# IAM → Dashboard → Security Status → Activate MFA
IAM Best Practices
# Create IAM user instead of using root
aws iam create-user --user-name admin-user
# Attach administrator access policy
aws iam attach-user-policy --user-name admin-user --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
# Enable MFA for IAM user (create the virtual device first with `aws iam create-virtual-mfa-device`,
# then enroll it with two consecutive codes from the device)
aws iam enable-mfa-device --user-name admin-user --serial-number arn:aws:iam::ACCOUNT-ID:mfa/admin-user --authentication-code1 123456 --authentication-code2 654321
# Rotate access keys regularly
aws iam create-access-key --user-name admin-user
aws iam delete-access-key --user-name admin-user --access-key-id OLD_KEY_ID
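Added example (not from the original page): a Python check that applies the MFA and key-rotation rules above to an IAM credential report. It assumes the report was generated with `aws iam generate-credential-report` and decoded with `aws iam get-credential-report --query Content --output text | base64 -d`; the sample rows are constructed and the 90-day limit is an assumed policy.

```python
"""Check an IAM credential report against the MFA and key-rotation rules
above (added example, not from the original page)."""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

# Constructed rows in the credential-report CSV layout, trimmed to the
# columns this check reads (the real report has more).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2023-01-05T00:00:00+00:00,false,N/A
admin-user,arn:aws:iam::123456789012:user/admin-user,true,true,true,2024-05-01T00:00:00+00:00,false,N/A
ci-bot,arn:aws:iam::123456789012:user/ci-bot,false,false,true,2022-11-20T00:00:00+00:00,false,N/A
"""

def _age_days(stamp, now):
    return (now - datetime.fromisoformat(stamp)).days

def audit(report_csv, now=None):
    """Return findings for root without MFA or with access keys, console
    users without MFA, and active keys older than MAX_KEY_AGE_DAYS."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                findings.append("root: MFA not enabled")
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append("root: access keys present, delete them")
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append(f"{user}: console password without MFA")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                age = _age_days(row[f"access_key_{n}_last_rotated"], now)
                if age > MAX_KEY_AGE_DAYS:
                    findings.append(f"{user}: access key {n} is {age} days old, rotate it")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_REPORT, SAMPLE_NOW):
        print(line)
```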
AWS S3 Bucket Security
Block Public Access
# Block public access (recommended default)
aws s3api put-public-access-block --bucket my-bucket --public-access-block-configuration \
"BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
# Enable versioning for backup
aws s3api put-bucket-versioning --bucket my-bucket --versioning-configuration Status=Enabled
# Enable encryption at rest
aws s3api put-bucket-encryption --bucket my-bucket --server-side-encryption-configuration \
'{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
# Enable access logging
aws s3api put-bucket-logging --bucket my-bucket --bucket-logging-status \
'{"LoggingEnabled":{"TargetBucket":"my-log-bucket","TargetPrefix":"my-bucket-logs/"}}'
AWS EC2 Security
# Secure security group (allow only necessary ports)
aws ec2 authorize-security-group-ingress --group-id sg-xxxxx --protocol tcp --port 22 --cidr 203.0.113.0/24
# Remove overly permissive rules
aws ec2 revoke-security-group-ingress --group-id sg-xxxxx --protocol tcp --port 22 --cidr 0.0.0.0/0
# Enable detailed monitoring
aws ec2 monitor-instances --instance-ids i-xxxxx
# Use Systems Manager Session Manager instead of SSH (more secure)
aws ssm start-session --target i-xxxxx
AWS CloudTrail (Audit Logging)
# Enable CloudTrail for all regions
aws cloudtrail create-trail --name my-trail --s3-bucket-name my-cloudtrail-bucket --is-multi-region-trail
# Start logging
aws cloudtrail start-logging --name my-trail
# Enable log file validation
aws cloudtrail update-trail --name my-trail --enable-log-file-validation
# Check trail status
aws cloudtrail get-trail-status --name my-trail
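Added example (not part of the original page): a Python detector run over constructed CloudTrail records that flags the activity the sections above are meant to prevent: root account use, logging being stopped, MFA devices or public-access blocks being removed, and security-group rules opened to 0.0.0.0/0 or ::/0. Field names follow CloudTrail's record layout; the list of sensitive event names is an assumed starting set.

```python
"""Flag CloudTrail records that undo the controls above (added example,
not from the original page)."""

# Assumed starting set of API calls worth an alert: they stop logging,
# remove MFA devices, or change S3 public-access blocks.
SENSITIVE_EVENTS = {
    "StopLogging", "DeleteTrail",
    "DeactivateMFADevice", "DeleteVirtualMFADevice",
    "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock",
}
WORLD = {"0.0.0.0/0", "::/0"}

def open_to_world(params):
    """True if an AuthorizeSecurityGroupIngress call admits any address."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        v4 = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        v6 = [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        if WORLD & set(v4 + v6):
            return True
    return False

def review(records):
    """Return one finding string per suspicious record, in log order."""
    findings = []
    for ev in records:
        name = ev.get("eventName", "")
        who = ev.get("userIdentity", {})
        actor = who.get("arn", "unknown")
        params = ev.get("requestParameters") or {}
        if who.get("type") == "Root":
            no_mfa = ev.get("additionalEventData", {}).get("MFAUsed") == "No"
            findings.append(f"root account used for {name}" + (" without MFA" if no_mfa else ""))
        if name == "AuthorizeSecurityGroupIngress" and open_to_world(params):
            findings.append(f"{actor} opened {params.get('groupId')} to the world")
        elif name in SENSITIVE_EVENTS:
            findings.append(f"{actor} called {name}")
    return findings

# Constructed sample records (field layout follows CloudTrail's).
DEV = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/dev"}
SAMPLE_RECORDS = [
    {"eventName": "ConsoleLogin", "additionalEventData": {"MFAUsed": "No"},
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": DEV,
     "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "StopLogging", "userIdentity": DEV, "requestParameters": {"name": "my-trail"}},
    {"eventName": "DescribeInstances", "userIdentity": DEV},
]
```

Real CloudTrail log files wrap the events as `{"Records": [...]}`; pass that list to `review()`.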
AWS Security Tools
• AWS GuardDuty: Threat detection
• AWS Security Hub: Centralized security findings
• AWS Config: Configuration compliance
• AWS Inspector: Vulnerability assessments
• AWS Macie: Data security and privacy
Azure Security Best Practices
Azure Active Directory (AAD)
# Force a password reset at next sign-in (MFA itself is enforced with the Conditional Access policy below)
az ad user update --id [email protected] --force-change-password-next-login true
# Create conditional access policy requiring MFA
# (Use Azure Portal: Azure AD → Security → Conditional Access)
# List privileged role assignments
az role assignment list --role "Owner" --output table
# Review and remove unnecessary role assignments
az role assignment delete --assignee [email protected] --role "Contributor"
Azure Storage Security
# Disable public blob access
az storage account update --name mystorageaccount --resource-group myResourceGroup --allow-blob-public-access false
# Enable encryption at rest (enabled by default, but verify)
az storage account update --name mystorageaccount --resource-group myResourceGroup --encryption-services blob
# Enable soft delete for blobs
az storage blob service-properties delete-policy update --account-name mystorageaccount --enable true --days-retained 30
# Require secure transfer (HTTPS only)
az storage account update --name mystorageaccount --resource-group myResourceGroup --https-only true
# Enable storage analytics logging
az storage logging update --account-name mystorageaccount --services b --log rwd --retention 90
Azure Network Security
# Create Network Security Group with restricted rules
az network nsg create --name myNSG --resource-group myResourceGroup
# Allow HTTPS only
az network nsg rule create --name AllowHTTPS --nsg-name myNSG --resource-group myResourceGroup \
--priority 100 --destination-port-ranges 443 --access Allow --protocol Tcp
# Deny all other inbound traffic
az network nsg rule create --name DenyAll --nsg-name myNSG --resource-group myResourceGroup \
--priority 4096 --access Deny --protocol '*' --direction Inbound
# Enable DDoS Protection (create the plan, then attach it to the VNet)
az network ddos-protection create --name myDDoSProtection --resource-group myResourceGroup
az network vnet update --name myVNet --resource-group myResourceGroup --ddos-protection true --ddos-protection-plan myDDoSProtection
Azure Security Tools
• Microsoft Defender for Cloud: Security posture management
• Azure Sentinel: SIEM and SOAR
• Azure Policy: Governance and compliance
• Azure Key Vault: Secrets management
Google Cloud (GCP) Security Best Practices
GCP IAM Security
# List all IAM bindings for a project
gcloud projects get-iam-policy PROJECT_ID
# Add user with specific role
gcloud projects add-iam-policy-binding PROJECT_ID \
--member='user:[email protected]' \
--role='roles/viewer'
# Remove overly permissive binding
gcloud projects remove-iam-policy-binding PROJECT_ID \
--member='user:[email protected]' \
--role='roles/owner'
# Enable organization policy for domain restriction
# (policy.yaml sets constraints/iam.allowedPolicyMemberDomains)
gcloud resource-manager org-policies set-policy policy.yaml --organization=ORG_ID
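Added example (not from the original page): a Python review of a project IAM policy, in the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, flagging public members, primitive roles, and members outside an allowed domain, which is the same condition the domain-restriction org policy enforces centrally. The policy, the domains and the role lists are constructed.

```python
"""Review a GCP project IAM policy for bindings the commands above remove
(added example, not from the original page)."""
import json

PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}   # broad legacy roles
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/viewer",
         "members": ["allAuthenticatedUsers", "user:contractor@partner.test"]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:devs@example.com"]},
    ],
    "etag": "BwXexample=", "version": 1,
})

def review_policy(policy_json, allowed_domains=("example.com",)):
    """Return one finding per member that is public, holds a primitive
    role, or belongs to a domain outside allowed_domains (the condition
    the iam.allowedPolicyMemberDomains org policy enforces for new bindings)."""
    findings = []
    for binding in json.loads(policy_json).get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"{role} is granted to {member} (public)")
                continue
            if role in PRIMITIVE_ROLES:
                findings.append(f"primitive role {role} granted to {member}")
            kind, _, ident = member.partition(":")
            domain = ident.rsplit("@", 1)[-1]
            if kind in ("user", "group") and domain not in allowed_domains:
                findings.append(f"{member} is outside allowed domains")
    return findings

if __name__ == "__main__":
    for line in review_policy(SAMPLE_POLICY):
        print(line)
```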
GCP Cloud Storage Security
# Remove public access
gsutil iam ch -d allUsers:objectViewer gs://my-bucket
# Enable uniform bucket-level access
gsutil uniformbucketlevelaccess set on gs://my-bucket
# Enable versioning
gsutil versioning set on gs://my-bucket
# Encryption at rest is on by default with Google-managed keys; set a customer-managed Cloud KMS key as the bucket default
gsutil kms encryption -k projects/PROJECT_ID/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY gs://my-bucket
# Set lifecycle rules to auto-delete old data
gsutil lifecycle set lifecycle.json gs://my-bucket
GCP Compute Engine Security
# Create firewall rule (deny by default, allow specific)
gcloud compute firewall-rules create allow-https \
--allow tcp:443 \
--source-ranges 0.0.0.0/0 \
--target-tags https-server
# Remove overly permissive rules
gcloud compute firewall-rules delete allow-all
# Run an OS patch job on an instance (VM Manager / OS Config)
gcloud compute os-config patch-jobs execute --instance-filter-names=zones/ZONE/instances/INSTANCE_NAME
# Use shielded VMs for extra security (secure boot, vTPM, integrity monitoring)
gcloud compute instances create INSTANCE_NAME \
--zone=ZONE \
--shielded-secure-boot \
--shielded-vtpm \
--shielded-integrity-monitoring
GCP Security Tools
• Security Command Center: Security and risk management
• Cloud Armor: DDoS and application defense
• VPC Service Controls: Data exfiltration protection
• Binary Authorization: Container image security
Common Cloud Misconfigurations
| Misconfiguration | Risk | Fix |
|---|---|---|
| Public S3 buckets / Storage | Critical | Enable block public access, use private ACLs |
| Unrestricted security groups | High | Limit to specific IPs/ranges, use principle of least privilege |
| No MFA on accounts | High | Enforce MFA for all users, especially privileged accounts |
| Disabled logging | High | Enable CloudTrail/Activity Logs, retain for compliance |
| Unencrypted data at rest | High | Enable encryption for all storage services |
| Overprivileged IAM roles | Medium | Regular access reviews, use least privilege principle |
| Exposed credentials in code | Critical | Use secrets management (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) |
| No network segmentation | Medium | Use VPCs/VNets, implement subnets, use private endpoints |
| Unpatched instances | High | Enable automatic patching, use managed services when possible |
| No backup/disaster recovery | High | Implement automated backups, test recovery procedures |
Cloud Security Checklist
Identity & Access
☐ MFA enabled for all users
☐ Root/admin accounts secured
☐ Least privilege access implemented
☐ Regular access reviews conducted
☐ Service accounts properly secured
Data Protection
☐ Encryption at rest enabled
☐ Encryption in transit enforced
☐ Automated backups configured
☐ Data classification implemented
☐ Key rotation enabled
Network Security
☐ VPC/VNet properly configured
☐ Security groups restrictive
☐ Public access disabled by default
☐ DDoS protection enabled
☐ Private endpoints used for internal services
Monitoring & Logging
☐ Audit logs enabled (CloudTrail/Activity Logs)
☐ Log retention meets compliance
☐ Security alerts configured
☐ Log analysis automated
☐ Centralized logging implemented
Compliance & Governance
☐ Security policies enforced
☐ Compliance monitoring enabled
☐ Regular security assessments
☐ Incident response plan documented
☐ Configuration management automated
Cloud Security Scanning Tools
Open Source Tools:
• ScoutSuite: Multi-cloud security auditing
• Prowler: AWS security assessment
• CloudSploit: Cloud security scanning
• Trivy: Container and infrastructure scanning
• Checkov: Infrastructure as Code scanning
Commercial Tools:
• Prisma Cloud (Palo Alto)
• Wiz
• Orca Security
• Lacework