In This Guide
- 1. The Shared Responsibility Model — What's Actually Your Problem
- 2. IAM — The Foundation of Cloud Security
- 3. Network Security — VPCs, Security Groups, and Private Endpoints
- 4. Data Encryption — At Rest and In Transit
- 5. Logging and Monitoring — You Can't Protect What You Can't See
- 6. Top 10 Cloud Misconfigurations We Find in Audits
- 7. Cloud Security Posture Management (CSPM)
- 8. Compliance Frameworks Mapped to Cloud Controls
- 9. Frequently Asked Questions
82% of cloud data breaches involve data stored in the cloud that was misconfigured, not hacked (IBM, 2024). The attacker didn't break encryption or exploit a zero-day — they found an S3 bucket set to public, an IAM role with admin privileges assigned to a Lambda function, or a database with no VPC and a default password. Cloud security isn't about advanced threats. It's about getting the basics right across hundreds of configuration options.
We've helped organizations migrate to and secure workloads on AWS, Azure, and GCP. This guide covers the patterns and misconfigurations we see most often — with provider-specific fixes.
1. The Shared Responsibility Model — What's Actually Your Problem
Every cloud provider operates under a shared responsibility model. They secure the infrastructure; you secure what runs on it. The split varies by service type:
| Layer | IaaS (EC2, VMs) | PaaS (RDS, App Service) | SaaS (S3, DynamoDB) |
|---|---|---|---|
| Data classification & encryption | You | You | You |
| IAM & access control | You | You | You |
| Application security | You | You | Provider |
| Network configuration | You | Shared | Provider |
| OS patching | You | Provider | Provider |
| Physical infrastructure | Provider | Provider | Provider |
Notice: IAM and data security are always your responsibility, regardless of service type. Moving to managed services reduces your surface area (no more OS patching) but doesn't eliminate your security obligations.
2. IAM — The Foundation of Cloud Security
Identity and Access Management is where cloud security starts and where most breaches originate. An overprivileged service account is the master key attackers look for.
IAM Across Providers
| Concept | AWS | Azure | GCP |
|---|---|---|---|
| Identity Provider | IAM Users + Identity Center (SSO) | Entra ID (Azure AD) | Cloud Identity + Workspace |
| Service Identity | IAM Roles (for EC2, Lambda) | Managed Identity | Service Accounts |
| Policy Model | JSON policies (allow/deny) | RBAC roles on scopes | IAM roles + resource policies |
| Temporary Credentials | STS AssumeRole | Managed Identity tokens | Workload Identity |
| MFA Enforcement | IAM policy condition + Identity Center | Conditional Access policies | 2-Step Verification + Context-Aware |
// ❌ BAD — "AdministratorAccess" on a Lambda
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}]
}
// ✅ GOOD — Only the actions and resources this function needs
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query"
],
"Resource": "arn:aws:dynamodb:ap-south-1:123456789:table/orders"
},
{
"Effect": "Allow",
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:::invoices-bucket/*"
},
{
"Effect": "Allow",
"Action": ["sqs:SendMessage"],
"Resource": "arn:aws:sqs:ap-south-1:123456789:order-notifications"
}
]
}IAM rules that prevent 90% of issues:
- No long-lived access keys — use roles, managed identities, or workload identity
- MFA required for all human users, especially root/global admin accounts
- No
"Action": "*"or"Resource": "*"in any policy - Service accounts get the minimum permissions they need — audit quarterly
- Use AWS Organizations SCPs / Azure Management Groups / GCP Organization Policies to set guardrails
- Enable IAM Access Analyzer (AWS) / Entra ID Access Reviews (Azure) / IAM Recommender (GCP)
3. Network Security — VPCs, Security Groups, and Private Endpoints
Default cloud networking is often more open than you think. The goal: nothing is accessible from the internet unless explicitly intended.
| Control | AWS | Azure | GCP |
|---|---|---|---|
| Firewall | Security Groups + NACLs | NSGs + Azure Firewall | VPC Firewall Rules |
| Private Service Access | VPC Endpoints (Gateway + Interface) | Private Endpoints | Private Service Connect |
| DNS Security | Route 53 Resolver DNS Firewall | Azure DNS Private Resolver | Cloud DNS policies |
| WAF | AWS WAF (on ALB/CloudFront) | Azure WAF (on Application Gateway) | Cloud Armor |
resource "aws_security_group" "app" {
name_prefix = "app-"
vpc_id = aws_vpc.main.id
# ✅ Only accept traffic from ALB
ingress {
from_port = 3000
to_port = 3000
protocol = "tcp"
security_groups = [aws_security_group.alb.id]
}
# ✅ Only allow outbound to specific destinations
egress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] # HTTPS out for APIs
}
egress {
from_port = 5432
to_port = 5432
protocol = "tcp"
security_groups = [aws_security_group.database.id]
}
# ❌ NEVER: ingress from 0.0.0.0/0 on any port
# ❌ NEVER: egress to 0.0.0.0/0 on all ports
}4. Data Encryption — At Rest and In Transit
Encryption should be the default, not an opt-in. All three providers offer encryption for their managed services — the issue is that some services still default to unencrypted.
| Encryption Type | AWS | Azure | GCP |
|---|---|---|---|
| Key Management | KMS (CMK) | Key Vault | Cloud KMS |
| Storage at Rest | S3: SSE-S3 (default), SSE-KMS, SSE-C | Blob: Microsoft-managed or CMK | GCS: Google-managed or CMEK |
| Database at Rest | RDS: enable encryption (can't add after creation) | SQL DB: TDE enabled by default | Cloud SQL: encrypted by default |
| In Transit | TLS 1.2+ on ALB, enforce in S3 bucket policy | TLS 1.2+ enforced by default | TLS 1.2+ on all Google Front Ends |
resource "aws_s3_bucket" "data" {
bucket = "pillai-customer-data"
}
# ✅ Block ALL public access
resource "aws_s3_bucket_public_access_block" "data" {
bucket = aws_s3_bucket.data.id
block_public_acls = true
block_public_policy = true
ignore_public_acls = true
restrict_public_buckets = true
}
# ✅ Enforce encryption with customer-managed key
resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
bucket = aws_s3_bucket.data.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "aws:kms"
kms_master_key_id = aws_kms_key.data_key.arn
}
bucket_key_enabled = true # Reduces KMS API calls and cost
}
}
# ✅ Enforce TLS in transit
resource "aws_s3_bucket_policy" "enforce_tls" {
bucket = aws_s3_bucket.data.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [{
Sid = "EnforceTLS"
Effect = "Deny"
Principal = "*"
Action = "s3:*"
Resource = ["${aws_s3_bucket.data.arn}/*"]
Condition = { Bool = { "aws:SecureTransport" = "false" } }
}]
})
}5. Logging and Monitoring — You Can't Protect What You Can't See
The first thing we enable on any cloud account: centralized logging. If you're compromised and don't have logs, you can't determine what was accessed, when, or by whom.
| What to Log | AWS | Azure | GCP |
|---|---|---|---|
| API Calls | CloudTrail (all regions) | Activity Log | Cloud Audit Logs |
| Network Traffic | VPC Flow Logs | NSG Flow Logs | VPC Flow Logs |
| DNS Queries | Route 53 Query Logging | DNS Analytics | Cloud DNS Logging |
| Threat Detection | GuardDuty | Microsoft Defender for Cloud | Security Command Center |
| SIEM | Security Lake + Athena | Microsoft Sentinel | Chronicle SIEM |
Minimum viable logging: CloudTrail (AWS) / Activity Log (Azure) / Audit Logs (GCP) enabled in all regions, stored in a separate account/project with write-once/append-only policies. S3 access logs on sensitive buckets. VPC Flow Logs on production VPCs. GuardDuty / Defender / SCC for automated threat detection. Total cost for a small-to-mid infrastructure: $50-200/month — a fraction of what a breach investigation costs. For more on building observability, see our monitoring and observability guide.
6. Top 10 Cloud Misconfigurations We Find in Audits
These aren't theoretical — we find these in real client environments. Ranked by how often we see them:
| # | Misconfiguration | Risk | Fix |
|---|---|---|---|
| 1 | Overprivileged IAM roles | Critical | Use IAM Access Analyzer, enforce least privilege |
| 2 | Public S3 buckets / storage blobs | Critical | Block public access at account level |
| 3 | No MFA on root / global admin | Critical | Hardware security key on root, MFA on all humans |
| 4 | Database publicly accessible | Critical | Private subnet, no public IP, VPC endpoints |
| 5 | Security group with 0.0.0.0/0 on SSH/RDP | High | Use SSM Session Manager / Bastion / VPN |
| 6 | CloudTrail / audit logs disabled | High | Enable in all regions, store in separate account |
| 7 | Unencrypted EBS / disk volumes | High | Default encryption in account settings |
| 8 | Long-lived access keys (never rotated) | High | Roles for services, SSO for humans, 90-day max |
| 9 | Default VPC in use for production | Medium | Create custom VPC with proper subnet design |
| 10 | No resource tagging / cost allocation | Medium | Enforce tagging via SCP / Azure Policy / Org Policy |
The scariest finding in any cloud audit isn't a single misconfiguration — it's finding no CloudTrail logs. When we ask "how long has your root account had no MFA?" and the answer is "we don't know, we don't have logs from before last month" — that's when you realize you can't assess the damage. Enable logging before everything else. It costs pennies compared to the alternative.
7. Cloud Security Posture Management (CSPM)
Manually checking hundreds of configuration options across dozens of services doesn't scale. CSPM tools continuously scan your cloud accounts against security benchmarks (CIS, NIST, PCI DSS).
| Tool | Clouds | Type | Best For |
|---|---|---|---|
| AWS Security Hub | AWS | Native | AWS-only shops, aggregates GuardDuty + Inspector + Macie |
| Prowler | AWS, Azure, GCP | Open source | CIS benchmark scanning, CI/CD integration |
| Wiz | AWS, Azure, GCP | Commercial | Attack path analysis, agentless scanning |
| ScoutSuite | AWS, Azure, GCP | Open source | One-time audits, HTML report |
# Install
pip install prowler
# Run full CIS AWS Foundations Benchmark
prowler aws --compliance cis_2.0_aws
# Run specific checks
prowler aws --check s3_bucket_public_access \
iam_root_mfa_enabled \
cloudtrail_multi_region_enabled
# Output as JSON for CI pipeline
prowler aws --compliance cis_2.0_aws -M json -o results/
# Exit code 1 if critical findings → use in CI
prowler aws --severity critical --status FAIL --exit-code 18. Compliance Frameworks Mapped to Cloud Controls
If you need to comply with SOC 2, HIPAA, PCI DSS, or GDPR, cloud providers offer compliance-mapped services. But the mapping is "this service can help you comply" — not "using this service means you are compliant."
| Requirement | AWS | Azure | GCP |
|---|---|---|---|
| Access Control (SOC 2 CC6) | IAM + Identity Center + SCP | Entra ID + RBAC + PIM | IAM + Org Policy + BeyondCorp |
| Encryption (PCI DSS 3.4) | KMS + CloudHSM | Key Vault + Managed HSM | Cloud KMS + Cloud HSM |
| Audit Logging (HIPAA §164.312) | CloudTrail + Config | Activity Log + Diagnostic Settings | Cloud Audit Logs + Access Transparency |
| Data Residency (GDPR Art. 44) | Region selection + S3 Object Lock | Azure Policy + region lock | Resource location constraint |
For a deep dive into SOC 2 specifically, see our SOC 2 compliance guide for startups. For GDPR, see our data privacy and GDPR compliance guide.
9. Frequently Asked Questions
Which cloud provider is most secure?
All three major providers (AWS, Azure, GCP) have excellent infrastructure security, SOC 2 Type II certifications, and extensive compliance coverage. The security difference is almost entirely in how you configure them. A well-configured AWS account is more secure than a misconfigured GCP project, and vice versa. Choose based on your team's expertise and your compliance requirements — then configure properly. See our cloud platform comparison for details.
Do I need a WAF?
If you have public-facing APIs or web applications, yes. A WAF catches common attack patterns (SQL injection, XSS, path traversal) before they reach your application. But a WAF is a safety net, not a substitute for secure code. We use Cloudflare WAF for most projects — it's cost-effective, globally distributed, and has good managed rulesets. AWS WAF and Azure WAF are solid alternatives if you're already on those platforms.
How do I secure a multi-account / multi-project setup?
Use the provider's organization features: AWS Organizations with SCPs, Azure Management Groups with Azure Policy, GCP Organization with Org Policies. Create separate accounts for prod/staging/dev/security. Centralize logging in a dedicated security account that other accounts can write to but not delete from. Use SSO (AWS Identity Center / Entra ID / Cloud Identity) so humans never have per-account credentials.
Should I use CSPM tools or the provider's native security tools?
Start with native tools — they're cheaper and already integrated. AWS Security Hub, Azure Defender for Cloud, and GCP Security Command Center cover most use cases. Move to third-party CSPM (Wiz, Prowler, Orca) when you're multi-cloud, need attack path analysis, or need a single pane of glass across providers. Open-source Prowler is excellent for CIS benchmark scanning in CI/CD.
What's the first thing to do when setting up a new cloud account?
In order: (1) MFA on root/admin account with a hardware key. (2) Enable CloudTrail / audit logging in all regions. (3) Block public S3/Blob/GCS access at the account level. (4) Create a custom VPC — don't use the default. (5) Set up billing alerts. These five steps take under an hour and prevent the most common breach scenarios. Everything else builds on this foundation.
Pillai Infotech LLP
We help organizations secure their cloud infrastructure — from initial architecture to ongoing compliance. Zero trust principles, DevSecOps pipelines, and cloud-native security. Let's secure your cloud.