01 — FOUNDATION
Shared Responsibility Model
The cornerstone of cloud security — understanding precisely what the cloud provider secures versus what you must secure. Misunderstanding this boundary is responsible for the majority of cloud breaches.
Physical Infrastructure
Provider
Provider
Hypervisor & Host OS
Provider
Provider
Network Controls
Provider (HW)
Customer (Config)
Identity & Access (IAM)
Provides Service
Customer Owns Config
Data Encryption
Provides Tools
Customer Must Enable
OS Patching (IaaS)
—
Customer Fully
Application Security
—
Customer Fully
Data Classification
—
Customer Fully
LAYER
Cloud Provider
Customer
02 — ZERO TRUST
Zero Trust Architecture
"Never trust, always verify." Zero Trust assumes breach — every access request is treated as potentially hostile regardless of network origin. Identity replaces the network perimeter.
Verify Identity Explicitly
Authenticate and authorise every request using all available signals — identity, location, device health, service, workload, and data classification.
Use Least Privilege Access
Limit user access with just-in-time (JIT) and just-enough-access (JEA), risk-based adaptive policies, and data protection.
Assume Breach
Minimise blast radius. Encrypt everything end-to-end. Use analytics to detect threats and improve defences proactively.
03 — IAM GOVERNANCE
IAM Governance
Identity and Access Management is the single most important security control in cloud. Mismanaged IAM is the root cause of the majority of cloud breaches. A robust IAM program continuously monitors, audits, and right-sizes permissions.
Never Use Root
Lock root/owner accounts. MFA enabled. Access keys deleted. Use only for account-level operations.
Roles Not Users
EC2/Lambda/containers use IAM Roles — short-lived, auto-rotating credentials. Never long-lived access keys.
Permission Boundaries
SCP caps in AWS Organizations. Even overprivileged roles cannot exceed the boundary.
Least Privilege
Grant minimum permissions for minimum duration. JIT access for admin tasks. No standing privilege.
Regular Audits
IAM Access Analyser + CloudTrail for used-permissions analysis. Quarterly right-sizing reviews.
AWS IAM POLICY — Least Privilege S3 Read (with MFA condition)
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": ["arn:aws:s3:::myapp-prod-bucket/*"],
"Condition": {
"Bool": {
"aws:SecureTransport": true,
"aws:MultiFactorAuthPresent": true
},
"DateLessThan": {
"aws:CurrentTime": "2026-12-31T23:59:59Z"
}
}
}]
}
04 — CLOUD PROVIDER SERVICES
AWS · Azure · GCP Security Services
AWS
GuardDuty
Threat detection — ML-based anomaly, malware, compromised credentials
Security Hub
Centralised security findings aggregation and compliance scoring
IAM Access Analyzer
Identifies over-permissioned and externally accessible resources
Macie
Automated PII/sensitive data discovery in S3 with ML classification
Inspector
Automated vulnerability assessment for EC2, Lambda, and containers
CloudTrail
Complete API activity logging for audit and forensics
Azure
Defender for Cloud
CSPM + CWPP — unified threat protection across hybrid environments
Sentinel
Cloud-native SIEM with AI-driven threat detection and response
Entra ID (AAD)
Identity platform with Conditional Access and Privileged Identity Management
Key Vault
Centralised secrets, certificates, and encryption key management
DDoS Protection
Adaptive real-time DDoS mitigation with attack analytics
Policy
Enforce and audit compliance policies across all Azure resources
GCP
Security Command Center
Centralised security and risk dashboard for GCP resources
Chronicle
Cloud-native SIEM — petabyte-scale security analytics and threat hunting
BeyondCorp
Zero Trust access without VPN — context-aware access policies
Cloud Armor
WAF and DDoS protection with adaptive ML-based threat signatures
Secret Manager
Centralised secrets management with automatic rotation and audit
Binary Authorization
Deploy-time security controls for container images in GKE
05 — CONTAINER SECURITY
Container & Kubernetes Security
Build Time
Build
Secure Dockerfile practices, minimal base images (distroless/Alpine), multi-stage builds, non-root user, pinned versions. Scan with Trivy/Anchore during CI.
Registry
Store
Private registries with access control. Image signing with Sigstore/Cosign. Automated re-scanning on CVE publication. Block unsigned images from deployment.
Deploy Time
Deploy
Admission controllers (OPA Gatekeeper). Pod Security Admission. Only signed, scanned images from approved registries. Immutable container filesystems.
Runtime
Run
Network Policies for pod isolation. Resource limits (CPU/memory). Seccomp/AppArmor profiles. No privileged containers. Runtime threat detection with Falco.
Governance
Govern
Kubernetes RBAC with least privilege. Audit logging to SIEM. Regular CIS Benchmark compliance scans. Namespace isolation. Secret encryption at rest.
06 — MONITORING
Cloud Security Monitoring Stack
CSPM
Continuous cloud configuration assessment against CIS benchmarks and NIST. Real-time misconfiguration alerts. Prisma Cloud, AWS Security Hub, Defender for Cloud.
Threat Detection
ML-based anomaly detection — unusual API calls, crypto mining, data exfiltration, lateral movement. GuardDuty, Azure Sentinel, Chronicle.
Observability
Prometheus + Grafana for metrics. ELK/Splunk for logs. Distributed tracing with Jaeger. New Relic APM for application-level visibility.
Compliance
Automated compliance reporting against PCI-DSS, HIPAA, SOC 2, ISO 27001. Policy-as-code with OPA Conftest. Continuous audit readiness.
WAF & DDoS
AWS Shield + WAF, Azure Firewall, Cloud Armor for edge protection. Rate limiting, geo-blocking, SQL injection rules, bot management.
Secrets Rotation
HashiCorp Vault dynamic secrets. Auto-rotation for DB credentials (30 days), API keys (90 days), certificates (before expiry).