☁️ Cloud Security
Securing cloud-native and hybrid workloads across AWS, Azure, and GCP — IAM policies, encryption, network controls, CSPM, CWPP, and the shared responsibility model.
Cloud security addresses the unique challenges of protecting data, applications, and infrastructure in cloud environments. The shared responsibility model defines where the cloud provider's security obligations end and the customer's begin. Key areas include identity and access management, data encryption, network security, compliance, container security, and continuous monitoring across IaaS, PaaS, and SaaS models.
Key Concepts
Cloud Feature Equivalents (AWS ↔ Azure ↔ GCP ↔ OCI)
- WAF (Web Application Firewall): AWS WAF → Azure WAF (on Application Gateway/Front Door) → GCP Cloud Armor → OCI WAF. All provide Layer 7 filtering, OWASP rule sets, bot mitigation, and rate limiting. AWS WAF uses WebACLs; Azure WAF uses policies; Cloud Armor uses security policies with CEL expressions.
- Firewall: AWS Network Firewall → Azure Firewall → GCP Cloud Firewall → OCI Network Firewall. Layer 3/4 stateful packet inspection, IDS/IPS capabilities.
- Threat Detection (GuardDuty equivalents): AWS GuardDuty → Microsoft Defender for Cloud → GCP Security Command Center (SCC) + Event Threat Detection → OCI Cloud Guard. All analyze logs for anomalous activity — unauthorized API calls, crypto mining, credential exfiltration. GuardDuty uses VPC Flow Logs, DNS logs, and CloudTrail; Defender analyzes Azure activity; SCC uses Cloud Audit Logs.
- Centralized Security (Security Hub equivalents): AWS Security Hub → Microsoft Defender for Cloud (with Secure Score) → GCP Security Command Center → OCI Cloud Guard. Aggregate findings from multiple services into a single pane, compliance scoring, and prioritized remediation. AWS uses ASFF format; Azure provides Secure Score (0-100%); GCP SCC provides Attack Exposure Score.
- Zero Trust / ZTNA: AWS Verified Access → Azure Entra Private Access → GCP BeyondCorp Enterprise → OCI Zero Trust Packet Routing. Replace traditional VPN with identity-aware access.
- Serverless Compute: AWS Lambda → Azure Functions → GCP Cloud Functions → OCI Functions.
- Container Orchestration: EKS → AKS → GKE → OKE.
- Infrastructure as Code: CloudFormation → ARM/Bicep → Deployment Manager/Terraform → Resource Manager.
- Cost Management: AWS Cost Explorer → Azure Cost Management → GCP Cloud Billing → OCI Cost Analysis.
Cloud IAM
Identity policies, roles, service accounts, and least-privilege access across cloud providers. Includes SCPs, permission boundaries, and identity federation.
Container & K8s Security
Image scanning, pod security policies, network policies, secrets management, RBAC, and admission controllers for Kubernetes environments.
🔍 CSPM (Cloud Security Posture Management)
What it is: CSPM continuously monitors cloud infrastructure configurations across AWS, Azure, and GCP to detect misconfigurations, compliance violations, and security risks — the #1 cause of cloud breaches.
Why it matters: Gartner predicts that through 2025, 99% of cloud security failures will be the customer's fault — primarily misconfigurations. CSPM provides continuous visibility that point-in-time audits cannot.
Core capabilities:
- Continuous misconfiguration scanning (public S3 buckets, overprivileged IAM roles, unencrypted databases, open security groups)
- Multi-cloud posture dashboard (single pane of glass across AWS + Azure + GCP + OCI)
- Compliance mapping to frameworks (CIS Benchmarks, NIST 800-53, PCI-DSS, HIPAA, SOC 2)
- Auto-remediation (automatically close public buckets, enforce encryption, fix security group rules)
- Infrastructure drift detection (alert when running config deviates from IaC baseline)
- Attack path analysis (identify exploitable chains: e.g., public EC2 → overprivileged role → sensitive S3 bucket)
Leading Platforms:
- Wiz (agentless, graph-based risk visualization, attack path analysis — fastest-growing cloud security company)
- Prisma Cloud by Palo Alto (CSPM + CWPP + CIEM + DSPM in one platform)
- Orca Security (SideScanning — agentless full-stack visibility)
- AWS Security Hub + Config (native AWS posture management)
- Microsoft Defender for Cloud CSPM (native Azure with Secure Score)
- Lacework (anomaly-based cloud security with Polygraph behavioral analytics)
CISO Value: Reduces cloud breach risk by 60-80%, provides board-ready compliance reporting, and enables security teams to keep pace with developer cloud velocity without becoming a bottleneck.
CWPP (Cloud Workload Protection)
Runtime protection for VMs, containers, and serverless workloads. Includes vulnerability scanning, integrity monitoring, and runtime threat detection.
Data Encryption
Encryption at rest (KMS, HSM), in transit (TLS), and in use (confidential computing). Key management lifecycle and rotation policies.
Shared Responsibility Model (AWS / Azure / GCP)
The foundational principle of cloud security — divides security obligations between the cloud provider and the customer.
- Provider Responsibility (Security OF the Cloud): Physical data centers, hardware, hypervisor, global network infrastructure, and managed service internals.
- Customer Responsibility (Security IN the Cloud): Data classification and encryption, identity and access management, OS patching (IaaS), application security, network configurations (security groups, NACLs), and compliance.
- IaaS (EC2 / Azure VM / GCE): Customer manages OS, middleware, applications, data, and network configs. Provider manages virtualization, storage, networking hardware, and facilities.
- PaaS (Lambda / Azure Functions / Cloud Functions): Customer manages code, data, and IAM. Provider manages runtime, OS, scaling, and infrastructure.
- SaaS (Microsoft 365 / Google Workspace / Salesforce): Customer manages data, user access, and device security. Provider manages everything else.
- AWS-specific: Shared Responsibility Model documentation, AWS Artifact for compliance reports, AWS Config for resource compliance, IAM Access Analyzer.
- Azure-specific: Microsoft Defender for Cloud with Secure Score, Azure Policy for guardrails, Azure Blueprints for compliance templates, Entra ID for identity.
- GCP-specific: Shared Fate model (Google's evolved approach — actively helps customers secure workloads), Security Command Center, Chronicle SIEM, BeyondCorp for Zero Trust.
- Common pitfalls: Assuming the provider handles everything (it doesn't), neglecting IAM policies, leaving storage buckets public, not enabling logging (CloudTrail/Activity Log/Audit Logs), and failing to encrypt data at rest.
Shared Responsibility Model
Shared Responsibility Matrix
As you move from IaaS → PaaS → SaaS, the provider takes on more responsibility. Customer always owns data & access.
Cloud Security Architecture
Defense-in-Depth Cloud Security Layers
Multi-layered security controls from identity to monitoring
Cloud Security Tools Comparison
| Security Area | 🟠 AWS | 🔵 Azure | 🟢 GCP | 🔴 OCI |
|---|---|---|---|---|
| Identity & Access | IAM, STS, SSO (Identity Center) | Entra ID (Azure AD), PIM | Cloud IAM, Workload Identity | IAM, Identity Domains |
| SIEM / Log Analytics | Security Lake, OpenSearch | Microsoft Sentinel | Chronicle SIEM | Logging Analytics |
| Threat Detection | GuardDuty | Defender for Cloud | Security Command Center (SCC) | Cloud Guard |
| CSPM | Security Hub, Config | Defender CSPM, Azure Policy | SCC Premium | Cloud Guard Detector |
| Key Management | KMS, CloudHSM | Key Vault, Managed HSM | Cloud KMS, Cloud HSM | Vault, Key Management |
| Secrets Management | Secrets Manager | Key Vault Secrets | Secret Manager | Vault Secrets |
| Network Security | VPC, Security Groups, WAF | VNet, NSG, Azure Firewall | VPC, Cloud Armor, Firewall | VCN, NSG, WAF |
| DDoS Protection | Shield (Standard/Advanced) | DDoS Protection | Cloud Armor | WAF with DDoS |
| API Logging / Audit | CloudTrail | Activity Log, Monitor | Cloud Audit Logs | Audit Service |
| Container Security | ECR Scanning, Inspector | Defender for Containers | Artifact Analysis, Binary Auth | Container Scanning |
| Data Loss Prevention | Macie | Purview DLP | Cloud DLP | Data Safe |
| Compliance | Artifact, Audit Manager | Compliance Manager, Purview | Compliance Reports, Assured Workloads | Compliance Documents |
| Zero Trust / ZTNA | Verified Access | Entra Private Access | BeyondCorp Enterprise | Zero Trust Packet Routing |
| Vulnerability Scanning | Inspector | Defender Vulnerability Mgmt | Web Security Scanner | Vulnerability Scanning |
Common Risks & Threats
| Threat | Severity | Description | Mitigation |
|---|---|---|---|
| Misconfigured S3/Blob Storage | Critical | Publicly exposed storage buckets with sensitive data | Enable bucket policies, block public access, CSPM monitoring |
| Overprivileged IAM Roles | Critical | Service accounts and users with excessive permissions | Least privilege, permission boundaries, regular access reviews |
| Exposed API Keys/Secrets | Critical | Hard-coded credentials in code repositories or configs | Secrets manager, environment variables, automated scanning |
| Insecure Container Images | High | Vulnerabilities in base images and dependencies | Image scanning, minimal base images, signed images |
| Lack of Encryption | High | Data at rest or in transit without encryption | KMS-managed encryption, enforce TLS, CMKs |
Remediation & Best Practices
Enforce Least Privilege IAM
Use permission boundaries, SCPs, and condition keys. Regularly audit with access analyzer tools.
Encrypt Everything
Enable default encryption for storage, databases, and messaging. Use customer-managed keys (CMKs) for sensitive data.
Network Segmentation
Use VPCs, subnets, security groups, and NACLs. Implement private endpoints for service-to-service communication.
Continuous Monitoring
Enable CloudTrail/Activity Log, GuardDuty/Defender, and CSPM tools. Set alerts for anomalous API calls.
☁️ Cloud Native AppSec Considerations
Cloud-native apps (microservices, containers, serverless, Kubernetes) shift security left and require fundamentally different approaches than traditional monolith security.
📦 Container Security
• Image scanning — Trivy, Snyk, Prisma Cloud
• Minimal base images — Distroless/Alpine
• No root — Run as non-root user
• Immutable containers — No SSH, rebuild & redeploy
• Image signing — Cosign/Notary for integrity
• Registry security — Private, scanned, access-controlled
⚙️ Kubernetes Security
• RBAC — API server access control
• Network Policies — Default-deny pod traffic
• Pod Security Standards — Restricted/Baseline
• Secrets management — Vault, Sealed Secrets
• Admission controllers — OPA/Gatekeeper, Kyverno
• Audit logging — API server audit logs
🔗 Microservices Security
• Service mesh — Istio/Linkerd for mTLS
• API gateway — Centralized auth & rate limiting
• Service-to-service auth — SPIFFE/SPIRE
• Circuit breakers — Prevent cascading failures
• Distributed tracing — Jaeger/Zipkin
⚡ Serverless Security
• Function-level IAM — Least privilege per function
• Input validation — All event triggers (API, S3, SQS)
• Dependency scanning — Smaller packages
• Ephemeral runtime — No persistent compromise
• Timeout limits — Prevent crypto-mining abuse
🔒 CI/CD Pipeline Security
• Shift-left scanning — SAST/SCA/DAST in pipeline
• IaC scanning — Checkov, tfsec, KICS
• SBOM generation — Syft, CycloneDX at build
• Signed artifacts — SLSA attestation chain
• Pipeline hardening — Ephemeral runners, no secrets in logs
⚠️ Cloud-Native Threat Model
• Container escape — Seccomp, no privileged mode
• Lateral movement — Network policies, microseg
• Supply chain — Image signing, SBOM, trusted registries
• Secrets sprawl — Vault, external secret operators
• Misconfig — CSPM, policy-as-code (Wiz, Prisma)
• API abuse — Service mesh mTLS, SPIFFE
🔑 Key Principle: From perimeter security to zero-trust microsegmentation — every service authenticates to every other service, every container is treated as potentially compromised, and security is engineered into the CI/CD pipeline, not bolted on after deployment.
🗺️ Azure Cloud Services — 10 Category Reference
| Category | Key Azure Services |
|---|---|
| 1. Compute | Virtual Machines, VM Scale Sets, App Service, Azure Functions, AKS, Container Instances (ACI), Batch, Service Fabric |
| 2. Storage | Blob Storage, ADLS Gen2, File Storage, Queue Storage, Table Storage, Managed Disks, Hot / Cool / Archive tiers |
| 3. Databases | Azure SQL Database, SQL Managed Instance, Cosmos DB, PostgreSQL / MySQL Managed, Synapse SQL Pools, Redis Cache |
| 4. Data & Analytics | Azure Data Factory, Synapse Analytics, Databricks, Stream Analytics, Data Explorer (Kusto), Event Hubs, Purview, Power BI |
| 5. Networking | VNet, Subnets, NSG, Private Endpoints, VPN Gateway, ExpressRoute, Load Balancer, Application Gateway, Azure Firewall, Front Door / Traffic Manager |
| 6. Integration & Messaging | Service Bus, Event Grid, Logic Apps, API Management |
| 7. Security & Identity | Entra ID (Azure AD), RBAC, Managed Identity, Key Vault, Defender for Cloud, Azure Policy, MFA |
| 8. Monitoring & Ops | Azure Monitor, Log Analytics, Application Insights, Alerts, Workbooks, Event Grid |
| 9. DevOps & IaC | Azure DevOps, GitHub Actions, ARM Templates, Bicep, Terraform, Cost Management, SLA / Reliability basics, Advisor |
| 10. Governance | Resource Groups, Management Groups, Naming conventions, Tags, Landing Zones, Backup / DR basics, Compliance basics |
Walk through the key Azure service categories and explain the security-relevant services in each.
Azure organizes services into 10 major categories. Security-relevant highlights per category:
1. Compute
- Use Azure Defender for VMs, enable Just-In-Time VM access, AKS with pod security policies and RBAC
- Disable public IP on VMs where possible
2. Storage
- Enable storage firewalls, use Private Endpoints for Blob/ADLS access, enforce encryption with customer-managed keys (CMKs) in Key Vault
- Use immutable storage for compliance
3. Databases
- Enable Transparent Data Encryption (TDE), use Azure AD authentication over SQL auth, configure firewall rules and VNet service endpoints
- Enable Advanced Threat Protection on SQL
4. Data & Analytics
- Purview for data governance and classification
- Databricks with VNet injection for network isolation
- Event Hubs with managed identity auth
5. Networking
- NSGs for microsegmentation, Azure Firewall for centralized egress filtering, Private Endpoints to eliminate public exposure, DDoS Protection Standard for internet-facing services
- Front Door WAF for L7 protection
6. Integration & Messaging
- Service Bus with managed identity, API Management for centralized API security (rate limiting, OAuth validation, IP filtering)
7. Security & Identity
- Entra ID with Conditional Access policies, PIM for just-in-time admin access
- Defender for Cloud with Secure Score
- Key Vault for secrets, keys, certificates with RBAC access policies
- Azure Policy for guardrails (deny public IPs, enforce tagging)
8. Monitoring & Ops
- Log Analytics workspace as central log sink
- Application Insights for APM
- Azure Monitor alerts for security events
- Diagnostic settings on all resources
9. DevOps & IaC
- GitHub Actions with OIDC federation (no stored secrets)
- ARM/Bicep with what-if checks
- Terraform state in Azure Storage with state locking
10. Governance
- Management Groups for hierarchical policy inheritance
- Landing Zones for standardized, secure environments
- Azure Blueprints for compliance templates
Interview Preparation
What is CSPM and why is it critical for cloud security? How would you implement it?
CSPM (Cloud Security Posture Management) continuously monitors cloud infrastructure configurations to detect misconfigurations, compliance violations, and security risks.
WHY IT'S CRITICAL: Gartner predicts 99% of cloud security failures through 2025 will be the customer's fault — primarily misconfigurations like public S3 buckets, overprivileged IAM roles, and unencrypted databases. CSPM provides continuous, automated visibility that periodic audits cannot.
IMPLEMENTATION APPROACH:
- Deploy agentless CSPM (Wiz, Prisma Cloud, Orca) across all cloud accounts
- Inventory every resource — compute, storage, networking, IAM, databases
- Map current posture against CIS Benchmarks (AWS/Azure/GCP-specific), NIST 800-53, and organizational policies
- Establish risk scoring methodology
- Focus on attack paths, not individual findings
- A public EC2 instance alone is medium risk; a public EC2 → overprivileged role → sensitive S3 bucket is critical
- Graph-based tools like Wiz excel here
- Implement auto-remediation for high-confidence, low-risk fixes: close public S3 buckets, enforce encryption, fix permissive security groups
- Use guardrails (AWS SCPs, Azure Policy, GCP Org Policies) to prevent misconfigurations at creation time
- Alert when running infrastructure deviates from IaC baseline (Terraform state, CloudFormation).
- Map CSPM findings to regulatory frameworks (PCI-DSS, HIPAA, SOC 2) for automated compliance reporting.
KEY METRICS: % of cloud resources compliant (target >95%), mean time to remediate critical findings (target <24 hours), number of public-facing resources (target: minimize), drift incidents per month, compliance score trend over time.
TOOLS: Wiz (best attack path analysis), Prisma Cloud (broadest CNAPP platform), Orca (agentless full-stack), native tools (AWS Security Hub, Azure Defender CSPM, GCP SCC).
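The "focus on attack paths, not individual findings" step can be shown with a small graph walk. This is an added example, not code from the original page or from any CSPM product; the inventory, the edge semantics and the medium/high/critical scale are assumptions chosen to mirror the public EC2 → overprivileged role → sensitive S3 bucket chain described above.

```python
# Constructed inventory: every name, attribute and edge below is hypothetical.
NODES = {
    "internet":      {"kind": "source"},
    "ec2-web":       {"kind": "compute", "public": True},
    "ec2-report":    {"kind": "compute", "public": True},
    "ec2-batch":     {"kind": "compute", "public": False},
    "role-web":      {"kind": "role", "actions": ["s3:*"]},
    "role-report":   {"kind": "role", "actions": ["s3:GetObject"]},
    "role-batch":    {"kind": "role", "actions": ["*"]},
    "bucket-pii":    {"kind": "storage", "sensitive": True},
    "bucket-assets": {"kind": "storage", "sensitive": False},
}
# Directed edges: network reachability, attached role, data access granted.
EDGES = {
    "internet":    ["ec2-web", "ec2-report"],
    "ec2-web":     ["role-web"],
    "ec2-report":  ["role-report"],
    "ec2-batch":   ["role-batch"],
    "role-web":    ["bucket-pii", "bucket-assets"],
    "role-report": ["bucket-assets"],
    "role-batch":  ["bucket-pii"],
}
RANK = {"medium": 1, "high": 2, "critical": 3}

def is_overprivileged(role):
    """Assumption: a role counts as overprivileged if any action is a wildcard."""
    return any(a == "*" or a.endswith(":*") for a in role.get("actions", []))

def paths_to_sensitive(nodes, edges, source="internet"):
    """Enumerate simple paths from the source to sensitive storage (DFS)."""
    found, stack = [], [[source]]
    while stack:
        path = stack.pop()
        node = nodes[path[-1]]
        if node["kind"] == "storage":
            if node.get("sensitive"):
                found.append(path)
            continue
        for nxt in edges.get(path[-1], []):
            if nxt not in path:  # skip cycles
                stack.append(path + [nxt])
    return found

def score_path(nodes, path):
    """A reachable chain is critical when an overprivileged role sits on it."""
    roles = [nodes[n] for n in path if nodes[n]["kind"] == "role"]
    return "critical" if any(is_overprivileged(r) for r in roles) else "high"

def standalone_findings(nodes):
    """Per-resource findings scored without graph context: all medium."""
    out = {}
    for name, n in nodes.items():
        public = n["kind"] == "compute" and n.get("public")
        overpriv = n["kind"] == "role" and is_overprivileged(n)
        if public or overpriv:
            out[name] = "medium"
    return out

def prioritize(nodes, edges):
    """Raise the severity of every resource that lies on a path to sensitive data."""
    result = standalone_findings(nodes)
    for path in paths_to_sensitive(nodes, edges):
        sev = score_path(nodes, path)
        for name in path[1:]:
            if RANK[sev] > RANK.get(result.get(name), 0):
                result[name] = sev
    return result
```

Running `prioritize(NODES, EDGES)` keeps `ec2-report` and the unreachable `role-batch` at medium while raising `ec2-web`, `role-web` and `bucket-pii` to critical, which is the ordering a finding-by-finding list would miss.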
Explain the Shared Responsibility Model.
In the shared responsibility model, the cloud provider is responsible for security OF the cloud (physical infrastructure, hypervisor, networking, storage), while the customer is responsible for security IN the cloud (data, identity, applications, OS patching, network configurations). The division shifts by service model: IaaS gives customers more responsibility, SaaS gives them less. For example, in IaaS (EC2), you patch the OS; in SaaS (Gmail), Google manages everything except data and access.
How would you secure an AWS account from scratch?
1) Enable MFA on root account and lock it away.
2) Create IAM users with least-privilege policies.
3) Enable CloudTrail for API logging and GuardDuty for threat detection.
4) Configure SCPs via AWS Organizations.
5) Enable default encryption on S3, EBS, RDS.
6) Set up VPC with private subnets and security groups.
7) Use AWS Config for compliance monitoring.
8) Enable AWS Security Hub for centralized findings.
9) Implement secrets rotation via Secrets Manager.
How do you secure cloud workloads and cloud instances across AWS, Google Cloud, and Azure?
Securing cloud workloads requires a multi-layered approach across compute, networking, identity, data, and monitoring.
- EC2/Compute Engine/Azure VMs — apply CIS Benchmarks, enforce IMDSv2 (AWS) to prevent SSRF credential theft, use golden AMIs built via Packer
- Auto-patching via AWS Systems Manager, GCP OS Patch Management, Azure Update Management
- EKS/GKE/AKS — enforce Pod Security Standards, network policies for pod segmentation, scan images with Trivy/Snyk
- Runtime security with Falco/Sysdig
- Run as non-root, read-only filesystems
- Lambda/Cloud Functions/Azure Functions — least-privilege IAM per function, input validation, VPC-attached for private resources
- Least privilege with SCPs (AWS), Org Policies (GCP), Azure Policies
- Managed identities over API keys
- MFA everywhere
- Access reviews with IAM Access Analyzer/Policy Analyzer/AD Access Reviews
- Private subnets, NAT gateways, VPC Flow Logs
- Cloud WAF — AWS WAF, Cloud Armor, Azure Front Door
- Private endpoints — PrivateLink, Private Service Connect, Azure Private Link
- Encrypt at rest (KMS/Cloud KMS/Key Vault), TLS 1.2+ in transit, block public access on storage
- DLP — AWS Macie, GCP DLP API, Azure Purview
- GuardDuty+SecurityHub (AWS), Security Command Center+Chronicle (GCP), Defender+Sentinel (Azure)
- CSPM with Prisma Cloud/Wiz for continuous posture assessment
- Runtime agents — CrowdStrike Falcon Cloud, Aqua Security for process, network, and container behavior monitoring
- Scan Terraform/CloudFormation with Checkov/tfsec before deployment
What are the key security considerations for cloud-native applications and how do they differ from traditional monolith security?
Cloud-native AppSec requires securing 4 distinct layers that don't exist in traditional architectures:
- Container Security: Scan images for CVEs (Trivy, Snyk), use minimal base images (distroless/Alpine), run as non-root, enforce immutable containers (no SSH, rebuild to patch), sign images with Cosign/Notary for supply chain integrity, and use private registries with vulnerability scanning gates.
- Kubernetes Security: Implement RBAC for API server access, default-deny network policies for pod-to-pod traffic, Pod Security Standards (Restricted profile), external secrets management (HashiCorp Vault, Sealed Secrets), admission controllers (OPA/Gatekeeper, Kyverno) to enforce policies at deploy time, and API server audit logging.
- Microservices Security: Deploy a service mesh (Istio/Linkerd) for automatic mTLS between all services (zero-trust east-west traffic), centralized API gateway for auth/rate limiting at ingress, SPIFFE/SPIRE for workload identity, circuit breakers to prevent cascading failures, and distributed tracing (Jaeger/Zipkin) for security event correlation.
- Serverless Security: Function-level IAM with least privilege per function (not shared roles), validate all event trigger inputs, smaller dependency packages to reduce attack surface, and timeout limits to prevent crypto-mining.
- CI/CD Pipeline Security: Shift-left with SAST/SCA/DAST in pipeline, IaC scanning (Checkov/tfsec) for misconfigs, SBOM generation (Syft/CycloneDX), signed artifacts with SLSA attestation, and ephemeral build runners.
- Cloud-Native Threat Model: Container escape (mitigate with seccomp profiles, no privileged mode, gVisor), lateral movement (network policies, microsegmentation), supply chain attacks (signed images, trusted registries), secrets sprawl (Vault integration), and misconfiguration (CSPM tools, policy-as-code).
- Key Principle: The fundamental shift is from perimeter-based security to zero-trust microsegmentation — every service authenticates to every other service, and security is engineered into the pipeline, not bolted on after deployment.
Framework Mapping
| Framework | Relevant Controls |
|---|---|
| NIST | SP 800-53 AC-2 (Account Mgmt), SC-28 (Data at Rest), AU-2 (Audit Events), CM-7 (Least Functionality) |
| ISO | A.13.1 (Network Security), A.10.1 (Cryptographic Controls), A.9.2 (User Access Mgmt) |
| MITRE | T1078 (Valid Accounts), T1530 (Data from Cloud Storage), T1537 (Transfer to Cloud Account) |