Cloud Security Fundamentals
Cloud security encompasses the policies, technologies, and controls used to protect data, applications, and infrastructure in cloud environments. The shift to cloud computing has fundamentally changed the security landscape. You no longer manage physical servers, but you are still responsible for securing your applications, data, and configurations — this is the shared responsibility model.
In the shared responsibility model, the cloud provider (AWS, GCP, Azure) is responsible for security OF the cloud (physical infrastructure, hypervisors, network), while you are responsible for security IN the cloud (your data, access management, application security, network configuration, and encryption). Where the line sits depends on the service: for a VM you patch the guest OS yourself; for a managed database or a serverless function the provider patches the host and runtime, but the data, the access policies, and the configuration remain yours. Many cloud security breaches result from customer misconfiguration, not provider vulnerabilities.
Shared Responsibility Model
| Your Responsibility | Provider's Responsibility |
|---|---|
| Data encryption and classification | Physical infrastructure security |
| IAM and access control | Hypervisor and host OS |
| Network configuration (security groups) | Physical network infrastructure |
| Application security | Service availability and SLAs |
| OS patching (for VMs) | Compliance certifications for the underlying infrastructure |
IAM (Identity and Access Management)
IAM is the most critical component of cloud security: a principal with excess permissions turns any small foothold (a leaked access key, an SSRF request to the instance metadata service) into broad access to the account. Misconfigured or over-broad IAM policies are among the most common causes of cloud security breaches. Follow the principle of least privilege: every user, role, and service should have only the minimum permissions necessary for its function, scoped to specific resources and, where the service supports it, further restricted with conditions.
// AWS IAM policy examples (expressed as TypeScript objects)
// WRONG: Over-permissive policy. Whoever holds these credentials is a full
// administrator of the account; one leaked key becomes total compromise.
const badPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: "*", // Full access to everything!
    Resource: "*", // Every resource!
  }],
};
// RIGHT: Least-privilege policy for a web application. Each statement names
// the exact actions and the exact resources, and adds a condition where the
// service supports one.
const goodPolicy = {
  Version: "2012-10-17",
  Statement: [
    {
      // s3:ListBucket is evaluated against the bucket ARN...
      Sid: "ListOwnBucket",
      Effect: "Allow",
      Action: ["s3:ListBucket"],
      Resource: "arn:aws:s3:::myapp-assets",
    },
    {
      // ...while s3:GetObject is evaluated against object ARNs (bucket/*).
      Sid: "ReadOwnBucket",
      Effect: "Allow",
      Action: ["s3:GetObject"],
      Resource: "arn:aws:s3:::myapp-assets/*",
    },
    {
      Sid: "WriteUploadBucket",
      Effect: "Allow",
      Action: ["s3:PutObject"],
      Resource: "arn:aws:s3:::myapp-uploads/*",
      // Uploads must request server-side encryption (SSE-S3 here; use
      // "aws:kms" to require a KMS key instead).
      Condition: {
        StringEquals: {
          "s3:x-amz-server-side-encryption": "AES256",
        },
      },
    },
    {
      Sid: "ReadSecrets",
      Effect: "Allow",
      Action: "secretsmanager:GetSecretValue",
      // Scoped to this application's secrets only. AWS account IDs are
      // 12 digits; 123456789012 is a placeholder.
      Resource: "arn:aws:secretsmanager:us-east-1:123456789012:secret:myapp/*",
    },
  ],
};
// Infrastructure as Code security checks
// Use tools like checkov, tfsec (since merged into Trivy), or cfn-nag to audit
// IAM policies and other resources before they are applied; run them in CI so
// a wildcard policy fails the build instead of reaching production.
// Example Terraform with proper IAM:
/*
resource "aws_iam_role" "app_role" {
  name = "myapp-production"
  # Trust policy: only ECS tasks may assume this role.
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Action    = "sts:AssumeRole"
      Effect    = "Allow"
      Principal = {
        Service = "ecs-tasks.amazonaws.com"
      }
      # Recommended: add an aws:SourceAccount / aws:SourceArn condition here so
      # that tasks in other accounts cannot assume the role (confused-deputy
      # mitigation).
    }]
  })
  # A permissions boundary caps the maximum permissions this role can ever
  # hold, whatever policies are attached to it later. It stops a pipeline or
  # developer who is allowed to attach policies from escalating the role to
  # administrator.
  permissions_boundary = aws_iam_policy.boundary.arn
}
*/
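To make the least-privilege rule and the permissions boundary concrete, here is an added example (not code from the original page): a small model of how IAM combines an identity policy with a permissions boundary. It applies two rules, that an explicit Deny in either document wins and that, once a boundary is attached, both documents must Allow the request. SCPs, resource-based policies and session policies are left out, and the policies and ARNs are constructed for the example.

```typescript
// Added example, not from the original page: a minimal model of how IAM
// combines an identity policy with a permissions boundary. Real evaluation
// also involves SCPs, resource policies and session policies; those are
// omitted so the two rules that matter stay visible:
//   1. an explicit Deny in either document wins,
//   2. with a boundary attached, BOTH documents must Allow the request.

type Effect = "Allow" | "Deny";

interface PolicyStatement {
  Sid?: string;
  Effect: Effect;
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: PolicyStatement[];
}

// IAM wildcard matching: "*" matches any run of characters, "?" exactly one.
// Action names match case-insensitively; resource ARNs are case-sensitive.
function globMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", ignoreCase ? "i" : "").test(value);
}

function toList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

function statementMatches(s: PolicyStatement, action: string, resource: string): boolean {
  return (
    toList(s.Action).some((a) => globMatch(a, action, true)) &&
    toList(s.Resource).some((r) => globMatch(r, resource, false))
  );
}

type Decision = "Allow" | "Deny" | "ImplicitDeny";

// Evaluate a single policy document on its own.
function evaluatePolicy(doc: PolicyDocument, action: string, resource: string): Decision {
  let allowed = false;
  for (const s of doc.Statement) {
    if (!statementMatches(s, action, resource)) continue;
    if (s.Effect === "Deny") return "Deny"; // explicit deny always wins
    allowed = true;
  }
  return allowed ? "Allow" : "ImplicitDeny";
}

// Effective decision for a principal that may carry a permissions boundary.
function isAllowed(identity: PolicyDocument, boundary: PolicyDocument | undefined, action: string, resource: string): boolean {
  if (evaluatePolicy(identity, action, resource) !== "Allow") return false;
  if (boundary === undefined) return true;
  return evaluatePolicy(boundary, action, resource) === "Allow";
}

// Constructed sample: a developer attached a far-too-broad policy to the app
// role (only bucket deletion is explicitly denied)...
const overBroadIdentityPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: "s3:*", Resource: "*" },
    { Sid: "NeverDeleteBuckets", Effect: "Deny", Action: "s3:DeleteBucket", Resource: "*" },
  ],
};

// ...but the role carries a boundary that only ever permits reading
// myapp-assets, so the over-broad grant is capped to exactly that.
const boundaryPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: "s3:GetObject", Resource: "arn:aws:s3:::myapp-assets/*" },
    { Effect: "Allow", Action: "s3:ListBucket", Resource: "arn:aws:s3:::myapp-assets" },
  ],
};

const assetObject = "arn:aws:s3:::myapp-assets/index.html";
const financeObject = "arn:aws:s3:::finance-reports/q3.xlsx";

console.log(isAllowed(overBroadIdentityPolicy, undefined, "s3:PutObject", financeObject)); // true: nothing caps it
console.log(isAllowed(overBroadIdentityPolicy, undefined, "s3:DeleteBucket", "arn:aws:s3:::finance-reports")); // false: explicit deny
console.log(isAllowed(overBroadIdentityPolicy, boundaryPolicy, "s3:GetObject", assetObject)); // true: both allow
console.log(isAllowed(overBroadIdentityPolicy, boundaryPolicy, "s3:PutObject", assetObject)); // false: boundary has no PutObject
console.log(isAllowed(overBroadIdentityPolicy, boundaryPolicy, "s3:GetObject", financeObject)); // false: boundary limits the bucket
```

The boundary does not grant anything by itself: a role whose identity policy only allowed s3:GetObject on one bucket would be no more capable with the boundary attached. Its value is that it is set by whoever administers the role, so a later `attach-role-policy` by a less trusted pipeline cannot widen the role beyond it.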
Network Security in the Cloud
// Cloud network security architecture
// Security Group configuration (as TypeScript for documentation).
// Security groups are stateful: return traffic for an allowed connection is
// admitted automatically, so only the initiating direction needs a rule.
const webServerSecurityGroup = {
  name: "web-server-sg",
  ingressRules: [
    // Only the internet-facing tier should accept 0.0.0.0/0. If a load
    // balancer fronts these servers (as in the VPC layout below), put these
    // two rules on the load balancer's group and let web-server-sg accept
    // only from that group.
    { port: 443, protocol: "tcp", source: "0.0.0.0/0", description: "HTTPS" },
    { port: 80, protocol: "tcp", source: "0.0.0.0/0", description: "HTTP, redirect to HTTPS only" },
  ],
  egressRules: [
    // Restrict egress too: AWS's default allow-all egress lets a compromised
    // host reach anything. Cross-tier rules reference the other group by
    // name, never an IP range that can drift.
    { port: 443, protocol: "tcp", destination: "0.0.0.0/0", description: "Outbound HTTPS" },
    { port: 5432, protocol: "tcp", destination: "database-sg", description: "PostgreSQL" },
    { port: 6379, protocol: "tcp", destination: "cache-sg", description: "Redis" },
  ],
};
const databaseSecurityGroup = {
  name: "database-sg",
  ingressRules: [
    // ONLY allow from the web server security group, never from a CIDR
    { port: 5432, protocol: "tcp", source: "web-server-sg", description: "PostgreSQL from web" },
  ],
  egressRules: [], // No outbound needed: the database never initiates connections
};
// VPC architecture for security
const vpcArchitecture = {
  publicSubnets: [
    "Load Balancer", // Only public-facing component
  ],
  privateSubnets: [
    "Application Servers", // No inbound from the internet; outbound only through NAT
    "Background Workers",
  ],
  isolatedSubnets: [
    "Database (RDS)", // No route to the internet at all, in either direction
    "ElastiCache (Redis)",
  ],
  natGateway: true, // For private subnets to reach the internet (updates, APIs)
  // Isolated subnets have no NAT; anything they need from AWS itself (KMS,
  // Secrets Manager, S3) is reached through VPC endpoints, which also keeps
  // that traffic off the public internet.
};
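The layout above only protects the database for as long as nobody punches a hole in database-sg. Here is an added example (not from the original page) that checks a set of security-group definitions for two things: sensitive ports opened to 0.0.0.0/0, and the blast radius, meaning which groups an attacker could reach by hopping from a compromised instance to whatever the next group's ingress rules admit. It relies on security groups being stateful (only ingress rules are walked) and ignores NACLs and route tables; the group names and rules are constructed for the example, including a deliberately wrong "temporary" rule.

```typescript
// Added example, not from the original page: two static checks over a set of
// security groups. Security groups are stateful, so a connection from A to B
// is possible exactly when B's ingress admits A (a CIDR or a group reference)
// on the port; only ingress rules need to be walked. NACLs and routing are
// ignored, so this is a conservative "could reach" analysis.

interface IngressRule {
  port: number | "all";
  protocol: "tcp" | "udp" | "all";
  source: string; // a CIDR such as "0.0.0.0/0" or the name of another group
  description?: string;
}

interface SecurityGroup {
  name: string;
  ingress: IngressRule[];
}

const INTERNET = "0.0.0.0/0";
// Ports that must never be open to the world: SSH, RDP, MySQL, PostgreSQL, Redis, MongoDB.
const SENSITIVE_PORTS = [22, 3389, 3306, 5432, 6379, 27017];

// Which groups admit traffic from `source`, and through which rules.
function admittedFrom(groups: SecurityGroup[], source: string): Record<string, IngressRule[]> {
  const hits: Record<string, IngressRule[]> = {};
  for (const g of groups) {
    const rules = g.ingress.filter((r) => r.source === source);
    if (rules.length > 0) hits[g.name] = rules;
  }
  return hits;
}

interface Finding {
  group: string;
  port: number | "all";
}

// Check 1: sensitive ports exposed directly to the internet.
function worldOpenSensitivePorts(groups: SecurityGroup[]): Finding[] {
  const findings: Finding[] = [];
  const exposed = admittedFrom(groups, INTERNET);
  for (const group of Object.keys(exposed)) {
    for (const r of exposed[group]) {
      if (r.port === "all" || SENSITIVE_PORTS.indexOf(r.port) !== -1) {
        findings.push({ group, port: r.port });
      }
    }
  }
  return findings;
}

// Check 2: blast radius. Breadth-first from the internet: once an attacker
// holds an instance in group X, they can initiate connections to every group
// whose ingress admits X. Returns the minimum number of hops to each group.
function blastRadius(groups: SecurityGroup[]): Record<string, number> {
  const hops: Record<string, number> = {};
  const queue: Array<{ src: string; depth: number }> = [{ src: INTERNET, depth: 0 }];
  while (queue.length > 0) {
    const { src, depth } = queue.shift()!;
    for (const g of Object.keys(admittedFrom(groups, src))) {
      if (g in hops) continue;
      hops[g] = depth + 1;
      queue.push({ src: g, depth: depth + 1 });
    }
  }
  return hops;
}

// Constructed sample: the three-tier layout from the page, plus a hole someone
// opened "temporarily" to reach the database from home.
const sampleGroups: SecurityGroup[] = [
  { name: "lb-sg", ingress: [{ port: 443, protocol: "tcp", source: INTERNET, description: "HTTPS" }] },
  { name: "app-sg", ingress: [{ port: 8080, protocol: "tcp", source: "lb-sg", description: "from LB" }] },
  { name: "cache-sg", ingress: [{ port: 6379, protocol: "tcp", source: "app-sg", description: "Redis" }] },
  {
    name: "db-sg",
    ingress: [
      { port: 5432, protocol: "tcp", source: "app-sg", description: "PostgreSQL from app" },
      { port: 5432, protocol: "tcp", source: INTERNET, description: "TEMP debug from home" },
    ],
  },
];

// The same layout with the hole removed: every internet-sourced rule on db-sg dropped.
const hardenedGroups: SecurityGroup[] = sampleGroups.map((g) =>
  g.name === "db-sg" ? { name: g.name, ingress: g.ingress.filter((r) => r.source !== INTERNET) } : g,
);

console.log(worldOpenSensitivePorts(sampleGroups)); // [ { group: "db-sg", port: 5432 } ]
console.log(blastRadius(sampleGroups)); // { "lb-sg": 1, "db-sg": 1, "app-sg": 2, "cache-sg": 3 }
console.log(worldOpenSensitivePorts(hardenedGroups)); // []
console.log(blastRadius(hardenedGroups)); // { "lb-sg": 1, "app-sg": 2, "cache-sg": 3, "db-sg": 3 }
```

The hop count is the useful number for a threat model: with the stray rule the database is one hop from the internet, the same as the load balancer; after removing it an attacker needs the load balancer, then an application server, before PostgreSQL is even reachable. In a real account the input would come from `ec2 describe-security-groups`, with group IDs in place of the names used here.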
Cloud Storage Security
// Secure S3 bucket configuration
import { S3Client, PutBucketPolicyCommand } from "@aws-sdk/client-s3";
// Bucket policy with three explicit Deny guardrails. An explicit Deny beats
// any Allow, so these hold no matter what identity policies grant.
const bucketPolicy = {
  Version: "2012-10-17",
  Statement: [
    {
      // Reject uploads that do not ask for SSE-KMS. S3 has encrypted every new
      // object with SSE-S3 by default since January 2023, so this statement's
      // job is to force KMS specifically. It also rejects clients that send no
      // header at all, because a missing key satisfies StringNotEquals.
      Sid: "DenyUnencryptedUploads",
      Effect: "Deny",
      Principal: "*",
      Action: "s3:PutObject",
      Resource: "arn:aws:s3:::myapp-data/*",
      Condition: {
        StringNotEquals: {
          "s3:x-amz-server-side-encryption": "aws:kms",
        },
      },
    },
    {
      // Reject any request that arrives over plain HTTP, on the bucket and its objects.
      Sid: "DenyNonHTTPS",
      Effect: "Deny",
      Principal: "*",
      Action: "s3:*",
      Resource: [
        "arn:aws:s3:::myapp-data",
        "arn:aws:s3:::myapp-data/*",
      ],
      Condition: {
        Bool: { "aws:SecureTransport": "false" },
      },
    },
    {
      // Reject public canned ACLs on objects. The condition key is
      // s3:x-amz-acl (there is no s3:acl key). This is defence in depth: the
      // primary controls are S3 Block Public Access and the BucketOwnerEnforced
      // object-ownership setting, which disables ACLs on the bucket entirely.
      Sid: "DenyPublicAccess",
      Effect: "Deny",
      Principal: "*",
      Action: ["s3:PutObject", "s3:PutObjectAcl"],
      Resource: "arn:aws:s3:::myapp-data/*",
      Condition: {
        StringEquals: { "s3:x-amz-acl": ["public-read", "public-read-write"] },
      },
    },
  ],
};
// Apply the policy to the bucket (the policy document is sent as a JSON string).
async function applyBucketPolicy(): Promise<void> {
  const s3 = new S3Client({ region: "us-east-1" });
  await s3.send(
    new PutBucketPolicyCommand({
      Bucket: "myapp-data",
      Policy: JSON.stringify(bucketPolicy),
    }),
  );
}
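To see exactly which requests the three Deny statements stop, here is an added example (not from the original page): a minimal evaluator for the condition operators the policy uses (StringEquals, StringNotEquals, Bool), run against constructed request contexts. It implements IAM's rule that a negated operator such as StringNotEquals matches when the key is absent from the request, which is what makes the encryption statement reject uploads that send no header at all. The statements are a copy of the guardrails above, with the public-ACL statement keyed on s3:x-amz-acl, the S3 condition key for canned ACLs; the request contexts and object keys are made up for the example.

```typescript
// Added example, not from the original page: evaluate the Deny statements of
// a bucket policy against concrete requests. Only the three operators the
// policy uses are implemented, and only Deny statements are considered; the
// caller's own Allow (from an identity policy) is assumed to exist.

type ConditionBlock = Record<string, Record<string, string | string[]>>;

interface DenyStatement {
  Sid: string;
  Effect: "Deny";
  Action: string | string[];
  Resource: string | string[];
  Condition?: ConditionBlock;
}

// Request context: the action, the resource ARN, and the condition keys S3
// derives from the HTTP request. A header the client did not send means the
// key is absent from the context (undefined here).
interface RequestContext {
  action: string;
  resource: string;
  keys: Record<string, string | undefined>;
}

function globMatch(pattern: string, value: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(value);
}

function toList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// IAM semantics for one operator on one key:
// - StringEquals / Bool: true only if the key is present and equals one value
// - StringNotEquals: true if the key is ABSENT or equals none of the values
function conditionHolds(op: string, actual: string | undefined, expected: string[]): boolean {
  switch (op) {
    case "StringEquals":
    case "Bool":
      return actual !== undefined && expected.indexOf(actual) !== -1;
    case "StringNotEquals":
      return actual === undefined || expected.indexOf(actual) === -1;
    default:
      throw new Error("operator not implemented in this example: " + op);
  }
}

function statementApplies(s: DenyStatement, req: RequestContext): boolean {
  if (!toList(s.Action).some((a) => globMatch(a, req.action))) return false;
  if (!toList(s.Resource).some((r) => globMatch(r, req.resource))) return false;
  if (!s.Condition) return true;
  // Every operator and every key inside the Condition block must hold (AND).
  for (const op of Object.keys(s.Condition)) {
    const keyValues = s.Condition[op];
    for (const key of Object.keys(keyValues)) {
      if (!conditionHolds(op, req.keys[key], toList(keyValues[key]))) return false;
    }
  }
  return true;
}

// Sids of the Deny statements that block the request; [] means not denied.
function denyingSids(statements: DenyStatement[], req: RequestContext): string[] {
  return statements.filter((s) => statementApplies(s, req)).map((s) => s.Sid);
}

// Constructed copy of the three guardrails from the bucket policy.
const guardrails: DenyStatement[] = [
  { Sid: "DenyUnencryptedUploads", Effect: "Deny", Action: "s3:PutObject", Resource: "arn:aws:s3:::myapp-data/*",
    Condition: { StringNotEquals: { "s3:x-amz-server-side-encryption": "aws:kms" } } },
  { Sid: "DenyNonHTTPS", Effect: "Deny", Action: "s3:*", Resource: ["arn:aws:s3:::myapp-data", "arn:aws:s3:::myapp-data/*"],
    Condition: { Bool: { "aws:SecureTransport": "false" } } },
  { Sid: "DenyPublicAccess", Effect: "Deny", Action: ["s3:PutObject", "s3:PutObjectAcl"], Resource: "arn:aws:s3:::myapp-data/*",
    Condition: { StringEquals: { "s3:x-amz-acl": ["public-read", "public-read-write"] } } },
];

const reportObject = "arn:aws:s3:::myapp-data/reports/q3.csv";

// A compliant upload: TLS, KMS encryption header, no public ACL.
const goodUpload: RequestContext = { action: "s3:PutObject", resource: reportObject,
  keys: { "aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "aws:kms" } };
// A legacy client that relies on default encryption and sends no header.
const noHeaderUpload: RequestContext = { action: "s3:PutObject", resource: reportObject,
  keys: { "aws:SecureTransport": "true" } };
// Plain-HTTP upload that also asks for a public ACL: two guardrails fire.
const httpPublicUpload: RequestContext = { action: "s3:PutObject", resource: reportObject,
  keys: { "aws:SecureTransport": "false", "s3:x-amz-server-side-encryption": "aws:kms", "s3:x-amz-acl": "public-read" } };

console.log(denyingSids(guardrails, goodUpload)); // []
console.log(denyingSids(guardrails, noHeaderUpload)); // ["DenyUnencryptedUploads"]
console.log(denyingSids(guardrails, httpPublicUpload)); // ["DenyNonHTTPS", "DenyPublicAccess"]
```

The second case is the one that surprises people: the legacy client is not doing anything insecure (the bucket would encrypt the object anyway), but the policy is evaluated before default encryption is applied, so it is still denied. Decide up front whether you want that strictness or whether bucket default encryption plus the TLS and public-ACL guardrails is enough.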
Security Warning: Common Cloud Misconfigurations
- Public S3 buckets: Enable S3 Block Public Access at the account level as well as on every bucket; any exception (for example a static site) should be deliberate, documented, and preferably served through a CDN rather than a public bucket.
- Overly permissive security groups: Never use 0.0.0.0/0 for database or SSH ports. Reference the calling tier's security group instead, and reach hosts through a session-manager service or a bastion rather than public SSH.
- Root account usage: Never use the root account for daily operations. Protect it with hardware MFA and keep it for the few tasks that require it; for people, prefer federated identities (IAM Identity Center or your IdP) with MFA over long-lived IAM user access keys.
- Unencrypted data: Enable encryption at rest for all storage (S3, RDS, EBS, ElastiCache), ideally with customer-managed KMS keys so access to the key can be audited and revoked.
- Missing logging: Enable CloudTrail in all regions (organization-wide if you have one), VPC Flow Logs, and S3 server access logs, and ship them to a separate, write-restricted account so an attacker in the workload account cannot erase them.
Cloud Security Checklist
- Enable MFA: On all accounts, especially root and admin accounts.
- Use IAM roles over users: For applications and services, use roles (instance profiles, ECS task roles, IAM roles for service accounts on Kubernetes) so credentials are short-lived and rotated automatically; never bake long-lived access keys into code, images, or environment files.
- Encrypt everything: At rest and in transit. Use KMS for key management.
- Network segmentation: Use VPCs, subnets, and security groups to isolate components.
- Enable audit logging and detection: CloudTrail for the API audit trail, GuardDuty for threat detection on that telemetry, and AWS Config to flag resources that drift from your baseline.
- Infrastructure as Code: Use Terraform or CloudFormation and scan templates for security issues.