Cloud Security: Shared Responsibility and Defense in Depth
Cloud security operates under a shared responsibility model — the provider secures the underlying infrastructure while customers secure everything they deploy on top of it. According to the Cloud Security Alliance (CSA), 95% of cloud security incidents are caused by customer misconfiguration, not provider vulnerabilities. Understanding where provider responsibility ends and customer responsibility begins is the foundation of a robust cloud security strategy.
Shared Responsibility Model
The division of responsibility depends on the service model:
| Layer | IaaS (EC2) | PaaS (RDS) | SaaS (Salesforce) |
|---|---|---|---|
| Physical security | Provider | Provider | Provider |
| Network infrastructure | Provider | Provider | Provider |
| Hypervisor | Provider | Provider | Provider |
| Operating system | Customer | Provider | Provider |
| Application | Customer | Customer | Provider |
| Data | Customer | Customer | Customer |
| IAM | Customer | Customer | Customer |
Data and access management are always the customer’s responsibility regardless of service model. This is why the largest cloud breaches — Capital One (2019), Accenture (2021), Pegasus Airlines (2024) — all stemmed from misconfigured access controls, not cloud provider weaknesses.
IAM: The Most Critical Security Control
Identity and Access Management is the primary security boundary in any cloud environment. The AWS Well-Architected Security Pillar calls IAM the “fundamental building block for securing your AWS environment.”
Follow least-privilege access: users, roles, and services should have exactly the permissions they need — no more. Start with an explicit deny-all policy and add permissions incrementally.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::specific-bucket/uploads/*",
"Condition": {
"StringEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
}
]
---Core IAM best practices:
- Use roles, not keys — IAM roles provide temporary credentials via STS that automatically rotate. Long-lived access keys should be eliminated for human users and minimized for service accounts.
- Enable MFA for all users — MFA blocks 99.9% of account compromise attacks (Microsoft, 2024). Enforce MFA at the IAM policy level with an
aws:MultiFactorAuthPresentcondition key. - Implement permission boundaries — permission boundaries delegate administrative control while preventing privilege escalation. A developer can create IAM roles, but only within the boundary you define.
- Monitor unused permissions — AWS IAM Access Analyzer and GCP Policy Analyzer identify roles and permissions not used in the last 90 days. Remove them.
- Use provider-native identity solutions — AWS IAM Identity Center (SSO), Azure Entra ID, and GCP Workforce Identity Federation for human access. Avoid creating individual IAM users.
Network Security Architecture
VPC segmentation — divide the network into tiers. Public subnets contain only load balancers and bastion hosts. Private subnets contain application servers (with NAT gateway for outbound access). Isolated subnets contain databases with no internet access path.
Security groups vs. network ACLs — Security Groups are stateful instance firewalls supporting allow rules only. Network ACLs are stateless subnet firewalls supporting both allow and deny rules. Security Groups are evaluated first; NACLs are a secondary layer.
Web Application Firewall (WAF) — inspect and filter HTTP/HTTPS traffic. AWS WAF, GCP Cloud Armor, and Azure WAF protect against SQL injection, cross-site scripting, and OWASP Top 10 threats. Cloud Armor includes Google’s threat intelligence for real-time rule updates.
DDoS protection — AWS Shield Advanced, GCP Cloud Armor Managed Protection, and Azure DDoS Protection provide automated mitigation against volumetric and application-layer DDoS attacks.
Data Encryption
Encryption at rest: encrypt all data stored in cloud services. AWS encrypts EBS volumes, S3 objects, and RDS instances by default with provider-managed keys (SSE-S3, AES-256). For stricter control, use customer-managed keys via AWS KMS, GCP Cloud KMS, or Azure Key Vault with monthly key rotation.
Encryption in transit: enforce TLS 1.2+ for all network communication. Use AWS Certificate Manager (ACM), GCP Certificate Manager, or Azure Key Vault for automated TLS certificate provisioning and renewal. Enable HTTP Strict Transport Security (HSTS) headers on web applications.
Key management hierarchy:
Customer Master Key (CMK/Hardware Security Module)
└── Key Encryption Key (KEK)
└── Data Encryption Key (DEK)
└── Encrypted dataEnvelope encryption allows encrypting large volumes of data without exposing the master key. The data key encrypts the actual data; the master key encrypts the data key. This is the standard approach for AWS KMS, GCP CMEK, and Azure Key Vault.
Monitoring and Detection
Audit logging — enable CloudTrail (AWS) for all regions and accounts, Cloud Audit Logs (GCP) for each project, and Activity Log (Azure) for each subscription. Protect audit logs with immutable storage (S3 Object Lock, Azure Blob Immutable Storage, GCP Bucket Lock) to prevent tampering by attackers with elevated privileges.
Threat detection services:
- AWS GuardDuty — continuous threat detection using machine learning, analyzing CloudTrail events, VPC Flow Logs, and DNS logs
- GCP Security Command Center — aggregated security posture with threat detection, vulnerability scanning, and compliance reporting
- Azure Defender — integrated threat protection across workloads, containers, databases, and storage
SIEM integration — forward audit logs to a centralized Security Information and Event Management system (Splunk, Elastic Security, Sentinel) for cross-account, cross-provider correlation. Set up automated alerts for:
- Root account or privileged user activity
- API calls from anomalous geographic locations
- Mass data downloads or deletions
- Failed authentication spikes (potential brute force)
- IAM policy changes
Secrets Management
Managing API keys, database passwords, and TLS certificates is a core cloud security function. Use dedicated secrets management services:
- AWS Secrets Manager — automatically rotates secrets for RDS, Redshift, and DocumentDB. Integrates with Lambda and ECS for secure credential injection. Stores secrets encrypted at rest with KMS, with automatic rotation schedules.
- GCP Secret Manager — provides versioned secrets with IAM access control, audit logging, and replication across regions. Integrates with Cloud Run, Cloud Functions, and Compute Engine via workload identity federation, eliminating the need for service account keys.
- Azure Key Vault — stores secrets, encryption keys, and certificates with hardware security module (HSM) support. Supports access policies, firewall rules, and VNet service endpoints for network isolation.
Never hardcode secrets in application code, configuration files, or CI/CD variables that are visible in logs. Use the provider’s SDK to fetch secrets at runtime from the secrets service. Implement secret rotation policies — rotate database credentials every 90 days, API keys every 180 days.
Compliance Frameworks
Cloud providers maintain certifications that can be inherited by customer workloads:
| Framework | AWS | GCP | Azure |
|---|---|---|---|
| SOC 1/2/3 | ✓ | ✓ | ✓ |
| ISO 27001 | ✓ | ✓ | ✓ |
| HIPAA | ✓ | ✓ | ✓ |
| PCI DSS | ✓ | ✓ | ✓ |
| FedRAMP | ✓ | ✓ | ✓ |
| GDPR | ✓ | ✓ | ✓ |
Review the provider’s compliance documentation (Artifact on AWS, Compliance Reports Manager on GCP, Service Trust Portal on Azure) and configure services within the compliant boundary. Use automated compliance scanning (AWS Config rules, GCP Policy Intelligence, Azure Policy) to detect drift.
Incident Response in the Cloud
Traditional incident response processes need adaptation for cloud environments:
- Detection — alerts from GuardDuty, Security Command Center, or Defender trigger incident creation
- Containment — revoke compromised IAM credentials, isolate affected instances (apply security group that blocks all traffic), detach compromised volumes for forensic analysis
- Eradication — terminate compromised instances, rotate all access keys and database credentials, apply security patches
- Recovery — restore from clean backups (validated), re-deploy infrastructure from IaC templates
- Post-mortem — analyze root cause, update IAM policies, improve detection rules, document runbooks
FAQ
Who is responsible for patching operating systems in the cloud? In IaaS models (EC2, Compute Engine), you are responsible for OS patching. Use automated patching solutions (AWS Systems Manager Patch Manager, Azure Update Management). In PaaS models (RDS, Cloud SQL, App Service), the provider handles OS patching; you are responsible for application-level patching.
What is the most common cloud security mistake?
Overly permissive IAM policies, particularly allowing "Effect": "Allow" with "Action": "*" on "Resource": "*". The Capital One breach began with a misconfigured WAF that allowed an attacker to assume a role with excessive S3 permissions.
How do I encrypt data in a multi-tenant cloud database?
Use Transparent Data Encryption (TDE) for SQL databases, client-side encryption for sensitive columns, and always enforce TLS for connections. Cloud providers encrypt data at rest by default — verify with aws rds describe-db-instances --query 'DBInstances[*].StorageEncrypted'.
Can cloud providers access my data? Provider employees have no default access to customer data. Access requires explicit customer approval (AWS Support Case, GCP Access Transparency). AWS Nitro System and GCP Shielded VMs provide technical guarantees that prevent provider access even with physical access to the server.
Do I need a cloud security posture management tool? For organizations with multiple accounts, projects, or cloud providers, CSPM tools (Wiz, Lacework, CrowdStrike Falcon Cloud Security, Palo Alto Prisma Cloud) provide automated visibility, compliance monitoring, and misconfiguration detection that native tools lack.
Cloud Computing Overview — Cloud Networking Guide — Cloud Monitoring Guide