Cloud Security
AWS, Azure, GCP security, shared responsibility model, and cloud-native protection.
Overview
Cloud security protects data, applications, and infrastructure in cloud environments.
Shared Responsibility Model
Architecture Diagram
```
┌───────────────────────────────────────────┐
│ Customer Responsibility                   │
│ ┌───────────────────────────────────────┐ │
│ │ Data Security                         │ │
│ │ Application Security                  │ │
│ │ Operating System                      │ │
│ │ Network Configuration                 │ │
│ └───────────────────────────────────────┘ │
├───────────────────────────────────────────┤
│ Provider Responsibility                   │
│ ┌───────────────────────────────────────┐ │
│ │ Physical Security                     │ │
│ │ Network Infrastructure                │ │
│ │ Hypervisor                            │ │
│ │ Hardware                              │ │
│ └───────────────────────────────────────┘ │
└───────────────────────────────────────────┘
```
AWS Security
IAM Policies
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket/*"
    }
  ]
}
```
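As an added example (not code from the original page), the Python below checks a policy document like the one above for statements that exceed least privilege: wildcard actions, `Resource: "*"` without a narrowing `Condition`, and `NotAction`/`NotResource`. The sample policies, their `Sid` values, the region and the organisation ID are constructed for the demonstration; the document format is the standard IAM policy JSON shown above.

```python
import json
from typing import Any, List

# Constructed sample policies for the demonstration (not from any real account).
LEAST_PRIVILEGE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*" }
  ]
}
"""

OVERLY_BROAD_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*" },
    { "Sid": "ReadOnlyScoped", "Effect": "Allow", "Action": "ec2:DescribeInstances",
      "Resource": "*",
      "Condition": { "StringEquals": { "aws:RequestedRegion": "eu-west-1" } } },
    { "Sid": "DenyOutsideOrg", "Effect": "Deny", "Action": "*", "Resource": "*",
      "Condition": { "StringNotEquals": { "aws:PrincipalOrgID": "o-exampleorgid" } } }
  ]
}
"""


def _as_list(value: Any) -> List[Any]:
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json: str) -> List[str]:
    """Return one finding per Allow statement that grants more than least privilege."""
    policy = json.loads(policy_json)
    findings: List[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only take permissions away
        sid = stmt.get("Sid", f"Statement[{idx}]")
        has_condition = bool(stmt.get("Condition"))

        if "NotAction" in stmt:
            findings.append(f"{sid}: NotAction allows every action except those listed")
        if "NotResource" in stmt:
            findings.append(f"{sid}: NotResource allows every resource except those listed")

        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{sid}: Action '*' grants every API call")
            elif "*" in action:
                findings.append(f"{sid}: wildcard action '{action}'")

        for resource in _as_list(stmt.get("Resource")):
            # Some read-only calls do not support resource-level permissions and need
            # Resource "*"; a Condition that narrows region, VPC or principal keeps
            # such a statement scoped, so only the unconditioned form is flagged.
            if resource == "*" and not has_condition:
                findings.append(f"{sid}: Resource '*' with no Condition")
    return findings


if __name__ == "__main__":
    print("least-privilege:", audit_policy(LEAST_PRIVILEGE_POLICY))
    print("overly broad:   ", audit_policy(OVERLY_BROAD_POLICY))
```

Run it against policies exported from your own account (`aws iam get-policy-version` returns the same JSON shape) to get a quick list of statements worth tightening before a full access-analyzer review.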
Security Groups
```bash
# Allow inbound HTTPS (TCP 443) from any IPv4 address
aws ec2 authorize-security-group-ingress \
  --group-id sg-12345678 \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0
```
Azure Security
Network Security Groups
```bash
# Create an inbound NSG rule allowing HTTPS (TCP 443)
az network nsg rule create \
  --nsg-name myNsg \
  --resource-group myResourceGroup \
  --name AllowHTTPS \
  --priority 100 \
  --direction Inbound \
  --destination-port-ranges 443 \
  --protocol Tcp \
  --access Allow
```
GCP Security
Firewall Rules
```bash
# Allow all TCP, UDP and ICMP traffic from the internal 10.0.0.0/8 range
gcloud compute firewall-rules create allow-internal \
  --network default \
  --allow tcp,udp,icmp \
  --source-ranges 10.0.0.0/8
```
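The AWS, Azure and GCP commands above all express the same control: which source ranges may reach which ports. As an added example that is not part of the original page, the Python below normalises inbound rules from all three providers into one shape and flags any rule that exposes something other than the web ports to the whole Internet. The `IngressRule` class, the `PUBLIC_OK_PORTS` allow-list and the sample inventory are assumptions for the demonstration; the first three sample rules mirror the page's own commands (the Azure rule has source `*` because the page's `az` command omits `--source-address-prefixes`, which defaults to `*`), and the remaining three are constructed risky rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumption: only the web ports may face the Internet; everything else must be
# restricted to known source ranges (VPN, bastion, internal CIDRs).
PUBLIC_OK_PORTS = {80, 443}


@dataclass
class IngressRule:
    """Provider-neutral view of one inbound rule (shape assumed for this example)."""
    provider: str             # "aws", "azure" or "gcp"
    name: str                 # security group / NSG rule / firewall rule name
    protocol: str             # "tcp", "udp", "icmp", or "all" / "*" / "-1" for any
    port_from: Optional[int]  # None when the rule covers every port or a portless protocol
    port_to: Optional[int]
    source: str               # CIDR, or an Azure wildcard / service tag such as "*" or "Internet"


# Constructed sample inventory. The first three mirror the page's own commands;
# the last three are deliberately over-permissive so the audit has something to report.
SAMPLE_RULES = [
    IngressRule("aws", "sg-12345678/https", "tcp", 443, 443, "0.0.0.0/0"),
    IngressRule("azure", "myNsg/AllowHTTPS", "tcp", 443, 443, "*"),
    IngressRule("gcp", "allow-internal", "all", None, None, "10.0.0.0/8"),
    IngressRule("aws", "sg-12345678/ssh-open", "tcp", 22, 22, "0.0.0.0/0"),
    IngressRule("azure", "myNsg/AllowAnyInbound", "*", None, None, "Internet"),
    IngressRule("gcp", "allow-rdp-v6", "tcp", 3389, 3389, "::/0"),
]


def is_world_open(source: str) -> bool:
    """True if the source covers the whole Internet (IPv4 or IPv6)."""
    if source in ("*", "Internet"):           # Azure wildcard / service tag
        return True
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False                           # SG references and other service tags are not CIDRs
    return net.prefixlen == 0                  # 0.0.0.0/0 or ::/0


def audit_ingress(rules: List[IngressRule]) -> List[str]:
    """Return one finding per rule that exposes a non-web port (or every port) to the Internet."""
    findings: List[str] = []
    for r in rules:
        if not is_world_open(r.source):
            continue  # scoped to a known range: not a world-open exposure
        tag = f"{r.provider}:{r.name}"
        if r.protocol in ("all", "*", "-1"):
            findings.append(f"{tag}: all protocols open to the Internet from {r.source}")
            continue
        if r.port_from is None or r.port_to is None:
            findings.append(f"{tag}: {r.protocol} on every port open to the Internet from {r.source}")
            continue
        # Any port in the range that is not on the allow-list is an exposure.
        exposed = sorted(set(range(r.port_from, r.port_to + 1)) - PUBLIC_OK_PORTS)
        if exposed:
            findings.append(
                f"{tag}: {r.protocol} port(s) {exposed[0]}-{exposed[-1]} "
                f"open to the Internet from {r.source}"
            )
    return findings


if __name__ == "__main__":
    for line in audit_ingress(SAMPLE_RULES):
        print(line)
```

The normalisation step is the part that carries over to real inventories: `aws ec2 describe-security-groups`, `az network nsg rule list` and `gcloud compute firewall-rules list --format=json` each return their own JSON, and a thin adapter per provider into `IngressRule` lets one audit cover all three.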
Cloud Security Tools
| Tool | Provider | Purpose |
|---|---|---|
| GuardDuty | AWS | Threat detection |
| Security Center | Azure | Security posture |
| SCC (Security Command Center) | GCP | Security posture and findings |
| CloudTrail | AWS | API logging |
| Monitor | Azure | Activity logs |
Best Practices
- Enable MFA: multi-factor authentication
- Encrypt Data: at rest and in transit
- Least Privilege: minimum access
- Logging: enable cloud logs
- Backup: regular data backups
Practice
Configure AWS IAM policies with least privilege access.