The complete Cloud Security Guide

The shared responsibility model is the foundation. It splits security between cloud provider and customer. The split varies by service:

• IaaS (EC2, Compute Engine, VMs): you secure OS, runtime, app, data, IAM
• PaaS (RDS, App Engine, App Service): provider secures OS & runtime; you secure app, data, IAM
• SaaS (Salesforce, M365): provider secures most; you secure data classification & access

IAM is where most cloud breaches start. The fundamentals:

• No long-lived access keys in CI/CD or developer machines. Use short-lived federation (OIDC, SSO, IRSA, Workload Identity).
• MFA on every human user — including emergency / break-glass accounts
• Least privilege — start with read-only roles; escalate by exception, not default
• Block root account daily use — set an alert on any root activity
• Service Control Policies (AWS Org), Conditional Access (Entra), Org Policies (GCP) — set guardrails at the account/tenant level
• Periodic access reviews — quarterly minimum, sooner for SDF-class data

Cloud-specific gotchas

Default network settings are usually too open. Tighten:

• VPCs by environment — prod, staging, dev should not share VPCs
• Private subnets for compute, public only for load balancers
• Egress filtering — most VPCs don't restrict outbound; data exfil happens via DNS, S3 to attacker-controlled buckets, etc.
• VPC endpoints / Private endpoints for S3, KMS, Secrets — keep traffic off the public internet
• WAF on public surfaces with managed rule sets enabled
• Service Mesh / Network Policy for inter-service in K8s

• Encryption at rest — KMS / Key Vault / Cloud KMS with customer-managed keys for sensitive data
• Encryption in transit — TLS 1.2+ everywhere, mTLS for service-to-service in production
• Bucket / Storage account public access blocked at account level
• S3 Block Public Access on, Object Lock for compliance-relevant data
• Database encryption with separate KMS key per tenant for multi-tenant SaaS
• Backup snapshots encrypted & cross-region replicated; restore tested quarterly
• DLP — detect & quarantine PII / cardholder data leakage in S3 / GCS / Blob

Stop putting secrets in:

• Environment variables baked into AMIs / container images
• Git repositories (use pre-commit hooks + vendor scanning)
• CI/CD pipeline plain text
• Kubernetes ConfigMaps

Start using:

• AWS Secrets Manager / SSM Parameter Store
• Azure Key Vault with managed identity access
• GCP Secret Manager with workload identity
• HashiCorp Vault for multi-cloud / on-prem hybrid
• External Secrets Operator in K8s for clean Pod injection

K8s is its own attack surface. Critical baselines:

• RBAC, not legacy ABAC — minimum-privilege roles and bindings
• Pod Security Admission at restricted level for non-system namespaces
• Network Policies — default-deny ingress/egress per namespace
• Image scanning in CI + admission control (Kyverno / OPA Gatekeeper)
• Image signing with cosign + verification at admission
• etcd encryption at rest with KMS provider plugin
• Audit logging sent to SIEM
• No privileged containers, hostPath mounts, or shared host PIDs in user workloads
• Drop NET_RAW, SYS_ADMIN capabilities by default

Without logs, you can't detect, investigate, or notify under DPDP §8(6). Minimum:

• CloudTrail / Activity Logs / Audit Logs enabled across all regions and accounts
• VPC Flow Logs on production subnets
• Centralised log aggregation (Security Hub, Sentinel, Chronicle, or self-hosted SIEM)
• Anomaly alerts on root usage, IAM changes, S3 public bucket creation, security group 0.0.0.0/0 rules
• Retention: 12 months minimum, 7 years for regulated workloads

Manual configuration auditing doesn't scale. CSPM tools continuously scan for misconfigurations:

• Native: AWS Security Hub + Config Rules, Defender for Cloud, GCP Security Command Center
• Multi-cloud: Wiz, Lacework, Prisma Cloud, Orca
• Open source: Prowler, ScoutSuite, CloudSploit, Steampipe

For Indian SMEs starting out, Prowler + native Security Hub is a credible day-1 stack at zero cost. Download our cloud security audit template (80+ controls).

The biggest cloud risk you don't control:

• Third-party SaaS integrations with broad OAuth scopes
• Container base images with unpatched CVEs
• Terraform / Helm modules from public registries
• npm / PyPI / Go module dependencies

Mitigations:

• SBOM generation in CI for every artifact
• Vulnerability scanning with severity gates blocking critical issues
• Pin dependencies + use lockfiles + verify checksums
• Vendor risk reviews for high-permission integrations

Cloud IR is faster than on-prem because everything is API-driven. Have ready:

• A compromise containment runbook per cloud — disable user/role, snapshot & isolate instance, rotate keys
• Forensic snapshots in a separate account/subscription with restricted access
• Read-only IR roles pre-created so you don't fumble during an incident
• Communication template for Board notification under DPDP §8(6) (72-hour clock)
• Tabletop exercises — every 6 months; rotate scenarios (S3 leak, IAM key theft, K8s pod escape)

Cloud security is layered. Pick the layer that's most exposed for your stack and start there:

1. Run the audit template against your AWS / Azure / GCP
2. Triage findings by severity + business risk
3. Fix top 10 high-severity issues this quarter
4. Set up CSPM (Prowler is free) for continuous monitoring
5. Run a tabletop on cloud IR before you need it