Shared Responsibility Model
Cloud providers secure the infrastructure; you secure your data and configurations. Understanding this boundary is critical for cloud security.
Identity and Access Management
AWS IAM Best Practices
// Least privilege IAM policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-bucket/uploads/*",
"Condition": {
"StringEquals": {
"aws:PrincipalTag/Department": "Engineering"
}
}
}
]
}Azure RBAC
// Custom role definition
{
"Name": "App Reader",
"IsCustom": true,
"Description": "Read-only access to application resources",
"Actions": [
"Microsoft.Web/sites/read",
"Microsoft.Web/sites/config/read"
],
"NotActions": [],
"AssignableScopes": [
"/subscriptions/{subscription-id}/resourceGroups/app-rg"
]
}Network Security
VPC Security (AWS)
// Terraform VPC with security groups
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
enable_dns_hostnames = true
tags = {
Name = "secure-vpc"
}
}
resource "aws_security_group" "web" {
name = "web-sg"
description = "Security group for web servers"
vpc_id = aws_vpc.main.id
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["10.0.0.0/16"] // Only internal
}
}Private Endpoints
// Azure Private Endpoint for Storage
resource "azurerm_private_endpoint" "storage" {
name = "storage-pe"
location = azurerm_resource_group.main.location
resource_group_name = azurerm_resource_group.main.name
subnet_id = azurerm_subnet.private.id
private_service_connection {
name = "storage-connection"
private_connection_resource_id = azurerm_storage_account.main.id
subresource_names = ["blob"]
is_manual_connection = false
}
}Data Encryption
Encryption at Rest
// AWS S3 bucket encryption
resource "aws_s3_bucket" "secure" {
bucket = "my-secure-bucket"
}
resource "aws_s3_bucket_server_side_encryption_configuration" "secure" {
bucket = aws_s3_bucket.secure.id
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = aws_kms_key.bucket_key.arn
sse_algorithm = "aws:kms"
}
bucket_key_enabled = true
}
}Encryption in Transit
// Enforce HTTPS on CloudFront
resource "aws_cloudfront_distribution" "cdn" {
viewer_certificate {
acm_certificate_arn = aws_acm_certificate.cert.arn
ssl_support_method = "sni-only"
minimum_protocol_version = "TLSv1.2_2021"
}
default_cache_behavior {
viewer_protocol_policy = "redirect-to-https"
}
}Secrets Management
// AWS Secrets Manager
import { SecretsManagerClient, GetSecretValueCommand } from '@aws-sdk/client-secrets-manager';
const client = new SecretsManagerClient({ region: 'us-east-1' });
async function getSecret(secretName) {
const command = new GetSecretValueCommand({ SecretId: secretName });
const response = await client.send(command);
return JSON.parse(response.SecretString);
}
// Usage
const dbCreds = await getSecret('prod/db/credentials');Security Monitoring
AWS GuardDuty
// Enable GuardDuty with Terraform
resource "aws_guardduty_detector" "main" {
enable = true
datasources {
s3_logs {
enable = true
}
kubernetes {
audit_logs {
enable = true
}
}
}
}Azure Defender
// Enable Defender for Cloud
resource "azurerm_security_center_subscription_pricing" "defender" {
tier = "Standard"
resource_type = "VirtualMachines"
}
resource "azurerm_security_center_contact" "security" {
email = "security@company.com"
alert_notifications = true
alerts_to_admins = true
}Compliance
// AWS Config rules for compliance
resource "aws_config_config_rule" "s3_bucket_public_read_prohibited" {
name = "s3-bucket-public-read-prohibited"
source {
owner = "AWS"
source_identifier = "S3_BUCKET_PUBLIC_READ_PROHIBITED"
}
}
resource "aws_config_config_rule" "encrypted_volumes" {
name = "encrypted-volumes"
source {
owner = "AWS"
source_identifier = "ENCRYPTED_VOLUMES"
}
}Conclusion
Cloud security requires a comprehensive approach covering identity, network, data, and monitoring. Leverage native security services and automate compliance checks.