📕 Learning Objectives

• Basics aspects of managing cloud resources and related tasks

• Cloud access control fundamentals

Cloud Security

Securing cloud resources involves implementing measures and best practices to protect data, applications and infrastructure deployed in a cloud environment from unauthorized access, data breaches and other security threats. Cloud security is a shared responsibility between the cloud service provider (CSP) and the cloud user (customer).

Shared Responsibility Model

🔗 Shared Responsibility Model - Crowdstrike

From a security standpoint, the responsibility depends on what level of service is used.

At the level of data plane and control plane (tools, consoles, CLI, SDK), securing cloud resources is important and IAM is a key aspect of it.

• Identity protection

• Strong authentication mechanisms

• Control access

• Data encryption

• Network security

• Patching and updates

Security measures must be applied to both the data and the control plane.

Defense in depth

Defense in depth (layered security) is a principle and strategy in cloud security that involves implementing multiple layers of security controls and measures to protect cloud resources from various threats and attacks.

• Robust and resilient posture

• Mitigate the risk of a single security control

Public Network (Perimeter)

• Public firewall, DDos Prevention, IDS/IPS, etc

Local Network

• nACL, Device Hardening, Monitoring, etc

Operating System (Endpoint)

• Hardening, Patching, Endpoint Protection, Monitoring, etc

Service (Application)

• Hardening, Patching, Monitoring, Vuln Scanning, Testing, etc

Workload

• Authentication, Authorization, Auditing, Data access control, Monitoring, Encryption (in transit & at rest), MFA, etc

🔗 e.g. Google Cloud networking in depth

Cloud Attacks

Cloud platform attacks refer to security incidents and vulnerabilities that specifically target cloud computing platforms.

🔗 Top 10 Cloud Attacks and What You Can Do About Them - aquasec.com

Attacks targets

• Identities - SaaS, Cloud Platform, Data plane identities

  • e.g. - administrator Azure AD credentials/identities

• Data

  • e.g. - AWS S3 bucket, or relational/non-relational data

• Services - SaaS, Control plane services, Compute instance

  • e.g. - emails, automation (API), EC2

Attack Methods

• Misconfiguration - intentional or unintentional

  • e.g. - Publicly available data stores or services (DBs, public API, etc)

• Account hijacking

  • e.g. - Brute force, Password spraying, Credentials stuffing

• Service hijacking

  • e.g. - Insecure API Keys

• Malware injection

  • e.g. - compromised web app, API compromised bad code, infected VM, code repositories (open-source libraries)

IAM & Identity Protection

Sources

Providers naming: AWS/GCP IAM, Azure AD

• Users - Cloud User, Guest User, External/Hybrid User (Federated Systems)

  • minimize privileged admin/root (cloud subscription account) user access

  • create groups and use dynamic management

  • security assessments and auditing user configuration

  • apply least required rights concept (POLP)

• Resources

  • apply least privileges and audit resource access & review

  • use dynamic access policies

  • separate control plane and data plane access

e.g. It can be useful to organize user identities into a flow like this:

User identity/credentials (Access management)

⬇️

Group

⬇️

Role

⬇️

Resource

📌 CSPs Identity Management

🔗 AWS IAM Identities

• Users, Roles, Policies

🔗 Azure AD

• Users, Service Principals, Managed Identities, Roles

🔗 Google Cloud IAM

• Google Account, Service Account, Role, Policy

All the CSPs have identity protection services like

• AWS CloudTrail, Trusted Advisor

• Azure Identity Protection and AD Logs

• Google Cloud Identity, Advanced Protection Program, Security Key

Vulnerabilities

e.g. Account & Login vulnerabilities:

• weak passwords, leaked credentials, threat intelligence

• location/IP anomalies, password spraying, brute force attacks

📌 Best practices for accessing and managing cloud resources and users:

• use strong authentication (MFA) & enforce strong password policies

• implement role-based/conditional access control

• monitor user activities & review user permissions/config

• use secure connection protocols & data encryption

• implement network segmentation

• regular systems patching & users training

• audit unused accounts

Response

1. Revoke the permissions for the compromised identity and isolate it

2. Reset identities (session tokens, API & access keys)

3. Review what happened and determine impact with IT and business colleagues

4. Remediate and fix it, improve processes and plan of action, report

5. Return to operating state and monitor

Resource Protection

Data

There are many types of cloud data like

• files, relational/non-relational databases (managed, proprietary, IaaS), big data, sensitive data

Protecting cloud data at rest involves implementing mechanisms to ensure the confidentiality, integrity and availability of data even when it is not actively being accessed or transmitted.

• network controls and permissions

• encryption, hardware security module

• backup, replication

Protecting cloud data in transit involves security measures and protocols to safeguard data transmitted across networks.

• encryption (always) through secure communication protocols

• Hardware security modules (HSM)

📌 Best practices for cloud data protection:

• Access controls - limit access to resource, data, network

• Encryption - at rest, in transit, end-to-end

• Backup and Recovery

• Regular security Audits and assessments

🔗 GCP Data Encryption options

🔗 AWS Data Encryption

🔗 Azure Storage service-side encryption

Network

The cloud provider ensures network and (virtualized and physical) infrastructure protection through DDoS protection and general threat protection.

The physical connection between the cloud resources of one customer and those of another is handled by the cloud vendor. The customer is responsible for the physical network between their cloud resources.

At tenant level, there are some layers to protect and that the customer is responsible for, such as:

• AWS VPC

  • Network ACL - Subnet level

  • Security Group - EC2 level

  • PrivateLink - establish private connectivity between Virtual Private Clouds and supported services.

• Azure Network Security

  • Network Security Group - Subnet & Instance level

  • Private Endpoint

• Google Cloud Network Security

  • Firewall Rule - VPC, Subnet, VM Level

  • VPC Service Controls

Additional network security services:

• AWS - Shield, Web Application Firewall (WAF), GuardDuty

• Azure - Firewall, App Gateway, FrontDoor

• Google - Cloud Armor

📌 Best practices for cloud network protection:

• leverage cloud provider tools and limit public attack surface

  • check firewall rules and don't open ports globally

• monitor, setup alerts for abnormal usage and have a playbook for this kind of activity

Compute

Infrastructure compute protection involves

• patch management

  • IaaS - automated OS patching (AWS, Azure) & service

• resource protection

• OS hardening (run only required services, with most secure settings)

• monitoring (logs)

• attack surface minimization (block ports).

• availability (multiple instances)

Platform compute protection involves the cloud provider to secure the services and operating system of the running application

• custom options can also be set up by the customer

• PaaS - always patched by the CSP

Confidential computing enables the execution of workloads while keeping the data and code confidential, protecting them from the cloud service provider, other tenants and potential attackers, unauthorized data access, inside a trusted isolated execution environment (application enclave).

• Confidential compute requires specific compute instance sizes and hardware

🔗 Azure Confidential Computing

• e.g. Azure - Confidential computing on a healthcare platform

Monitoring is a built-in feature into the cloud platform.

• 3rd party agent monitoring can also be used

🔗 Azure Monitoring

Compliance

Cloud Regulatory Compliance refers to the adherence to specific laws, regulations and industry standards that govern the protection, privacy and security of data and systems within the cloud computing environment. Organizations that operate in regulated industries or handle sensitive data are required to comply with various legal and industry-specific requirements and frameworks.

Key aspects:

• data protection regulations (GDPR, CCPA, HIPAA)

• security standards (PCI DSS, ISO 27001, NIST CyberSec framework

• data residency and vendor due diligence

• audit and reporting

• incident response

• data backup and retention

CSP Regulatory Support

📌 Tools

• 🔗 Amazon GuardDuty

• 🔗 Azure Compliance Manager

• 🔗 GCP Security Command Center

📌 Documentation

• 🔗 AWS Artifact

• 🔗 Microsoft Trust Center

• 🔗 GCP Compliance Resource Center

Tenant Responsibilities

Since the customer is responsible for cloud services compliance, he should

• understand customer compliance requirements and document provider compliance with regulations

• implement customer responsibilities

• use provider tools to maintain compliance

Common Protected Data

Protected data refers to sensitive information that requires special safeguards and security measures to ensure its confidentiality, integrity and availability.

• PII (Personally Identifiable Information) - individual data

• PHI (Protected Health Information) - healthcare

  • HIPAA (Health Insurance Portability and Accountability Act)

• Financial Data - sensitive banking information (PII, PCI-DSS)

• IP (Intellectual Property) - inventions, patents, copyrights, business plans

• Legal & Compliance Data

• Confidential Business Data & business reputation

• Regional Considerations

  • GDPR-EU (General Data Protection Regulation)

  • CCPA (California Consumer Privacy Act)

  • etc

🔗 HIPAA Reference Architecture on AWS

• AWS HIPAA

  • Under the HIPAA regulations, cloud service providers (CSPs) such as AWS are considered business associates

🔗 Google Cloud HIPAA - Compliance