Cloud Security Mastery: AWS, Azure & GCP Best Practices in 2025

Multi-cloud security guide covering IAM, network security, posture management, and AI threat detection

Level: Advanced · Reading time: 24 minutes

Securing multi-cloud environments requires understanding each platform's security model while maintaining consistent policies. This guide covers AWS GuardDuty, Azure Defender for Cloud, GCP Security Command Center, cloud IAM best practices, VPC security, encryption, CSPM tools, and AI-driven threat detection across AWS, Azure, and GCP.

Tags: Cloud Security, AWS, Azure, GCP, GuardDuty, Defender for Cloud, CSPM

Cloud Security Mastery: AWS, Azure & GCP in 2025

Shared Responsibility Model

Cloud provider handles: physical infrastructure, hypervisor, managed service security, global network. Customer handles: data encryption and classification, IAM, network security (VPCs, security groups), application security, OS patching (IaaS), service configuration. Misconfigurations and improper IAM cause most cloud breaches.

AWS Security

IAM Best Practices

Never use root for operations. Create IAM users/roles with specific least-privilege permissions. Use IAM roles for EC2 instead of access keys. Enable MFA for all human users. Use Organizations SCPs to enforce guardrails across accounts. Apply permission boundaries to limit maximum permissions even when policies grant more.

AWS Security Hub & GuardDuty

Security Hub aggregates findings from GuardDuty, Inspector, Macie, and third-party tools into a unified security score based on CIS Benchmarks. Enable across all regions using AWS Organizations.

GuardDuty ML detects: unauthorized API calls from unusual locations, port scanning from EC2 instances, cryptocurrency mining, compromised EC2 communicating with C2 servers, credential exfiltration. Enable via CLI: aws guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES. Also enable S3 protection, EKS audit log monitoring, RDS login monitoring.

Network Security

Security groups (stateful, instance-level) + NACLs (stateless, subnet-level). Enable VPC Flow Logs. Use AWS Network Firewall for deep packet inspection. AWS Shield Standard (free) for DDoS; Shield Advanced for production.

Azure Security

Microsoft Defender for Cloud

Secure Score target 80%+. Attack path analysis. Regulatory compliance dashboard (PCI DSS, HIPAA, SOC 2). Enhanced workload protections for VMs, App Service, SQL, Storage, Kubernetes.

Network Security

NSGs control inbound/outbound at subnet/NIC level. Azure Firewall provides stateful inspection with threat intelligence filtering. DDoS Protection Standard with adaptive tuning. Use Private Endpoints to keep PaaS traffic on Azure backbone.

Azure Policy

Enforce organization-wide: require HTTPS on storage, audit VMs without disk encryption, require SQL TDE, enforce MFA for privileged roles. Use Azure Security Benchmark as baseline initiative.

GCP Security

Security Command Center (SCC)

Unified view of findings across GCP. Security Health Analytics automated misconfiguration checks. Event Threat Detection ML identifies data exfiltration, brute force, cryptomining, compromised service accounts.

IAM Best Practices

Use service accounts for workloads. Create custom roles when built-ins are too permissive. Use Workload Identity Federation for GKE—no service account keys. Audit and remove unused keys regularly.

VPC Service Controls

Create perimeters around sensitive resources. Restrict API access to specific VPCs and authorized identities. Prevent BigQuery/Cloud Storage data exfiltration outside perimeter.

Multi-Cloud Security Governance

CSPM Tools

Wiz, Prisma Cloud, or Orca Security continuously assess across clouds: misconfigurations, excessive permissions, unencrypted data, public exposures, compliance violations. Target: detect misconfigurations within 1 hour of occurrence.
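As an added illustration of two of the finding types named above (excessive permissions and public exposures), the following Python runs CSPM-style checks over a constructed snapshot of AWS-style resources. It is not code from the page or from any CSPM vendor; the `iam_policies`/`security_groups` snapshot layout, the sample values and the finding labels are assumptions made for this example.

```python
import ipaddress

def _as_list(value):
    """IAM fields such as Action/Resource may be a string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def iam_policy_findings(policy):
    """Flag Allow statements granting wildcard actions on every resource."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):       # a single statement, not a list
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            findings.append(("EXCESSIVE_PERMISSIONS", stmt.get("Sid", "<no Sid>")))
    return findings

def security_group_findings(group, admin_ports=(22, 3389)):
    """Flag ingress rules that expose SSH/RDP to the entire internet (/0)."""
    findings = []
    for rule in group.get("IpPermissions", []):
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)  # no ports => all
        for rng in rule.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if net.prefixlen == 0 and any(lo <= p <= hi for p in admin_ports):
                findings.append(("PUBLIC_ADMIN_PORT", group["GroupId"], rng["CidrIp"]))
    return findings

def assess(snapshot):
    """Run every check over one account snapshot and return all findings."""
    findings = []
    for policy in snapshot.get("iam_policies", []):
        findings += iam_policy_findings(policy)
    for group in snapshot.get("security_groups", []):
        findings += security_group_findings(group)
    return findings

SAMPLE_SNAPSHOT = {  # constructed sample data, not taken from a real account
    "iam_policies": [{"Version": "2012-10-17", "Statement": [
        {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ReadOneBucket", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"}]}],
    "security_groups": [{"GroupId": "sg-0example", "IpPermissions": [
        {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}],
}
```

Running `assess(SAMPLE_SNAPSHOT)` yields one finding per category: the `AdminAll` statement and the world-open port 22 rule, while the scoped S3 statement and the HTTPS rule pass.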

Centralized SIEM

Ingest AWS CloudTrail, Azure Monitor, and GCP Audit Logs into Microsoft Sentinel or Splunk. AI correlation detects attacks spanning multiple cloud providers.

Encryption Strategy

At rest: platform-managed keys minimum; customer-managed keys (CMK) for sensitive data. Manage CMKs in AWS KMS, Azure Key Vault, or GCP Cloud KMS. Enable automatic key rotation annually.

In transit: enforce TLS 1.2+, certificate management via AWS ACM/Azure Key Vault/GCP Certificate Manager, consider mTLS for service-to-service communication.

Container Security in Cloud

Scan images in CI with Trivy or Snyk Container. Use cloud-native registries with built-in scanning (ECR, ACR, Artifact Registry). Apply Pod Security Standards in Kubernetes. Use Falco for runtime threat detection.

Security maturity: detect misconfigurations under 1 hour, respond to threats under 4 hours.

Related tools

AWS Security Hub, Azure Defender, GCP SCC, Wiz, Prisma Cloud