The Shared Responsibility Model: Where Security Starts
Before diving into best practices, understand the foundational concept of cloud security: the shared responsibility model.
AWS and Azure are responsible for security OF the cloud: the physical data centers, the hypervisor, the network backbone and the storage hardware.
You are responsible for security IN the cloud: your data, identity and access management, operating system patching, the network controls you configure, and your application code. The line moves with the service model: on a managed database service the provider patches the engine and its host, while on a virtual machine that work is yours.
Most cloud breaches happen on the customer's side of that line. Publicly readable S3 buckets, over-permissive IAM roles and unpatched EC2 instances are customer failures, not provider failures.
Understanding this model tells you exactly where to focus your security effort.
Identity and Access Management (IAM)
IAM is the most important security control in cloud environments. Get this right first.
Enforce Multi-Factor Authentication
Enable MFA on every human identity, starting with the root user. The AWS root user should have MFA enrolled, its access keys deleted, and its credentials locked away; day-to-day work uses IAM Identity Center or IAM roles, never root.
AWS: Enable MFA on the root user of every account immediately. In AWS Organizations, a Service Control Policy can deny API calls from sessions that lack MFA (the aws:MultiFactorAuthPresent condition key). Write it with BoolIfExists so it does not block role sessions that never carry that key, leave the actions needed to enroll a device allowed, and remember that SCPs never apply to the management account.
Azure: Use Microsoft Entra ID (formerly Azure AD) Conditional Access policies to require MFA for all users. Conditional Access needs an Entra ID P1 license; tenants without it can turn on Security Defaults instead. Prefer phishing-resistant methods such as FIDO2 hardware keys, with Microsoft Authenticator as the fallback.
Apply Least Privilege Religiously
Every role and user should carry only the permissions its task needs. The hard part is not writing tight policies for new workloads; it is finding the over-permissioned principals that already exist.
Practice: When writing IAM policies, start from zero permissions and add only what is required, scoped to specific resource ARNs and conditions. Never start broad and try to narrow down later; the narrowing rarely happens.
Tools: IAM Access Analyzer's unused access findings flag roles, access keys and individual permissions that have gone unused for a set period, and its policy validation flags over-broad statements before they are deployed. Entra ID Access Reviews make resource owners periodically recertify role assignments and group memberships, which is how stale privileges in Azure get found.
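The following is an added example, not code from the article and not IAM Access Analyzer itself: a small offline linter that flags the patterns least privilege is meant to prevent (Action "*", service-wide wildcards, Allow with NotAction, and Resource "*" on escalation-capable actions without a Condition). The three policy documents it checks are constructed for illustration, and the account ID, bucket and function names in them are placeholders.

```python
"""Lint IAM policy documents for the over-permissioning patterns least
privilege is meant to prevent.

Added example, not code from the article. It runs offline on the policy
documents embedded below (constructed for illustration) and mirrors a few of
the checks IAM Access Analyzer's policy validation performs; it is not that tool.
"""

# Actions that grant or escalate access: a wildcard resource on these is a
# privilege-escalation path rather than untidiness.
SENSITIVE_ACTIONS = {
    "iam:passrole", "iam:createpolicyversion", "iam:setdefaultpolicyversion",
    "iam:attachuserpolicy", "iam:attachrolepolicy", "iam:putuserpolicy",
    "iam:putrolepolicy", "iam:updateassumerolepolicy", "sts:assumerole",
    "lambda:updatefunctioncode",
}


def _as_list(value):
    """Policy grammar allows a single string or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return human-readable findings for one IAM policy document."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        sid = stmt.get("Sid") or f"Statement[{index}]"
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))

        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed, including future services")
        if "*" in actions:
            findings.append(f"{sid}: Action '*' is full administrative access")
            continue
        for action in actions:
            if action.endswith(":*"):
                findings.append(f"{sid}: service-wide wildcard {action}")
        if "*" in resources and not conditioned:
            escalating = sorted(a for a in actions if a in SENSITIVE_ACTIONS)
            if escalating:
                findings.append(f"{sid}: {', '.join(escalating)} on Resource '*' without a Condition is a privilege-escalation path")
            else:
                findings.append(f"{sid}: Resource '*' without a Condition; scope to specific ARNs")
    return findings


# Constructed policies. Account 123456789012 and the ARNs are placeholders.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

DRIFTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadBucket", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Sid": "DeployLambda", "Effect": "Allow", "Action": ["lambda:UpdateFunctionCode", "iam:PassRole"], "Resource": "*"},
    {"Sid": "AllOfEC2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Sid": "DenyDeletes", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}

SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadBucket", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-assets", "arn:aws:s3:::example-app-assets/*"]},
    {"Sid": "DeployLambda", "Effect": "Allow", "Action": "lambda:UpdateFunctionCode",
     "Resource": "arn:aws:lambda:us-east-1:123456789012:function:example-app"},
    {"Sid": "PassOnlyAppRole", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/example-app-lambda",
     "Condition": {"StringEquals": {"iam:PassedToService": "lambda.amazonaws.com"}}}]}

if __name__ == "__main__":
    for name, policy in [("admin", ADMIN_POLICY), ("drifted", DRIFTED_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, lint_policy(policy) or ["no findings"])
```

The DeployLambda statement is the one worth studying: iam:PassRole on Resource "*" lets the caller hand any role in the account, including an administrator role, to a Lambda function it controls. The scoped version names the single role that may be passed and pins it to the Lambda service with iam:PassedToService.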
Use Roles, Not Long-Term Credentials
Avoid creating IAM users with access keys for applications. Instead, use:
- AWS: IAM roles attached to EC2 instances (instance profiles), Lambda functions and ECS tasks. The application obtains short-lived credentials from the runtime and never stores any in code. Require IMDSv2 on instances so that a server-side request forgery bug cannot read the role's credentials from the metadata endpoint.
- Azure: Managed Identities for Azure services. No passwords, no secrets to manage, and the token is issued to the resource rather than stored in it.
If you must use access keys (for humans or legacy systems), rotate them at least every 90 days, give each key a single purpose, and never commit them to source code; a secret scanner in the commit pipeline enforces that rule instead of relying on memory.
Privileged Access Management
For human administrators:
- Use AWS IAM Identity Center (SSO) with short-lived session credentials; on Azure, Entra Privileged Identity Management (PIM) grants admin roles just-in-time for a bounded window
- Keep break-glass accounts for emergency access: excluded from Conditional Access and SSO dependencies, protected by hardware MFA, stored offline, and alerted on whenever they are used
- Log all privileged access, and alert on it rather than just recording it
Network Security
VPC/VNet Design
Segment your network from the start:
- Public subnets: Load balancers, NAT gateways — exposed to internet
- Private subnets: Application servers — no direct internet access
- Database subnets: Databases — no internet access, accessible only from application subnet
Never put databases in public subnets. Never assign public IPs to application servers.
Security Groups and Network ACLs
Security groups (AWS) and Network Security Groups (Azure) are your first line of defense. Security groups are stateful and attach to instances; network ACLs are stateless, attach to subnets, and work best as a coarse backstop (blocking known-bad ranges, for example) rather than as the primary filter.
- Default: deny all inbound, allow all outbound. The permissive outbound default deserves a second look for servers that should only talk to known endpoints; egress filtering is what stops a compromised host from fetching tooling or exfiltrating data.
- Only open the specific ports you need (443, plus 80 only to redirect to HTTPS, for web servers), and where the source is internal, open them to the security group of the tier in front rather than to a CIDR.
- Restrict SSH (22) and RDP (3389) to specific IPs only, or better, do not open them at all: use Session Manager on AWS or Azure Bastion on Azure.
AWS best practice: Use AWS Systems Manager Session Manager instead of SSH. No inbound ports are required, sessions are logged to CloudWatch Logs or S3, and access is governed by IAM rather than by key distribution.
Web Application Firewall
Put WAF in front of public-facing applications:
- AWS WAF with AWS Managed Rules: the Core rule set and Known Bad Inputs groups cover common injection and exploit patterns, the IP reputation lists block known-bad sources, and Bot Control handles automated traffic. A WAF reduces exposure to the OWASP Top 10 classes; it does not fix the vulnerable code behind it.
- Azure Front Door or Application Gateway with a WAF policy (managed rule set derived from the OWASP Core Rule Set). Run new rules in detection mode first and review the logs before switching to prevention.
Private Endpoints
Services like S3 and Azure Storage should be accessed through private endpoints (VPC endpoints on AWS, Private Link on Azure) so that traffic stays on the provider's private network and never traverses the internet. Pair the endpoint with an endpoint policy that restricts it to your own buckets or storage accounts, and disable public network access on the storage account; otherwise the private path exists but the public one is still open.
Data Protection
Encryption Everywhere
At rest: Enable encryption for all storage services: S3 default encryption, EBS encryption by default, RDS encryption, Azure Storage service-side encryption and Azure Disk Encryption. Use customer-managed keys (CMK) for sensitive data, which puts key rotation and revocation in your hands. Revocation is a blunt instrument: disabling a key makes every volume, snapshot and object under it unreadable, so keep the key's policy tightly controlled and alert on changes to it.
In transit: Enforce TLS 1.2 or newer for all APIs and services and disable older versions. On AWS, an S3 bucket policy can deny requests where aws:SecureTransport is false or s3:TlsVersion is below 1.2, and load balancers and API Gateway take a TLS security policy; on Azure, storage accounts have a "Secure transfer required" switch and a minimum TLS version setting, and App Service and Azure SQL have their own.
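As an added example (not code from the article), the bucket policy that enforces transport encryption on AWS, built in Python so that it can be checked against sample request contexts. The bucket name is a placeholder, the request contexts are constructed, and the evaluator below handles only the two Deny statements and the two condition operators this policy uses; it is a teaching aid, not the IAM policy engine.

```python
"""Build an S3 bucket policy that refuses plaintext and pre-1.2 TLS requests,
and check it against sample request contexts.

Added example, not code from the article. The bucket name is a placeholder.
The evaluator handles only Deny statements with the Bool and NumericLessThan
operators used here; it is not the IAM policy engine.
"""
import json
from typing import Optional

BUCKET = "example-sensitive-data"  # placeholder bucket name


def transport_policy(bucket: str) -> dict:
    """Explicit Deny wins over any Allow, so these statements bind every
    principal, including the account's own administrators."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyPlaintext",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": arns,
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {
                "Sid": "DenyOldTls",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": arns,
                "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}},
            },
        ],
    }


def _condition_matches(condition: dict, context: dict) -> bool:
    """Every operator/key pair in a Condition block must match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                return False  # plain (non-IfExists) operators fail on a missing key
            actual = context[key]
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "NumericLessThan":
                if not float(actual) < float(expected):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def is_denied(policy: dict, context: dict) -> Optional[str]:
    """Return the Sid of the first Deny statement matching the request
    context, or None when no Deny applies (Allow decisions are out of scope)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and _condition_matches(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


# Constructed request contexts, populated as the condition keys would be.
HTTP_REQUEST = {"aws:SecureTransport": "false"}
TLS10_REQUEST = {"aws:SecureTransport": "true", "s3:TlsVersion": "1.0"}
TLS13_REQUEST = {"aws:SecureTransport": "true", "s3:TlsVersion": "1.3"}

if __name__ == "__main__":
    policy = transport_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    for name, ctx in [("http", HTTP_REQUEST), ("tls1.0", TLS10_REQUEST), ("tls1.3", TLS13_REQUEST)]:
        print(f"{name}: {is_denied(policy, ctx) or 'not denied by this policy'}")
```

Note the missing-key behaviour: a plain HTTP request carries no s3:TlsVersion, so DenyOldTls does not match it, and it is DenyPlaintext that rejects the request. Both statements are needed; neither alone covers both cases.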
S3 / Blob Storage Hardening
Misconfigured object storage is one of the most common causes of cloud data exposure.
AWS S3 checklist:
- Enable "Block all public access" at the account level (buckets created since April 2023 get it by default, with ACLs disabled; older buckets do not)
- Enable S3 server access logging, or CloudTrail data events where you need object-level API calls with the caller's identity
- Enable bucket versioning for critical data
- Enable MFA Delete on critical buckets (requires versioning, and can only be turned on by the root user through the CLI or API, so plan it into the root credential ceremony)
- Review bucket policies quarterly with Access Analyzer
Azure Blob Storage:
- Disable public anonymous access at the storage account level (allowBlobPublicAccess set to false), and set public network access to disabled where private endpoints are in place
- Enable soft delete for blobs and containers, and versioning for critical data
- Prefer Entra ID authentication over account keys; where SAS tokens are unavoidable, use user delegation SAS with minimum permissions and a short expiry, since they are bound to an Entra identity and can be revoked by revoking the delegation key
- Enable Microsoft Defender for Storage (formerly Azure Defender for Storage) for anomalous-access detection and malware scanning of uploads
Monitoring and Detection
Enable Cloud-Native Security Services
These services require minimal configuration and provide immediate value:
AWS:
- AWS CloudTrail: Log all API calls. Use an organization trail that covers every account and region, turn on log file validation, send the logs to a dedicated, locked-down S3 bucket in a separate account, and alarm on critical events (root login, IAM policy changes, failed console logins, CloudTrail being stopped or deleted).
- AWS GuardDuty: Threat detection over CloudTrail, VPC flow logs and DNS logs using threat intelligence and anomaly models. It detects compromised credentials, crypto mining, data exfiltration and unusual API calls. Enable it in every account and region through the delegated administrator, then route findings to a queue someone actually triages; detection without response is only a bill.
- AWS Security Hub: Centralizes findings from GuardDuty, Inspector, Macie, IAM Access Analyzer and third-party tools, and runs the CIS and AWS Foundational Security Best Practices checks.
- AWS Config: Records resource configuration history and evaluates rules against it, alerting on drift from the approved state.
Azure:
- Microsoft Defender for Cloud: Security posture management (Secure Score, regulatory compliance dashboards) and workload threat protection across Azure, with connectors for AWS and GCP.
- Azure Monitor + Log Analytics: Centralize all logs, including Entra ID sign-in and audit logs and the Activity Log from every subscription.
- Microsoft Sentinel: Cloud-native SIEM that correlates across Entra ID, Azure, Microsoft 365 and custom sources.
Compliance and Governance
Implement Infrastructure as Code (IaC)
All cloud resources should be defined in code (Terraform, CloudFormation, Bicep) and applied through a pipeline rather than by hand. Benefits:
- Consistent, auditable configuration, with changes reviewed like any other code
- Security controls enforced at provisioning, and policy checks run against templates before they are applied
- Drift detection (compare running config to the IaC definition; drift is either an emergency change that needs a ticket or an attacker's change)
Continuous Compliance Scanning
Tools that continuously scan your cloud environment for misconfigurations:
- AWS: AWS Config Rules + Security Hub (CIS benchmark and AWS Foundational Security Best Practices checks built in)
- Azure: Azure Policy + Defender for Cloud (Microsoft cloud security benchmark and CIS checks built in)
- Multi-cloud: Prisma Cloud, Lacework, Wiz
Key checks to automate: console users without MFA, public S3 buckets, security groups allowing 0.0.0.0/0 (or ::/0) on sensitive ports, unencrypted volumes and databases, and any root account activity.
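Four of those checks, run over a constructed account snapshot, as an added example that is neither the article's code nor any vendor's scanner; it also covers the security-group rule described in the Network Security section (0.0.0.0/0 or ::/0 on a sensitive port, including the all-protocols "-1" rule and wide port ranges that happen to include one). The snapshot is hand-written to mirror the shape of the AWS API responses (describe-security-groups, get-public-access-block, describe-volumes) plus the per-user MFA data a real scanner would assemble from IAM; group IDs, bucket names and user names are placeholders.

```python
"""Run four posture checks over a constructed account snapshot: security
groups open to the internet on sensitive ports, buckets without a complete
public access block, console users without MFA, and unencrypted EBS volumes.

Added example; not the article's code or any vendor's scanner. The snapshot
mirrors the shape of the AWS API responses but every value is made up.
"""

SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 9200, 27017}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

SNAPSHOT = {  # constructed data
    "security_groups": [
        {"GroupId": "sg-0a1b2c3d", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0e5f6a7b", "GroupName": "db", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d"}]}]},
        {"GroupId": "sg-0c9d8e7f", "GroupName": "legacy", "IpPermissions": [
            {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ],
    "buckets": [
        {"Name": "example-app-assets", "PublicAccessBlock": dict.fromkeys(PAB_KEYS, True)},
        {"Name": "example-legacy-exports", "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                                                 "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
        {"Name": "example-unconfigured", "PublicAccessBlock": None},  # API raised NoSuchPublicAccessBlockConfiguration
    ],
    "users": [
        {"UserName": "alice", "HasConsoleAccess": True, "MfaDevices": ["arn:aws:iam::123456789012:mfa/alice"]},
        {"UserName": "bob", "HasConsoleAccess": True, "MfaDevices": []},
        {"UserName": "ci-bot", "HasConsoleAccess": False, "MfaDevices": []},  # keys only: a "use roles" finding, not an MFA one
    ],
    "volumes": [
        {"VolumeId": "vol-0123abcd", "Encrypted": True},
        {"VolumeId": "vol-0456ef01", "Encrypted": False},
    ],
}


def _rule_is_open(rule: dict) -> bool:
    """True when the rule's source includes the whole IPv4 or IPv6 internet."""
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    return ANY_IPV4 in cidrs or ANY_IPV6 in cidrs


def _sensitive_ports_in(rule: dict) -> set:
    """Sensitive ports covered by the rule. Protocol "-1" means all
    protocols and all ports, and then FromPort/ToPort are absent."""
    if rule.get("IpProtocol") == "-1":
        return set(SENSITIVE_PORTS)
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None or lo < 0:  # ICMP wildcards use -1
        return set()
    return {p for p in SENSITIVE_PORTS if lo <= p <= hi}


def check_security_groups(groups: list) -> list:
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            if _rule_is_open(rule):
                ports = _sensitive_ports_in(rule)
                if ports:
                    findings.append(f"sg {g['GroupId']} ({g['GroupName']}): ports {sorted(ports)} open to the internet")
    return findings


def check_buckets(buckets: list) -> list:
    # All four settings must be on; a missing configuration counts as off.
    return [f"bucket {b['Name']}: public access block incomplete" for b in buckets
            if not (b.get("PublicAccessBlock") and all(b["PublicAccessBlock"].get(k) for k in PAB_KEYS))]


def check_mfa(users: list) -> list:
    return [f"user {u['UserName']}: console access without MFA" for u in users
            if u.get("HasConsoleAccess") and not u.get("MfaDevices")]


def check_volumes(volumes: list) -> list:
    return [f"volume {v['VolumeId']}: not encrypted" for v in volumes if not v.get("Encrypted")]


def run_all(snapshot: dict) -> list:
    return (check_security_groups(snapshot["security_groups"]) + check_buckets(snapshot["buckets"])
            + check_mfa(snapshot["users"]) + check_volumes(snapshot["volumes"]))


if __name__ == "__main__":
    for finding in run_all(SNAPSHOT):
        print(finding)
```

The legacy group shows why a naive "FromPort == 22" check is not enough: its first rule opens every port over IPv6 with no FromPort at all, and its second opens 1024-65535 over IPv4, which includes the database and cache ports even though 22 and 3389 are not in it. The db group's PostgreSQL rule references the web group rather than a CIDR and is correctly left alone.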
Cloud security is a continuous practice, not a one-time project. Automate the checks, review the findings weekly, and improve your security posture incrementally. The cloud provides excellent security tools — using them is the work.