← Back|CYBERSECURITY›Section 1/16

0 of 16 completed

Cloud security

Intermediate⏱ 14 min read📅 Updated: 2026-02-17

Introduction

Netflix, Uber, Airbnb, Swiggy — ella companies um cloud la run aaguranga. 92% of organizations cloud use pannuranga. But cloud la data store pannaa security enna aaagum? 🤔

Cloud security is different from traditional security. Un office la server iruntha nee physical ah lock pannalaam. Cloud la? Provider kitta infrastructure irukku, un kitta data and application irukku.

Indha article la cloud security fundamentals, shared responsibility, common mistakes, and best practices — ellam paapom! ☁️🔒

Shared Responsibility Model

Cloud security la most important concept — Shared Responsibility Model:

Layer	IaaS (EC2)	PaaS (RDS)	SaaS (Gmail)
Data	You 👤	You 👤	You 👤
Application	You 👤	You 👤	Provider ☁️
OS/Runtime	You 👤	Provider ☁️	Provider ☁️
Network	Shared 🤝	Provider ☁️	Provider ☁️
Infrastructure	Provider ☁️	Provider ☁️	Provider ☁️
Physical	Provider ☁️	Provider ☁️	Provider ☁️

Simple ah sonna:

☁️ Cloud Provider: Building security, hardware, network infrastructure
👤 You: Data, access control, application configuration, encryption

Analogy: Apartment la irukkura maari — building security apartment owner paapparu, but un flat lock pannuradhu un responsibility! 🏠

Top Cloud Security Threats

Cloud Security Alliance (CSA) top threats:

1. Misconfiguration 🔧 — #1 Threat!

Public S3 buckets, open security groups
Default credentials, unnecessary permissions
2023 la 65% of cloud breaches misconfiguration dhaan!

2. Insecure APIs 🔌

Weak authentication on APIs
No rate limiting
Sensitive data in API responses

3. Lack of Cloud Security Architecture 🏗️

Lift-and-shift without security redesign
No network segmentation
Missing monitoring and logging

4. Insufficient Identity Management 👤

Over-privileged IAM roles
No MFA for admin accounts
Shared credentials

5. Account Hijacking 🎭

Phishing for cloud console credentials
Stolen API keys in GitHub repos
Session hijacking

6. Insider Threats 🕵️

Disgruntled employees
Accidental data exposure
Shadow IT (unapproved cloud services)

Real Breach: S3 Misconfiguration

✅ Example

Capital One Breach (2019) — 106 million customers affected! 😱

What happened:

1. AWS WAF (Web Application Firewall) misconfigured

2. Attacker SSRF (Server-Side Request Forgery) exploit pannaru

3. EC2 instance metadata access pannaru

4. IAM role credentials steal pannaru

5. S3 buckets la irundhu massive data download

Root cause: Over-privileged IAM role + WAF misconfiguration

Lesson:

- ✅ Least privilege IAM roles

- ✅ IMDSv2 use pannunga (metadata protection)

- ✅ Regular security audits

- ✅ CSPM tools use panni misconfigurations detect pannunga

Cost: $300 million+ in fines and remediation! 💸

Cloud IAM — Identity & Access

Cloud la IAM (Identity and Access Management) is king! 👑

AWS IAM Best Practices:

🔐 Root account use pannaadheenga — IAM users create pannunga
🔑 MFA enable pannunga — especially admin accounts
📋 Least privilege — minimum permissions mattum
🔄 Key rotation — Access keys regularly rotate pannunga
📊 CloudTrail — All API calls log pannunga

IAM Policy Example:

json

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-bucket/*",
    "Condition": {
      "IpAddress": {
        "aws:SourceIp": "203.0.113.0/24"
      }
    }
  }]
}

Idhu specific IP range la irundhu mattum S3 read access allow pannum.

Service Accounts / Roles:

Applications ku long-term credentials venaam
IAM Roles use pannunga (temporary credentials)
Cross-account access ku Assume Role use pannunga

Cloud Network Security

Cloud la network security traditional la irundhu different:

VPC (Virtual Private Cloud) 🌐:

Un own isolated network in cloud
Subnets: Public (internet access) vs Private (internal only)
Route tables control traffic flow

Security Groups 🛡️:

Instance-level firewall
Stateful — return traffic automatic allow
Default: All outbound allow, all inbound deny

NACLs (Network ACLs) 📋:

Subnet-level firewall
Stateless — explicit allow/deny both directions
Additional layer of defense

Best Architecture:

code

Internet
    │
    ▼
┌──────────┐
│   WAF    │  ← Web Application Firewall
└────┬─────┘
     ▼
┌──────────┐
│  ALB     │  ← Public Subnet (Load Balancer)
└────┬─────┘
     ▼
┌──────────┐
│  App     │  ← Private Subnet (Application)
│  Servers │
└────┬─────┘
     ▼
┌──────────┐
│    DB    │  ← Private Subnet (Database)
│  (RDS)   │     No internet access!
└──────────┘

Cloud Security Tools

Cloud security ku essential tools:

CSPM (Cloud Security Posture Management) 📊:

Misconfigurations detect pannum
Compliance check pannum
Tools: Wiz, Prisma Cloud, AWS Security Hub

CWPP (Cloud Workload Protection) 💻:

Containers, VMs, serverless protect pannum
Runtime protection
Tools: Aqua Security, Sysdig, Lacework

CASB (Cloud Access Security Broker) 🔐:

Shadow IT detect pannum
Data loss prevention
Tools: Netskope, Zscaler, Microsoft Defender for Cloud Apps

CIEM (Cloud Infrastructure Entitlement Mgmt) 👤:

Over-privileged identities find pannum
Least privilege enforce pannum
Tools: CrowdStrike, Ermetic, Authomize

Category	Purpose	Top Tool
CSPM	Misconfiguration	Wiz
CWPP	Workload protection	Aqua
CASB	SaaS security	Netskope
CIEM	Identity management	CrowdStrike

Container & Kubernetes Security

Modern cloud apps containers la run aaguranga — security critical!

Container Security Checklist 📋:

✅ Base images scan pannunga (vulnerabilities)
✅ Minimal base images use pannunga (Alpine, distroless)
✅ Run as non-root user
✅ Read-only file systems
✅ Resource limits set pannunga
✅ Image signing and verification

Kubernetes Security ☸️:

RBAC (Role-Based Access Control) properly configure
Network Policies — pod-to-pod traffic restrict
Pod Security Standards — privileged containers avoid
Secrets management — External secrets operator use
Admission controllers — OPA/Gatekeeper

yaml

# Kubernetes Security Best Practice
apiVersion: v1
kind: Pod
spec:
  securityContext:
    runAsNonRoot: true
    readOnlyRootFilesystem: true
  containers:
  - name: app
    resources:
      limits:
        memory: "128Mi"
        cpu: "500m"

Cloud Logging & Monitoring

"You can't protect what you can't see!" 👁️

AWS Security Logging:

CloudTrail — All API calls log (who did what, when)
VPC Flow Logs — Network traffic metadata
GuardDuty — AI-powered threat detection
Config — Resource configuration history
SecurityHub — Centralized security findings

Azure Security Logging:

Activity Log — Subscription-level events
Diagnostic Settings — Resource logs
Microsoft Sentinel — Cloud SIEM
Defender for Cloud — Security recommendations

Must-Do Logging:

📝 Enable CloudTrail in ALL regions
📝 S3 access logging enable
📝 VPC Flow Logs enable
📝 Send all logs to central SIEM
📝 Set up real-time alerts for critical events
📝 Log retention — minimum 1 year for compliance

Secure Cloud Architecture

🏗️ Architecture Diagram

```
┌──────────────────────────────────────────────────┐
│            Secure Cloud Architecture              │
├──────────────────────────────────────────────────┤
│                                                    │
│  PERIMETER                                         │
│  ┌──────────────────────────────────────┐         │
│  │  CloudFlare/WAF → DDoS Protection    │         │
│  │  API Gateway → Rate Limiting, Auth   │         │
│  └───────────────────┬──────────────────┘         │
│                      ▼                             │
│  PUBLIC SUBNET                                     │
│  ┌──────────────────────────────────────┐         │
│  │  Load Balancer (ALB/NLB)             │         │
│  │  Bastion Host (SSH jump box)         │         │
│  └───────────────────┬──────────────────┘         │
│                      ▼                             │
│  PRIVATE SUBNET (App Tier)                        │
│  ┌──────────────────────────────────────┐         │
│  │  ECS/EKS Containers                   │         │
│  │  Security Groups: port 443 only       │         │
│  │  IAM Roles: least privilege           │         │
│  └───────────────────┬──────────────────┘         │
│                      ▼                             │
│  PRIVATE SUBNET (Data Tier)                       │
│  ┌──────────────────────────────────────┐         │
│  │  RDS (encrypted), ElastiCache         │         │
│  │  No internet access!                  │         │
│  │  Security Groups: app tier only       │         │
│  └──────────────────────────────────────┘         │
│                                                    │
│  MONITORING: CloudTrail + GuardDuty + SIEM        │
│  SECRETS: AWS Secrets Manager / Vault              │
│  BACKUP: Cross-region encrypted backups            │
└──────────────────────────────────────────────────┘
```

Cloud Compliance

⚠️ Warning

📋 Compliance Frameworks cloud la follow pannanum:

- SOC 2 — Security, availability, processing integrity

- ISO 27001 — Information security management

- PCI DSS — Credit card data handle pannaa mandatory

- HIPAA — Healthcare data (US)

- GDPR — European user data

- India DPDP Act — Indian personal data protection

⚠️ Remember: Cloud provider certifications un compliance guarantee aagaadhu! Provider infrastructure certified, but un application and data handling nee separately prove pannanum.

✅ Use AWS Artifact, Azure Compliance Manager for reports.

Cloud Security Best Practices

💡 Tip

🏆 Top 10 Cloud Security Best Practices:

1. 🔐 MFA enable for ALL accounts (especially root/admin)

2. 📋 Least privilege IAM policies

3. 🔒 Encrypt data at rest AND in transit

4. 🌐 Private subnets for sensitive workloads

5. 📊 Enable ALL logging (CloudTrail, Flow Logs)

6. 🔍 Use CSPM for continuous monitoring

7. 🔄 Automate security with IaC (Terraform + tfsec)

8. 📦 Scan container images before deployment

9. 🗝️ Use secrets management (no hardcoded keys!)

10. 🧪 Regular penetration testing

Start with #1 and #2 — maximum impact, minimum effort! 💪

Summary

Key Takeaways 🎯:

Shared Responsibility — Provider infra, you data + config
Misconfiguration = #1 cloud threat — automate checks!
IAM = Most critical — least privilege, MFA, role-based
Network = VPC, subnets, security groups layered defense
Logging = Enable everything, centralize in SIEM
Tools = CSPM + CWPP + CASB for comprehensive coverage
Compliance = Your responsibility, not just provider's

Cloud security is a journey, not a destination. Continuous monitoring and improvement venum! ☁️🔒

🏁 Mini Challenge

Challenge: Secure AWS/Azure Account Setup

2-3 weeks time la cloud security architecture setup pannunga:

Cloud Account Hardening — AWS free tier account create pannunga. Root account MFA enable pannunga, IAM users create pannunga (least privilege roles). Access keys rotate pannunga regularly.

S3 Bucket Security — S3 bucket create pannunga, public access block enable pannunga. Server-side encryption configure pannunga. Bucket policies restrict pannunga (specific IPs, roles mattum access).

VPC Configuration — VPC create pannunga, subnets (public/private) setup pannunga. Security groups configure pannunga (inbound/outbound rules). Network ACLs layer add pannunga.

CloudTrail & CloudWatch — CloudTrail enable pannunga (audit logging). CloudWatch dashboards setup pannunga. Suspicious activities detect panna alerts create pannunga.

Secrets Management — AWS Secrets Manager use panni database credentials, API keys store pannunga. Rotation policies configure pannunga.

Compliance Check — AWS Config enable pannunga. Misconfigurations detect panna rules setup pannunga. Compliance reports generate pannunga.

Certificate: Nee cloud security architect! ☁️🔐

Interview Questions

Q1: Shared responsibility model — AWS/Azure perspective la?

A: AWS = infrastructure security (physical, network, host). Customer = data security, application security, IAM, OS patching, encryption. Clear responsibility boundary. Customer misconception — AWS secure illanu think pannum, but misconfiguration risk high.

Q2: Cloud misconfiguration — most common issues?

A: Public S3 buckets, overly permissive IAM roles, unencrypted data, default credentials, missing MFA. Automated scanning tools (CSPM) identify panni fix pannunga important.

Q3: Multi-cloud strategy — security implications?

A: Each cloud platform different security tooling. Consistency maintain panna challenging. Centralized SIEM, unified IAM solution, compliance tracking across clouds — setup required. Cost increase possible.

Q4: Containers (Docker/Kubernetes) security?

A: Image scanning (vulnerabilities check), registry access control, runtime security (behavior monitoring), secrets management, network policies. Orchestration platform (Kubernetes) secure configuration critical.

Q5: Cloud cost optimization — security impact?

A: Cost-cutting = security compromise risk. Reserved instances, auto-scaling optimize panna dapat. But insufficient monitoring resources, security tools disable panna etc safety risk. Balance important.

Frequently Asked Questions

❓ Cloud secure ah irukka?

Cloud providers (AWS, Azure, GCP) infrastructure romba secure ah maintain pannuranga. But un application and data security un responsibility. Shared responsibility model follow pannunga.

❓ Most common cloud security mistake enna?

S3 buckets or storage ah publicly accessible ah viduradhu! Misconfiguration is #1 cloud security risk. Always check access permissions.

❓ Cloud security certifications enna irukku?

AWS Certified Security Specialty, Azure Security Engineer (AZ-500), CCSP (Certified Cloud Security Professional), Google Cloud Security Engineer.

❓ Multi-cloud use pannaa security epdhi manage pannum?

CSPM (Cloud Security Posture Management) tools use pannunga — Prisma Cloud, Wiz, Orca. They work across AWS, Azure, GCP. Centralized visibility provide pannuranga.

🧠Knowledge Check

Quiz 1 of 2

Shared Responsibility Model la data security yaaru responsibility?

0 of 2 answered

← Previous ByteEncryption basics Next Byte →Vulnerability scanning

Courses

Learning Paths

Exam Prep