Cloud Security Fundamentals
Understand the shared responsibility model, identity management, and network security fundamentals for protecting cloud infrastructure.
Shared Responsibility Model
Cloud security follows a shared responsibility model between the cloud provider and the customer. The provider secures the cloud infrastructure (physical data centers, hypervisors, network backbone). The customer secures what they put IN the cloud (data, applications, IAM policies, network configurations, OS patches). The division differs by service type: IaaS (you manage OS, networking, data — provider manages hardware/virtualization), PaaS (you manage data and applications — provider manages OS and below), SaaS (you manage only data and access control — provider manages everything else). The #1 cause of cloud security breaches is misconfiguration — not provider vulnerabilities. Open S3 buckets, permissive IAM policies, and exposed databases account for the vast majority of cloud incidents.
Identity & Access Management (IAM)
- Principle of Least Privilege: Grant only the minimum permissions needed for a task — review and revoke unused permissions quarterly
- IAM Policies: Define who can do what on which resources — use conditions (IP range, MFA required, time-based) for additional security
- Service Accounts: Use dedicated service accounts with minimal permissions for applications — never use personal credentials in code
- MFA (Multi-Factor Authentication): Require MFA for all human users, especially for privileged access — reduces account compromise by 99%
- Role-Based Access Control (RBAC): Group permissions into roles (Admin, Developer, Viewer) — assign roles to users, not individual permissions
- Federation & SSO: Integrate with corporate identity providers (Okta, Azure AD, Google Workspace) — centralized user management and deprovisioning
- Temporary Credentials: Use STS/AssumeRole for temporary access — avoid long-lived access keys. Rotate automatically every hour
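The least-privilege and IAM-policy bullets above translate directly into a review you can automate. The following is an added example, not code from the original page: a small audit that parses an AWS-style IAM policy document and flags the patterns the list warns about (wildcard actions, wildcard resources, and privileged actions allowed without an MFA condition). The sample policy is constructed for illustration; the privileged-prefix list is an assumption you would tune to your environment.

```python
import json

# Constructed sample policy (not from the page): one "allow everything" statement,
# one tightly scoped statement gated on MFA, and one privileged action on any resource.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Assumption: action namespaces treated as privileged enough to require MFA.
PRIVILEGED_PREFIXES = ("iam:", "sts:", "organizations:")


def _as_list(value):
    """IAM allows a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement_index, finding) pairs for Allow statements that violate least privilege."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        cond = stmt.get("Condition", {})
        # aws:MultiFactorAuthPresent is the standard key for "MFA required" conditions
        mfa_required = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "wildcard action"))
        if "*" in resources:
            findings.append((i, "wildcard resource"))
        privileged = any(a == "*" or a.startswith(PRIVILEGED_PREFIXES) for a in actions)
        if privileged and not mfa_required:
            findings.append((i, "privileged action without MFA condition"))
    return findings


def audit_policy_json(text):
    """Convenience wrapper for a policy document read from a file or API response."""
    return audit_policy(json.loads(text))


if __name__ == "__main__":
    for idx, finding in audit_policy(SAMPLE_POLICY):
        print(f"Statement {idx}: {finding}")
```

Statement 1 produces no findings because it names one action on one resource and requires MFA; statements 0 and 2 are the ones a quarterly review should revoke or tighten.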
Network Security
- VPC/VNet: Isolate resources in private networks — only expose what must be public. Use private subnets for databases and internal services
- Security Groups: Stateful firewalls at the instance level — allow only required ports (80/443 for web, 5432 for PostgreSQL). Default deny all inbound
- NACLs: Stateless firewalls at the subnet level — additional defense layer for compliance. Use with security groups for defense in depth
- Private Endpoints: Connect to cloud services (S3, RDS) over private network — traffic never leaves the cloud provider's backbone. Eliminates internet exposure
- WAF (Web Application Firewall): Filter malicious web traffic — block SQL injection, XSS, DDoS. Examples: AWS WAF, Cloudflare, Azure Front Door
- DDoS Protection: Use cloud-native DDoS protection (AWS Shield, Azure DDoS Protection, Cloud Armor) — absorbs volumetric attacks before they reach your application