Cloud Security Fundamentals
Cloud security operates under a shared responsibility model — the cloud provider secures the infrastructure while the customer is responsible for securing everything they deploy on it. Misunderstanding this boundary is the root cause of most cloud breaches.
Shared Responsibility Model
# AWS Shared Responsibility Model
AWS is responsible for:                 Customer is responsible for:
┌─────────────────────────┐             ┌─────────────────────────────┐
│ Physical hardware       │             │ Identity & Access (IAM)     │
│ Global network          │             │ Network config (VPC/SG)     │
│ Hypervisor security     │             │ Data encryption             │
│ Availability zones      │             │ OS patching (EC2)           │
│ Managed service security│             │ Application security        │
│ (RDS internally, S3     │             │ Firewall rules (SGs)        │
│ encryption at rest)     │             │ MFA configuration           │
└─────────────────────────┘             └─────────────────────────────┘
# IaaS (EC2): Customer responsible for OS, middleware, runtime, application
# PaaS (RDS, Lambda): Customer responsible for application and data only
# SaaS (Salesforce): Customer responsible for data and user access only
# The most common cloud breaches map directly to customer responsibilities:
# - Capital One (2019): Misconfigured WAF + SSRF → IAM role credential theft
# - Twitch (2021): Exposed source code via misconfigured S3
# - Microsoft Exchange (2023): OAuth token forgery → customer tenant access
Cloud Security Frameworks
- CIS Benchmarks: Center for Internet Security benchmarks for AWS, Azure, GCP — detailed configuration requirements (800+ controls for AWS). Automated assessment: ScoutSuite, Prowler
- CSA Cloud Controls Matrix (CCM): Framework mapping cloud security controls to compliance requirements (PCI DSS, HIPAA, GDPR, ISO 27001)
- AWS Well-Architected Framework Security Pillar: IAM, detective controls, infrastructure protection, data protection, incident response
- CSPM (Cloud Security Posture Management): Continuous automated scanning for misconfigurations and compliance violations. Products: Prisma Cloud, Wiz, Orca Security
Common Mistakes
- Assuming the cloud provider secures everything — 'cloud' means shared responsibility; the customer's IAM, networking, and application security are entirely their own responsibility
- Lifting and shifting on-premises security controls — cloud-native security patterns (IAM roles, security groups, VPC flow logs) replace traditional perimeter controls and should be embraced, not retrofitted
- No cloud asset inventory — shadow IT and unmanaged cloud resources are impossible to secure; implement automated discovery (AWS Config, GCP Asset Inventory)
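The CSPM products and CIS benchmark scanners listed above, and the automated asset discovery recommended for the inventory problem, both boil down to the same loop: take a configuration snapshot of the account and evaluate every resource against a list of checks that sit on the customer side of the shared responsibility model. The following is an added example of that loop, not code from this page, from Prowler, ScoutSuite or any CSPM vendor. It runs offline on a constructed inventory snapshot (invented account data), the check ids are illustrative labels rather than real CIS control numbers, and the four checks cover IAM/MFA, network exposure, encryption at rest and an ownership-tag check that surfaces unmanaged (shadow) resources:

```python
"""
Offline CSPM-style evaluator (added example; not the page's code and not a
real tool's code). It evaluates a configuration snapshot against CIS-style
checks that are all customer responsibilities: IAM/MFA, security-group
exposure, encryption at rest, and asset-inventory hygiene (owner tags).
Check ids such as "IAM-MFA" are illustrative, not real CIS identifiers.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed snapshot in the shape a config-inventory export might take.
# None of these identifiers refer to a real account.
SNAPSHOT = {
    "iam_users": [
        {"name": "alice", "mfa_enabled": True, "console_access": True},
        {"name": "deploy-bot", "mfa_enabled": False, "console_access": False},
        {"name": "bob", "mfa_enabled": False, "console_access": True},
    ],
    "security_groups": [
        {"id": "sg-web", "tags": {"owner": "web-team"},
         "ingress": [{"port_from": 443, "port_to": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-admin", "tags": {},
         "ingress": [{"port_from": 22, "port_to": 22, "cidr": "0.0.0.0/0"},
                     {"port_from": 3389, "port_to": 3389, "cidr": "10.0.0.0/8"}]},
    ],
    "s3_buckets": [
        {"name": "public-site", "public_access_block": False, "tags": {"owner": "web-team"}},
        {"name": "backups", "public_access_block": True, "tags": {"owner": "ops"}},
    ],
    "ebs_volumes": [
        {"id": "vol-1", "encrypted": True, "tags": {"owner": "ops"}},
        {"id": "vol-2", "encrypted": False, "tags": {}},
    ],
}


@dataclass(frozen=True)
class Finding:
    check_id: str
    resource: str
    detail: str


ADMIN_PORTS = {22, 3389}  # SSH and RDP


def check_console_users_have_mfa(snap):
    """Human (console) users must have MFA; pure API identities are skipped."""
    return [Finding("IAM-MFA", u["name"], "console user without MFA")
            for u in snap["iam_users"]
            if u["console_access"] and not u["mfa_enabled"]]


def check_admin_ports_not_world_open(snap):
    """Flag ingress rules that expose an admin port to the whole internet.
    A /0 prefix (0.0.0.0/0 or ::/0) means 'any address'; the port range is
    checked so a 0-65535 'allow all' rule is caught as well."""
    findings = []
    for sg in snap["security_groups"]:
        for rule in sg["ingress"]:
            world_open = ip_network(rule["cidr"], strict=False).prefixlen == 0
            hits_admin = any(rule["port_from"] <= p <= rule["port_to"] for p in ADMIN_PORTS)
            if world_open and hits_admin:
                findings.append(Finding("NET-ADMIN-OPEN", sg["id"],
                                        f"{rule['cidr']} -> {rule['port_from']}-{rule['port_to']}"))
    return findings


def check_buckets_block_public_access(snap):
    """Data protection: every bucket should have the public access block on."""
    return [Finding("S3-PUBLIC", b["name"], "public access block disabled")
            for b in snap["s3_buckets"] if not b["public_access_block"]]


def check_volumes_encrypted(snap):
    """Encryption at rest is the customer's job for data they store."""
    return [Finding("EBS-ENC", v["id"], "volume not encrypted at rest")
            for v in snap["ebs_volumes"] if not v["encrypted"]]


def check_resources_have_owner(snap):
    """Inventory hygiene: a resource with no owner tag is shadow IT."""
    findings = []
    for kind in ("security_groups", "s3_buckets", "ebs_volumes"):
        for r in snap[kind]:
            if not r.get("tags", {}).get("owner"):
                findings.append(Finding("INV-OWNER", r.get("id") or r.get("name"),
                                        f"{kind} resource without owner tag"))
    return findings


CHECKS = [check_console_users_have_mfa, check_admin_ports_not_world_open,
          check_buckets_block_public_access, check_volumes_encrypted,
          check_resources_have_owner]


def evaluate(snap):
    """Run every check and return findings in a stable order for reporting."""
    findings = []
    for check in CHECKS:
        findings.extend(check(snap))
    return sorted(findings, key=lambda f: (f.check_id, f.resource))


def summarize(findings):
    """Count findings per check id, the figure a posture dashboard tracks."""
    counts = {}
    for f in findings:
        counts[f.check_id] = counts.get(f.check_id, 0) + 1
    return counts


if __name__ == "__main__":
    for f in evaluate(SNAPSHOT):
        print(f"[{f.check_id}] {f.resource}: {f.detail}")
```

On the constructed snapshot this reports six findings: bob lacks MFA, sg-admin exposes SSH to the world, public-site has no public access block, vol-2 is unencrypted, and sg-admin and vol-2 carry no owner tag. Note that the ownership check is what turns a configuration scan into an inventory control: a real deployment would feed it from AWS Config or GCP Asset Inventory rather than a hand-built dictionary, and an empty or missing category simply yields no findings rather than an error.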
Tip
Practice Cloud Security Fundamentals in small, isolated examples before integrating into larger projects. Breaking concepts into small experiments builds genuine understanding faster than reading alone.
Practice Task — (1) Write a working example of Cloud Security Fundamentals from scratch without looking at notes. (2) Modify it to handle an edge case (empty input, null value, or error state). (3) Share your solution in the Priygop community for feedback.
Common Mistake
A common mistake with Cloud Security Fundamentals is skipping edge case testing — empty inputs, null values, and unexpected data types. Always validate boundary conditions to write robust, production-ready cybersecurity code.
Key Takeaways
- Cloud security operates under a shared responsibility model — the cloud provider secures the infrastructure while the customer is responsible for securing everything they deploy on it.
- CIS Benchmarks: Center for Internet Security benchmarks for AWS, Azure, GCP — detailed configuration requirements (800+ controls for AWS). Automated assessment: ScoutSuite, Prowler
- CSA Cloud Controls Matrix (CCM): Framework mapping cloud security controls to compliance requirements (PCI DSS, HIPAA, GDPR, ISO 27001)
- AWS Well-Architected Framework Security Pillar: IAM, detective controls, infrastructure protection, data protection, incident response