The most common cause of cloud data breaches is not a sophisticated attack on cloud provider infrastructure. It's misconfigured storage buckets, overly permissive IAM roles, unpatched virtual machines, and environments with no monitoring. The cloud provider secures the infrastructure. Everything running on it is your responsibility. Most organizations don't fully understand where that line is — and that gap is where breaches happen.
This guide covers the six pillars of cloud security that every CTO should have in place, with specific controls for each — applicable across AWS, Azure, and GCP.
The Shared Responsibility Model: Where Your Responsibility Starts
Every major cloud provider publishes a shared responsibility model that defines what the provider secures versus what the customer secures. The line varies slightly by service type, but the principle is consistent:
- The provider secures: physical data centers, network hardware, hypervisor layer, managed service availability. AWS, Azure, and GCP do this exceptionally well — physical breaches of cloud infrastructure are effectively unheard of.
- You secure: operating systems on virtual machines, application code, data, identity and access management, network configurations, encryption settings, and monitoring. Every publicly reported cloud breach has been in this layer.
The shared responsibility model is not an edge case — it's the default state. Provisioning a cloud resource does not mean it's secure. It means it's running.
Pillar 1: Identity and Access Management
IAM is the highest-leverage security control in any cloud environment. An attacker with valid credentials who operates within their granted permissions is invisible to most security controls. Getting IAM right prevents the majority of breach scenarios before they start.
Least Privilege, Enforced
Every IAM role, user, and service account should have exactly the permissions it needs and nothing more. In practice, this means starting with no permissions and adding what's required — not starting with broad permissions and restricting later. Use AWS IAM Access Analyzer, Azure's built-in unused permission reports, or GCP's Policy Analyzer to identify overly permissive roles already in your environment.
No Long-Lived Credentials
Static IAM access keys that never rotate are a persistent liability. Any credential that's been issued and not rotated is a credential that could have been compromised without your knowledge. For machine-to-machine access, use IAM roles with short-lived tokens rather than static access keys. For human access, use SSO with your identity provider (Okta, Azure AD, Google Workspace) rather than cloud-native IAM users.
MFA on Everything Human-Facing
MFA should be mandatory for all human accounts — especially those with administrative permissions. The root account or global administrator in any cloud environment should have MFA enforced, not optional, and should be used only for break-glass scenarios. Enforce MFA with Service Control Policies (AWS), Conditional Access (Azure), or Organization Policy constraints (GCP).
Pillar 2: Network Security
The default network configuration in most cloud environments is more permissive than it should be. Security groups and firewall rules that allow inbound traffic from 0.0.0.0/0 (anywhere on the internet) are a common finding in cloud security audits.
- Private subnets for everything that doesn't need direct internet access. Databases, application servers, internal services, and management interfaces should be in private subnets with no route to the internet. Only load balancers and bastion hosts (or a VPN) should be in public subnets.
- Security groups with explicit allow rules. The default should be deny. Allow only the specific ports and source IP ranges required for each service. A database security group should allow inbound traffic only from the application tier security group — not from
0.0.0.0/0, and not from the entire VPC. - No direct SSH or RDP from the internet. Use AWS Systems Manager Session Manager, Azure Bastion, or GCP's IAP-based tunneling for administrative access. These give you session logging and IAM-based access control without exposing port 22 or 3389 to the internet.
- VPC endpoints for cloud service traffic. Traffic to S3, DynamoDB, Secrets Manager, and other cloud services should traverse VPC endpoints rather than the public internet. This eliminates internet-facing exposure and reduces data transfer costs.
Pillar 3: Data Security
Data is why cloud environments are targeted. Encryption and access control for data at rest and in transit are non-negotiable baselines.
Encryption at Rest
Enable encryption at rest for every storage service — S3, EBS, RDS, DynamoDB, blob storage. All major cloud providers support this natively and for most services it's a single checkbox that should be on by default. Use customer-managed keys (KMS) for workloads with compliance requirements, so you maintain control over key lifecycle and can enforce key rotation.
Encryption in Transit
Enforce TLS for all service-to-service communication, not just external traffic. Internal services that communicate over unencrypted channels are vulnerable to lateral movement attacks once an attacker has a foothold in your environment. Use ACM (AWS), managed certificates (Azure), or Certificate Authority Service (GCP) to automate certificate provisioning and renewal.
S3 and Blob Storage Public Access
Block public access at the account or organization level for S3 and equivalent services — not just at the bucket level. Apply this control once, at the top of your organizational hierarchy, so it can't be accidentally overridden by an individual bucket policy. Audit existing buckets: any bucket with public access that isn't serving a specific, documented public-facing purpose is a misconfiguration.
Pillar 4: Logging and Monitoring
An environment without comprehensive logging has no forensic capability after an incident and no detection capability during one. Most organizations discover breaches weeks or months after they occurred — because there was no monitoring to detect anomalous activity in real time.
- Enable CloudTrail / Azure Activity Log / GCP Audit Logs everywhere, in every region. These logs record every API call made in your environment. They are the foundation of any cloud security investigation. Store them in a separate account or project where they can't be tampered with by a compromised primary account.
- Enable GuardDuty (AWS) or Microsoft Defender for Cloud (Azure). These services analyze CloudTrail, VPC flow logs, and DNS logs using threat intelligence and ML to detect compromised credentials, crypto mining, unusual API call patterns, and lateral movement. They're low-cost, require no infrastructure, and generate findings you couldn't produce manually.
- Set billing alerts. Unexpected cost spikes — especially for compute services — are often the first visible signal of a cryptocurrency mining attack. A billing alert at 150% of your normal spend is a security control, not just a budget tool.
- Aggregate logs in a SIEM. For organizations with compliance requirements or a dedicated security team, centralizing logs in Splunk, Elastic, Microsoft Sentinel, or a cloud-native equivalent enables cross-service correlation and persistent alerting.
Pillar 5: Vulnerability and Patch Management
Unpatched operating systems and container images are the most consistently exploited vulnerability class in cloud environments. Every day a known CVE is unpatched is a day an attacker can use it.
- Use managed services where patching is the provider's responsibility. RDS instead of self-managed databases, ECS or EKS for containers instead of self-managed Kubernetes, managed Elasticsearch instead of self-hosted. Every managed service shifts the patching burden to the provider.
- Automate OS patching with AWS Systems Manager Patch Manager, Azure Update Manager, or GCP's VM Manager. Define a patching schedule — critical patches within 72 hours, standard patches within 30 days. Automated patching on a schedule is consistently more reliable than manual processes.
- Scan container images for CVEs before deployment. Amazon ECR, Azure Container Registry, and GCP Artifact Registry all support native vulnerability scanning. Block deployment of images with critical CVEs via policy — don't just report them.
Pillar 6: Incident Response
Security controls reduce the probability of an incident. Incident response determines how bad it gets when one occurs. An organization with no IR plan that experiences a breach will spend 2–3x longer on containment and recovery than one with a documented, practiced playbook.
The minimum viable cloud IR capability:
- Document your response playbooks. For each credible incident scenario — compromised IAM credentials, data exfiltration from S3, crypto miner on EC2 — document the specific containment steps, who has authority to execute them, and how to verify the environment is clean.
- Practice isolation. Know how to isolate a compromised instance (change security group, detach from load balancer, revoke IAM role) without affecting the rest of the environment. Practice this in a test environment so it's not a first-time operation during an actual incident.
- Maintain forensic capability. Preserve CloudTrail logs, VPC flow logs, and instance memory snapshots before remediation. Cleaning up before preserving evidence destroys your ability to understand the scope of a breach.
The Bottom Line
Cloud security is not primarily a tooling problem. Every control described in this guide is available natively in AWS, Azure, and GCP, mostly at no additional cost. It's an implementation and ownership problem: someone has to make the decision that these controls will be in place, verify that they are, and ensure they stay in place as the environment evolves.
The organizations that avoid cloud security incidents are not the ones that spent the most on security tools. They're the ones that consistently applied the fundamentals — least privilege, network segmentation, encryption, monitoring, and patching — before an incident required them to.
Want an Expert Review of Your Cloud Security Posture?
Ez IT Expert runs cloud security assessments covering all six pillars — IAM, network, data, logging, patching, and incident response. We deliver a written findings report with prioritized remediation recommendations and hands-on implementation support. Book a free 30-minute call to get started. See our cloud security services.
Book a Free Security Assessment →