Cloud Computing Security

Explain Introduction.

Explain Cloud Service Models.

Explain Infrastructure as a Service (IaaS).

Explain Platform as a Service (PaaS).

Cloud computing has fundamentally transformed how organizations build, deploy, and manage information systems.

What once required months of procurement, physical hardware installation, and data center operations now takes minutes — and can be provisioned, scaled, or decommissioned through…

Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) collectively host the workloads of the world's most critical organizations: governments, hospitals,…

Cloud computing has fundamentally transformed how organizations build, deploy, and manage information systems.

What once required months of procurement, physical hardware installation, and data center operations now takes minutes — and can be provisioned, scaled, or decommissioned through…

Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) collectively host the workloads of the world's most critical organizations: governments, hospitals,…

This shift in infrastructure brings enormous operational benefits but also introduces new and subtle security risks.

Cloud services are typically classified into three models, which differ in what the cloud provider manages versus what the customer is responsible for:

Cloud Service Models connects to risk, controls, and evidence.

Cloud Service Models connects to risk, controls, and evidence.

IaaS provides virtualized computing infrastructure: virtual machines, block storage volumes, virtual networks, and load balancers.

The customer provisions and manages operating systems, middleware, applications, and data.

The provider manages the physical hardware, hypervisor, and data center infrastructure.

Examples: AWS EC2, Azure Virtual Machines, Google Compute Engine, AWS S3 (object storage), Azure Blob Storage.

PaaS provides a managed platform for deploying applications, abstracting away OS management, runtime maintenance, and infrastructure scaling.

The customer deploys their application code and data; the provider manages everything below: the OS, runtime, middleware, and infrastructure.

Examples: AWS Elastic Beanstalk, Azure App Service, Google App Engine, AWS RDS (managed database), Heroku.

PaaS shifts significant security responsibility to the provider — the customer no longer patches the OS or manages the runtime.

SaaS delivers complete applications over the internet.

The customer simply uses the application; the provider manages everything: infrastructure, platform, application, and runtime.

Examples: Microsoft 365, Google Workspace, Salesforce, Workday, Slack, Zoom.

In SaaS, the provider manages nearly all security.

The shared responsibility model is the most important concept in cloud security.

It defines the boundary between what the cloud provider secures and what the customer must secure.

This boundary shifts depending on the service model.

Key Concept — Shared Responsibility : The cloud provider is responsible for the security of the cloud (physical infrastructure, hardware, hypervisors, managed service platforms).

Organizations deploy cloud resources in several ways: Public Cloud : Resources are provisioned on infrastructure shared with other cloud tenants (logical isolation, not physical).

This is the model offered by AWS, Azure, and GCP.

Cost-efficient and highly scalable, but subject to the shared responsibility model.

Private Cloud : Cloud infrastructure dedicated exclusively to one organization, either hosted on-premises (using platforms like OpenStack or VMware vSphere) or dedicated-tenancy…

Misconfiguration is the leading cause of cloud data breaches.

The most notorious example is publicly accessible Amazon S3 buckets.

By default, S3 buckets are private, but a single misconfigured access control policy or a "Block Public Access" setting being disabled can expose all bucket contents to the entire…

Between 2017 and 2020, hundreds of organizations inadvertently exposed billions of records through misconfigured S3 buckets, including government agencies, major corporations, and…

Cloud management APIs (AWS API, Azure ARM, GCP API) are powerful attack surfaces.

Every action that can be performed in a cloud console can also be performed via API, with no security control beyond valid credentials.

API keys and access tokens that are leaked — in source code, in log files, in GitHub repositories — grant full access to cloud resources.

Cloud accounts represent the highest-value credential in modern attack campaigns.

Compromising cloud credentials (IAM user access keys, federated identity credentials, or management console passwords) can grant access to all resources in an account.

Phishing campaigns specifically targeting DevOps engineers and cloud administrators are common.

MFA is essential for all cloud console access.

Sensitive data stored in cloud environments — customer PII, intellectual property, regulated data — can be exfiltrated by external attackers who compromise access credentials or…

Encryption, data loss prevention (DLP) controls, and detailed access logging are essential countermeasures.

Data Breaches and Insider Threats connects to risk, controls, and evidence.

Shadow IT refers to cloud resources provisioned by employees or teams without the knowledge or approval of IT and security teams.

When individual developers spin up EC2 instances, S3 buckets, or SaaS subscriptions outside formal procurement processes, those resources may bypass security controls, not be…

Cloud Access Security Brokers (CASBs) and cloud security posture management (CSPM) tools help detect and govern shadow IT.

AWS Identity and Access Management (IAM) is the access control system for all AWS services.

Key components: - Users : Long-term identities for humans or applications.

Best practice: minimize IAM users; use roles instead.

- Groups : Collections of users sharing the same policies.

Azure Active Directory (Azure AD, now called Microsoft Entra ID) serves as the identity foundation for Azure, Microsoft 365, and integrated third-party SaaS applications.

Azure Active Directory connects to risk, controls, and evidence.

Azure Active Directory connects to risk, controls, and evidence.

Encryption at Rest : Data stored in cloud services (S3, RDS, EBS volumes, Azure Blob Storage) should be encrypted at rest.

AWS, Azure, and GCP all offer default encryption with provider-managed keys, but organizations requiring greater control use customer-managed keys (CMKs) via Key Management…

Encryption in Transit : All data transmitted between clients and cloud services, and between cloud services internally, should use TLS 1.2 or 1.3.

Most cloud services enforce this by default, but it must be explicitly required for legacy protocols and internal service communication.

A Virtual Private Cloud (VPC) is an isolated virtual network within a cloud provider's infrastructure.

Organizations deploy their cloud resources within VPCs, controlling IP address ranges (CIDR blocks), subnets, route tables, and network gateways.

Proper VPC design involves: - Public subnets : For resources that need direct internet access (load balancers, NAT gateways, bastion hosts).

- Private subnets : For resources that should not be directly accessible from the internet (application servers, databases, internal services).

Security Groups are stateful virtual firewalls attached to individual resources (EC2 instances, RDS databases, Lambda functions).

They filter traffic based on protocol, port, and source/destination IP or security group.

Because security groups are stateful, return traffic is automatically allowed for permitted inbound connections.

Network Access Control Lists (NACLs) are stateless firewall rules applied at the subnet level.

AWS CloudTrail records all API calls made in an AWS account — who made the call, from where, at what time, and what was the result.

CloudTrail is the essential audit log for AWS and must be enabled in all regions, with logs protected from tampering (S3 bucket with Object Lock or delivered to a separate…

CloudTrail enables detection of: unauthorized access attempts, privilege escalation, IAM changes, data exfiltration via unusual data transfer, and cryptomining via unauthorized…

Amazon CloudWatch monitors resource metrics and application logs, and can trigger alarms and automated responses.

Azure Monitor collects metrics and logs from Azure resources and applications.

Microsoft Defender for Cloud (formerly Azure Security Center) provides continuous security assessment, threat detection, and recommendations for Azure resources.

Azure Sentinel (Microsoft Sentinel) is a SIEM and SOAR platform natively integrated with Azure and Microsoft 365.

Cloud providers publish SOC 2 Type II reports; customers must also achieve their own SOC 2 compliance for their cloud-hosted services.

- FedRAMP (Federal Risk and Authorization Management Program) : A U.S.

government program standardizing security assessment and authorization for cloud services used by federal agencies.

AWS GovCloud, Azure Government, and GCP Government Cloud offer FedRAMP-authorized environments.

Introduction

Cloud Service Models

Infrastructure as a Service (IaaS)

Platform as a Service (PaaS)

Where Introduction applies.

Where Cloud Service Models applies.

How the difference changes the security decision.

Identify the asset or process at risk.

Choose a preventive, detective, or corrective control.

Explain what evidence would prove the control is working.

Define one core concept in plain language.

Compare two controls or threats from the week.

Apply one idea to a campus or business system.

Evaluate why a solution might fail in practice.

Collect evidence, not just screenshots.

Explain what the artifact proves.

Connect the proof back to risk and control selection.

Cloud Computing Security

Security is a decision process, not just a tool list.

Use the reading to justify practical choices.