Cloud & Infrastructure Security
Cloud Security Fundamentals
Cloud security is a critical interview topic. This lesson covers the shared responsibility model, multi-cloud comparisons, and key security services.
Shared Responsibility Model
The most common cloud security interview question:
```text
┌──────────────────────────────────────────────────────────────┐
│ CUSTOMER RESPONSIBILITY                                      │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Data, Identity, Applications, OS (IaaS), Configuration   │ │
│ └──────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────┤
│ SHARED RESPONSIBILITY                                        │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Network Controls, Identity Federation, Encryption Keys   │ │
│ └──────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────┤
│ PROVIDER RESPONSIBILITY                                      │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Physical, Network Infrastructure, Hypervisor, Hardware   │ │
│ └──────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────┘
```
Responsibility by Service Model
| Layer | IaaS | PaaS | SaaS |
|---|---|---|---|
| Data | Customer | Customer | Customer |
| Applications | Customer | Customer | Provider |
| Runtime | Customer | Provider | Provider |
| OS | Customer | Provider | Provider |
| Virtualization | Provider | Provider | Provider |
| Physical | Provider | Provider | Provider |
Cloud Provider Comparison
| Feature | AWS | Azure | GCP |
|---|---|---|---|
| Market Share | ~30% | ~20% | ~13% |
| IAM | IAM, Organizations | Entra ID, RBAC | Cloud IAM, Resource Manager |
| Threat Detection | GuardDuty | Defender for Cloud | Security Command Center |
| Secrets | Secrets Manager | Key Vault | Secret Manager |
| Logging | CloudTrail | Activity Log | Cloud Audit Logs |
| Network Security | Security Groups, NACLs | NSGs, Firewall | VPC Firewall Rules |
| Key Management | KMS | Azure Key Vault | Cloud KMS |
Interview Question
Q: "How would you secure a new AWS account from scratch?"
Answer:
- Root account: Enable MFA, create admin IAM user, never use root
- Organizations: Set up AWS Organizations with SCPs
- IAM: Enforce MFA, implement least privilege, use roles not users
- Logging: Enable CloudTrail in all regions, send to S3 with encryption
- Monitoring: Set up GuardDuty, Config Rules, Security Hub
- Network: Default VPC deletion, custom VPCs with private subnets
- Encryption: Enable default EBS/S3 encryption
IAM Best Practices
The Principle of Least Privilege
```jsonc
// BAD: Overly permissive
{
  "Effect": "Allow",
  "Action": "*",
  "Resource": "*"
}

// GOOD: Specific permissions
{
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:PutObject"
  ],
  "Resource": "arn:aws:s3:::my-bucket/uploads/*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalTag/Department": "Engineering"
    }
  }
}
```
IAM Policy Structure
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSpecificBucketAccess",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::company-data",
        "arn:aws:s3:::company-data/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        },
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
```
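To make the least-privilege and policy-structure points above concrete, here is a small policy evaluator and wildcard linter added as an example for this lesson. It is not AWS's evaluation engine and models only what the lesson's policies use: `Action` and `Resource` matching with `*`/`?` wildcards, explicit Deny beating Allow, implicit deny otherwise, and the `StringEquals`, `Bool` and `IpAddress` condition operators. The two policy documents, the request context values (`aws:SourceIp` of `10.1.2.3`, the `Engineering` tag) and the `Sid` `AllowEngineeringUploads` are constructed for the demo; `NotAction`, policy variables, resource policies, SCPs and permission boundaries are out of scope.

```python
"""Toy IAM policy evaluator and wildcard linter (added example, not AWS code)."""
import fnmatch
import ipaddress

# Constructed sample documents wrapping the lesson's "bad" and "good" statements.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEngineeringUploads",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::my-bucket/uploads/*",
        "Condition": {
            "StringEquals": {"aws:PrincipalTag/Department": "Engineering"},
            "Bool": {"aws:SecureTransport": "true"},
            "IpAddress": {"aws:SourceIp": "10.0.0.0/8"},
        },
    }],
}


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one.
    '[' is escaped so fnmatch cannot treat it as a character class."""
    return any(fnmatch.fnmatchcase(value, p.replace("[", "[[]")) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Every operator block and every key must hold; a key holds if the request
    context value matches any listed value. A missing context key never matches."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = _as_list(expected)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "Bool":
                ok = str(actual).lower() in [str(e).lower() for e in expected]
            elif operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(e, strict=False)
                         for e in expected)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request. An explicit Deny wins over any
    Allow; with no matching Allow the result is an implicit Deny."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def find_overly_permissive(policy):
    """Lint: return the Sid (or index) of every Allow statement granting '*' on '*'."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if (stmt["Effect"] == "Allow"
                and "*" in _as_list(stmt["Action"])
                and "*" in _as_list(stmt["Resource"])):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


if __name__ == "__main__":
    # Constructed request context: an Engineering principal on the corporate range over TLS.
    ctx = {"aws:PrincipalTag/Department": "Engineering",
           "aws:SecureTransport": "true", "aws:SourceIp": "10.1.2.3"}
    obj = "arn:aws:s3:::my-bucket/uploads/report.csv"
    print(evaluate(BAD_POLICY, "iam:DeleteUser", "arn:aws:iam::123456789012:user/alice"))  # Allow
    print(evaluate(GOOD_POLICY, "s3:PutObject", obj, ctx))                                  # Allow
    print(evaluate(GOOD_POLICY, "s3:DeleteObject", obj, ctx))                               # Deny
    print(evaluate(GOOD_POLICY, "s3:PutObject", obj, {**ctx, "aws:SourceIp": "203.0.113.9"}))  # Deny
    print(find_overly_permissive(BAD_POLICY))                                               # ['Statement[0]']
```

The wildcard policy allows an unrelated `iam:DeleteUser` call, which is exactly what the linter flags; the scoped policy denies a write outside `uploads/`, an action it never lists, and any request that fails one of the three conditions, including a request whose context simply lacks the tag.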
Cloud Security Services Deep Dive
AWS GuardDuty Findings
| Finding Type | Severity | What It Detects |
|---|---|---|
| UnauthorizedAccess:EC2 | High | Compromised instance contacting C2 |
| Recon:IAMUser | Medium | Suspicious API reconnaissance |
| CryptoCurrency:EC2 | High | Crypto mining activity |
| Backdoor:EC2 | High | Instance communicating with backdoor server |
| Impact:S3 | Medium | S3 bucket policy manipulation |
Azure Defender Alerts
```json
{
  "alertType": "ALERTS_FILELESS_ATTACK_TECH",
  "severity": "High",
  "description": "Suspicious PowerShell activity",
  "remediationSteps": [
    "Isolate the virtual machine",
    "Run antimalware scan",
    "Review process tree"
  ]
}
```
Multi-Cloud Security Challenges
| Challenge | Solution |
|---|---|
| Inconsistent IAM | Use identity federation (Okta, Azure AD) |
| Visibility gaps | Cloud-agnostic SIEM (Splunk, Chronicle) |
| Policy drift | Infrastructure as Code with compliance checks |
| Key management | Centralized KMS or Vault |
| Network complexity | Service mesh, consistent segmentation |
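The "Visibility gaps" row above, together with the GuardDuty and Defender sections, comes down to one engineering task: getting each provider's native finding into a single schema before it reaches the SIEM. The following normaliser is an added example for this lesson, not code from AWS, Microsoft or any SIEM vendor. It uses the documented GuardDuty finding-type layout (`ThreatPurpose:ResourceType/ThreatFamily.Mechanism!Artifact`) and the documented severity bands (Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9); the sample events are constructed, the Defender `compromisedEntity` field is assumed, and `NormalizedAlert` and `needs_paging` are names chosen here.

```python
"""Normalise GuardDuty findings and Defender alerts into one schema (added example)."""
from dataclasses import dataclass, field


@dataclass
class NormalizedAlert:
    provider: str            # "aws" or "azure"
    severity: str            # Low / Medium / High
    category: str            # GuardDuty threat purpose or Defender alertType
    resource: str            # affected resource type or entity
    title: str
    remediation: list = field(default_factory=list)


# Constructed sample: the 'detail' of a GuardDuty finding as delivered via EventBridge.
GUARDDUTY_SAMPLE = {
    "accountId": "111122223333",
    "region": "us-east-1",
    "type": "CryptoCurrency:EC2/BitcoinTool.B",
    "severity": 8.0,
    "title": "EC2 instance i-0abc123 is querying a domain associated with Bitcoin.",
    "resource": {"resourceType": "Instance", "instanceDetails": {"instanceId": "i-0abc123"}},
}

# Constructed sample using the Defender fields shown in the lesson; compromisedEntity is assumed.
DEFENDER_SAMPLE = {
    "alertType": "ALERTS_FILELESS_ATTACK_TECH",
    "severity": "High",
    "description": "Suspicious PowerShell activity",
    "remediationSteps": ["Isolate the virtual machine", "Run antimalware scan", "Review process tree"],
    "compromisedEntity": "vm-web-01",
}


def guardduty_severity_label(score):
    """Map GuardDuty's numeric severity onto the documented Low/Medium/High bands."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def parse_guardduty_type(finding_type):
    """Split 'Purpose:Resource/Family.Mechanism!Artifact' into (purpose, resource, family).
    Also accepts the shortened 'Purpose:Resource' form used in the lesson's table."""
    purpose, _, rest = finding_type.partition(":")
    resource, _, family = rest.partition("/")
    return purpose, resource, family.split("!")[0]


def from_guardduty(finding):
    purpose, resource, family = parse_guardduty_type(finding["type"])
    return NormalizedAlert(
        provider="aws",
        severity=guardduty_severity_label(float(finding["severity"])),
        category=purpose,
        resource=resource,
        title=finding.get("title", f"{purpose}:{resource}/{family}"),
    )


def from_defender(alert):
    # Defender also emits "Informational"; fold it into Low rather than dropping it.
    sev = {"Informational": "Low"}.get(alert["severity"], alert["severity"])
    if sev not in ("Low", "Medium", "High"):
        raise ValueError(f"unknown Defender severity: {alert['severity']}")
    return NormalizedAlert(
        provider="azure",
        severity=sev,
        category=alert["alertType"],
        resource=alert.get("compromisedEntity", "unknown"),
        title=alert["description"],
        remediation=list(alert.get("remediationSteps", [])),
    )


def normalize(provider, event):
    """Dispatch on provider so downstream rules never see vendor-specific fields."""
    return {"aws": from_guardduty, "azure": from_defender}[provider](event)


def needs_paging(alert):
    """Escalation rule used in this example: page on-call for High, ticket the rest."""
    return alert.severity == "High"


if __name__ == "__main__":
    for provider, event in (("aws", GUARDDUTY_SAMPLE), ("azure", DEFENDER_SAMPLE)):
        a = normalize(provider, event)
        print(f"{a.provider:5} {a.severity:6} {a.category:28} {a.resource:10} page={needs_paging(a)}")
```

Once both feeds share the schema, a single escalation rule such as `needs_paging` applies to both clouds, and the category field lets you count, suppress or correlate findings without caring which provider produced them.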
Interview Question
Q: "What are the biggest security challenges in multi-cloud environments?"
Answer:
- Identity sprawl: Different IAM models, need centralized identity provider
- Visibility: Unified logging and monitoring across providers
- Configuration drift: Each cloud has different security defaults
- Skill gaps: Teams need expertise across multiple platforms
- Compliance: Demonstrating compliance across different services
Interview Tip: When discussing cloud security, always reference the shared responsibility model and emphasize that cloud providers secure the cloud, but customers must secure what they put IN the cloud.
Next, we'll cover container and Kubernetes security.