Cloud Security & the Shared Responsibility Model¶

The cloud doesn't remove security responsibility — it splits it. Misunderstanding the split causes most cloud breaches.

The Shared Responsibility Model¶

│ IaaS │ PaaS │ SaaS │ Data │ YOU │ YOU │ YOU │ ← always yours App / config │ YOU │ YOU │ Prov │ Runtime / OS │ YOU │ Prov │ Prov │ Virtualization│ Prov │ Prov │ Prov │ Hardware/DC │ Prov │ Prov │ Prov │

The provider secures the cloud ("security OF the cloud"); you secure what you put in it ("security IN the cloud") — your data, identities, and configuration. Misconfiguration is your responsibility, and it's the #1 cause of cloud breaches.

The #1 Cloud Risk: Misconfiguration¶

• Public storage buckets (S3, blobs) exposing sensitive data.
• Over-permissive IAM roles and policies.
• Security groups open to 0.0.0.0/0 on admin ports.
• Unencrypted volumes/databases.
• Disabled or unmonitored audit logging.

Cloud IAM — Identity Is the Perimeter¶

In the cloud, identity replaces the network boundary:

• Enforce least privilege on every role and policy.
• MFA on all human accounts, especially root/admin.
• Avoid long-lived access keys; use roles and short-lived credentials.
• Never use the root account for daily work; lock it down.
• Regularly review permissions; remove unused ones.

Key Cloud Controls¶

Cloud-Native Threats¶

• Credential/key leakage (in code, repos) → instant cloud compromise.
• SSRF abused to reach the metadata service and steal instance credentials (use IMDSv2).
• Privilege escalation via misconfigured IAM trust policies.
• Account hijacking of the management console.

Practical Hardening Checklist¶

• MFA everywhere; root account locked away.
• Least-privilege IAM; no wildcard *:* policies.
• Block public access on storage by default.
• Encrypt all data at rest and in transit.
• Enable audit logging in every account/region; centralize it.
• Run a CSPM scan and fix critical misconfigurations.
• Use short-lived credentials and workload identity.