Cloud security is the set of technical controls, processes and policies that protect data, workloads and infrastructure hosted on providers such as AWS, Azure and GCP. The fundamental premise is that the cloud is neither inherently more secure nor more insecure than an on-premise data center — it is different, and attacks exploit precisely those who fail to understand that difference.
The Shared Responsibility Model
Every cloud provider operates under an implicit contract called the shared responsibility model. The provider ensures the security of the cloud: physical hardware, hypervisors, the global network, availability zones and managed services. The customer is responsible for security in the cloud: service configuration, identities and permissions, stored data, encryption, application code and, in the IaaS model, the operating system and installed dependencies.
In practice, this boundary shifts depending on the service model:
| Model | Provider Responsibility | Customer Responsibility |
|---|---|---|
| IaaS (EC2, Azure VM) | Physical infrastructure, hypervisor, network | OS, runtime, application, data, IAM, virtual network |
| PaaS (RDS, App Service) | + Managed OS and runtime | Application, data, IAM, service configuration |
| SaaS (Microsoft 365, Salesforce) | Almost everything technical | Configuration, user access, entered data |
Most incidents occur at the customer layer. According to the Cloud Security Alliance (CSA) Top Threats to Cloud Computing 2023, the categories that most often led to breaches were misconfiguration, inadequate identity control and insecure API interfaces — all the customer's exclusive responsibility.
Main Risks in Cloud Environments
1. Misconfiguration
Public storage buckets, security groups with unrestricted access (0.0.0.0/0 on sensitive ports), database instances without authentication and Lambda functions with administrator permissions are configuration errors that expose data even before any sophisticated attack. The average cost of a breach caused by misconfiguration, according to the IBM Cost of a Data Breach Report 2024, was US$ 4.5 million.
2. Excessive IAM and Compromised Credentials
Cloud environments accumulate permissions over time. A service account created for a one-off task retains administrator access for years. Programmatic access keys get exposed in Git repositories, CI/CD environment variables or debug logs. The concept of excessive permissions is central: in environments audited by Decripte, more than 70% of effective IAM permissions are never exercised — each one a latent attack surface.
3. Unencrypted Exposed Data
Databases without encryption at rest, public snapshots and backups stored in buckets without SSE represent a direct risk of silent exfiltration. Encryption must be applied at three layers: at rest (SSE/CMK), in transit (TLS 1.2+) and, where applicable, in use (confidential computing with Intel TDX or AMD SEV-SNP for PCI/health workloads).
4. Shadow Cloud and Account Sprawl
Shadow cloud occurs when teams create accounts, projects or subscriptions outside central IT governance — whether for speed or from unfamiliarity with policies. These accounts do not go through security reviews, do not have logging enabled and are often abandoned with valid credentials. A complete inventory of cloud assets is a prerequisite for any security program.
5. Insecure APIs and the Serverless Attack Surface
Serverless functions (AWS Lambda, Azure Functions) and APIs exposed without adequate authentication, without rate limiting and without input validation are a growing set of vectors. The ephemeral nature of functions makes post-incident forensics difficult if there is no structured logging from the outset.
Technical Pillars of Cloud Security
IAM and Least Privilege
Implement the principle of least privilege systematically: every identity — human or machine — receives only the permissions needed for its specific function, reviewed periodically. On AWS, use IAM Access Analyzer to detect permissions that cross account boundaries. On Azure, Privileged Identity Management (PIM) offers just-in-time access with approval. On GCP, IAM Recommender suggests downscoping based on actual usage over the last 90 days.
MFA is mandatory for all human identities. For phishing resistance, prioritize FIDO2/passkeys over TOTP. Never use the root/Owner account without MFA and never create programmatic credentials for it.
Encryption
Enable encryption at rest on all storage services with customer-managed keys (CMK) in AWS KMS, Azure Key Vault or Google Cloud KMS. Define an automatic rotation policy (at least annual). Remove hardcoded secrets with repository analysis tools (Gitleaks, Trufflehog). Manage dynamic credentials with AWS Secrets Manager or HashiCorp Vault — automatic rotation eliminates the exposure window of static credentials.
Network Segmentation
VPCs are the floor, not the ceiling. Segment subnets by layer (public, application, data), apply restrictive Security Groups (deny-all by default, explicit allow), enable VPC Flow Logs for forensic analysis and use Network Firewall or Azure Firewall for East-West traffic inspection. For workloads that need internet access, prefer a NAT Gateway over direct exposure. Private Endpoints/PrivateLink keep managed-service traffic off the public internet.
Logging, Monitoring and Response
Without logs, there is no detection and no forensics. The minimum trilogy: CloudTrail (API actions), Config (configuration changes) and VPC Flow Logs (network traffic) on AWS — with equivalents on Azure and GCP. Centralize logs in a SIEM external to the compromised account (S3 with Object Lock or a Log Analytics Workspace with immutable retention). Configure alerts for IAM user creation, CloudTrail being disabled, bucket policy changes and logins from atypical regions. The mean time to detect (MTTD) without automated alerts reaches 197 days — unacceptable.
Backup and Recovery
Backups must be tested. Enable AWS Backup with an immutable vault (vault lock), test restores quarterly, keep copies outside the main account (cross-account or cross-region) and verify that the Deletion Prevention Policy stops ransomware from deleting snapshots via a compromised API.
CSPM, CNAPP and CIEM
CSPM (Cloud Security Posture Management) continuously scans your accounts for configuration drift relative to benchmarks such as CIS AWS Foundations, NIST 800-53 and PCI-DSS. Native tools such as AWS Security Hub, Microsoft Defender for Cloud and Google Security Command Center provide posture scoring at no relevant additional cost — there is no excuse for not enabling them.
CNAPP (Cloud-Native Application Protection Platform) converges CSPM, CWPP (workload protection), CIEM and infrastructure code analysis (IaC scanning) into a single platform. Wiz, Orca Security and Prisma Cloud are the market leaders; they detect risks in context — a misconfiguration in a bucket is only critical if it is connected to an over-exposed identity and to sensitive data.
CIEM (Cloud Infrastructure Entitlement Management) focuses specifically on the problem of excessive permissions: it maps all effective permissions (not just the granted ones), identifies toxic combinations (e.g. ListBuckets + GetObject + DeleteObject on the same application role) and recommends or applies automatic downsizing. In multi-cloud environments, CIEM is essential because each provider has distinct permission models that are impossible to manage manually at scale.
Containers and Kubernetes
Container security starts with the image: use minimal base images (distroless or Alpine), scan with Trivy or Grype on every build, never run as root and sign images with Cosign (supply chain). In Kubernetes:
- Disable the automatic ServiceAccount token in Pods that do not need to access the cluster API.
- Implement Network Policies to isolate namespaces — by default, every Pod communicates with every other.
- Use OPA/Gatekeeper or Kyverno to enforce admission policies (block unsigned images, privileged containers, hostPath mounts).
- Protect etcd with TLS and restricted access — it holds all cluster secrets in base64 (not encrypted by default).
- Enable Kubernetes Audit Logs and integrate them with the central SIEM.
- Use Falco for runtime detection of anomalous behavior (e.g. a shell inside a production container, reading /etc/shadow).
Managed Kubernetes (EKS, AKS, GKE) reduces the control-plane attack surface, but it does not eliminate responsibility for node configuration, cluster RBAC and application images.
Multi-Cloud Security
Organizations with AWS + Azure + GCP face three unique challenges: fragmented visibility, incompatible IAM models and inconsistent controls. The best practices are:
- Unified inventory: use a multi-cloud CNAPP tool or each provider's Cloud Asset Inventory exporting to a central SIEM.
- Centralized identity federation: replace local accounts with federated SSO (Okta, Azure AD/Entra ID, Google Workspace) with consistent MFA policies.
- Per-provider benchmarks: CIS AWS Foundations Benchmark v3.0, CIS Azure Foundations v2.0, CIS GCP Foundations v2.0 — applied automatically via Security Hub, Defender and SCC respectively.
- Data policy as code: define where each data classification can reside (region, provider) and use SCPs (AWS), Azure Policy and Org Policies (GCP) to enforce this automatically.
Compliance: ISO 27017, ISO 27018 and LGPD
ISO 27017 extends ISO 27001 with controls specific to cloud providers and users — covering secure virtualization, environment segregation and security responsibilities in cloud services. ISO 27018 deals specifically with the protection of personal data (PII) in the public cloud: a ban on using data for marketing purposes without consent, the right to portability and transparency about subprocessors.
The LGPD (Law 13.709/2018) requires technical and administrative measures proportionate to the risk (Art. 46), mapping of processing operations, notification of incidents to the ANPD within 72 hours (Art. 48) and, for international transfers, guarantees of an equivalent level of protection. In practice, this means: encryption of personal data at rest and in transit, need-based access control, access logs for personal data, a documented incident response process and review of contracts with cloud subprocessors (DPA — Data Processing Agreement).
The CIS Benchmarks (Center for Internet Security) provide prescriptive configuration guides for AWS, Azure and GCP with two levels: Level 1 (basic controls with no operational impact) and Level 2 (in-depth hardening for high-security environments). They are the most widely adopted technical reference globally for cloud compliance audits.
Risks and Mitigations Table
| Risk | Typical Vector | Primary Mitigation | Reference Tool |
|---|---|---|---|
| Public bucket/blob | Misconfiguration | Block Public Access + continuous CSPM | AWS S3 Block Public Access, CSPM |
| Exposed credential | Git leak, CI log | Gitleaks in the pipeline + automatic rotation | AWS Secrets Manager, Vault |
| Over-exposed IAM | Over-provisioning | CIEM + 90-day review + SCPs | IAM Access Analyzer, Wiz CIEM |
| Unencrypted data | Public snapshot | Mandatory CMK + posture scan | AWS KMS, Azure Key Vault |
| Vulnerable container | Outdated image | CI/CD scan + admission policy | Trivy, Kyverno |
| No threat detection | No log/alert | CloudTrail + SIEM + automatic alerts | GuardDuty, Microsoft Sentinel |
| Shadow cloud | Unmanaged account | AWS Organizations + Landing Zone | AWS Control Tower, Azure Landing Zone |
Frequently Asked Questions
What is the shared responsibility model in the cloud?
It is the formal division between what the cloud provider (AWS, Azure, GCP) protects — physical infrastructure, hypervisor, global network — and what the customer must protect: data, identities, configurations, applications and the operating system on IaaS workloads. Most real incidents occur at the customer layer, not the provider's.
What is the most common risk in cloud environments?
Misconfiguration: public S3/Blob Storage buckets, security groups with 0.0.0.0/0, IAM permissions with administrator access distributed widely and hardcoded secrets in code. The 2023 CSA Report points to misconfiguration as the primary vector in more than 60% of cloud breaches.
What is CSPM and why do I need it?
Cloud Security Posture Management (CSPM) is a category of tools that continuously scans your cloud accounts for configuration drift relative to benchmarks such as CIS AWS Foundations. It detects, for example, MFA disabled on root users, CloudTrail turned off or KMS keys without automatic rotation — and alerts in real time.
How do I protect identities in multi-cloud environments?
Apply the principle of least privilege via CIEM: enumerate all effective permissions (not just the granted ones), revoke permissions unused in the last 90 days, implement phishing-resistant MFA (FIDO2/passkeys) and adopt identity federation with a central provider instead of local per-account credentials.
Are containers and Kubernetes more secure than VMs?
Not intrinsically — they simply change the attack surface. Specific risks include images with known vulnerabilities, excessive permissions on Kubernetes ServiceAccounts, exposed etcd or kubelet APIs, and a lack of Network Policies. Tools such as Falco (runtime) and Trivy (image scanning) are the minimum floor for production environments.
Does the LGPD impose specific technical requirements for the cloud?
The LGPD (Law 13.709/2018) requires appropriate technical and administrative measures to protect personal data (Art. 46), encryption of data at rest and in transit, need-based access control, a record of processing operations and, for international transfers, equivalent guarantees of protection. ISO 27017 and 27018 are the technical standards aligned with these requirements for cloud environments.
References
- Cloud Security Alliance — Top Threats to Cloud Computing 2023 (cloudsecurityalliance.org)
- NIST SP 800-144 — Guidelines on Security and Privacy in Public Cloud Computing
- NIST SP 800-190 — Application Container Security Guide
- CIS Benchmarks — AWS Foundations v3.0, Azure Foundations v2.0, GCP Foundations v2.0 (cisecurity.org)
- ISO/IEC 27017:2015 — Code of Practice for Cloud Services Security Controls
- ISO/IEC 27018:2019 — Protection of PII in Public Cloud
- ANPD — Information Security Guidance Note (gov.br/anpd)
How Decripte Works in Cloud Security
Decripte performs pentesting and hardening of cloud environments for organizations of every size — from the sole proprietor with one AWS account to the enterprise group with hundreds of multi-cloud accounts. The work includes posture review (manual + automated CSPM), analysis of IAM and effective permissions, external and internal penetration tests against the cloud infrastructure, review of container and Kubernetes configuration, and alignment with the LGPD, ISO 27017/27018 and CIS Benchmarks.
The first assessment is free: in less than 24 hours, your account receives a posture report with the critical risks identified. For organizations that need continuous coverage, Decripte's plans include posture monitoring, incident response and access to the team of specialists. Go to /planos or start with the free assessment at /start.
