Cloud computing has transformed how organizations run infrastructure — but it’s also introduced a new category of security risks. Misconfigurations in cloud environments exposed over 2.3 billion files in 2023 alone. This guide covers the foundational security practices that every cloud user needs to know.
## The Shared Responsibility Model

The most important concept in cloud security is understanding who is responsible for what. Cloud providers and customers share security responsibility — but the split depends on the service type: with PaaS and SaaS the provider also takes on the OS and runtime layers, while identity, data and access configuration always remain yours.

- **Provider handles:** physical data centers, hardware, network infrastructure, the hypervisor layer
- **You handle:** IAM, data encryption, OS patching (IaaS), network configuration, application security, monitoring

Common mistake: thinking the cloud provider secures everything.

Reality: the cloud is secure, but YOUR configuration might not be.
## Identity and Access Management (IAM)

### AWS IAM Best Practices

```bash
# Never use the root account for daily operations.
# Check whether root has MFA enabled (the key in the summary is AccountMFAEnabled; a value of 1 means on):
aws iam get-account-summary | grep AccountMFAEnabled

# Create a least-privilege policy (read-only S3 example):
aws iam create-policy --policy-name S3ReadOnly --policy-document '{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
  }]
}'

# Use IAM roles for EC2 instances, NOT hardcoded access keys.
# trust-policy.json must allow ec2.amazonaws.com to assume the role; attach
# permission policies to the role afterwards and assign it via an instance profile.
aws iam create-role --role-name MyAppRole --assume-role-policy-document file://trust-policy.json
```
## Finding and Fixing Cloud Misconfigurations

### Most Common AWS Mistakes

```bash
# 1. Public S3 buckets (the #1 cloud security mistake)
# Block all public access on a bucket:
aws s3api put-public-access-block --bucket my-bucket --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"

# 2. Security groups open to 0.0.0.0/0
# Find security groups with SSH open to the world.
# Note: this matches only rules whose FromPort is exactly 22; a port range such as
# 0-1024, an all-traffic (-1) rule or an IPv6 ::/0 source also exposes SSH.
aws ec2 describe-security-groups --query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`]&&(FromPort==`22`)]].[GroupId,GroupName]' --output table

# 3. Unencrypted S3 buckets
aws s3api put-bucket-encryption --bucket my-bucket --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
```
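Added example, not part of the original guide: a Python check that goes beyond the one-line JMESPath query above, also catching port ranges that include 22 or 3389, all-traffic rules (IpProtocol -1) and IPv6 ::/0 sources. It runs on a constructed sample in the `describe-security-groups` shape; the function names and the sample groups are mine.

```python
"""Flag security groups that expose SSH/RDP to the whole internet.
Added example, not from the original guide. Unlike the one-line JMESPath
query it also catches port ranges that include 22/3389, IpProtocol "-1"
(all traffic) and IPv6 ::/0. Input: the list under "SecurityGroups" from
`aws ec2 describe-security-groups` or boto3 describe_security_groups()."""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"

def _is_world_open(rule):
    """True if the inbound rule allows any IPv4 or any IPv6 source."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in rule.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6

def _exposed_ports(rule):
    """Admin ports reachable through this rule ("-1" means every port)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return set(ADMIN_PORTS)
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if proto not in ("tcp", "6") or lo is None or hi is None:
        return set()
    return {p for p in ADMIN_PORTS if lo <= p <= hi}

def find_exposed_admin_ports(security_groups):
    """Return sorted [(GroupId, port, service), ...] for world-open admin ports."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if _is_world_open(rule):
                for port in _exposed_ports(rule):
                    findings.append((sg["GroupId"], port, ADMIN_PORTS[port]))
    return sorted(findings)

# Constructed sample in the describe-security-groups shape (not real data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0b2", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,  # range hides SSH
         "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0c3", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],  # all traffic, any IPv6 source
         "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]}]},
]
```

For a live scan, pass `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` to `find_exposed_admin_ports()`; on the sample it reports SSH on sg-0b2 and both SSH and RDP on sg-0c3, and nothing for the web group.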
### Cloud Security Posture Management (CSPM)

```bash
# Prowler — free open-source scanner for AWS/Azure/GCP:
pip install prowler

# Scan AWS for all misconfigurations:
prowler aws

# Run specific checks:
prowler aws --checks s3_bucket_public_access_block_enabled

# Generate an HTML report:
prowler aws -M html

# ScoutSuite — free multi-cloud auditing:
pip install scoutsuite
scout aws
```
## Enable Cloud Logging

```bash
# AWS CloudTrail — logs all API calls.
# The target bucket needs a bucket policy that lets cloudtrail.amazonaws.com write to it.
aws cloudtrail create-trail --name security-audit-trail --s3-bucket-name my-cloudtrail-logs --include-global-service-events --is-multi-region-trail
aws cloudtrail start-logging --name security-audit-trail

# AWS GuardDuty — threat detection service:
aws guardduty create-detector --enable --finding-publishing-frequency FIFTEEN_MINUTES

# AWS Security Hub — centralized security findings:
aws securityhub enable-security-hub --enable-default-standards
```
## Secrets Management

```bash
# NEVER hardcode credentials — attackers scan GitHub for exposed AWS keys.
# BAD:
# AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"

# GOOD: use AWS Secrets Manager.
# Note: a value passed on the command line lands in your shell history;
# in practice read it from a file (--secret-string file://...) or a prompt.
aws secretsmanager create-secret --name MyApp/DBPassword --secret-string "myPassword123"
```

Retrieve it in Python:

```python
import boto3

# Read the secret at runtime instead of shipping it in the code.
resp = boto3.client('secretsmanager').get_secret_value(SecretId='MyApp/DBPassword')
db_password = resp['SecretString']
```

Scan your code for exposed secrets:

```bash
pip install git-secrets
# Register the AWS key patterns once, then scan the repository:
git secrets --register-aws
git secrets --scan
```
## Cloud Security Checklist

- Root account MFA enabled, not used for daily work
- All IAM uses least privilege (not AdministratorAccess)
- No public S3 buckets unless intentionally public
- S3 encryption at rest enabled
- No security groups open to 0.0.0.0/0 on SSH/RDP
- CloudTrail enabled in all regions
- GuardDuty enabled
- No hardcoded credentials in code — use IAM roles or Secrets Manager
- Prowler run regularly
## Wrap Up

Cloud security gives you powerful native tools — IAM, CloudTrail, GuardDuty, Security Hub. The challenge is using them. Start with IAM hygiene and S3 visibility, enable GuardDuty and CloudTrail, and run Prowler monthly to catch configuration drift before attackers do.