Cloud Security: How to Protect AWS, Azure and GCP Environments
Resposta direta
Cloud security is the set of controls that protects data, identities and workloads in AWS, Azure and GCP, operating under the shared responsibility model: the provider protects the infrastructure and the customer protects configurations, IAM and data. Most incidents come from misconfiguration, not from a provider failure. Decripte runs cloud pentests and implements CSPM, CNAPP and multi-cloud least privilege with a 1-hour containment SLA.
Principais conclusões
- ›Most cloud incidents come from the customer's half of the shared responsibility model — configuration, IAM and data — not from a provider failure.
- ›The five central risks are misconfiguration, excessive IAM, exposed buckets, hardcoded secrets and supply chain; misconfiguration is the most common root cause.
- ›CSPM handles configuration, CWPP handles workloads, CIEM handles identities and CNAPP unifies everything in one platform — a trend confirmed by Gartner in 2025.
- ›Least privilege is the highest-leverage control in the cloud: identity is the new perimeter, and long-lived credentials should give way to temporary roles.
- ›Containers and Kubernetes require Pod Security Standards, Network Policies, restricted RBAC and hardening against CIS Benchmarks and the NSA/CISA guide.
- ›CIS Benchmarks, NIST 800-53, ISO 27017 and Well-Architected reinforce one another: hardening against CIS already covers much of NIST and ISO simultaneously.
- ›Decripte runs cloud pentests and implements CSPM, CNAPP and multi-cloud least privilege, with an SLA to contain a critical incident within 1 hour.
What cloud security is and the shared responsibility model
Cloud security is the discipline that protects data, identities, applications and infrastructure hosted with providers such as AWS, Microsoft Azure and Google Cloud (GCP). Unlike traditional datacenter security, it operates over ephemeral resources, defined by software (infrastructure as code) and accessible via public API, which radically changes the attack surface: the perimeter is no longer the network but identity and configuration.
The shared responsibility model defines who protects what. The cloud provider is responsible for the security OF the cloud: hardware, virtualization, physical network and availability of managed services. The customer is responsible for security IN the cloud: service configuration, identity and access management (IAM), data encryption, network rules (security groups, NSGs, firewall rules) and the application code. The exact line varies by service type.
In IaaS (e.g., EC2, virtual machines), the customer manages the operating system, patches and everything above it. In PaaS (e.g., RDS, App Service), the provider covers the OS and runtime, but the customer still defines access and data. In SaaS, the customer is responsible essentially for identity, configuration and data. Most cloud incidents occur precisely on the customer's half: the provider delivers services that are secure by default, but the responsibility to configure them correctly is never transferred. The ISO/IEC 27017 standard formalizes this model, defining roles within SLAs and adding seven cloud-specific controls beyond ISO 27002.
Main cloud risks: misconfiguration, excessive IAM, exposed buckets, secrets and supply chain
Misconfiguration is the most common root cause of cloud exposure. Open storage buckets, databases without authentication, security groups with 0.0.0.0/0 on sensitive ports and disabled logging expose data without any software vulnerability being exploited. The IBM Cost of a Data Breach 2025 report attributes 26% of all breaches to human error, and Tenable found that 9% of publicly accessible cloud storage services contain sensitive data. The global average cost of a breach reached US$ 4.44 million in 2025.
Excessive IAM is the most underestimated risk. Identities (users, roles, service accounts) accumulate permissions they never use, and those idle permissions become a path for privilege escalation and lateral movement. In multi-cloud the problem multiplies: each provider has its own permissions model, and few teams can say precisely who can do what. That is why least privilege is the highest-leverage control in the cloud.
Exposed buckets and storage (S3, Azure Blob, Cloud Storage) keep leaking data through public ACLs, permissive policies and the absence of Block Public Access. Hardcoded secrets — access keys, tokens and passwords in code, environment variables, container images and Git repositories — are harvested by attackers who continuously scan GitHub. Supply chain risks round out the list: compromised base container images, malicious dependencies, third-party Terraform modules and CI/CD pipelines with long-lived credentials allow code injection even before deployment. Decripte maps these five vectors in every cloud pentest.
The modern pillars: CSPM, CWPP, CIEM and CNAPP
Modern cloud security is organized into complementary capabilities that, according to Gartner, have been converging into a single platform called CNAPP. Understanding each acronym is a prerequisite for choosing and operating the right tools.
CSPM (Cloud Security Posture Management) continuously checks whether the environment is securely configured: open buckets, weak IAM, missing encryption, disabled logging and deviations from benchmarks such as CIS. It is the layer that detects misconfiguration at scale. CWPP (Cloud Workload Protection Platform) protects running workloads — virtual machines, containers and serverless functions — by scanning for vulnerabilities, malware, exposed secrets and insecure configurations within the workload itself.
CIEM (Cloud Infrastructure Entitlement Management) governs identities and entitlements, measuring granted permissions against permissions actually used to enforce least privilege and remove idle access. It is the direct answer to the excessive IAM risk, especially in multi-cloud. CNAPP (Cloud-Native Application Protection Platform) is the unified platform that integrates CSPM, CWPP, CIEM and DSPM, correlating signals across the entire lifecycle — from infrastructure as code to production workloads. Gartner points to three adoption drivers: unifying risk visibility across IaaS and PaaS, reducing the complexity of overlapping tools and integrating security into the DevOps flow with low friction. Decripte implements these layers based on the real risk measured in the environment, not as a standalone tool purchase.
Container and Kubernetes security
Containers and Kubernetes add their own layers of risk that traditional CSPM does not fully cover. Security starts at the image: use minimal base images, scan for vulnerabilities and secrets before deploy, sign images and pull only from trusted registries. Containers should run as a non-root user, with a read-only filesystem where possible and capabilities reduced to the minimum necessary.
At the cluster level, the Kubernetes Pod Security Standards (baseline and restricted) prevent privileged pods, mounting of the host filesystem and privilege escalation. Network Policies segment east-west traffic between namespaces and pods — without them, the cluster is a flat network where a compromised pod reaches all the others. Kubernetes RBAC should follow least privilege, avoiding cluster-admin bindings and service accounts with long-lived tokens mounted automatically.
The NSA/CISA Kubernetes Hardening Guide and the CIS Kubernetes Benchmarks are the authoritative references, and tools such as kube-bench automate verification against CIS. The OWASP Kubernetes Top 10 (2025) confirms that insecure workload configuration (K01), overly permissive authorization (K02) and the absence of network segmentation (K05) account for most of the flaws found in production clusters. Decripte tests and hardens clusters against these three priority vectors.
Identity and least privilege in multi-cloud
In the cloud, identity is the new perimeter. Most successful attacks do not exploit a software flaw: they use a valid credential with excessive permissions. That is why least privilege — granting each identity only the access it strictly needs, for the shortest possible time — is the structurally most important control in a cloud environment.
Operationalizing it means eliminating long-lived credentials. Instead of static access keys, use roles and identity federation (AWS IAM Roles, Azure Managed Identities, GCP Workload Identity) so workloads obtain temporary credentials automatically. For human access, centralize in an identity provider with SSO and mandatory MFA, and grant access to sensitive resources just-in-time, not permanently.
In multi-cloud, complexity explodes because each provider has a distinct permissions model, and idle permissions accumulate invisibly. CIEM tools make it possible to measure the gap between granted and used permissions, identify over-privileged identities and orphan roles, and detect privilege-escalation paths across accounts and across clouds. The recommended practice is continuous review: any permission unused for a defined period is a candidate for removal. Decripte audits the IAM models of all three providers and implements measured least privilege, reducing the identity surface without breaking operations.
Compliance and benchmarks: CIS, NIST, ISO 27017 and Well-Architected
Benchmarks and frameworks provide the objective yardstick to measure and prove cloud security posture. The CIS Benchmarks are the de facto standard for secure configuration, with specific, prescriptive guides for AWS, Azure, GCP, Kubernetes and dozens of services — each control is verifiable and mappable to a CSPM tool. They are the practical starting point for hardening because they translate principles into concrete configurations.
At the governance level, NIST SP 800-53 and the NIST Cybersecurity Framework offer comprehensive catalogs of controls applicable to the cloud, widely adopted as the basis of security programs. ISO/IEC 27017 extends ISO 27002 with cloud-specific controls (including SLA roles, VM hardening and removal of customer assets), while ISO/IEC 27018 deals specifically with the protection of personal data (PII) in the public cloud. Important: 27017 and 27018 are not certifiable on their own — they rely on the ISO 27001 framework.
The AWS Well-Architected Framework (and its Azure Well-Architected and Google Cloud Architecture Framework counterparts) brings the security pillar as a practical implementation guide, complementing the formal standards with architectural recommendations. In practice, these frameworks overlap and reinforce one another: an environment hardened against CIS Benchmarks already satisfies much of the NIST and ISO 27017 controls simultaneously. Decripte uses these benchmarks as the basis for cloud audits, measuring the client's real environment against each control and prioritizing fixes by risk.
Passo a passo
- Map the shared responsibility model: document, per service (IaaS/PaaS/SaaS), exactly what the provider covers and what is your responsibility — configuration, IAM, encryption and data.
- Establish a baseline with CSPM: assess the entire environment against the CIS Benchmarks for AWS, Azure and GCP, fixing exposed buckets, missing encryption and disabled logging in order of risk.
- Implement least privilege and eliminate long-lived credentials: replace static access keys with temporary roles, require MFA, centralize identity in SSO and use CIEM to remove idle permissions.
- Protect the workloads: scan container images and functions for vulnerabilities and secrets, run containers as non-root and apply Pod Security Standards and Network Policies in Kubernetes.
- Manage secrets correctly: take keys and tokens out of code, images and environment variables, moving them to a vault (Secrets Manager, Key Vault, Secret Manager) with automatic rotation.
- Enable observability and detection: centralize logs (CloudTrail, Azure Monitor, Cloud Audit Logs), turn on native threat detection and integrate alerts into a SOC for fast response.
- Validate with a cloud pentest and continuous review: test IAM, configurations and privilege-escalation paths with an offensive team, and reassess the posture on a recurring cycle, not just once.
Perguntas frequentes
What is the shared responsibility model in the cloud?
It is the division of security responsibilities between the cloud provider and the customer. The provider (AWS, Azure, GCP) protects the underlying infrastructure — hardware, virtualization and physical network — while the customer protects what they put in the cloud: configurations, identities and access (IAM), data encryption, network rules and the application code. The exact line varies depending on whether the service is IaaS, PaaS or SaaS, but the responsibility to configure correctly and protect data is never transferred to the provider.
What is CSPM?
CSPM (Cloud Security Posture Management) is the category of tools that continuously checks whether the cloud environment is securely configured. It detects exposed storage buckets, weak IAM policies, missing encryption, disabled logging and deviations from benchmarks such as CIS. It is the layer that identifies misconfiguration at scale, before it becomes an incident. Today CSPM is usually delivered as part of a CNAPP platform.
What is the biggest cloud security risk?
Misconfiguration is the most common risk and the most frequent root cause of data exposure in the cloud — open buckets, databases without authentication and permissive network rules leak data without requiring any software vulnerability. In parallel, excessive IAM is the most underestimated risk: identities with idle permissions become a path for privilege escalation. The IBM Cost of a Data Breach 2025 attributes 26% of breaches to human error.
What is CNAPP and how does it differ from CSPM?
CNAPP (Cloud-Native Application Protection Platform) is a unified platform that integrates CSPM, CWPP (workload protection), CIEM (entitlement management) and DSPM (data security) in a single product, correlating risks from infrastructure as code through to production. CSPM is just one of its capabilities — focused on configuration. According to Gartner, CNAPP adoption is growing because it unifies risk visibility and reduces the number of overlapping tools.
How do I protect S3 buckets and cloud storage?
Enable Block Public Access at the account and bucket level, ensuring that no policy or ACL makes data public by mistake. Apply least privilege in access policies, enable encryption at rest (SSE-KMS), turn on access logging and versioning, and use CSPM to continuously detect exposed buckets. Avoid long-lived credentials by granting access via temporary roles. The same principles apply to Azure Blob Storage and Google Cloud Storage.
What is least privilege and why is it so important in the cloud?
Least privilege is the principle of granting each identity only the access strictly necessary for its function, for the shortest possible time. It is critical in the cloud because most successful attacks do not exploit software flaws: they use valid credentials with excessive permissions to escalate privilege and move laterally. CIEM tools measure the gap between granted and used permissions, making it possible to continuously remove idle access, including in multi-cloud environments.
Want a cloud pentest or to implement CSPM/CNAPP and least privilege?
Decripte tests and hardens AWS, Azure and GCP environments — configurations, IAM, containers and Kubernetes.
