Securing cloud infrastructure requires a fundamentally different approach than traditional on-premises security. With global cybersecurity spending reaching $213 billion in 2025 and CNAPP platforms consolidating CSPM, CWPP, CIEM, and DSPM into unified solutions, the architectural decisions you make today determine your security posture for years. This guide provides a comprehensive framework for designing security into cloud deployments across AWS, Azure, and Google Cloud Platform.
Core Principles
Assume Breach
Design your architecture assuming attackers will gain access to some component. This principle drives every other architectural decision.
Build in network segmentation and micro-segmentation between workloads. Apply least privilege access at every layer including identity, network, application, and data. Implement encryption for data at rest, in transit, and in use. Establish comprehensive logging and monitoring with automated alerting. Reduce blast radius through account isolation and service boundaries.
Defense in Depth
Layer multiple security controls so that failure of any single control doesn’t result in compromise:
| Layer | Controls | Cloud Services |
|---|---|---|
| Perimeter | WAF, DDoS protection, API gateway | AWS WAF, CloudFront; Azure Front Door; GCP Cloud Armor |
| Network | Security groups, NACLs, micro-segmentation | VPC/VNet, Security Groups, NSGs, Firewall rules |
| Identity | IAM, MFA, conditional access | Entra ID, AWS IAM Identity Center, Google Cloud Identity |
| Application | Input validation, secrets management, RASP | AWS Secrets Manager, Azure Key Vault, GCP Secret Manager |
| Data | Encryption, classification, DLP | AWS Macie, Azure Purview, GCP DLP API |
Shift Left
Integrate security into the development process rather than bolting it on after deployment.
Run Infrastructure as Code (IaC) security scanning with Checkov, tfsec, or Bridgecrew before terraform apply. Perform container image scanning in CI/CD pipelines with Trivy, Snyk Container, or ECR scanning. Implement secrets detection in source control with Gitleaks, TruffleHog, or GitHub Secret Scanning. Generate SBOMs at build time using CycloneDX or SPDX format. Enforce policy as code with Open Policy Agent (OPA) or HashiCorp Sentinel.
Identity and Access Management
Identity is the control plane of cloud security. Every API call, every resource access, and every administrative action is an identity-mediated operation.
Centralized Identity
Use a single identity provider for all cloud accounts and enforce federation. Microsoft Entra ID works well for Microsoft-centric environments (Azure, M365, and federated to AWS/GCP). AWS IAM Identity Center (formerly SSO) serves AWS-native identity needs. Google Cloud Identity fits GCP and Google Workspace environments. Okta or Ping Identity provide vendor-neutral, multi-cloud federation.
Role-Based Access Control
Define roles based on job functions, not individuals. Use cloud-native permission boundaries to prevent privilege escalation:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"securityhub:Get*",
"securityhub:List*",
"guardduty:Get*",
"guardduty:List*",
"inspector2:List*",
"inspector2:Get*"
],
"Resource": "*"
}
]
}Cross-cloud equivalents: AWS uses IAM Roles with Permission Boundaries, Azure uses RBAC with Management Groups and Deny Assignments, and GCP uses IAM Roles with Organization Policy Constraints.
Enforce Phishing-Resistant MFA
Require FIDO2/WebAuthn authentication for console and portal access for all users, CLI/API access for privileged operations, and break-glass emergency access accounts (with compensating controls).
Non-Human Identity Management
Service accounts, machine identities, and workload credentials represent the largest identity attack surface in cloud environments.
Replace long-lived access keys with workload identity federation (AWS IAM Roles Anywhere, Azure Managed Identity, GCP Workload Identity Federation). Use OIDC federation for CI/CD pipelines rather than storing cloud credentials in GitHub Actions, GitLab CI, or Jenkins. Rotate any remaining long-lived credentials automatically. Audit with AWS IAM Access Analyzer, Azure Entra Permissions Management, or GCP IAM Recommender to implement least privilege for all service accounts.
Network Security
Virtual Network Design
Segment your network into tiers using separate subnets with controlled routing:
- Public tier for load balancers, CDN endpoints, and bastion hosts / Session Manager
- Application tier for web servers, application servers, and API servers
- Data tier for databases, caches, and storage endpoints
- Management tier for monitoring, logging, security tools, and CI/CD runners
Cross-cloud equivalents: AWS uses VPC with public/private subnets, Security Groups, and NACLs. Azure uses VNet with subnets, NSGs, and ASGs. GCP uses VPC with subnets, Firewall Rules, and Hierarchical Firewalls.
Private Connectivity
Keep traffic off the public internet wherever possible.
Use VPC endpoints / Private Link for cloud service access (S3, DynamoDB, Azure Storage, GCP APIs). Deploy transit gateways for hub-and-spoke topology across accounts and regions. Use VPC peering or Private Service Connect for inter-VPC communication. AWS-GCP Multicloud Interconnect (launched late 2025) provides encrypted cross-cloud connectivity without public internet transit.
Egress Filtering
Control and inspect outbound traffic since unrestricted egress is how data exfiltration succeeds.
Deploy NAT gateways with VPC Flow Logs enabled. Use cloud-native or third-party proxy for internet-bound traffic inspection. Implement DNS filtering for malicious domains (Route 53 Resolver DNS Firewall, Azure DNS Private Resolver). Restrict egress to known-good destinations for production workloads.
Data Protection
Encryption
Encrypt everything. The question is not whether to encrypt but who controls the keys:
| Encryption Level | Implementation | Use Case |
|---|---|---|
| Service-managed keys | Default cloud encryption | Low-sensitivity data |
| Customer-managed keys (CMK) | AWS KMS, Azure Key Vault, GCP Cloud KMS | Confidential data, compliance requirements |
| Customer-provided keys (BYOK) | Customer generates and imports keys | Regulated industries, sovereignty requirements |
| Confidential computing | AWS Nitro Enclaves, Azure Confidential VMs, GCP Confidential VMs | Data in use protection, multi-party computation |
Enforce TLS 1.3 minimum for all in-transit encryption. Disable TLS 1.0/1.1 at load balancers and API gateways.
Data Classification and DSPM
Implement automated data classification since manual classification doesn’t scale:
| Level | Examples | Controls |
|---|---|---|
| Public | Marketing content, public APIs | Basic access controls |
| Internal | Business documents, internal wikis | Authentication required, access logging |
| Confidential | Customer PII, financial records | Encryption with CMK, access logging, DLP |
| Restricted | Credentials, encryption keys, PHI | HSM storage, strict access, audit trails |
Deploy Data Security Posture Management (DSPM) tools to discover, classify, and monitor sensitive data across cloud storage. AWS Macie handles S3 data discovery. Azure Purview provides cross-cloud data governance. GCP DLP API performs automated content inspection. Third-party DSPM solutions (Wiz DSPM, Varonis, Cyera) offer multi-cloud coverage.
Data Loss Prevention
Deploy DLP controls at multiple layers. Cloud-native DLP scans storage and databases (Macie, Purview, GCP DLP). Network DLP inspects egress traffic via proxy or CASB. Endpoint DLP handles downloads and local copies. SaaS DLP covers cloud collaboration tools (Google Workspace, Microsoft 365).
Workload Security
Compute Hardening
Secure your compute instances with defense in depth.
Use hardened, minimal base images (CIS-benchmarked AMIs, Azure Marketplace hardened images). Deploy EDR/XDR agents on all instances (CrowdStrike Falcon, SentinelOne, Defender for Cloud). Implement immutable infrastructure by replacing instances rather than patching in place. Enable host-based firewalls restricting traffic to only required ports. Use instance metadata service v2 (IMDSv2) on AWS to prevent SSRF-based credential theft.
Container Security
For containerized workloads, security must span the full lifecycle.
At build time, scan images in CI/CD with Trivy, Snyk Container, or ECR/ACR native scanning. Use distroless or minimal base images (gcr.io/distroless, Alpine, scratch). Generate SBOMs for every container image. Sign images with Cosign/Sigstore and enforce signature verification at admission.
At runtime, implement Pod Security Standards (Restricted, Baseline, Privileged) in Kubernetes. Deploy runtime protection with Falco, Sysdig, or cloud-native runtime monitoring. Use read-only root filesystems and drop all unnecessary Linux capabilities. Implement network policies restricting pod-to-pod communication to documented flows.
Serverless Security
For functions and managed services, minimize function permissions so each function gets its own IAM role with least privilege. Validate and sanitize all inputs since serverless functions are API endpoints. Use secrets management services rather than environment variables for sensitive values. Enable function-level logging and tracing (X-Ray, Application Insights, Cloud Trace). Set appropriate timeout and memory limits to prevent abuse.
AI Workload Security
As organizations deploy generative AI workloads, new security considerations emerge.
Implement AI Security Posture Management (AI-SPM) to discover and monitor AI models, training data, and inference endpoints. Apply guardrails for AI input/output validation to prevent prompt injection, data poisoning, and sensitive data exposure. Secure model artifacts with encryption, access controls, and integrity verification. Monitor AI API endpoints for adversarial inputs, unusual query patterns, and data extraction attempts. Ensure training data governance to prevent PII, credentials, or proprietary data from leaking into model weights.
Detection and Response
Security Monitoring
Centralize security telemetry across all cloud accounts, regions, and services.
Cloud-native SIEM and security services include AWS Security Hub + GuardDuty + CloudTrail + Security Lake (feed to Sentinel, Splunk, or Chronicle), Azure Defender for Cloud + Sentinel + Activity Logs + Entra ID logs, and GCP Security Command Center + Chronicle + Cloud Audit Logs.
Detection priorities include unauthorized API calls and permission changes, new IAM users/roles/policies created outside IaC, security group modifications allowing broader access, data access patterns deviating from baselines, and cloud resource creation in unusual regions.
Automated Containment
Pre-configure automated response actions.
Auto-isolate compromised instances by removing from security groups and adding deny-all rules. Auto-revoke compromised credentials by disabling access keys and revoking sessions. Auto-quarantine suspicious S3 buckets or storage accounts. Auto-block known-malicious IPs at WAF and security group level.
Use SOAR platforms (AWS Security Hub + Lambda, Azure Logic Apps, or dedicated SOAR) for orchestration.
Compliance and Governance
Multi-Account Strategy
Isolate workloads across cloud accounts to limit blast radius.
AWS uses Organizations with SCPs (Service Control Policies) enforcing guardrails. Azure uses Management Groups with Azure Policy inheritance. GCP uses Organization with Folders and Organization Policy Constraints.
Policy as Code
Enforce compliance automatically since manual compliance checks create gaps.
AWS Config Rules and Conformance Packs provide automated configuration assessment. Azure Policy offers built-in and custom policy definitions. GCP Organization Policies and Security Health Analytics handle GCP compliance. Open Policy Agent (OPA) manages Kubernetes admission control and infrastructure policy. Terraform Sentinel or Checkov enforce IaC policy pre-deployment.
Continuous Compliance
Monitor compliance posture continuously rather than through periodic audits.
Deploy CSPM (Cloud Security Posture Management) for ongoing configuration assessment. Enable automated remediation for configuration drift by auto-closing public S3 buckets, auto-enabling encryption, and auto-restricting security groups. Generate compliance reports mapped to frameworks (CIS Benchmarks, SOC 2, PCI DSS, HIPAA, ISO 27001). Integrate compliance findings into engineering workflows through Jira/ServiceNow ticket creation.
Getting Started
- Assess your current cloud security posture with a CNAPP or CSPM tool
- Prioritize gaps based on risk, starting with identity, encryption, and logging
- Implement foundational controls: centralized identity, MFA, encryption, audit logging
- Segment networks and workloads to reduce blast radius
- Automate compliance enforcement and remediation
- Monitor continuously and refine detection rules
- Test with regular cloud security assessments and purple team exercises