
Cloud Security Best Practices: Building Defense in Depth for Modern Cloud Environments

"Last year, over 80% of cloud breaches traced back to just three root causes: misconfigured services, excessive permissions, and exposed secrets. Not sophisticated zero-days. Not nation-state tooling. Mundane, preventable misconfigurations. The good news? A disciplined approach to cloud security fundamentals eliminates the vast majority of your real-world risk. Here's the playbook."


1. Enforce Least-Privilege IAM — Ruthlessly

Identity is the new perimeter. The single highest-impact control you can implement is ensuring that every human, service, and machine identity operates with the minimum permissions necessary.

Avoid wildcard policies at all costs. Instead of granting broad access, scope permissions to specific resources and actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::my-app-data-bucket/uploads/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/Team": "backend-engineering"
        }
      }
    }
  ]
}

Actionable step: Run aws iam generate-service-last-accessed-details regularly to identify permissions that exist but are never used. If a role hasn't exercised a permission in 90 days, revoke it. Tools like AWS IAM Access Analyzer, GCP IAM Recommender, and open-source solutions like iamlive make this operationally feasible.

2. Eliminate Secrets from Code and Config

Hardcoded credentials remain a top attack vector. Every secret—API keys, database passwords, certificates—should live in a dedicated secrets manager and be injected at runtime, never baked into images or committed to repos.

# Kubernetes ExternalSecret manifest: the External Secrets Operator reads the value from AWS Secrets Manager and syncs it into a Secret that pods mount at runtime
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: ClusterSecretStore
  target:
    name: db-credentials
  data:
    - secretKey: password
      remoteRef:
        key: prod/db/postgres
        property: password

Actionable step: Integrate gitleaks or trufflehog into your CI pipeline as a pre-merge gate. A secret detected in a pull request should block the merge automatically. Retroactively scan your entire commit history—secrets removed in later commits still live in git history.

3. Shift Security Left with Infrastructure as Code Scanning

If your infrastructure is defined as code, your security review should happen at the code level. Static analysis catches misconfigurations before they reach production.

# Scan Terraform plans with Checkov before applying
checkov -d ./terraform/ --framework terraform --check CKV_AWS_18,CKV_AWS_19,CKV_AWS_145
# CKV_AWS_18: Ensure S3 bucket has logging enabled
# CKV_AWS_19: Ensure S3 bucket has encryption enabled
# CKV_AWS_145: Ensure S3 bucket uses customer-managed KMS key

Embed these scans in your CI/CD pipeline as mandatory gates. Treat security policy violations with the same severity as failing unit tests.

4. Encrypt Everything — In Transit and At Rest

Enable encryption by default across all storage services and enforce TLS 1.2+ for all data in transit. Use customer-managed keys (CMKs) for sensitive workloads so you maintain control over the key lifecycle, including the ability to revoke access instantly.

Actionable step: Deploy AWS Config rules or Azure Policy assignments that automatically flag and remediate unencrypted resources. Make compliance continuous, not periodic.

5. Implement Runtime Detection and Monitoring

Prevention is essential, but detection closes the gap. Enable cloud-native threat detection services—GuardDuty, Microsoft Defender for Cloud, or GCP Security Command Center—and stream findings into a centralized SIEM.

Establish alerts for high-signal events: root account usage, API calls from unfamiliar geographies, disabled logging, and IAM policy changes. Low-noise, high-fidelity alerts prevent the fatigue that causes teams to ignore real incidents.
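To make the alert categories above concrete, here is an added example (not code from the original article) that applies four hypothetical detection rules to newline-delimited CloudTrail records: the event-name sets, the "known network" allow-list and the sample records are constructed assumptions that a real deployment would tune.

```python
import ipaddress
import json

# Hypothetical rules for the high-signal events listed above. Field names follow
# the CloudTrail record format; the event-name sets and networks are assumptions.
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
IAM_POLICY_CHANGE = {"PutRolePolicy", "AttachRolePolicy", "AttachUserPolicy",
                     "PutUserPolicy", "CreatePolicyVersion", "SetDefaultPolicyVersion"}
# Constructed allow-list of expected egress ranges (TEST-NET blocks, not real ones).
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

def classify(event):
    """Return an alert label for one parsed CloudTrail record, or None."""
    ident = event.get("userIdentity", {})
    source, name = event.get("eventSource"), event.get("eventName", "")
    if ident.get("type") == "Root":
        return "ROOT_ACCOUNT_USAGE"
    if source == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER:
        return "LOGGING_DISABLED"
    if source == "iam.amazonaws.com" and name in IAM_POLICY_CHANGE:
        return "IAM_POLICY_CHANGE"
    try:
        ip = ipaddress.ip_address(event.get("sourceIPAddress", ""))
    except ValueError:
        return None  # AWS service principals log a DNS name here, not an IP
    if not any(ip in net for net in KNOWN_NETWORKS):
        return "UNFAMILIAR_SOURCE"
    return None

def scan(ndjson_lines):
    """Parse newline-delimited CloudTrail records and collect alerts in order."""
    alerts = []
    for line in ndjson_lines:
        if not line.strip():
            continue  # skip blank separators
        ev = json.loads(line)
        label = classify(ev)
        if label:
            alerts.append((label, ev["eventName"], ev["userIdentity"].get("arn", "?")))
    return alerts

# Constructed sample records (not real logs), one JSON object per line.
SAMPLE = """
{"eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/alice"}}
{"eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","sourceIPAddress":"203.0.113.11","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/bob"}}
{"eventSource":"iam.amazonaws.com","eventName":"AttachRolePolicy","sourceIPAddress":"198.51.100.7","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/deploy/ci"}}
{"eventSource":"ec2.amazonaws.com","eventName":"RunInstances","sourceIPAddress":"203.0.113.12","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"}}
{"eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"192.0.2.44","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111122223333:user/carol"}}
"""
```

Calling scan(SAMPLE.splitlines()) yields four alerts while alice's routine GetObject from a known range stays silent, which is the low-noise shape the section argues for.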

The Bottom Line

Cloud security isn't a single tool or a one-time audit. It's a set of layered controls woven into every stage of your development and deployment lifecycle. Start with identity, protect your secrets, scan your infrastructure code, encrypt by default, and monitor relentlessly.

The organizations that get breached rarely lack security budgets. They lack consistent execution of fundamentals. Don't be that organization.


Have questions about cloud security best practices? I'm always happy to talk shop — reach out or connect with me on LinkedIn.
