The shared responsibility model, revisited
Every cloud provider publishes a Shared Responsibility Model diagram and every customer team thinks they understand it. Most don't, until something goes wrong. The short version:
- The provider secures the cloud — hypervisor, hardware, physical datacentre, the underlying APIs.
- You secure everything you build on top — IAM, network, data, applications, configurations, operating systems (in IaaS), and runtime workloads.
The 2024 IBM Cost of a Data Breach report found that cloud misconfiguration was the initial vector in 16% of analysed breaches, with an average cost of USD 4.50 million per incident. Every single one of those was a customer-side configuration failure, not a provider failure.
IAM: the first and largest battlefield
Identity-and-access misconfiguration is the single biggest source of cloud-security findings we see. The repeat patterns:
Over-permissive roles
The classic: a service account given AdministratorAccess "to get things working" and never tightened. On AWS, this often means arn:aws:iam::aws:policy/AdministratorAccess attached to roles that need maybe seven specific permissions. On Azure, the same pattern shows up as Owner or Contributor assignments at the subscription level. On GCP, it's roles/owner at project level.
Use the native policy-generation tooling each provider ships:
- AWS IAM Access Analyzer — generates a least-privilege policy from CloudTrail history.
- Azure PIM + Access Reviews — surfaces unused permissions, just-in-time elevation.
- GCP IAM Recommender (Policy Intelligence) — suggests role downgrades based on actual usage.
Confused-deputy and role-chaining
A role that can assume another role that can assume another role rapidly creates privilege-escalation paths your IAM team didn't intend. Tools that surface these: AWS IAM Access Analyzer's unused-access analyser, Azure PIM, open-source PMapper (AWS), CIEM tools (Sonrai, CloudKnox/Microsoft Entra Permissions Management).
Long-lived access keys
Static AWS access keys, Azure service-principal secrets, and GCP service-account JSON keys are the credential class most commonly leaked to GitHub and most commonly exploited. Replacements that don't require static keys:
- AWS: IAM Roles Anywhere, EKS Pod Identity, Lambda execution roles, IRSA, OIDC federation for GitHub Actions.
- Azure: Workload Identity (federation), Managed Identities.
- GCP: Workload Identity Federation, attached service accounts on Compute / GKE.
If you still have static keys in CI/CD in 2026, that's a 30-day project that pays back permanently.
Network architecture
The "shift to zero trust" rhetoric obscures a more practical point: most cloud networks have far too much east-west connectivity by default, and almost no one runs egress controls.
VPC design
The pattern that works: multiple accounts/subscriptions/projects per environment (prod/staging/dev as separate accounts), connected via Transit Gateway / Azure Virtual WAN / GCP VPC Network Peering. This gives you blast-radius separation and the ability to enforce policies at the account boundary, not just the subnet.
Egress controls
By default, your workloads can reach the entire internet. Most legitimate workloads need to reach maybe a dozen domains. Egress filtering — via NAT instance with allowlists, AWS Network Firewall, Azure Firewall, or GCP Cloud NAT + service controls — is a high-leverage control that's almost never deployed.
Private endpoints
Make data plane traffic to managed services (S3, RDS, Storage Accounts, Cloud Storage) flow over private endpoints, not the internet. This is the single biggest data-exfiltration control on a cloud network.
Data protection and KMS
Encryption at rest
All three providers now encrypt at rest by default with provider-managed keys. The question is whether you need customer-managed keys (CMKs). The argument for CMKs: you control rotation, you control deletion, you get fine-grained audit logging of key usage, you can deny the provider access via separate identity boundaries.
For most growing businesses, the cost-benefit favours CMKs for crown-jewel data (customer PII, payment data, secrets), provider-managed for everything else. Don't put yourself in a position where losing access to a KMS key locks you out of your own data — implement KMS multi-region replicas (AWS), Key Vault soft-delete and purge protection (Azure), or Cloud KMS automatic key versioning (GCP).
Public storage buckets
The most-clicked headline of every cloud security year is "company X exposed a public S3 bucket." Each provider now offers an account-level block public access setting:
- AWS: Block Public Access at the account level (introduced 2018).
- Azure: Storage Account "Allow Blob public access: false" + Subscription policy.
- GCP: Organization Policy
storage.publicAccessPrevention.
Set these at the organisation / management-group level and forbid override at the project level. It takes ten minutes and eliminates the most-recurring data-exposure class.
Kubernetes security
Three controls deliver outsize value on Kubernetes:
1. Pod Security Admission "restricted"
Kubernetes 1.25 deprecated PodSecurityPolicy and replaced it with the built-in Pod Security Admission controller. Enforcing the restricted tier on all production namespaces eliminates most container-escape attack paths in one configuration change:
apiVersion: v1
kind: Namespace
metadata:
name: production
labels:
pod-security.kubernetes.io/enforce: restricted
pod-security.kubernetes.io/enforce-version: latest
This blocks privileged containers, host-network access, root-user containers, dangerous capabilities, and unsafe volume types.
2. NetworkPolicy default-deny
By default, every pod can reach every other pod in the cluster. A default-deny NetworkPolicy followed by explicit allows for required traffic is the standard hardening:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: production
spec:
podSelector: {}
policyTypes: [Ingress, Egress]
Requires a CNI plugin that supports NetworkPolicy enforcement (Calico, Cilium, AWS VPC CNI with policy enforcement). EKS, AKS, and GKE all support this now.
3. RBAC and ServiceAccount hygiene
Remove every cluster-admin ClusterRoleBinding that isn't strictly necessary. Audit ServiceAccount permissions per namespace. Avoid automountServiceAccountToken: true on pods that don't need API access.
Infrastructure as Code
The economic argument for IaC scanning: a misconfiguration caught in a Terraform plan costs minutes; the same misconfiguration applied to production and remediated reactively costs days, and risks an audit finding.
Open-source tools:
- Checkov — Terraform, CloudFormation, Kubernetes, ARM, Bicep, Helm. Wide coverage, low false-positive rate.
- tfsec / Trivy IaC — Terraform-focused, fast.
- KICS — Checkmarx-backed, multi-IaC.
- OPA / Conftest — write your own policies in Rego.
Run these in PR-time CI; fail builds on high/critical only. The same delta-only approach that works for SAST applies here.
CNAPP, CSPM, CIEM — when to buy
The acronym soup translates as:
- CSPM (Cloud Security Posture Management) — continuous config scanning across cloud accounts. Surfaces misconfigurations against benchmarks (CIS, NIST, PCI).
- CWPP (Cloud Workload Protection Platform) — runtime protection for VMs, containers, serverless.
- CIEM (Cloud Infrastructure Entitlement Management) — IAM analysis, least-privilege recommendations.
- DSPM (Data Security Posture Management) — data discovery and classification.
- CNAPP (Cloud-Native Application Protection Platform) — the convergence of all four into a single platform.
Mainstream CNAPP options in 2026: Wiz, Palo Alto Prisma Cloud, Lacework, Orca Security, Microsoft Defender for Cloud, Sysdig. Pricing scales with cloud spend; budget USD 20,000–80,000 per year for a 50-employee cloud-first business.
Don't buy a CNAPP until you've used the native provider tooling (AWS Security Hub, Azure Defender for Cloud, GCP Security Command Center) for at least three months and reached its limits. The native tools are improving fast and cover 60–80% of CNAPP value at much lower cost.
Continuous testing
Three motions to maintain over time:
- Quarterly CIS Benchmark scan against your cloud configurations. Free via Prowler (AWS), ScoutSuite (multi-cloud), or each provider's native posture tools.
- Annual cloud penetration test — see our penetration testing guide.
- Continuous IaC scanning in CI, blocking critical findings, surfacing the rest as PRs.
Provider-specific notes for 2026
AWS
- Migrate off long-lived access keys to IAM Roles Anywhere / OIDC federation / EKS Pod Identity.
- Enable Security Hub with the AWS Foundational Security Best Practices standard.
- Use SCPs (Service Control Policies) at the Organization level for guardrails — block IAM user creation in member accounts, block public S3 by default, deny region usage outside your operating regions.
Azure
- Enable Microsoft Defender for Cloud on all subscriptions; the standard tier is worth the cost for production environments.
- Use Azure Policy at the Management Group level for guardrails.
- Migrate service principals to Managed Identities or Workload Identity Federation.
GCP
- Enable Security Command Center Standard at the organisation level (free, covers most use cases).
- Apply Organization Policies as constraints:
storage.publicAccessPrevention,compute.requireOsLogin,iam.disableServiceAccountKeyCreation. - Migrate service-account JSON keys to Workload Identity Federation.