################################# 11.0.8 Cloud Security Essentials ################################# .. warning:: **Security First**: Moving to the cloud doesn't automatically make you secure. In fact, 95% of cloud security incidents are due to customer misconfigurations, not cloud provider failures. =============================== The Shared Responsibility Model =============================== **The Most Important Cloud Concept You Need to Understand:** .. code-block:: text ┌──────────────────────────────────────────────────────────────┐ │ SHARED RESPONSIBILITY │ ├──────────────────────────────────────────────────────────────┤ │ Cloud Provider Secures: │ You Secure: │ │ ├─ Physical data centers │ ├─ Your application code │ │ ├─ Network infrastructure │ ├─ User access & identity │ │ ├─ Hypervisor security │ ├─ Operating system │ │ ├─ Service availability │ ├─ Data encryption │ │ └─ Compliance certifications │ └─ Network configuration │ └──────────────────────────────────────────────────────────────┘ **Real-World Example - Container Security:** .. code-block:: text AWS EKS Cluster Security: AWS Manages: You Manage: ├─ Kubernetes control plane ├─ Node OS patching ├─ etcd encryption ├─ Pod security policies ├─ API server availability ├─ RBAC configuration └─ Network isolation ├─ Container image security └─ Application secrets ======================================= 1. Identity and Access Management (IAM) ======================================= **The Golden Rule: Principle of Least Privilege** .. code-block:: text Bad IAM (Security Nightmare): ├─ Everyone has admin access ├─ Shared service accounts ├─ Hard-coded API keys in code └─ No access review process Good IAM (Security Best Practice): ├─ Role-based access control (RBAC) ├─ Temporary credentials only ├─ Multi-factor authentication (MFA) └─ Regular access audits **Practical IAM for DevOps Teams:** .. code-block:: yaml # Kubernetes RBAC Example apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: production name: developer-role rules: - apiGroups: ["apps"] resources: ["deployments", "replicasets"] verbs: ["get", "list", "watch"] # Read-only in prod - apiGroups: [""] resources: ["pods", "services"] verbs: ["get", "list", "watch", "create", "update"] **Cloud-Native Identity Solutions:** .. code-block:: text Modern Identity Stack: ├─ AWS IAM Roles for Service Accounts (IRSA) ├─ Azure Active Directory with Workload Identity ├─ GCP Workload Identity Federation ├─ HashiCorp Vault for secrets management └─ OIDC integration with GitHub Actions =========================== 2. Data Encryption Strategy =========================== **Encryption Everywhere:** .. code-block:: text Data States and Encryption: Data at Rest (Stored): ├─ Database encryption (AES-256) ├─ File system encryption ├─ Backup encryption └─ Container image encryption Data in Transit (Moving): ├─ TLS 1.3 for all connections ├─ VPN for site-to-site ├─ Service mesh (mutual TLS) └─ API encryption Data in Use (Processing): ├─ Application-level encryption ├─ Confidential computing └─ Homomorphic encryption (advanced) **Practical Encryption for Containers:** .. code-block:: yaml # Kubernetes Secret with encryption at rest apiVersion: v1 kind: Secret metadata: name: database-credentials type: Opaque data: username: password: --- # Pod with encrypted volumes apiVersion: v1 kind: Pod spec: containers: - name: app image: myapp:latest volumeMounts: - name: encrypted-data mountPath: /data volumes: - name: encrypted-data csi: driver: secrets-store.csi.k8s.io readOnly: true =================== 3. Network Security =================== **Defense in Depth Strategy:** .. code-block:: text Network Security Layers: 1. Perimeter Security: ├─ Web Application Firewall (WAF) ├─ DDoS protection └─ CDN with security features 2. Network Segmentation: ├─ Virtual Private Clouds (VPC) ├─ Security groups/Network ACLs └─ Private subnets for databases 3. Internal Security: ├─ Service mesh (Istio/Linkerd) ├─ Network policies in Kubernetes └─ Zero-trust networking **Container Network Security:** .. code-block:: yaml # Kubernetes Network Policy Example apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: deny-all-ingress namespace: production spec: podSelector: {} policyTypes: - Ingress ingress: - from: - namespaceSelector: matchLabels: name: frontend ports: - protocol: TCP port: 8080 ============================ 4. Compliance and Governance ============================ **Common Compliance Frameworks:** .. code-block:: text Enterprise Compliance Requirements: GDPR (EU Data Protection): ├─ Data residency controls ├─ Right to be forgotten ├─ Consent management └─ Breach notification (72 hours) SOC 2 (Security Controls): ├─ Security monitoring ├─ Availability guarantees ├─ Processing integrity └─ Confidentiality measures HIPAA (Healthcare): ├─ PHI encryption ├─ Access controls ├─ Audit logging └─ Business associate agreements **Cloud Compliance Tools:** .. code-block:: text AWS Config + CloudTrail + GuardDuty Azure Security Center + Sentinel GCP Security Command Center + Cloud Audit Logs Third-party tools: ├─ Prisma Cloud (Palo Alto) ├─ Qualys VMDR ├─ Rapid7 InsightCloudSec └─ Fugue (policy as code) ==================================== 5. Container Security Best Practices ==================================== **Secure Container Pipeline:** .. code-block:: text Secure CI/CD Pipeline: 1. Source Code Security: ├─ Static analysis (SonarQube, CodeQL) ├─ Dependency scanning (Snyk, OWASP) └─ Secret detection (GitGuardian) 2. Container Image Security: ├─ Base image scanning (Trivy, Clair) ├─ Minimal base images (distroless, Alpine) ├─ Image signing (Cosign, Notary) └─ Vulnerability management 3. Runtime Security: ├─ Runtime threat detection (Falco) ├─ Pod security standards ├─ Admission controllers (OPA Gatekeeper) └─ Network monitoring **Practical Security Checklist:** .. code-block:: yaml # Secure Pod Security Standard apiVersion: v1 kind: Pod metadata: name: secure-app spec: securityContext: runAsNonRoot: true # Don't run as root runAsUser: 1000 # Specific user ID fsGroup: 2000 # File system group containers: - name: app image: myapp:latest securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true capabilities: drop: ["ALL"] # Drop all capabilities resources: limits: # Resource limits memory: "512Mi" cpu: "500m" ============================================ 6. Security Monitoring and Incident Response ============================================ **Security Observability Stack:** .. code-block:: text Modern Security Monitoring: Logs + Metrics + Traces + Events: ├─ Centralized logging (ELK, Splunk) ├─ Security metrics (Prometheus + custom) ├─ Distributed tracing (Jaeger, Zipkin) └─ Security events (SIEM integration) Cloud-Native Security Tools: ├─ Falco (runtime security) ├─ OPA/Gatekeeper (policy enforcement) ├─ cert-manager (certificate automation) └─ External Secrets Operator **Incident Response Playbook:** .. code-block:: text Security Incident Response (IR): Phase 1: Detection (1-5 minutes) ├─ Automated alerts trigger ├─ Security team notification └─ Initial triage Phase 2: Containment (5-30 minutes) ├─ Isolate affected workloads ├─ Network segmentation └─ Preserve evidence Phase 3: Investigation (30 minutes - hours) ├─ Forensic analysis ├─ Root cause analysis └─ Impact assessment Phase 4: Recovery (hours - days) ├─ System restoration ├─ Security improvements └─ Lessons learned .. note:: **Key Insight**: Cloud security is not a destination, it's a continuous journey. Implement security controls gradually, automate where possible, and always assume you will be breached - plan your defense accordingly. ================== Security Resources ================== **Essential Reading:** - NIST Cybersecurity Framework - CIS Controls for Cloud Security - OWASP Cloud Security Project - Kubernetes Security Best Practices **Tools to Explore:** - **Security Scanning**: Trivy, Grype, Clair - **Policy as Code**: Open Policy Agent, Falco - **Secret Management**: HashiCorp Vault, AWS Secrets Manager - **Security Monitoring**: Prometheus, Grafana, Falco