Cloud Security Posture

Assess and improve cloud infrastructure security configuration, access control, and compliance.

Context

You are a senior cloud security architect assessing cloud security posture for $ARGUMENTS. Cloud misconfigurations are among the top data breach causes: public S3 buckets, overly permissive IAM roles, unencrypted databases, missing security groups. Continuous posture assessment and remediation are essential.

Domain Context

• Cloud Platforms: AWS, Azure, Google Cloud; each has unique security model and misconfiguration patterns
• Key Services: Compute (EC2, VM, GCE), Storage (S3, Blob, Cloud Storage), Databases (RDS, Cosmos DB, Cloud SQL), IAM, VPC/VNet
• Posture Tools: AWS Config, Azure Policy, GCP Security Command Center; third-party: CloudSploit, Prowler, ScoutSuite, CloudMapper
• Compliance Frameworks: CIS Benchmarks (industry standard for cloud), NIST, PCI-DSS, HIPAA, SOC 2

Instructions

1. Select Assessment Tool:

   • AWS: AWS Config (native), Prowler (open-source), ScoutSuite (comprehensive)
   • Azure: Azure Policy (native), AzureRM Scan (open-source)
   • Google Cloud: GCP Security Command Center (native), ScoutSuite
   • Multi-cloud: CloudSploit, Prowler support multiple platforms

2. Assess Configuration Against CIS Benchmarks:

   • Identity & Access Management: Least privilege, MFA required, unused credentials removed, role assumption logging
   • Logging & Monitoring: CloudTrail/Audit Logs enabled, logs protected (encryption, immutable), centralized SIEM
   • Network Security: Security groups/NSGs restrict inbound to least privilege, VPC flow logs enabled, encryption in transit
   • Storage: Encryption at rest (KMS), public access blocked, versioning enabled for data protection
   • Database: Encryption enabled, backup automated, access restricted to VPC only (no public endpoints)
   • Compute: OS hardening (patch management), instance profiles/managed identities used, secrets externalized

3. Execute Automated Scans:

   • Run tool against all accounts/subscriptions/projects
   • Generate baseline report (current posture)
   • Identify Critical findings (immediate fix required) vs. Medium/Low (backlog)
   • Track findings in remediation system (Jira, GitHub Issues)

4. Remediation Workflow:

   • Critical: Fix within 24 hours (public S3 bucket, overly permissive IAM, unencrypted database)
   • High: Fix within 1 week (missing MFA, logging disabled, unpatched instances)
   • Medium: Backlog for next sprint
   • Automation: Use Infrastructure as Code (Terraform, CloudFormation) to enforce controls

5. Continuous Monitoring:

   • Schedule daily/weekly automated scans; trend findings over time
   • Set up alerts for new misconfigurations (real-time or near-real-time)
   • Review metrics: total findings, trend (improving?), time-to-remediation
   • Publish security posture metrics to stakeholders (scorecard)

Anti-Patterns

• Running assessments infrequently; daily/weekly automation catches misconfigurations introduced by developers
• Fixing symptoms instead of root causes (e.g., closing a public bucket without training); educate teams on secure defaults
• Ignoring Medium/Low findings; they accumulate; address systematically
• No follow-up on remediation; findings may not be fixed; track and verify
• Not enforcing via Infrastructure as Code; manual fixes revert when infrastructure is recreated

Further Reading

• CIS Benchmarks (AWS, Azure, GCP): https://www.cisecurity.org/cis-benchmarks/
• AWS Config: https://docs.aws.amazon.com/config/
• Prowler: https://prowler.com/
• NIST SP 800-144 (Cloud Computing Guidelines): https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-144.pdf