Lesson 5 12 min

Cloud Security Fundamentals

Master the security concepts every cloud user needs — from IAM and least privilege access to encryption, zero trust, and the most common misconfigurations that lead to data breaches.

🔄 Quick Recall: In the previous lesson, you deployed your first cloud resource — a virtual machine and a static website — using free-tier accounts with AI guidance. You learned the critical difference between stopping and terminating instances, and why billing alerts should be your very first step. Now you’ll learn the security fundamentals that protect everything you build in the cloud.

Why Cloud Security Is Everyone’s Job

Here’s a statistic that should keep every cloud user awake: the majority of cloud data breaches aren’t caused by sophisticated hackers breaking through cloud provider defenses. They’re caused by customers misconfiguring their own cloud settings — leaving storage buckets publicly accessible, using overly permissive IAM policies, or exposing credentials in code.

Cloud providers invest billions in security. AWS, Azure, and Google Cloud employ thousands of security engineers, maintain military-grade physical security, and hold every major compliance certification. The infrastructure is secure. The most common failure point is how people configure it.

That’s why cloud security literacy matters for everyone — not just security teams. Every person who creates an S3 bucket, sets an IAM permission, or pushes code with environment variables is making security decisions.

IAM: The Foundation of Cloud Security

IAM (Identity and Access Management) controls who can do what in your cloud environment. It’s the single most important security system in cloud computing.

Help me understand IAM by auditing a cloud setup.

I have:
- 5 team members with cloud access
- Each has a role: [admin, developer, data analyst,
  marketing, finance]
- Current state: everyone has the same admin-level access

Help me:
1. Define what each role actually needs access to
   (specific services and actions)
2. Create an IAM policy for each role following
   least privilege
3. Explain what "least privilege" means with a
   concrete example for each role
4. Identify what bad things could happen if the
   current admin-for-everyone setup isn't fixed

The Principle of Least Privilege

Least privilege means: every user gets only the minimum permissions needed to do their job. Nothing more.

| Role | Needs Access To | Should NOT Have |
|---|---|---|
| Developer | Deploy code, read logs, manage dev environment | Billing, production databases, IAM admin |
| Data Analyst | Read databases, run queries, export reports | Write access to databases, infrastructure changes |
| Finance | Billing dashboard, cost reports | Any infrastructure or data access |
| Marketing | Analytics dashboards, content storage | Code deployment, database access |
| Admin | Everything — but uses it sparingly | Admin should use a regular account for daily work and switch to admin only when needed |

Quick Check: Why should even administrators use a regular (non-admin) account for daily work, only switching to admin when needed? Because most daily tasks don’t require admin permissions. Using a regular account for daily work limits the damage if the account is compromised, reduces the chance of accidental destructive actions, and creates an audit trail of when elevated permissions were actually used.

Encryption: Protecting Data at Every Layer

Cloud data needs encryption at two stages:

At rest: Data stored on disks, in databases, or in storage buckets. All major cloud providers offer this — often enabled by default.

In transit: Data moving between services, between regions, or between the cloud and users. Requires TLS/HTTPS.

Help me audit the encryption status of my cloud setup.

Services I use:
- [list your cloud storage, databases, etc.]

For each service, check:
1. Is encryption at rest enabled? (Is it on by default
   or do I need to turn it on?)
2. Is encryption in transit enforced? (Is HTTPS required
   or is HTTP also allowed?)
3. Who manages the encryption keys? (provider-managed
   or customer-managed?)
4. What's the recommended encryption configuration
   for my use case?
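
For the second question in the checklist above (is HTTPS required, or is HTTP also allowed?), this added example, which is not part of the original lesson, inspects an S3 bucket policy for a statement that denies every request made without TLS. The bucket name, role ARN and function names are constructed, and the check is deliberately conservative: a Deny that covers only some actions or only the objects counts as not enforced.

```python
BUCKET = "example-customer-data"  # constructed bucket name

# Constructed bucket policies (not from the lesson).
HTTP_ALLOWED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

HTTPS_REQUIRED = {"Version": "2012-10-17", "Statement": HTTP_ALLOWED["Statement"] + [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}


def _as_list(value):
    """Policy JSON accepts a single value wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def https_enforced(policy, bucket):
    """True if one Deny statement blocks every non-TLS request to the bucket."""
    needed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        principal = stmt.get("Principal")
        everyone = principal == "*" or principal == {"AWS": "*"}
        all_actions = bool({"*", "s3:*"} & set(_as_list(stmt.get("Action"))))
        # The bucket ARN and the object ARN are separate resources; both
        # must be listed or bucket-level calls stay reachable over HTTP.
        covers = needed <= set(_as_list(stmt.get("Resource")))
        # Condition keys are case-insensitive; the value may be "false" or false.
        cond = {k.lower(): v for k, v in stmt.get("Condition", {}).get("Bool", {}).items()}
        values = [str(v).lower() for v in _as_list(cond.get("aws:securetransport"))]
        if everyone and all_actions and covers and values == ["false"]:
            return True
    return False
```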

Zero Trust: Trust Nothing, Verify Everything

Traditional security assumed that anything inside the corporate network was safe. Zero trust assumes nothing is safe until verified:

  • Every request is authenticated, regardless of where it comes from
  • Every user gets minimum necessary access (least privilege)
  • Every session is monitored for anomalous behavior
  • Network location (inside or outside the firewall) is not a trust factor

For cloud environments, zero trust means: don’t assume that because a request comes from within your cloud network, it’s legitimate. Verify identity, check permissions, and log everything.

Quick Check: How does zero trust differ from traditional network security? Traditional security trusts everything inside the network perimeter (like a castle with walls — once you’re inside, you’re trusted). Zero trust verifies every request regardless of origin — like a building where every room requires a separate key card, even if you’re already inside. In cloud environments where there’s no clear “inside,” zero trust is the appropriate model.

The Most Common Cloud Security Mistakes

| Mistake | How It Happens | Prevention |
|---|---|---|
| Public S3 buckets | Default settings changed to public, or misconfigured policies | Enable “Block Public Access” at the account level |
| Hardcoded credentials | API keys committed to Git repositories | Use environment variables or secrets managers |
| Overly permissive IAM | “Just give admin access” becomes permanent | Start with zero permissions, add only what’s needed |
| No MFA | Multi-factor authentication not enabled on cloud accounts | Enable MFA on every account, especially admin |
| Unused resources | Old instances, forgotten test environments still running | Monthly audit of active resources |
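
A check for the hardcoded-credentials mistake in the table above, added here as an illustration rather than taken from the lesson: it scans file contents for strings shaped like AWS access key IDs and secret access keys and reports them redacted. The file names and contents are constructed, and the key values are the placeholder credentials used in AWS documentation.

```python
import re

# Access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary)
# followed by 16 uppercase letters or digits.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
# Secret access keys are 40 base64-style characters. Match them only when
# assigned to a name containing "secret" to limit false positives.
SECRET_KEY = re.compile(
    r"(?i)secret[a-z_]*\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

# Constructed sample files: the mistake, and the fix the table recommends.
SAMPLE_FILES = {
    "deploy.py": (
        'import boto3\n'
        'client = boto3.client("s3",\n'
        '    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",\n'
        '    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")\n'
    ),
    "deploy_fixed.py": (
        'import boto3\n'
        'client = boto3.client("s3")  # credentials come from the environment\n'
    ),
}


def scan(files):
    """Return (path, line_no, kind, redacted_value) for each suspected key."""
    checks = (("access_key_id", ACCESS_KEY_ID, 0),
              ("secret_access_key", SECRET_KEY, 1))
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kind, pattern, group in checks:
                for match in pattern.finditer(line):
                    # Keep only a short prefix so the report itself
                    # does not become another copy of the secret.
                    redacted = match.group(group)[:4] + "..."
                    findings.append((path, line_no, kind, redacted))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(finding)
```

Run against staged files before each commit, a check like this catches a key before it reaches a Git repository.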

Key Takeaways

  • Most cloud breaches come from misconfiguration, not sophisticated attacks — security is every cloud user’s responsibility
  • IAM (Identity and Access Management) is the foundation: apply least privilege to give each user only the minimum permissions their role requires
  • Encrypt data both at rest (on disk) and in transit (moving between services) — one without the other leaves gaps
  • Zero trust means verifying every request regardless of origin — in cloud environments with no clear perimeter, this is the correct security model
  • The most common mistakes (public storage, hardcoded credentials, overly permissive IAM, no MFA) are all preventable with basic security hygiene

Up Next: You’ll learn cloud cost management and FinOps — how to monitor spending, avoid bill surprises, and optimize your cloud costs using AI-powered analysis.

Knowledge Check

1. Your developer creates an AWS IAM user with full administrator access 'to make things easier during development.' They promise to restrict permissions later. What's the risk?

2. Your company stores customer data in the cloud. Your compliance officer asks: 'Is our data encrypted?' You check and confirm that the cloud provider encrypts data at rest. Is the data secure?

3. An employee's cloud credentials are exposed in a public GitHub repository. They committed code with their AWS access key and secret key in the file. What's the FIRST thing to do?
