Cloud security best practices roundup
Recent cloud-security guidance stresses least-privilege IAM, continuous visibility, and a 12-step operational checklist for closing shared-responsibility gaps in AWS. The guidance includes practical examples around VPC peering, NAT vs Internet Gateway decisions, and hexagonal architecture patterns for cloud governance. (x.com/qualys/status/2044521223858622603; x.com/i/status/2044430755611463935)
Cloud security guidance this month is converging on one point: most Amazon Web Services failures still come from customer missteps, not Amazon’s underlying infrastructure. (blog.qualys.com) Qualys published a 12-step AWS checklist on April 9 that centers on least-privilege Identity and Access Management, encryption by default, continuous vulnerability management, and container security. Amazon’s own security checklist also tells customers to turn on CloudTrail, GuardDuty, Security Hub, and AWS Config across all accounts. (blog.qualys.com) (awsstatic.com)

The basic split is the shared-responsibility model: AWS secures facilities, hardware, networking, and the virtualization layer, while customers secure identities, operating systems, network exposure, applications, data, and compliance controls. Qualys said the gap appears when teams treat that model as a handoff instead of an operating plan. (blog.qualys.com)

In plain terms, Identity and Access Management is the permissions system for cloud accounts, and least privilege means each person, app, or service gets only the access it needs. AWS says customers should manage access with federated identities, users, and roles rather than relying on broad standing permissions. (docs.aws.amazon.com) (blog.qualys.com)

Visibility is the second theme. AWS says VPC Flow Logs, Network Access Analyzer, Network Firewall, GuardDuty, and centralized logging help teams see traffic patterns, unintended access paths, and suspicious behavior before a misconfiguration turns into an exposed workload. (docs.aws.amazon.com) (awsstatic.com)

The networking examples are concrete. AWS says an internet gateway makes a subnet public and allows inbound and outbound internet communication for resources with public IP addresses, while a NAT gateway lets instances in private subnets reach outside services without accepting unsolicited inbound connections. (docs.aws.amazon.com 1) (docs.aws.amazon.com 2) That distinction shapes security decisions.
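The least-privilege point above is easiest to see against an actual policy document. The following linter is an added example written for this roundup; it is not code from Qualys, AWS, or either checklist. The two policies it inspects are constructed samples (the bucket name, account id and role name are made up), and the list of sensitive IAM actions is a hand-picked assumption, not an AWS-published list. The linter flags the shapes that defeat least privilege: `Action "*"`, service-wide wildcards such as `s3:*`, an unconditioned `Resource "*"`, and `Allow` combined with `NotAction`.

```python
import json
from dataclasses import dataclass

# Constructed sample policies for this example; they are not from the page or any real account.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/uploads/*"},
        {"Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/ExampleReadOnly",
         "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}},
    ],
})

# Assumed review list: IAM actions that change who can do what, so an Allow on them deserves a look.
SENSITIVE_ACTIONS = {
    "iam:PassRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy",
}
SEVERITY_RANK = {"NONE": 0, "MEDIUM": 1, "HIGH": 2}


@dataclass
class Finding:
    statement: int   # index into the policy's Statement array
    severity: str
    message: str


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy_json: str) -> list[Finding]:
    """Return the least-privilege findings for one IAM policy document."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow statements widen it
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        conditioned = bool(stmt.get("Condition"))
        if "NotAction" in stmt:
            findings.append(Finding(i, "HIGH", "Allow with NotAction grants every action except those listed"))
        if "*" in actions:
            findings.append(Finding(i, "HIGH", "Action '*' grants every API call"))
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append(Finding(i, "MEDIUM", f"service-wide wildcard {action}"))
            if action in SENSITIVE_ACTIONS:
                findings.append(Finding(i, "MEDIUM", f"sensitive IAM action {action}"))
        if "*" in resources and not conditioned:
            findings.append(Finding(i, "HIGH", "Resource '*' with no Condition to scope it"))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    """Collapse a finding list to the single worst severity, 'NONE' if the policy is clean."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="NONE")


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        found = lint_policy(doc)
        print(f"{name}: {worst_severity(found)}")
        for f in found:
            print(f"  statement {f.statement} [{f.severity}] {f.message}")
```

The scoped policy passes because every action is named, every resource is an ARN, and the one cross-account-style grant carries a Condition. Running the same check in a pipeline before `iam:CreatePolicyVersion` is called is one way to turn the checklist item into an operating control rather than a handoff.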
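The visibility paragraph names VPC Flow Logs as the way to see traffic patterns and unintended access paths. As an added illustration (not code from AWS or Qualys), the script below parses records in the default version-2 flow log format and runs two defender checks over them: an ACCEPT from a non-RFC 1918 source to an administrative TCP port, and a single external source rejected on several distinct ports. The log lines are constructed samples with made-up account, ENI and addresses; the admin-port table and the sweep threshold are assumptions for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Field order of the default (version 2) VPC Flow Log record.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# RFC 1918 space used inside the VPC. ipaddress.is_private is deliberately not used:
# it also classifies the documentation ranges (203.0.113.0/24 etc.) in the sample as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed list of inbound TCP ports that should not be accepted straight from the internet.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}

# Constructed sample records (account id, ENI and addresses are made up).
SAMPLE_LOG_LINES = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.15 51234 22 6 12 960 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.15 51235 3389 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.15 40000 443 6 20 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.8 10.0.1.15 33000 5432 6 50 8000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.15 51236 445 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.15 51237 23 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
]


@dataclass
class Alert:
    kind: str
    src: str
    dst: Optional[str]
    detail: int   # destination port for an accept, distinct-port count for a sweep


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow_log(line: str) -> Optional[dict]:
    """Parse one default-format record; return None for malformed or NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # NODATA / SKIPDATA records carry '-' in place of the traffic fields
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def analyze(lines, sweep_threshold: int = 3) -> list[Alert]:
    """Flag external admin-port accepts and external sources rejected on many distinct ports."""
    alerts = []
    rejected_ports = defaultdict(set)
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None:
            continue
        src, dst = rec["srcaddr"], rec["dstaddr"]
        if is_internal(src):
            continue  # east-west traffic is out of scope for these two checks
        if rec["action"] == "ACCEPT" and rec["protocol"] == 6 and rec["dstport"] in ADMIN_PORTS:
            alerts.append(Alert("EXTERNAL_ADMIN_ACCEPT", src, dst, rec["dstport"]))
        elif rec["action"] == "REJECT":
            rejected_ports[src].add(rec["dstport"])
    for src, ports in sorted(rejected_ports.items()):
        if len(ports) >= sweep_threshold:
            alerts.append(Alert("EXTERNAL_PORT_SWEEP", src, None, len(ports)))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG_LINES):
        print(f"{a.kind}: src={a.src} dst={a.dst} detail={a.detail}")
```

The first alert is the one that matters for the shared-responsibility point: an accepted SSH connection from the internet means a security group, a route to an internet gateway and a public IP all lined up, which is entirely on the customer side of the line. The REJECT sweep is noise from the network's point of view but is the kind of pattern GuardDuty and a centralised log pipeline exist to surface.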
AWS says public NAT gateways sit in public subnets, use an Elastic IP address, and send traffic to an internet gateway, while private NAT gateways are for reaching other virtual private clouds or on-premises networks and cannot use an Elastic IP. (docs.aws.amazon.com)

The architecture language is broader than networking. AWS Prescriptive Guidance describes hexagonal architecture, also called ports and adapters, as a way to keep core business logic separate from databases, cloud services, and other infrastructure so teams can change systems without rewriting the application’s center. (docs.aws.amazon.com) AWS published that hexagonal guidance in June 2022, and it frames the pattern as a way to make systems easier to maintain, extend, and test as organizations scale. In security terms, that separation can make governance controls and integrations less tangled with application code, though AWS presents it as a software design model rather than a security control by itself. (docs.aws.amazon.com)

The immediate takeaway from the latest guidance is operational, not theoretical: lock down permissions, keep logs and detections on across every account, and make deliberate choices about which workloads are truly public. That is the line between AWS securing the cloud and customers securing what they build on it. (blog.qualys.com) (awsstatic.com)
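The internet gateway versus NAT gateway distinction above decides whether a workload is reachable from the internet at all. The check below is an added example for this roundup, not AWS tooling: it models a small VPC inventory (route tables, subnet associations, instances, and the ports each security group opens to 0.0.0.0/0), classifies each subnet by the target of its 0.0.0.0/0 route, and then reports which instances are actually reachable inbound. All identifiers and addresses are constructed, and the inventory is a simplification: it ignores the VPC main route table fallback, network ACLs and IPv6.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory for the example; IDs and addresses are made up.
ROUTE_TABLES = {
    "rtb-public":   {"subnets": ["subnet-web"],
                     "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0example"}},
    "rtb-private":  {"subnets": ["subnet-app", "subnet-db"],
                     "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0example"}},
    "rtb-isolated": {"subnets": ["subnet-batch"],
                     "routes": {"10.0.0.0/16": "local"}},
}


@dataclass
class Instance:
    id: str
    subnet: str
    public_ip: Optional[str]
    open_to_world: set   # TCP ports whose security group allows ingress from 0.0.0.0/0


INSTANCES = [
    Instance("i-web", "subnet-web", "203.0.113.5", {443}),
    Instance("i-bastion", "subnet-web", "203.0.113.6", {22}),
    Instance("i-app", "subnet-app", None, {8080}),
    Instance("i-db", "subnet-db", "203.0.113.9", {5432}),
    Instance("i-batch", "subnet-batch", None, set()),
]

# Assumed list of ports that should not be reachable from the internet.
ADMIN_PORTS = {22, 3389, 3306, 5432}


def classify_subnet(subnet_id: str, route_tables=ROUTE_TABLES) -> str:
    """public: 0.0.0.0/0 -> internet gateway; private: 0.0.0.0/0 -> NAT gateway; isolated: no default route."""
    for rtb in route_tables.values():
        if subnet_id not in rtb["subnets"]:
            continue
        target = rtb["routes"].get("0.0.0.0/0")
        if target is None:
            return "isolated"
        if target.startswith("igw-"):
            return "public"
        if target.startswith("nat-"):
            return "private"
        return "other"
    return "unknown"  # implicit association with the VPC main route table is not modelled here


@dataclass
class Exposure:
    instance: str
    subnet_kind: str
    reachable_ports: set
    notes: list


def exposure_report(instances=INSTANCES, route_tables=ROUTE_TABLES) -> list[Exposure]:
    """Inbound from the internet needs all three: an IGW route, a public IP, and a world-open SG rule."""
    report = []
    for inst in instances:
        kind = classify_subnet(inst.subnet, route_tables)
        notes = []
        reachable = set(inst.open_to_world) if (kind == "public" and inst.public_ip) else set()
        if reachable & ADMIN_PORTS:
            notes.append("admin port reachable from the internet")
        if inst.public_ip and kind != "public":
            notes.append("public IP assigned but subnet has no internet gateway route")
        if kind == "private" and inst.open_to_world:
            notes.append("world-open security group rule is inert here but would apply if the subnet became public")
        report.append(Exposure(inst.id, kind, reachable, notes))
    return report


if __name__ == "__main__":
    for row in exposure_report():
        print(f"{row.instance:10} {row.subnet_kind:9} reachable={sorted(row.reachable_ports)} {row.notes}")
```

The output makes the NAT point concrete: `i-app` and `i-db` can reach the internet for patches through the NAT gateway yet accept nothing inbound, while `i-bastion` is the deliberate-public-workload decision the takeaway paragraph is about. The stray public IP on `i-db` is harmless today and flagged anyway, because a later route-table change would make it live.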
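The hexagonal paragraph is easier to follow with the three pieces side by side: a port (the interface the core needs), the core logic that depends only on that port, and interchangeable adapters. The example below is added here and is not from the AWS Prescriptive Guidance; it uses an access-grant decision as the core and an audit log as the governance integration, which is one way to show the "less tangled" claim in the text. `AccessGrantService`, `AuditSink` and both adapters are hypothetical names for this illustration; the wildcard rule in the core is an assumed policy.

```python
import json
import os
import tempfile
from dataclasses import dataclass
from typing import Protocol


# --- Port: what the core needs from the outside world, stated as an interface ---
class AuditSink(Protocol):
    def record(self, event: dict) -> None: ...


# --- Core: depends on the port only; no files, SDKs or cloud services are imported here ---
@dataclass(frozen=True)
class GrantRequest:
    principal: str
    resource: str
    actions: tuple


class AccessGrantService:
    """Decides whether a requested grant respects least privilege and reports through the port."""

    def __init__(self, audit: AuditSink):
        self._audit = audit

    def grant(self, req: GrantRequest) -> bool:
        # Assumed rule for the example: wildcard actions are never granted automatically.
        wildcard = any(a == "*" or a.endswith(":*") for a in req.actions)
        decision = "denied" if wildcard else "granted"
        self._audit.record({"principal": req.principal, "resource": req.resource,
                            "actions": list(req.actions), "decision": decision})
        return not wildcard


# --- Adapters: concrete implementations of the port; swapping them leaves the core untouched ---
class InMemoryAuditSink:
    """Test double: keeps events in a list."""

    def __init__(self):
        self.events = []

    def record(self, event: dict) -> None:
        self.events.append(event)


class JsonLinesAuditSink:
    """Append-only JSON Lines file; the core never learns that a file is involved."""

    def __init__(self, path: str):
        self.path = path

    def record(self, event: dict) -> None:
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(event) + "\n")


def run_demo(sink: AuditSink) -> list:
    """Drive the core with two constructed requests and return its decisions."""
    svc = AccessGrantService(sink)
    return [
        svc.grant(GrantRequest("ci-deployer", "arn:aws:s3:::example-bucket/*", ("s3:PutObject",))),
        svc.grant(GrantRequest("ci-deployer", "*", ("iam:*",))),
    ]


def demo_file_sink() -> list:
    """Run the same core against the file adapter and return the decisions read back from disk."""
    path = os.path.join(tempfile.mkdtemp(), "audit.jsonl")
    run_demo(JsonLinesAuditSink(path))
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line)["decision"] for line in fh]


if __name__ == "__main__":
    sink = InMemoryAuditSink()
    print(run_demo(sink))
    print(sink.events)
    print(demo_file_sink())
```

Replacing `JsonLinesAuditSink` with an adapter that ships to CloudWatch Logs or a SIEM would change nothing in `AccessGrantService`, which is the practical reading of the guidance: the governance integration lives at the edge, so it can be upgraded or audited without touching the decision logic.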