Cloud Security Posture Management: Hardening Your Cloud Environment
Systematically secure your cloud infrastructure. Covers CIS benchmarks, identity management, network segmentation, encryption, and compliance automation.
Cloud misconfiguration is consistently reported as a leading cause of data breaches; one commonly quoted industry figure puts it at 49%. Most of those incidents are not sophisticated attacks. They are public S3 buckets, overly permissive IAM roles, and unencrypted databases. This guide walks through a systematic hardening process for closing them.
Step 1: Audit Identity and Access Management
1.1 Find Overprivileged Users
# AWS — list every user, group and role with the managed AdministratorAccess policy attached
aws iam list-entities-for-policy \
--policy-arn arn:aws:iam::aws:policy/AdministratorAccess \
--output table
# Then inspect a suspect user's attached policies (inline policies need list-user-policies / get-user-policy)
aws iam list-attached-user-policies --user-name admin-user \
--query 'AttachedPolicies[].PolicyArn' --output text | tr '\t' '\n' | grep -i admin
# Azure — list Owner/Contributor assignments on the subscription, including ones inherited from management groups
az role assignment list --scope "/subscriptions/{sub-id}" --include-inherited \
--query "[?roleDefinitionName=='Owner' || roleDefinitionName=='Contributor'].{Principal:principalName, Type:principalType, Role:roleDefinitionName, Scope:scope}" \
--output table
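The CLI calls above only catch the managed AdministratorAccess policy by name. Customer-managed and inline policies can grant the same power through `Action: "*"`, through `NotAction` (which allows everything except the listed actions), or through IAM actions that let a principal extend its own permissions. The following is an added example, not code from the original guide: a small analyser for policy documents as returned by `aws iam get-policy-version` or `aws iam get-user-policy`. The policy documents in `SAMPLE_POLICIES` and the `ESCALATION_ACTIONS` list are constructed for illustration.

```python
"""Flag IAM policy documents that are effectively AdministratorAccess.

Added example (not code from the original guide). Feed it the JSON returned by
`aws iam get-policy-version` or `aws iam get-user-policy`; the documents in
SAMPLE_POLICIES are constructed for illustration only.
"""
import fnmatch
import json
import sys

# Constructed sample policy documents, not taken from any real account.
SAMPLE_POLICIES = {
    "AdminInline": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "IamStar": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}]},
    "NotActionTrick": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}]},
    "ReadOnly": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
}

# Actions through which a principal can grant itself more access (assumed list for
# this example). Hits are candidates for review, not proof of escalation, because
# Resource and Condition elements may still limit them.
ESCALATION_ACTIONS = [
    "iam:*", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:AttachGroupPolicy",
    "iam:PutUserPolicy", "iam:PutRolePolicy", "iam:PutGroupPolicy",
    "iam:PassRole", "sts:AssumeRole",
]


def _as_list(value):
    """IAM allows a string or a list in Action/NotAction/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers(pattern, action):
    """IAM action patterns are case-insensitive globs such as 's3:Get*' or '*'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def analyze_policy(doc):
    """Return human-readable findings for one policy document (empty list = nothing admin-like)."""
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        actions = _as_list(stmt.get("Action"))
        any_resource = "*" in _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions:
            # a near-admin grant that a grep for 'Action: *' will miss.
            findings.append(f"statement {i}: Allow with NotAction {_as_list(stmt['NotAction'])} grants everything else")
            continue
        if any_resource and "*" in actions:
            findings.append(f"statement {i}: full admin (Action * on Resource *)")
            continue
        for pattern in actions:
            for esc in ESCALATION_ACTIONS:
                if _covers(pattern, esc):
                    findings.append(f"statement {i}: {pattern!r} covers escalation action {esc}")
                    break
    return findings


def scan(policies):
    """Map policy name -> findings, keeping only policies that have at least one."""
    return {name: f for name, doc in policies.items() if (f := analyze_policy(doc))}


if __name__ == "__main__":
    # `python iam_admin_check.py policy.json` analyses one exported document;
    # with no argument the constructed samples are analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            docs = {sys.argv[1]: json.load(fh)}
    else:
        docs = SAMPLE_POLICIES
    print(json.dumps(scan(docs), indent=2))
```

The `NotAction` case is the one to remember: a statement with `Effect: Allow` and `NotAction: iam:*` grants every action in every other service, yet contains no `Action: *` for a naive search to find.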
1.2 Enforce MFA
# AWS — list console users without MFA (report columns: 4 = password_enabled, 8 = mfa_active)
aws iam generate-credential-report   # asynchronous: repeat until State is COMPLETE
aws iam get-credential-report --query Content --output text | base64 -d | \
awk -F, 'NR > 1 && $4 == "true" && $8 == "false" {print $1}'
# Root MFA is reported separately (1 = enabled)
aws iam get-account-summary --query 'SummaryMap.AccountMFAEnabled'
1.3 Service Account Hygiene
| Check | AWS | Azure |
|---|---|---|
| Rotate keys older than 90 days | aws iam list-access-keys (check CreateDate) | Entra ID → App registrations → Certificates & secrets (check expiry) |
| Remove unused keys | aws iam get-access-key-last-used | Sign-in logs: filter by last sign-in |
| Use roles, not long-lived keys | IAM roles for EC2/Lambda | Managed identities |
| Scope to minimum | Custom least-privilege policies | Custom RBAC roles |
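The credential report already contains everything needed for the MFA check in 1.2 and the key-age and key-usage checks in 1.3, so one pass over it covers both. The script below is an added example, not code from the original guide. It reads the decoded CSV (the output of `aws iam get-credential-report --query Content --output text | base64 -d`); `SAMPLE_REPORT` is constructed data that follows the real report's column names, and `SAMPLE_NOW` pins the clock so the sample output is reproducible.

```python
"""Audit an IAM credential report for MFA gaps and stale or unused access keys.

Added example (not code from the original guide). Input is the decoded CSV from
`aws iam get-credential-report --query Content --output text | base64 -d`;
SAMPLE_REPORT is constructed data using the real report's columns.
"""
import csv
import io
import sys
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # rotate keys older than this
UNUSED_AFTER = timedelta(days=90)  # remove keys idle for this long

# Constructed sample rows; account id 123456789012 is a placeholder.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-10T12:00:00+00:00,true,2024-05-20T08:15:00+00:00,2024-01-10T12:00:00+00:00,N/A,true,true,2024-04-01T00:00:00+00:00,2024-05-20T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-07-01T12:00:00+00:00,true,2024-05-19T16:40:00+00:00,2021-07-01T12:00:00+00:00,N/A,false,true,2021-07-01T12:30:00+00:00,2022-02-14T10:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-01-05T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-01-05T00:10:00+00:00,2024-05-21T03:00:00+00:00,us-east-1,ecr,true,2024-05-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""
SAMPLE_NOW = datetime(2024, 5, 22, tzinfo=timezone.utc)  # fixed clock for the sample


def _ts(value):
    """Timestamps are ISO 8601; 'N/A', 'no_information' and 'not_supported' become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(csv_text, now=None):
    """Return {user: [(check, detail), ...]} for every user with at least one finding."""
    now = now or datetime.now(timezone.utc)
    findings = {}

    def add(user, check, detail):
        findings.setdefault(user, []).append((check, detail))

    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        # Root always has console access even though password_enabled reads "not_supported".
        has_console = row["password_enabled"] == "true" or user == "<root_account>"
        if has_console and row["mfa_active"] != "true":
            add(user, "no_mfa", "console sign-in possible without MFA")
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _ts(row[f"access_key_{slot}_last_used_date"])
            if rotated and now - rotated > MAX_KEY_AGE:
                add(user, "stale_key", f"access key {slot} is {(now - rotated).days} days old")
            if last_used is None:
                # Never used: only complain once the key has had time to be used.
                if rotated and now - rotated > UNUSED_AFTER:
                    add(user, "unused_key", f"access key {slot} has never been used")
            elif now - last_used > UNUSED_AFTER:
                add(user, "unused_key", f"access key {slot} last used {(now - last_used).days} days ago")
    return findings


def run_sample():
    """Audit the constructed report against the fixed sample clock."""
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    # `python audit_keys.py -` reads a real decoded report from stdin; no argument runs the sample.
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        result = audit_credential_report(sys.stdin.read())
    else:
        result = run_sample()
    for user, items in result.items():
        for check, detail in items:
            print(f"{user}: {check}: {detail}")
```

Two details matter in practice: the root row reports `password_enabled` as `not_supported`, so a filter on `password_enabled == true` silently skips the account that matters most, and a key that has never been used shows `N/A` rather than a date, so "unused" has to be derived from the key's age instead.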
Step 2: Network Segmentation
# AWS — audit security groups with ingress from anywhere (0.0.0.0/0 or ::/0)
aws ec2 describe-security-groups \
--query "SecurityGroups[?IpPermissions[?contains(IpRanges[].CidrIp, '0.0.0.0/0') || contains(Ipv6Ranges[].CidrIpv6, '::/0')]].[GroupId,GroupName]" \
--output text
# Azure — find NSGs allowing all inbound
az network nsg list \
--query "[].{Name:name, Rules:securityRules[?access=='Allow' && sourceAddressPrefix=='*' && direction=='Inbound']}" \
--output json
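A CIDR match alone over-reports (a web tier legitimately accepts 0.0.0.0/0 on 443) and under-reports (a rule with `IpProtocol: -1` has no port fields at all, and an IPv6 `::/0` rule is a separate list). The following is an added example, not code from the original guide: it consumes the JSON shape of `aws ec2 describe-security-groups` and reports only rules that expose an administrative port to the world, which is what the checklist item on SSH/RDP actually asks for. `SAMPLE` is constructed data, and `ADMIN_PORTS` is an assumed list that extends the checklist's SSH/RDP with common database ports.

```python
"""Find security-group ingress rules that expose admin ports to the internet.

Added example (not code from the original guide). Input is the JSON printed by
`aws ec2 describe-security-groups`; SAMPLE is constructed data.
"""
import json
import sys

# Constructed sample in the describe-security-groups output shape.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "legacy-all-open", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0a1b2c3d4e5f60004", "GroupName": "app-from-office", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]}

WORLD = {"0.0.0.0/0", "::/0"}
# Ports that should never be reachable from the internet (assumed list for this example:
# the checklist's SSH/RDP plus common database ports).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
               1433: "mssql", 6379: "redis", 27017: "mongodb"}


def _world_sources(perm):
    """Return the IPv4/IPv6 sources in this permission that mean 'anywhere'."""
    sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [s for s in sources if s in WORLD]


def _exposed_admin_ports(perm):
    """Return {port: service} for the admin ports this permission covers."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # all traffic: every port on every protocol
        return dict(ADMIN_PORTS)
    if proto not in ("tcp", "udp"):
        return {}                # icmp and friends carry no TCP/UDP ports
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p: n for p, n in ADMIN_PORTS.items() if lo <= p <= hi}


def audit_security_groups(doc):
    """Return one finding per world-open permission that covers an admin port."""
    findings = []
    for sg in doc["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            sources = _world_sources(perm)
            if not sources:
                continue
            ports = _exposed_admin_ports(perm)
            if not ports:
                continue  # world-open but only on non-admin ports (e.g. 80/443)
            findings.append({"GroupId": sg["GroupId"], "GroupName": sg["GroupName"],
                             "Sources": sources, "Ports": sorted(ports)})
    return findings


if __name__ == "__main__":
    # `aws ec2 describe-security-groups | python sg_audit.py -`; no argument runs the sample.
    doc = json.load(sys.stdin) if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE
    for f in audit_security_groups(doc):
        print(f"{f['GroupId']} ({f['GroupName']}): ports {f['Ports']} open to {f['Sources']}")
```

Note that the `legacy-all-open` group is flagged even though it has no `FromPort`/`ToPort`: an `IpProtocol` of `-1` means all traffic, and a query that filters on port numbers will never see it.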
Architecture Pattern

```text
Internet → WAF/CDN → Load Balancer → App Tier → DB Tier
                          │              │
                    Public Subnet   Private Subnet
                    (with NAT GW)   (no internet)
                                         │
                                  Private Endpoints
                                  (storage, key vault)
```
Step 3: Encryption Everywhere
| Layer | At Rest | In Transit |
|---|---|---|
| Storage | AES-256 server-side encryption (on by default) | HTTPS-only access enforced |
| Database | TDE / storage-level encryption, ideally with a customer-managed key (CMK) | TLS 1.2+ required |
| Secrets | Key Vault / Secrets Manager | API access over TLS |
| Compute | Encrypted EBS volumes / managed disks | Internal mTLS between services |
| Backups | Encrypted by default | Encrypted transfer |
# AWS — list unencrypted EBS volumes, then make encryption the default for new volumes in this region
aws ec2 describe-volumes --filters Name=encrypted,Values=false \
--query "Volumes[].{ID:VolumeId, Size:Size, State:State}" \
--output table
aws ec2 enable-ebs-encryption-by-default
# Azure — storage service encryption cannot be switched off, so query the settings that can be weak:
# platform-managed keys instead of a CMK, plain HTTP allowed, or a minimum TLS version below 1.2
az storage account list \
--query "[?encryption.keySource!='Microsoft.Keyvault' || enableHttpsTrafficOnly==\`false\` || minimumTlsVersion=='TLS1_0' || minimumTlsVersion=='TLS1_1' || minimumTlsVersion==\`null\`].{Name:name, KeySource:encryption.keySource, HttpsOnly:enableHttpsTrafficOnly, MinTls:minimumTlsVersion}" \
--output table
Step 4: Enable Logging and Detection
# AWS — enable CloudTrail in every region; the bucket policy must allow cloudtrail.amazonaws.com to write to it
aws cloudtrail create-trail \
--name audit-trail \
--s3-bucket-name audit-logs-bucket \
--is-multi-region-trail \
--enable-log-file-validation
aws cloudtrail start-logging --name audit-trail
# Enable GuardDuty (threat detection) in each region you use
aws guardduty create-detector --enable
# Azure — enable the Defender for Cloud paid tier per resource type (VirtualMachines, StorageAccounts, SqlServers, ...)
az security pricing create --name VirtualMachines --tier standard
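Enabling the trail is only half of this step; the records have to be looked at. The script below is an added example, not code from the original guide, showing four rules over CloudTrail events of the kind the CIS AWS Foundations Benchmark asks you to alarm on: root account usage, console sign-in without MFA, changes to the trail itself, and a security group being opened to the world. `SAMPLE_EVENTS` is constructed in the CloudTrail record schema (the same shape a trail delivers to S3 under a top-level `Records` key), trimmed to the fields the rules read; the rule names are this example's own.

```python
"""CIS-style detections over CloudTrail records.

Added example (not code from the original guide). Records follow the CloudTrail
event schema; SAMPLE_EVENTS is constructed for illustration.
"""
import json
import sys

BOB = "arn:aws:iam::123456789012:user/bob"  # placeholder principal

# Constructed CloudTrail records, trimmed to the fields the rules use.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-22T10:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-22T10:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": BOB},
     "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-22T10:07:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": BOB},
     "requestParameters": {"name": "audit-trail"}},
    {"eventTime": "2024-05-22T10:09:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": BOB},
     "requestParameters": {"groupId": "sg-0a1b2c3d4e5f60001", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-22T10:12:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"}},
]

TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def rule_root_activity(ev):
    """Any API call or sign-in made with root credentials."""
    return ev.get("userIdentity", {}).get("type") == "Root"


def rule_console_login_no_mfa(ev):
    """Successful console sign-in where the MFA flag is explicitly 'No'."""
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and ev.get("additionalEventData", {}).get("MFAUsed") == "No")


def rule_trail_tampering(ev):
    """Attempts to stop, delete or reconfigure the audit trail itself."""
    return ev.get("eventSource") == "cloudtrail.amazonaws.com" and ev.get("eventName") in TRAIL_TAMPER


def rule_world_open_ingress(ev):
    """AuthorizeSecurityGroupIngress with a 0.0.0.0/0 or ::/0 source."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    for perm in ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
        v4 = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        v6 = [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            return True
    return False


RULES = {
    "root_account_usage": rule_root_activity,
    "console_login_without_mfa": rule_console_login_no_mfa,
    "cloudtrail_config_change": rule_trail_tampering,
    "security_group_opened_to_world": rule_world_open_ingress,
}


def detect(events):
    """Return (rule_name, eventTime, actor_arn) for every rule that matches an event."""
    hits = []
    for ev in events:
        actor = ev.get("userIdentity", {}).get("arn", "?")
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("eventTime"), actor))
    return hits


def load_records(text):
    """Parse one delivered CloudTrail log file (JSON with a top-level 'Records' list)."""
    return json.loads(text).get("Records", [])


if __name__ == "__main__":
    # `zcat <trail-file>.json.gz | python trail_detect.py -`; no argument runs the sample.
    events = load_records(sys.stdin.read()) if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_EVENTS
    for name, when, actor in detect(events):
        print(f"{when} {name} {actor}")
```

The root sign-in is flagged even though MFA was used: the benchmark's point is that root should not be used for day-to-day work at all, so any root activity is worth an alert. The `StopLogging` event is the one to treat as urgent, since it is typically the first thing an intruder does after gaining administrative access.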
Step 5: Automate Compliance Scanning
# AWS Security Hub — aggregates findings and turns on its default security standards
aws securityhub enable-security-hub \
--enable-default-standards
# Prowler — open-source scanner with CIS benchmark mappings for AWS, Azure and GCP
pip install prowler
prowler aws --list-compliance      # show the framework names available in your version
prowler aws --compliance cis_2.0_aws
CSPM Checklist
- MFA enforced on all human users
- No AdministratorAccess on user accounts
- Service accounts use roles/managed identities (not keys)
- No security groups allowing 0.0.0.0/0 or ::/0 on SSH/RDP (or on any database port)
- Database tiers in private subnets only
- All storage encrypted at rest
- TLS 1.2+ enforced on all endpoints
- CloudTrail / Activity Log enabled (all regions)
- Threat detection active (GuardDuty / Defender)
- CIS benchmark scan passing > 90%
:::note[Source] This guide is derived from operational intelligence at Garnet Grid Consulting. For security audits, visit garnetgrid.com. :::