Cloud Security Series #3

Deny by Default, Allow by Exception

In the original post we defined the steps to implement a bullet-proof Cloud Infrastructure Security Posture. Today we will look into the specifics of the Administrative Tasks aimed at protecting your cloud infrastructure from external threats.

Cloud Infrastructure Security Series #3. 🛑 Deny All, Allow by Exception - Administrative Tasks.


❓ How would you approach the implementation of the following?
– Block Unused Services, Resources, Regions;
– Deny Public Access to Everything (Network, Hosts, Workloads, Storage, Databases), Allow by Exception;
– Create and Manage a Set of Encryption Keys.


💪 Here is how – a 7-step guide:

  1. If you maintain multiple cloud accounts, make sure they belong to the same Organization in your Cloud Service Provider. It is an important step for establishing governance across all of your cloud accounts.
  2. Open your cloud account’s management console, and use Organizational Settings to disable unused Geographic Regions.
    To get started:
    – AWS: Specify which AWS Regions your account can use ( https://lnkd.in/ej2Basbd )
    – MS Azure: Disable Unused Azure Regions Using an Azure Policy ( https://lnkd.in/eiPY5Wrd )
    – GCP: Restricting Resource Locations ( https://lnkd.in/eqSg7DB4 )
  3. Leverage the concept of Service Control Policies (or their analog) to restrict the use of certain Cloud Services. CSPs offer hundreds of services, and it is important to make sure that you allow the usage of only the ones that you need. Keep in mind that an SCP is a ceiling, not a grant: it limits what IAM inside an account can permit, and on AWS the default FullAWSAccess policy allows everything, so a real allow-list only takes effect once that default is replaced.
    To get started:
    – Google Cloud: Enable and Disable Services ( https://lnkd.in/e_M-E6CM )
    – AWS Service Control Policies ( https://lnkd.in/eyTNS24M )
    – Medium: AWS Organization Policy and Azure Policy ( https://lnkd.in/eiGBcRb2 )
  4. Put a firewall in front of your cloud network boundary, and configure its rules to be as restrictive as possible, opening only the TLS-protected ports you actually serve (for most web workloads that is 443 alone) and nothing else.
  5. Move hosts, databases, and services to private networks. Set up a VPN (or use a VPN-less alternative such as AWS Systems Manager Session Manager) for host connectivity. Use encrypted port forwarding over that channel to reach databases and internal applications instead of exposing their ports.
  6. Front public services with load balancers that terminate TLS with attached certificates and have WAF / WAAP enabled. This keeps the workloads themselves off the public network and filters common web attacks before they reach them.
  7. Create a user group responsible for managing a set of cloud account-wide encryption keys (for example, customer-managed keys in your CSP's key management service), and keep key administrators separate from key users in the key policies. This lays the foundation for data encryption in your cloud environment.
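As an added example (this is not code from the original post), here is what steps 2 and 3 look like as AWS Service Control Policies: one policy that denies every action outside an allowed set of regions, and one that allows only an approved set of services. A small evaluator runs a few constructed requests through both so you can see why the combination is deny-by-default. The region list, service list, account ID and the break-glass role name are assumptions made for illustration; the global-service exemption list is an abbreviated version of the one AWS uses in its own region-restriction example; and the evaluator is a deliberate simplification of real SCP evaluation (it treats all attached policies as a single level and models only the two condition operators these policies use).

```python
# Added example for steps 2 and 3 (not from the original post): two AWS SCPs
# that implement "deny all, allow by exception" for regions and services, plus
# a simplified evaluator that shows how they combine. Region list, service
# list, account ID and the break-glass role below are assumptions.
import fnmatch
import json

ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]                                     # assumption
ALLOWED_SERVICES = ["ec2", "s3", "rds", "kms", "iam", "sts", "cloudwatch", "logs"]  # assumption
# Global services are served out of us-east-1, so a naive region deny would
# break them. Abbreviated from the exemption list in AWS's own example SCP.
GLOBAL_SERVICES = ["iam", "organizations", "sts", "route53", "cloudfront", "support", "budgets"]
BREAK_GLASS_ROLE = "arn:aws:iam::111122223333:role/OrgBreakGlass"  # assumption
DEV_ROLE = "arn:aws:iam::111122223333:role/Developer"              # assumption


def build_region_scp(allowed_regions, global_services, exempt_principal_patterns):
    """Deny every action outside allowed_regions, except for global services
    and for principals matching the exemption patterns (a break-glass role)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": [f"{svc}:*" for svc in global_services],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": allowed_regions},
                "ArnNotLike": {"aws:PrincipalARN": exempt_principal_patterns},
            },
        }],
    }


def build_service_allowlist_scp(allowed_services):
    """Allow only the listed services. This is only the effective ceiling once
    the default FullAWSAccess SCP has been detached from the same OU."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyApprovedServices",
            "Effect": "Allow",
            "Action": [f"{svc}:*" for svc in allowed_services],
            "Resource": "*",
        }],
    }


def _matches(patterns, value):
    # IAM action matching is case-insensitive with '*' wildcards.
    pats = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in pats)


def _applies(stmt, action, region, principal_arn):
    """True if the statement's Action/NotAction and Condition match the request."""
    if "Action" in stmt and not _matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches(stmt["NotAction"], action):
        return False
    context = {"aws:RequestedRegion": region, "aws:PrincipalARN": principal_arn}
    for operator, clauses in stmt.get("Condition", {}).items():
        for key, expected in clauses.items():
            values = [expected] if isinstance(expected, str) else expected
            actual = context[key]
            if operator == "StringNotEquals" and actual in values:
                return False
            if operator == "ArnNotLike" and any(fnmatch.fnmatchcase(actual, v) for v in values):
                return False
            if operator not in ("StringNotEquals", "ArnNotLike"):
                raise NotImplementedError(f"operator {operator} is not modelled here")
    return True


def evaluate(scps, action, region, principal_arn):
    """Simplified SCP evaluation: an explicit Deny wins; otherwise at least one
    Allow must match; otherwise the request is implicitly denied. Real AWS
    evaluation repeats this at every level of the OU hierarchy; here all SCPs
    are treated as one level. Returns (verdict, Sid that decided it)."""
    allowed_by = None
    for scp in scps:
        for stmt in scp["Statement"]:
            if not _applies(stmt, action, region, principal_arn):
                continue
            if stmt["Effect"] == "Deny":
                return "DENY", stmt["Sid"]
            allowed_by = stmt["Sid"]
    return ("ALLOW", allowed_by) if allowed_by else ("DENY", "implicit")


REGION_SCP = build_region_scp(ALLOWED_REGIONS, GLOBAL_SERVICES, ["arn:aws:iam::*:role/OrgBreakGlass"])
SERVICE_SCP = build_service_allowlist_scp(ALLOWED_SERVICES)
SCPS = [REGION_SCP, SERVICE_SCP]

if __name__ == "__main__":
    print(json.dumps(REGION_SCP, indent=2))
    print(json.dumps(SERVICE_SCP, indent=2))
    for action, region, principal in [
        ("ec2:RunInstances", "eu-west-1", DEV_ROLE),                   # allowed region and service
        ("ec2:RunInstances", "ap-southeast-1", DEV_ROLE),              # blocked region
        ("iam:CreateUser", "us-east-1", DEV_ROLE),                     # global service, exempt from region deny
        ("sagemaker:CreateNotebookInstance", "eu-west-1", DEV_ROLE),   # service not on the allow list
        ("ec2:DescribeInstances", "ap-southeast-1", BREAK_GLASS_ROLE), # break-glass exemption
    ]:
        who = principal.rsplit("/", 1)[1]
        print(f"{action:35} {region:15} {who:13} -> {evaluate(SCPS, action, region, principal)}")
```

The point the evaluator makes is that the two policies do different jobs: the region policy is an explicit deny that no account-level IAM policy can override, while the service policy replaces the default allow-everything ceiling, so anything not on the list (SageMaker in the sample run) is denied implicitly even though no statement names it. Before attaching such policies to a production OU, test them on a sandbox account first; a region deny that forgets a global service, or an allow-list that omits sts or logs, locks out automation very quickly.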

See anything missing or irrelevant?