Cloud Security Basics for AWS, Azure & GCP Engineers
Most cloud breaches in 2026 are not exotic — they are misconfigured storage, leaked access keys, and over-permissioned roles. Knowing the basics on all three major clouds is now a baseline expectation.
The shared responsibility model
The cloud provider secures the cloud; you secure what you put in it. They patch the hypervisor; you patch the VM. They run the database service; you set the IAM policies. Every cloud security failure starts with someone forgetting which side of that line they were on.
The four basics on every cloud
- Identity — least-privilege IAM, no long-lived root keys, prefer roles and short-lived tokens.
- Networking — VPCs, security groups, private subnets, no default open-to-world rules.
- Storage — default-encrypted, no public buckets unless explicitly intended, server-side encryption with keys you control where it matters.
- Logging — CloudTrail, Azure Activity Log, Cloud Audit Logs — enabled, centralised, retained for at least 90 days.
Service-specific gotchas
AWS S3 buckets remain the famous misconfiguration; check that Block Public Access is enabled. Azure Blob has its own public-access flag; treat it the same way. GCP Cloud Storage offers uniform bucket-level access — turn it on. Across all three, lock down management endpoints to specific IPs or a VPN.
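The networking and storage checks above can be automated against exported configuration. The following is an added example, not code from the original article: it assumes input shaped like the AWS EC2 DescribeSecurityGroups and S3 GetPublicAccessBlock responses, and the function names and sample data are constructed for illustration.

```python
import ipaddress

# TCP management ports that should not be reachable from the whole internet.
MGMT_PORTS = {22: "SSH", 3389: "RDP"}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def open_mgmt_rules(group):
    """Findings for ingress rules that expose a management port to the world."""
    findings = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        # A zero-length prefix (0.0.0.0/0 or ::/0) matches every address.
        world = [c for c in cidrs
                 if ipaddress.ip_network(c, strict=False).prefixlen == 0]
        proto = perm.get("IpProtocol")
        if not world or proto not in ("-1", "tcp", "6"):
            continue
        # "-1" means every protocol and port; otherwise test the port range.
        lo, hi = (0, 65535) if proto == "-1" else (
            perm.get("FromPort", 0), perm.get("ToPort", 65535))
        for port in sorted(MGMT_PORTS):
            if lo <= port <= hi:
                findings.append((group["GroupId"], MGMT_PORTS[port], port, world))
    return findings

def missing_bpa_flags(response):
    """Block Public Access flags that are absent or not true."""
    cfg = (response or {}).get("PublicAccessBlockConfiguration", {})
    return [f for f in BPA_FLAGS if cfg.get(f) is not True]

# Constructed sample data, not real resources.
SAMPLE_GROUPS = [
    {"GroupId": "sg-constructed-1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-constructed-2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]},
]
SAMPLE_BPA = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    print([open_mgmt_rules(g) for g in SAMPLE_GROUPS], missing_bpa_flags(SAMPLE_BPA))
```

The second sample group shows why the port range matters: a wide 3000-4000 rule silently includes RDP, while SSH restricted to a single /32 is not flagged.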
Tooling worth learning
Free open-source tools cover most needs: Prowler (AWS), Scout Suite (multi-cloud), Trivy (containers and IaC), tfsec or Checkov for Terraform scanning. Add one cloud-native posture management product when you hit serious scale.
How to upskill
One cloud certification (AWS Security Specialty is the strongest signal in India in 2026) plus a public GitHub repo with a hardened reference architecture is the combination that gets cloud-security candidates to final rounds.