Cloud Governance - Steering and Control in the Cloud
Cloud governance is the framework of policies, processes, and technologies that ensures cloud resources are operated securely, in compliance with regulations, cost-effectively, and in alignment with business objectives. Key elements: landing zone architecture, policy-as-code (Azure Policy, AWS SCPs), cost management, tagging strategies, and cloud security posture management (CSPM).
Cloud Governance prevents cloud environments from evolving into "cloud sprawl" over time—uncontrolled, expensive, and insecure infrastructure without clear accountability. Without governance, enterprise environments can accumulate hundreds of accounts and thousands of resources within months, and no one knows which ones are critical.
Dimensions of Governance
1. Security Governance
- Who is allowed to do what in the cloud? (IAM, RBAC)
- Which configurations are prohibited? (Policy-as-Code)
- Monitoring and alerting (CSPM, CloudTrail/Monitor)
- Data protection: where can data be stored? (Data Residency)
2. Cost Governance
- Budgets and alerts (AWS Budgets, Azure Cost Management)
- Tagging for cost allocation (department, project, environment)
- Reserved Instances vs. on-demand optimization
- Identify and delete zombie resources
3. Compliance Governance
- Implementing regulatory requirements (GDPR, ISO 27001, NIS2)
- Compliance frameworks as code (CIS Benchmarks, NIST)
- Audit trails and evidence provision
4. Operations Governance
- Naming conventions (consistent resource names)
- Infrastructure-as-Code (no manual clickops!)
- Change management for cloud resources
- Disaster recovery and backup policies
5. Organizational Governance
- Responsibilities: Cloud Center of Excellence (CCoE)
- Account/subscription hierarchy
- Onboarding new teams to the cloud
- Self-service vs. centralized control
Landing Zone Architecture
> Landing Zone = preconfigured, secure cloud starting point: Instead of each team building its own cloud environment from scratch, teams receive "fresh" accounts/subscriptions with guardrails and can use self-service within defined limits.
AWS Landing Zone (AWS Control Tower)
Account Hierarchy (AWS Organizations):
```text
Root Management Account
├── Security OU
│   ├── Security Tooling Account (SIEM, Config, GuardDuty)
│   └── Log Archive Account (CloudTrail, all logs centralized)
├── Sandbox OU (no production access, more relaxed rules)
│   └── Developer Sandbox Accounts
├── Workloads OU
│   ├── Production Accounts
│   └── Staging Accounts
└── Infrastructure OU
    ├── Network Account (Transit Gateway, VPNs)
    └── Shared Services Account (AD, CI/CD)
```
AWS Control Tower Guardrails:
Preventive Guardrails (SCPs - block):
- Disabling CloudTrail prohibited
- Root account usage prohibited
- Leaving the organization not allowed
- Enforce S3 Block Public Access
Detective Guardrails (Config Rules - alert):
- MFA enabled for root account?
- Open security groups (0.0.0.0/0) detected?
- Unencrypted EBS volumes?
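The three detective guardrails above, as an added example that is not part of the original page: a small Python evaluator in the style of an AWS Config rule, run over a constructed account inventory. The rule names mirror AWS managed Config rules; the inventory layout and the `allowed_public_ports` exception are assumptions for this illustration.

```python
from ipaddress import ip_network

# Constructed sample inventory (not real account data): the shape a
# Config-rule evaluator would see after describing the account.
SAMPLE_ACCOUNT = {
    "root_mfa_enabled": False,
    "security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "from": 443, "to": 443}]},
        {"id": "sg-db", "ingress": [{"cidr": "0.0.0.0/0", "from": 3306, "to": 3306}]},
        {"id": "sg-internal", "ingress": [{"cidr": "10.0.0.0/8", "from": 22, "to": 22}]},
    ],
    "ebs_volumes": [
        {"id": "vol-1", "encrypted": True},
        {"id": "vol-2", "encrypted": False},
    ],
}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0: a prefix length of 0 means 'anyone'."""
    return ip_network(cidr, strict=False).prefixlen == 0


def evaluate_detective_guardrails(account: dict, allowed_public_ports=(80, 443)) -> list:
    """Return NON_COMPLIANT findings in the style of AWS Config rule results."""
    findings = []
    if not account.get("root_mfa_enabled", False):
        findings.append({"rule": "root-account-mfa-enabled", "resource": "root",
                         "compliance": "NON_COMPLIANT"})
    for sg in account.get("security_groups", []):
        for rule in sg["ingress"]:
            if not is_world_open(rule["cidr"]):
                continue
            ports = range(rule["from"], rule["to"] + 1)
            # An internet-facing web tier may legitimately expose 80/443 (assumed exception).
            if all(p in allowed_public_ports for p in ports):
                continue
            findings.append({"rule": "restricted-common-ports", "resource": sg["id"],
                             "compliance": "NON_COMPLIANT",
                             "detail": f"{rule['cidr']} -> {rule['from']}-{rule['to']}"})
    for vol in account.get("ebs_volumes", []):
        if not vol.get("encrypted"):
            findings.append({"rule": "encrypted-volumes", "resource": vol["id"],
                             "compliance": "NON_COMPLIANT"})
    return findings


if __name__ == "__main__":
    for f in evaluate_detective_guardrails(SAMPLE_ACCOUNT):
        print(f)
```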
Azure Landing Zone
Management Group Hierarchy:
```text
Root (Tenant)
├── Platform Management Group
│   ├── Management Subscription (Monitor, Security Center)
│   ├── Identity Subscription (AD DS, PKI)
│   └── Connectivity Subscription (Hub vNet, ExpressRoute, VPN)
├── Landing Zones Management Group
│   ├── Corp (connected to Corp network)
│   └── Online (Internet-facing apps, no Corp-Connect)
└── Decommissioned (decommissioned subscriptions)
```
Azure Policy (as a guardrail):
- Require TLS 1.2+ on App Services
- Restrict Locations to West Europe, North Europe
- Require Tags (environment, owner, costcenter)
- Deny Public IP on VMs (except explicitly allowed ones)
- Deploy if not exists: automatically remediate!
GCP Landing Zone
- Resource Hierarchy: Organization → Folders → Projects
- Org Policies: similar to AWS SCPs and Azure Policy
- VPC Service Controls: Restrict data access between projects
Policy-as-Code
Why Policy-as-Code
- Manual checks: error-prone, not scalable
- Policy-as-Code: versioned, testable, automatically enforced
- Changes traceable via Git (Who, What, When)
AWS Service Control Policies (SCPs)
- Applies to every account in the OU it is attached to
- Takes precedence over all other permissions, including Admin (an SCP is a ceiling, not a grant)
- Restrictions only (never extensions!)
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRootUser",
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:root"
        }
      }
    }
  ]
}
```
Azure Policy (declarative)
```json
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Storage/storageAccounts"
      },
      {
        "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
        "notEquals": "true"
      }
    ]
  },
  "then": {
    "effect": "deny"
  }
}
```
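To show how a declarative rule like the one above is actually evaluated, here is an added example (not code from the original page or from Azure Policy itself): a minimal Python evaluator for the `if`/`then` rule shape with `field` conditions and `allOf`/`anyOf`/`not`, applied to constructed ARM-style resources. The alias-to-property mapping and the "missing field counts as not equal" behaviour are simplifying assumptions.

```python
# The storage-account policy from above, as a Python dict.
POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
         "notEquals": "true"},
    ]},
    "then": {"effect": "deny"},
}

# Constructed sample resources (not real ones) in a simplified ARM layout.
INSECURE_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "name": "stlegacy",
                    "properties": {"supportsHttpsTrafficOnly": False}}
SECURE_STORAGE = {"type": "Microsoft.Storage/storageAccounts", "name": "stsecure",
                  "properties": {"supportsHttpsTrafficOnly": True}}
VM = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1", "properties": {}}


def get_field(resource: dict, field: str):
    """'type', 'name', 'location' are top-level; an alias maps to its last path segment (assumption)."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    return resource.get("properties", {}).get(field.split("/")[-1])


def norm(value):
    """Azure Policy compares strings case-insensitively; booleans become 'true'/'false'."""
    return str(value).lower() if isinstance(value, (bool, str)) else value


def matches(cond: dict, resource: dict) -> bool:
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = norm(get_field(resource, cond["field"]))
    if "equals" in cond:
        return value == norm(cond["equals"])
    if "notEquals" in cond:
        return value != norm(cond["notEquals"])   # missing field counts as "not equal"
    if "exists" in cond:
        return (value is not None) == (norm(cond["exists"]) == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: dict, resource: dict) -> str:
    """Return the policy effect ('deny') when the condition matches, else 'allow'."""
    return policy["then"]["effect"] if matches(policy["if"], resource) else "allow"
```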
Open Policy Agent (OPA / Rego)
- Universal policy engine, independent of cloud providers
- Use cases: Kubernetes (OPA Gatekeeper), Terraform (Conftest), CI/CD
- Kubernetes Admission Controller: block pods with `privileged: true`

```rego
package kubernetes.admission

# Assumes the Pod manifest itself is the input (as with conftest); under
# Gatekeeper or OPA admission the object sits in input.review.object /
# input.request.object instead.
deny[msg] {
    input.spec.containers[_].securityContext.privileged == true
    msg = "Privileged containers are not allowed"
}
```
Terraform + Checkov (Infrastructure-as-Code Scanning)
```bash
checkov -d ./terraform --check CKV_AWS_18,CKV_AWS_54
# CKV_AWS_18: S3 Block Public Access
# CKV_AWS_54: S3 Bucket Policy MFA Delete
```
- Checkov scans Terraform code before applying
- Detects: open S3 buckets, missing encryption, weak IAM policies
- CI/CD integration: pipeline fails on policy violations
Cloud Security Posture Management (CSPM)
CSPM = continuous assessment of cloud security configuration.
Features:
- Inventory of all cloud resources
- Comparison against security benchmarks (CIS, NIST, GDPR)
- Alerts for misconfigurations
- Remediation recommendations
AWS Security Hub
- Central dashboard for all AWS security findings
- Standards: CIS AWS Foundations Benchmark, NIST SP 800-53
- Integration: GuardDuty, Inspector, Macie, Config, Access Analyzer
- Multi-account: aggregates findings from all AWS accounts
Microsoft Defender for Cloud
- CSPM for Azure + multi-cloud (AWS, GCP!)
- Secure Score: 0–100 (higher = better configured)
- Regulatory Compliance: ISO 27001, NIST, GDPR mapping
- Defender CSPM: Enhanced with Attack Path Analysis
Wiz
- Multi-Cloud CSPM (AWS + Azure + GCP + OCI)
- Graph-based analysis: "Security Graph" identifies complex attack paths across multiple resources
- "Would this resource be publicly exposed?" - Context analysis
- Pricing: enterprise tier; market leader among Fortune 500 companies
Orca Security
- Agentless: reads cloud storage directly (no agent required!)
- SideScanning: analyzes cloud storage snapshots
- Detects: secrets in EC2 images, vulnerabilities in AMIs
Prisma Cloud (Palo Alto)
- Complete CNAPP platform
- CSPM + CWPP + CIEM + IaC Security in a single platform
- Strengths: Kubernetes Security, Container Image Scanning
Custom CSPM foundation (free)
- AWS: AWS Config + AWS Security Hub + CIS Benchmark Standard
- Azure: Microsoft Defender for Cloud Free Tier + Azure Policy
- Basic coverage without an extra license!
Tagging Strategy
Required Tags (EVERY resource!)
| Tag | Values |
|---|---|
| environment | production / staging / development / sandbox |
| owner | team-name or email@firma.de |
| costcenter | 123456 (cost center for chargeback) |
| project | project-name |
| created-by | terraform / manual / ci-cd-pipeline |
Advanced Tags
| Tag | Values |
|---|---|
| data-classification | public / internal / confidential / restricted |
| backup | daily / weekly / none |
| compliance | iso27001 / nis2 / hipaa |
| expiry-date | 2026-12-31 (for temporary resources!) |
Tag Enforcement
- AWS: Resource Groups + Tag Policies via AWS Organizations
- Azure: Azure Policy "Require Tag" (deny if missing)
- GCP: Organization Policy + Resource Labels
Cost Allocation via Tags
- AWS Cost Explorer → "Group by Tag: costcenter"
- Precise cost allocation per team/project
- Chargeback model: Department A pays for its cloud usage
Automatic cleanup via tags
- A Lambda function checks daily:
  - Resources whose expiry-date tag is in the past → alert or auto-delete
  - Resources without an owner tag for 30 days → alert to the team
- Sandbox: auto-shutdown after 72 hours (not for production use!)
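The required-tag list and the daily cleanup rules above, as one added example that is not code from the original page: the decision logic such a Lambda would run, applied to a constructed resource inventory (cloud API calls are left out so it runs offline). The action names, the 30-day and 72-hour thresholds taken from the text, and the choice to only alert on expired production resources are assumptions of this illustration.

```python
from datetime import date, datetime, timedelta, timezone

REQUIRED_TAGS = {"environment", "owner", "costcenter", "project", "created-by"}
ENVIRONMENTS = {"production", "staging", "development", "sandbox"}
ORPHAN_GRACE = timedelta(days=30)      # owner tag missing for 30 days -> alert
SANDBOX_MAX_AGE = timedelta(hours=72)  # sandbox resources are shut down after 72 h

# Constructed sample inventory (not real resources); a fixed "now" keeps the run reproducible.
NOW = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESOURCES = [
    {"id": "i-web-prod", "created": NOW - timedelta(days=400),
     "tags": {"environment": "production", "owner": "team-web", "costcenter": "123456",
              "project": "shop", "created-by": "terraform"}},
    {"id": "i-temp-lab", "created": NOW - timedelta(days=10),
     "tags": {"environment": "development", "owner": "alice@example.com", "costcenter": "123456",
              "project": "lab", "created-by": "manual", "expiry-date": "2026-02-15"}},
    {"id": "i-orphan", "created": NOW - timedelta(days=45),
     "tags": {"environment": "staging", "costcenter": "654321", "project": "crm",
              "created-by": "ci-cd-pipeline"}},
    {"id": "i-sandbox", "created": NOW - timedelta(hours=80),
     "tags": {"environment": "sandbox", "owner": "bob", "costcenter": "111111",
              "project": "poc", "created-by": "manual"}},
]


def missing_required_tags(resource: dict) -> list:
    return sorted(REQUIRED_TAGS - set(resource.get("tags", {})))


def plan_actions(resources: list, now: datetime) -> dict:
    """Map each resource id to the list of governance actions the daily job should take."""
    actions = {}
    for r in resources:
        tags = r.get("tags", {})
        env = tags.get("environment")
        steps = []
        missing = missing_required_tags(r)
        if "owner" in missing and now - r["created"] >= ORPHAN_GRACE:
            steps.append("alert-no-owner")
        elif missing:
            steps.append("alert-missing-tags:" + ",".join(missing))
        if env is not None and env not in ENVIRONMENTS:
            steps.append("alert-invalid-environment")
        expiry = tags.get("expiry-date")
        if expiry and date.fromisoformat(expiry) < now.date():
            # Never auto-delete production; everything else with a past expiry-date is removed.
            steps.append("alert-expired" if env == "production" else "delete-expired")
        if env == "sandbox" and now - r["created"] >= SANDBOX_MAX_AGE:
            steps.append("shutdown-sandbox")
        actions[r["id"]] = steps
    return actions
```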