Author: Shiv Kumar
Practical Cloud Security Handbook
Secure cloud deployments with AWS, Azure, GCP, and IBM Cloud
Shiv Kumar
www.bpbonline.com
First Edition 2025
Copyright © BPB Publications, India
eISBN: 978-93-65890-723
All Rights Reserved. No part of this publication may be reproduced, distributed or transmitted in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception of the program listings, which may be entered, stored and executed in a computer system but cannot be reproduced by means of publication, photocopy, recording, or by any electronic or mechanical means.
LIMITS OF LIABILITY AND DISCLAIMER OF WARRANTY
The information contained in this book is true and correct to the best of the author's and publisher's knowledge. The author has made every effort to ensure the accuracy of these publications, but the publisher cannot be held responsible for any loss or damage arising from any information in this book.
All trademarks referred to in the book are acknowledged as properties of their respective owners, but BPB Publications cannot guarantee the accuracy of this information.
www.bpbonline.com
Dedicated to
My wife Shahana, for your endless support, love, and belief in me. This journey would not have been possible without you.
About the Author
Shiv Kumar is a seasoned cloud infrastructure and data engineering expert, currently leading the infrastructure and data engineering division at VidvanConnect Software Solutions Private Limited. With over a decade of experience in designing and managing secure, scalable cloud architectures, Shiv works with clients across 33 countries, helping them implement resilient infrastructure and data platforms tailored to global business needs.
He holds a master of science in general studies (mass media communication) and a master of technology in software systems, both from the prestigious Birla Institute of Technology and Science (BITS), Pilani. His unique combination of communication and technical expertise allows him to bridge complex technical concepts with practical, business-aligned solutions.
Shiv is deeply passionate about cloud security, DevSecOps, and compliance-driven development. Through this book, Practical Cloud Security Handbook, he brings his vast hands-on experience and global insights to guide professionals in building secure, compliant, and efficient cloud systems.
About the Reviewer
Sahil Dhir is an accomplished professional with more than 14 years of experience in the cybersecurity realm. As a recognized authority in governance, risk, and compliance (GRC), he leads product vision and strategy for information security solutions, specializing in cloud security architecture and emerging technologies. For multiple Fortune 500 companies, Sahil has spearheaded the development of enterprise-wide GRC tools and frameworks, demonstrating particular expertise in Identity and Access Management, cloud security, and data protection.
His innovative work includes creating comprehensive risk frameworks for generative AI systems, addressing critical aspects such as algorithmic bias, privacy, transparency, and responsible deployment. His deep understanding of regulatory frameworks, including SOX, PCI, and GDPR, has helped organizations strengthen their compliance posture while enabling business growth.
A thought leader in the cybersecurity space, Sahil regularly engages with senior stakeholders to communicate risk strategies and provides technical guidance on new finance technology systems. His expertise in building and scaling GRC programs has benefited multiple Fortune 500 companies, establishing him as a trusted voice in the industry. Sahil holds extensive experience in security assessments and operations management, with a particular focus on data-driven decision-making to address emerging security challenges. His commitment to staying current with offensive security strategies enables him to develop proactive risk management programs that serve as effective business enablers.
Acknowledgement
Writing this book has been a transformative journey, and I am grateful to all those who made it possible.
First and foremost, I extend my heartfelt thanks to my family for their unwavering support, patience, and encouragement throughout the writing process. Your belief in me has been my greatest strength.
I am deeply appreciative of my colleagues, mentors, and peers in the cloud and cybersecurity space. Your guidance, feedback, and shared experiences have been instrumental in shaping the practical content of this book.
A special thanks to BPB Publications for believing in the vision of this book and providing me the platform to share my insights with a broader audience. Your professionalism, editorial support, and commitment to quality have been invaluable throughout the publishing process.
Finally, to the readers and professionals dedicated to building secure cloud systems—this book is for you.
Last but not least, I want to express my gratitude to the readers who have shown interest in the book. Your support and encouragement have been deeply appreciated. Thank you to everyone who has played a part in making this book a reality.
Preface
In today's digital landscape, cloud computing has become the backbone of modern infrastructure, powering businesses of every scale with unmatched agility, scalability, and cost-efficiency. With this massive shift towards the cloud, the importance of robust and scalable cloud security has become paramount.
Practical Cloud Security Handbook is a step-by-step guide designed for IT professionals, architects, developers, and security engineers who aim to understand and implement secure cloud environments across leading cloud service providers like Amazon Web Services (AWS), Microsoft Azure, IBM Cloud, and Google Cloud Platform (GCP).
This book was born out of real-world challenges encountered while designing and securing cloud-native and hybrid systems in production environments. It aims to bridge the gap between theoretical security concepts and their practical implementations using infrastructure as code (IaC), DevSecOps pipelines, and native and third-party tools.
The book covers a wide spectrum of essential topics, from shared responsibility models and identity access management to monitoring, encryption, compliance, and best practices for cloud-native and non-cloud-native deployments. Each chapter is structured to walk you through foundational concepts, platform-specific configurations, tools and libraries like Terraform, Jenkins, Ansible, and practical use cases.
Whether you are securing data at rest, implementing Zero Trust architecture, automating security testing, or aligning with industry compliance standards like ISO, HIPAA, or CMMI, this book has been crafted to give you actionable insights and hands-on experience.
My goal with this book is to help readers not just understand security principles but to implement them confidently and consistently in real-world cloud environments.
Chapter 1: Introduction to Cloud Security - This chapter sets the foundation for understanding cloud security by introducing the shared responsibility model. It explores the delineation between cloud provider and application owner responsibilities and emphasizes why cloud security is vital in today's digital age. It provides clarity on ownership boundaries to help readers better plan their security posture.
Chapter 2: Cloud-native Architectures - Focusing on modern system design, this chapter examines cloud-native architectures used in diverse industries such as BFSI, AI/ML, big data, and streaming applications. It contrasts traditional and distributed system designs while emphasizing the operational and security benefits of cloud-native solutions.
Chapter 3: Understanding Top Workloads in the Cloud - This chapter walks readers through the most critical cloud workloads, including IAM, VPC, Kubernetes, Docker, storage, and compute resources. It explains how these components interact in real deployments and highlights common security considerations for each.
Chapter 4: Concepts of Security - Here, we delve into fundamental security principles like encryption, secure protocols, IAM, and single sign-on (SSO). This chapter provides the theoretical grounding needed to understand how security mechanisms operate across the cloud ecosystem.
Chapter 5: Securing Storage Services - Security configurations for storage services in AWS, Azure, IBM Cloud, and GCP are the focus of this chapter. It walks through native storage security features, encryption settings, and best practices for secure data storage across different platforms.
Chapter 6: Securing Network Services - This chapter dives into network-level security using virtual private clouds (VPCs), route tables, and firewall configurations. Platform-specific details are covered, helping readers design secure, segmented, and scalable network architectures across major cloud providers.
Chapter 7: Identity and Access Management - IAM and SSO are at the heart of this chapter, focusing on role-based access, multi-factor authentication, and secure user provisioning. Security configuration details for each cloud provider offer a comprehensive view of access control mechanisms.
Chapter 8: Monitoring, Applying Encryption, and Preparation/Testing - This chapter introduces readers to native and third-party tools used for monitoring cloud infrastructure security. It also covers encryption in transit and at rest, and testing methodologies to validate security configurations for production readiness.
Chapter 9: Security as Code - Exploring the IaC approach, this chapter introduces tools like Terraform and Ansible. It focuses on integrating security configurations into code, enabling version control, automation, and repeatability in cloud deployments.
Chapter 10: Best Practices for Cloud-native Implementations - This chapter shares proven practices for securing cloud-native applications, including implementing Zero Trust models, managing attack surfaces, and enforcing data protection policies. It emphasizes security embedded into every layer of the architecture.
Chapter 11: Best Practices for Non-cloud-native Implementations - Addressing legacy and hybrid environments, this chapter outlines strategies for securing non-cloud-native applications. Topics include patch management, vulnerability assessment and penetration testing (VAPT), and adapting Zero Trust to non-cloud setups.
Chapter 12: DevSecOps - DevSecOps brings security into the development pipeline. This chapter explains how to integrate security checks into CI/CD pipelines using tools like Jenkins. It discusses components, planning, and implementation strategies for secure and agile delivery.
Chapter 13: Compliance and Regulatory Considerations - The final chapter provides a comprehensive overview of key regulatory frameworks, including ISO, HIPAA, and CMMI. It guides readers on aligning cloud practices with these standards and embedding compliance into their development and deployment lifecycles.
Let us begin our journey into building resilient, secure, and compliant cloud systems.
Code Bundle and Coloured Images
Please follow the link to download the Code Bundle and the Coloured Images of the book: https://rebrand.ly/69fcbaf
The code bundle for the book is also hosted on GitHub at https://github.com/bpbpublications/Practical-Cloud-Security-Handbook. In case there's an update to the code, it will be updated on the existing GitHub repository.
We have code bundles from our rich catalogue of books and videos available at https://github.com/bpbpublications. Check them out!
Errata
We take immense pride in our work at BPB Publications and follow best practices to ensure the accuracy of our content and provide an engaging reading experience to our subscribers. Our readers are our mirrors, and we use their inputs to reflect on and correct any human errors that may have occurred during the publishing process. To help us maintain the quality and reach out to any readers who might be having difficulties due to unforeseen errors, please write to us at errata@bpbonline.com. Your support, suggestions and feedback are highly appreciated by the BPB Publications family.
Did you know that BPB offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.bpbonline.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at business@bpbonline.com for more details.
At www.bpbonline.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on BPB books and eBooks.
Piracy
If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at business@bpbonline.com with a link to the material.
If you are interested in becoming an author
If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit www.bpbonline.com. We have worked with thousands of developers and tech professionals, just like you, to help them share their insights with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Reviews
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions. We at BPB can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about BPB, please visit www.bpbonline.com.
Join our Discord space
Join our Discord workspace for the latest updates, offers, tech happenings around the world, new releases, and sessions with the authors: https://discord.bpbonline.com
Table of Contents
1. Introduction to Cloud Security
    Introduction
    Structure
    Objectives
    Importance of cloud security
    Cloud provider responsibilities
    Application provider responsibilities
    Illustration
    Case study
    Conclusion
    Key takeaways
    Key terms
    Solved exercises
    Unsolved exercises
2. Cloud-native Architectures
    Introduction
    Structure
    Objectives
    Traditional architectures
        Characteristics of traditional architectures
        Advantages of traditional architectures
        Limitations of traditional architectures
        Transition to cloud-native
        Case study: Traditional banking system
    Typical BFSI architectures
        Key components of BFSI architectures
        Characteristics of BFSI architectures
        Traditional BFSI architectures
        Evolving trends in BFSI architectures
        Case study: Digital banking transformation
    Streaming architectures
        Key components of streaming architectures
        Characteristics of streaming architectures
        Traditional vs. streaming architectures
        Evolving trends in streaming architectures
        Case study: Real-time financial market analysis
    Big data architectures
        Key components of big data architectures
        Characteristics of big data architectures
        Traditional vs. big data architectures
        Evolving trends in big data architectures
        Case study: Retail industry analytics
    AI/ML architectures
        Key components of AI/ML architectures
        Characteristics of AI/ML architectures
        Traditional vs. AI/ML architectures
        Evolving trends in AI/ML architectures
        Case study: Healthcare diagnostics
    Illustration
    Case study
        Objective
        Implementation
        Case study conclusion
    Conclusion
    Key takeaways
    Key terms
    Solved exercises
    Unsolved exercises
3. Understanding Top Workloads in the Cloud
    Introduction
    Structure
    Objectives
    Types of workloads
        Compute workloads
        Storage workloads
        Network workloads
    Real-world implementation examples
        Compute workload example of video rendering
        Storage workload example of e-commerce database
        Network workload example of content delivery
    Advantages and challenges
        Advantages
        Challenges
    Cloud workloads and security
    Identity and Access Management
        IAM components
        IAM concepts and implementation
        Real-world implementation example
    Virtual private cloud
        VPC key concepts
        VPC components
        VPC real-world implementation example
    Artificial intelligence and machine learning
        AI/ML key concepts
        AI/ML applications and cloud services
        AI/ML real-world implementation example
    Storage in the cloud
        Cloud storage key characteristics
        Types of cloud storage
        Real-world implementation example
    Databases in the cloud
        Relational databases
        NoSQL databases
        Real-world implementation example
    Compute instances in the cloud
        Key attributes of compute instances
        Compute instances benefits
        Real-world implementation example
    Docker and Kubernetes
        Docker containers
        Kubernetes orchestration
        Real-world implementation example
    Data, ETL and analytics
        Data analytics in the cloud
        Data analytics key components
        Data analytics benefits
        Real-world implementation example
    Conclusion
    Key takeaways
    Key terms
    Solved exercises
    Unsolved exercises
4. Concepts of Security
    Introduction
    Structure
    Objectives
    Encryption
        Encryption fundamentals
        Data in transit encryption
        Data at rest encryption
        Key management
    Protocols
        Hypertext Transfer Protocol Secure
        Secure Shell
        Message Queuing Telemetry Transport
    Identity and Access Management
        IAM fundamentals
        Amazon Web Services Identity and Access Management
        Google Cloud Identity and Access Management
        Azure Identity and Access Management
    Security compliance in cloud technology
        Security compliance fundamentals
        Implementing compliance in AWS
        Implementing compliance in GCP
        Implementing compliance in Azure
    Logging and monitoring
        Logging and monitoring fundamentals
        AWS CloudWatch for logging and monitoring
        GCP Cloud Monitoring and Logging
        Azure Monitor and Azure Log Analytics
    Incident response
        Incident response fundamentals
        Incident detection in AWS
        Incident analysis in GCP
        Incident containment and mitigation in Azure
        Incident recovery and lessons learned
        Incident response playbooks
    Security training and awareness
        Importance of security training and awareness
        Security training programs
        Security training implementation example
        Security awareness programs
        Security awareness implementation example
    Conclusion
    Key takeaways
    Key terms
    Solved exercises
    Unsolved exercises
5. Securing Storage Services
    Introduction
    Structure
    Objectives
    Storage security in AWS
        Encryption
        Access control
        Security monitoring and alerts
        Versioning and backup
    Storage security in Azure
        Encryption
        Access control
        Security monitoring and alerts
        Data backup and replication
    Storage security in IBM
        Encryption
        Access control
        Security monitoring and alerts
        Data backup and replication
    Storage security in GCP
        Encryption
        Access control
        Security monitoring and alerts
        Data backup and replication
    Storage configurations in AWS
        Amazon S3
        Steps to configure an S3 bucket
        Amazon Elastic Block Store
        Steps to configure EBS
    Storage configurations in Azure
        Azure Blob Storage
        Steps to configure Azure Blob Storage
        Azure Disk Storage
        Steps to configure Azure Disk Storage
    Storage configurations in IBM
        Steps to configure IBM Cloud Object Storage
        IBM Cloud Block Storage
        Steps to configure IBM Cloud Block Storage
    Storage configurations in GCP
        Google Cloud Storage
        Steps to configure Google Cloud Storage
        Google Cloud Persistent Disk
        Steps to configure Persistent Disk
    Illustration