Cloud Security Baseline
A comprehensive, multi-cloud security configuration kit covering AWS, Azure, and GCP. This baseline provides hardened IAM policies, encryption configurations, network security rules, and compliance control mappings that you can deploy immediately. Every configuration is annotated with the specific CIS Benchmark control it satisfies, making audit preparation straightforward. Stop building security from scratch — start from a hardened baseline and customize for your requirements.
Key Features
- Multi-Cloud Coverage — Security configurations for AWS, Azure, and GCP with equivalent controls across platforms
- IAM Policy Library — 25+ least-privilege IAM policies for common roles (developer, DBA, auditor, CI/CD pipeline)
- Encryption Standards — KMS key policies, TLS configurations, certificate management, and at-rest encryption for all storage services
- Network Security — Security group templates, NACLs, firewall rules, and WAF configurations with deny-by-default posture
- CIS Benchmark Mappings — Every control mapped to CIS AWS/Azure/GCP Foundations Benchmark sections
- Compliance Controls — SOC2, HIPAA, PCI-DSS, and GDPR control mappings with implementation evidence templates
- Security Scanning Scripts — Automated checks for common misconfigurations: public S3 buckets, open security groups, unencrypted volumes
- Incident Response Templates — Playbooks for compromised credentials, data exposure, and unauthorized access scenarios
Quick Start
```bash
# Deploy AWS security baseline
cd src/aws/
aws cloudformation deploy \
  --template-file iam-baseline.yaml \
  --stack-name security-baseline-iam \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameter-overrides AdminEmail=security@example.com

# Run security audit scan
python3 scripts/security_scan.py \
  --provider aws \
  --profile production \
  --output reports/security-audit.json

# Deploy network security
aws cloudformation deploy \
  --template-file network-security.yaml \
  --stack-name security-baseline-network \
  --parameter-overrides VpcId=vpc-0123456789abcdef0
```
Architecture
```text
┌──────────────────────────────────────────────────────────┐
│              Cloud Security Baseline Layers              │
│                                                          │
│ ┌────────────────────────────────────────────────────┐   │
│ │ Layer 1: Identity & Access Management              │   │
│ │ ┌──────────┐ ┌───────────┐ ┌──────────────────┐    │   │
│ │ │ IAM Roles│ │    MFA    │ │ Service Accounts │    │   │
│ │ │ Policies │ │  Enforce  │ │ Least Privilege  │    │   │
│ │ └──────────┘ └───────────┘ └──────────────────┘    │   │
│ └────────────────────────────────────────────────────┘   │
│ ┌────────────────────────────────────────────────────┐   │
│ │ Layer 2: Network Security                          │   │
│ │ ┌──────────┐ ┌───────────┐ ┌──────────────────┐    │   │
│ │ │ SG/NSG   │ │ WAF Rules │ │ VPC Flow Logs    │    │   │
│ │ │ NACLs    │ │ DDoS Prot.│ │ DNS Firewall     │    │   │
│ │ └──────────┘ └───────────┘ └──────────────────┘    │   │
│ └────────────────────────────────────────────────────┘   │
│ ┌────────────────────────────────────────────────────┐   │
│ │ Layer 3: Data Protection                           │   │
│ │ ┌──────────┐ ┌───────────┐ ┌──────────────────┐    │   │
│ │ │ KMS Keys │ │ TLS 1.2+  │ │ Backup Encrypt   │    │   │
│ │ │ Rotation │ │ Cert Mgmt │ │ S3 Bucket Pol.   │    │   │
│ │ └──────────┘ └───────────┘ └──────────────────┘    │   │
│ └────────────────────────────────────────────────────┘   │
│ ┌────────────────────────────────────────────────────┐   │
│ │ Layer 4: Detection & Response                      │   │
│ │ ┌──────────┐ ┌───────────┐ ┌──────────────────┐    │   │
│ │ │CloudTrail│ │ GuardDuty │ │ Alert Runbooks   │    │   │
│ │ │ Config   │ │ Sec Hub   │ │ Incident Resp.   │    │   │
│ │ └──────────┘ └───────────┘ └──────────────────┘    │   │
│ └────────────────────────────────────────────────────┘   │
└──────────────────────────────────────────────────────────┘
```
Usage Examples
Least-Privilege Developer IAM Policy
```yaml
# src/aws/iam-developer-policy.yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  DeveloperPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: acme-developer-policy
      Description: "CIS 1.16 — Least privilege for development role"
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Allow read access to most services
          - Sid: ReadOnlyAccess
            Effect: Allow
            Action:
              - 'ec2:Describe*'
              - 's3:GetObject'
              - 's3:ListBucket'
              - 'logs:GetLogEvents'
              - 'cloudwatch:GetMetricData'
            Resource: '*'
          # Deny all actions on production resources
          - Sid: DenyProductionChanges
            Effect: Deny
            Action: '*'
            Resource: '*'
            Condition:
              StringEquals:
                'aws:ResourceTag/Environment': 'production'
          # Deny IAM privilege escalation
          - Sid: DenyPrivilegeEscalation
            Effect: Deny
            Action:
              - 'iam:CreateUser'
              - 'iam:AttachUserPolicy'
              - 'iam:PutUserPolicy'
              - 'iam:CreateAccessKey'
            Resource: '*'
```
Security Group — Web Application
```yaml
# src/aws/network-security.yaml
WebAppSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: "Web application — HTTPS only ingress"
    VpcId: !Ref VpcId
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 0.0.0.0/0  # Public HTTPS
        Description: "HTTPS from internet"
    SecurityGroupEgress:
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 0.0.0.0/0  # Allow outbound HTTPS
        Description: "Outbound HTTPS for API calls"
      - IpProtocol: tcp
        FromPort: 5432
        ToPort: 5432
        DestinationSecurityGroupId: !Ref DatabaseSecurityGroup
        Description: "PostgreSQL to database tier"
      # No other egress — deny by default
```
Security Scan Script
```python
# scripts/security_scan.py
"""Automated security misconfiguration scanner."""
import json
import logging
from dataclasses import dataclass

logger = logging.getLogger(__name__)


@dataclass
class Finding:
    severity: str  # CRITICAL, HIGH, MEDIUM, LOW
    resource_type: str
    resource_id: str
    check: str
    description: str
    remediation: str


def check_public_s3_buckets(session) -> list[Finding]:
    """CIS 2.1.1 — Ensure S3 buckets are not publicly accessible.

    `session` is the boto3.Session for the profile being scanned.
    """
    s3 = session.client("s3")
    findings = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            acl = s3.get_bucket_acl(Bucket=name)
            for grant in acl["Grants"]:
                # Public grants reference the AllUsers / AuthenticatedUsers group URIs
                uri = grant.get("Grantee", {}).get("URI", "")
                if "AllUsers" in uri or "AuthenticatedUsers" in uri:
                    findings.append(Finding(
                        severity="CRITICAL",
                        resource_type="S3::Bucket",
                        resource_id=name,
                        check="CIS 2.1.1",
                        description=f"Bucket {name} has public ACL grant",
                        remediation="Remove public ACL; use bucket policy instead",
                    ))
        except Exception as e:
            logger.warning("Could not check bucket %s: %s", name, e)
    return findings
```
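The scanner above shows only the S3 check; the open-security-group check listed under Key Features (and behind the CIS 5.2 `restrict_ssh_to_bastion` setting in the configuration) is added here as an example that is not part of the toolkit's script. It works over the `SecurityGroups` list that boto3's `ec2.describe_security_groups()` returns, so it can be unit-tested on the constructed sample below without credentials, and it reuses the scanner's `Finding` shape so results merge with the S3 findings.

```python
from dataclasses import dataclass

ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"
PUBLIC_OK_PORTS = {443}  # the only port the baseline exposes to the internet


@dataclass
class Finding:  # same fields as the scanner's Finding dataclass
    severity: str
    resource_type: str
    resource_id: str
    check: str
    description: str
    remediation: str


def check_open_security_groups(groups: list[dict]) -> list[Finding]:
    """CIS 5.2 — flag world-open ingress (0.0.0.0/0 or ::/0) on anything but HTTPS."""
    findings = []
    for sg in groups:  # `groups` is the SecurityGroups list from describe_security_groups()
        for perm in sg.get("IpPermissions", []):
            world = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
            world += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
            if not world:
                continue
            all_ports = perm.get("IpProtocol") == "-1"  # "-1" means every protocol, hence every port
            lo, hi = (0, 65535) if all_ports else (perm.get("FromPort", 0), perm.get("ToPort", 65535))
            if lo == hi and lo in PUBLIC_OK_PORTS:
                continue  # public HTTPS is the intended exception
            # SSH reachable from the world is the classic CIS 5.2 failure; other ports are still HIGH
            severity = "CRITICAL" if lo <= 22 <= hi else "HIGH"
            findings.append(Finding(
                severity=severity, resource_type="EC2::SecurityGroup", resource_id=sg["GroupId"],
                check="CIS 5.2",
                description=f"{sg['GroupId']} allows {', '.join(world)} on ports {lo}-{hi}",
                remediation="Restrict the source to the bastion security group or VPN CIDR",
            ))
    return findings


# Constructed sample (not from a real account): HTTPS-only web SG, world-open SSH SG
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-ssh", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
```

In the scanner itself, feed it `ec2.get_paginator("describe_security_groups").paginate()` pages concatenated, as the real account can exceed one page.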
Configuration
```yaml
# configs/security-baseline.yaml
provider: aws  # aws, azure, or gcp
environment: production

iam:
  require_mfa: true                 # CIS 1.10 — MFA for all IAM users
  max_access_key_age_days: 90       # CIS 1.14 — Rotate access keys
  password_min_length: 14           # CIS 1.8 — Password policy
  deny_root_access_keys: true       # CIS 1.4 — No root access keys

encryption:
  kms_key_rotation: true            # CIS 2.8 — Enable KMS key rotation
  enforce_tls_1_2: true             # Minimum TLS version
  encrypt_ebs_by_default: true      # CIS 2.2.1 — Default EBS encryption

network:
  enable_flow_logs: true            # CIS 3.9 — VPC flow logs
  restrict_ssh_to_bastion: true     # CIS 5.2 — No 0.0.0.0/0 SSH
  enable_waf: true                  # Web Application Firewall

logging:
  cloudtrail_enabled: true          # CIS 3.1 — CloudTrail in all regions
  cloudtrail_log_validation: true   # CIS 3.2 — Log file validation
  config_enabled: true              # CIS 3.5 — AWS Config recording
```
Best Practices
- Start with deny-all, allow-specific — Default security group rules should block everything; add exceptions explicitly
- Never use inline IAM policies — Managed policies are reusable, version-trackable, and easier to audit
- Enable CloudTrail in all regions — Attackers target unused regions because logging is often disabled there
- Rotate credentials automatically — Use Secrets Manager rotation for service accounts; enforce key rotation for IAM users
- Tag security groups with purpose — "Purpose": "web-tier-https" makes audit reviews 10x faster
- Run scans in CI/CD — Security checks should block deployments, not just generate reports
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| IAM policy has no effect | Policy attached but conditions never match | Check condition keys — aws:ResourceTag is case-sensitive |
| Security group changes not applying | Instance using a different security group | Verify the SG ID is associated with the correct ENI |
| CloudTrail gaps in logs | Trail only configured in one region | Enable multi-region trail or create trails in all active regions |
| KMS key access denied | Key policy doesn't grant the IAM principal access | Update key policy to include the role ARN in the Principal block |
This is 1 of 11 resources in the Cloud Architecture Pro toolkit. Get the complete [Cloud Security Baseline] with all files, templates, and documentation for $49.
Or grab the entire Cloud Architecture Pro bundle (11 products) for $149 — save 30%.