Cloud security

Overview of Cloud Security

• Cloud security, also known as cloud
computing security, is a collection
of security measures designed to
protect cloud-based infrastructure,
applications, and data.
• These measures ensure user and
device authentication, data and
resource access control, and data
privacy protection.
• Cloud security mainly focuses on
how to implement policies,
processes, and technologies
together so they ensure data
protection, support regulatory
compliance, and provide control
over privacy, access, and
authentication for users and
devices.
Security In Cloud Computing :
Cloud computing security or cloud security is an important concern
which refers to the act of protecting cloud environments, data,
information and applications against unauthorized access, DDOS
attacks, malwares, hackers and other similar attacks.
Community Cloud : These allow to a limited set of organizations or
employees to access a shared cloud computing service environment.
Cloud service providers (CSPs) typically follow a shared responsibility model,
which means implementing cloud computing security is both the responsibility of the
cloud provider and you—the customer.
Security Boundaries
In Traditional IT frameworks businesses need to procure , install, maintain IT
devices on premises.
On front of security, you adapt a plan for your data security and decide what
security devices you are willing to buy , manage and monitor to defend your IT
infrastructure be it firewalls, Intrusion detection/ Intrusion prevention systems,
Antivirus etc.
Security Concerns in Traditional IT
• Physical Security: Traditional IT relies heavily on physical infrastructure (servers,
storage, networking devices), which must be kept secure in a controlled
environment to prevent unauthorized access, theft, or physical damage.
• System Vulnerabilities: On-premises systems require constant updates and
patching to mitigate vulnerabilities that could be exploited. Regular maintenance
and monitoring are essential to prevent outdated systems from becoming a
liability.
• Limited Scalability and Resource Allocation: Traditional IT infrastructures can
struggle with scaling resources on demand, leading to challenges in managing
capacity and preventing resource exhaustion, which can impact security.
• Data Management and Backup: Data storage and backup in traditional IT must
be securely managed to ensure data integrity and prevent unauthorized access,
while also adhering to data retention policies.
Challenges in Cloud Computing:
•Application Security: Ensuring secure software development practices and guarding
against vulnerabilities at the application layer.
•Server Security: Protecting server infrastructure from unauthorized access and attacks.
•Network Security: Safeguarding data in transit and defending against network-based
attacks.
Security Issues and Challenges in Cloud Computing

A program breaks out of the VM and

interacts with the host operating system
Posture management is a structured
approach to addressing cloud security risks
and vulnerabilities
Security Concepts in Virtual Machines (VMs)

Security for VMs relies on software, such as firewalls, intrusion detection systems and identity access
management tools. This is much like in the physical environment, but with one key difference: the
location of the security products.
Security Concepts in
Virtual Machines (VMs)
• Isolation of VMs: In
multi-tenant
environments, ensuring
isolation between VMs is
critical to prevent one
customer’s data or
processes from impacting
another’s. Weak isolation
can lead to “side-
channel” attacks where
an attacker in one VM can
infer information about a
neighboring VM.
• Hypervisor Security: The hypervisor, which is the software layer that enables
virtualization, can be a prime target. Compromise at the hypervisor level can
grant an attacker broad access to all VMs running on that host.
• Resource Allocation and Availability: Ensuring fair and secure resource
allocation to each VM is necessary to prevent denial-of-service attacks where
one VM hogs resources, potentially impacting other VMs hosted on the same
physical machine.
 Attacks in Cloud Computing
• Distributed Denial-of-Service (DDoS) Attacks: Attackers may attempt to overwhelm
cloud-hosted applications with excessive traffic, causing service outages. Cloud
providers often offer DDoS protection services, but configuring them properly is
essential for effective defense.
• Man-in-the-Middle (MitM) Attacks: Cloud-based communication is vulnerable to
MitM attacks where an attacker intercepts and possibly alters the data in transit. This
risk can be mitigated by enforcing strong encryption and using secure channels for all
communications.
• Advanced Persistent Threats (APTs): APTs are highly sophisticated, long-term attacks
where attackers gain persistent access to a system. APTs often involve extensive
planning and can target cloud systems for corporate espionage or data theft.
• Insider Threats: Insider threats are unique in cloud computing due to the involvement
of both the client’s and provider’s employees. Rigorous access control and monitoring
are crucial to mitigate insider risks.
• Phishing and Social Engineering: Attackers may use phishing campaigns to steal user
credentials for cloud applications, gaining unauthorized access. Security awareness
training and phishing prevention mechanisms help mitigate these risks.
• Ransomware: Ransomware attacks that target cloud storage or applications can lead
to significant data loss and operational disruption. Regular backups, encryption, and
access control are important for minimizing ransomware impacts.
 Abuse and Nefarious Use of Cloud Computing
Nefarious comes from the Latin adjective nefarius and the Latin noun nefas, which
means "crime." Nefas is a combination of ne- ("not") and fas, meaning "right" or "divine
law.“ Abuse and nefarious use of cloud computing occurs when malicious actors use cloud
resources for harmful activities, nefarious use refers to the malicious use of cloud
resources, especially when those resources are available for free. Nefarious actors can
use cloud computing for a variety of malicious activities
• Cryptojacking and Botnets: Attackers may
hijack cloud resources to mine
cryptocurrency or create botnets,
exploiting the cloud provider's computing
power without paying for it, which can lead
to increased costs for the victim and
performance issues.
• Malicious Hosting: Some may use cloud
infrastructure to host malicious content
(malware, phishing sites, illegal materials).
Cloud providers must have strict policies
and monitoring systems to identify and
remove such misuse.
• Launching Attacks: Cloud resources can
also be used to launch attacks on other
systems.
For example, attackers might use cloud
servers to initiate DDoS attacks or host
command-and-control (C2) infrastructure for
coordinating attacks.
 Insecure Interfaces and APIs
• Malicious Insiders: Individuals within an organization or cloud provider who
misuse their access for malicious purposes can lead to significant security
breaches, data loss, and reputational damage.
• Shared Technology Issues: Multi-tenancy in cloud environments means that
multiple customers share the same physical infrastructure. Vulnerabilities in this
shared infrastructure (e.g., CPUs or storage) can lead to cross-customer attacks,
known as “cross-tenant attacks.” Cloud providers need robust isolation
mechanisms to ensure that one tenant’s vulnerabilities do not expose another.
• Data Loss or Leakage: Improper API configurations or insecure data transfer
protocols can lead to accidental data leaks. Data stored in the cloud must be
encrypted, and access control policies should be strictly managed to prevent
unauthorized access. Regular audits and encryption practices should be enforced
to reduce the risk of accidental or malicious data exposure.
• Account or Service Hijacking: Attackers may gain control over cloud accounts
through phishing, stolen credentials, or insecure interfaces. Once compromised,
attackers could access or delete data, install malware, or use the account to
launch attacks. Implementing multi-factor authentication (MFA) and monitoring
for suspicious login activity are critical defenses against account hijacking.
• Unknown Risk Profile: Clients might not have full visibility into the security
practices or potential vulnerabilities of the cloud provider’s infrastructure. For
example, a client might not know what kind of physical security or threat
detection mechanisms the provider has in place. To address this, organizations
should request detailed documentation from providers and conduct risk
assessments to ensure compliance with internal and regulatory security
standards.
Why is the Cloud Security Services Important for Organizations?
Cloud security services are crucial for organizations due to the following reasons:
• Data Protection: Organizations store a vast amount of sensitive data in the cloud. Cloud
security services help protect this data from unauthorized access, breaches, and
cyberattacks.
• Compliance: Many industries have strict regulations regarding data protection and
privacy. Cloud security services ensure that organizations comply with these
regulations, avoiding legal penalties and reputational damage.
• Threat Mitigation: Cloud environments are often targeted by cybercriminals. Cloud
security services provide tools and measures to detect and mitigate threats, ensuring
the safety and integrity of the organization's data and operations.
• Business Continuity: In the event of a cyberattack or data breach, cloud security
services help ensure that business operations can continue with minimal disruption by
providing data backup, disaster recovery, and incident response solutions.
• Cost Efficiency: Implementing cloud security can be more cost-effective
than traditional on-premises security, as it reduces the need for expensive
hardware and maintenance while providing scalable security solutions.
• Scalability: As organizations grow, their security needs evolve. Cloud
security services offer scalability, allowing organizations to adjust their
security measures in line with their growth and changing requirements.
• Access Control: Cloud security services enable organizations to manage
and control who has access to their data and resources, ensuring that only
authorized individuals can access sensitive information.
• Security Automation: Automation of security tasks such as monitoring,
threat detection, and patch management helps organizations respond to
security incidents faster and more efficiently, reducing the risk of human
error.

Security - Basic Components
 Confidentiality
 Keeping data and resources
hidden
 Integrity
 Data integrity (integrity)
 Origin integrity (authentication)
 Availability
 Enabling access to data and
resources
The CIA triad is a model that helps
organizations develop security systems and
maintain information security:
•Confidentiality: Keeping data private and
secure by controlling access to it
•Integrity: Ensuring data is accurate,
authentic, and reliable, and hasn't been
tampered with
•Availability: Making data available when
needed by having a secure digital
infrastructure with built-in redundancy
The CIA triad is a common model that's
used to find vulnerabilities and create
solutions. It's also a checklist for evaluating
an organization's security.
Identification, Authentication, Authorization,
Auditing, Accountability in cloud security
 1. Identification
• This involves claiming an identity when attempting to access a secure
area or system. Without an identity, authentication, authorization,
and accountability processes cannot proceed.

Real-World Example:
Imagine going to an airport and showing your passport to check in. In the digital world, this is like
entering your username when logging into your email account.
 CONT…
Authentication, Authorization, and
Accounting (AAA) is a three-process
framework used to manage user access,
enforce user policies and privileges, and
measure the consumption of network
resources. The AAA system works in
three chronological and dependent
steps, where one must take place before
the next can begin.
2. Authentication
• Definition: The process of verifying
the identity of a user, device, or
system trying to access cloud
resources.
• Implementation: Common methods
include passwords, biometrics, tokens,
and multi-factor authentication (MFA).
In cloud environments, federated
identity management is often used to
authenticate users across multiple
platforms.
 3. Authorization
• Authorization is a process by which a
server determines if the client has
permission to use a resource or
access a file.
• Authorization is usually coupled with
authentication so that the server has
some concept of who the client is
that is requesting access.
 Authentication Authorization

In the authentication process, the identity of users are checked for While in authorization process, a the person’s or user’s authorities are
providing the access to the system. checked for accessing the resources.

In the authentication process, users or persons are verified. While in this process, users or persons are validated.

It is done before the authorization process. While this process is done after the authentication process.

It needs usually the user’s login details. While it needs the user’s privilege or security levels.

Authentication determines whether the person is user or not. While it determines What permission does the user have?

Generally, transmit information through an ID Token. Generally, transmit information through an Access Token.

The OpenID Connect (OIDC) protocol is an authentication protocol that The OAuth 2.0 protocol governs the overall system of user authorization
is generally in charge of user authentication process. process.

Popular Authentication Techniques- Popular Authorization Techniques-

•Password-Based Authentication •Role-Based Access Controls (RBAC)
•Passwordless Authentication •JSON web token (JWT) Authorization
•2FA/MFA (Two-Factor Authentication / Multi-Factor Authentication) •SAML Authorization
•Single sign-on (SSO) •OpenID Authorization
•Social authentication •OAuth 2.0 Authorization

The authorization permissions cannot be changed by user as these are

The authentication credentials can be changed in part as and when
granted by the owner of the system and only he/she has the access to
required by the user.
change it.
 Auditing
A cloud security audit is the process of
methodically evaluating and testing the
effectiveness of security measures
implemented within cloud computing
environments to identify potential weaknesses,
gaps, misconfigurations, or compliance
violations that could lead to threats exploiting
vulnerabilities.
Accountability
• Cloud accountability refers
to the obligation of
organizations to ensure
responsible use of cloud
resources, including
maintaining transparency,
adherence to policies, and
proper management of
data and services.

The principle that an individual is entrusted to safeguard and

control equipment, keying material, and information and is
answerable to proper authority for the loss or misuse of that
equipment or information. Sources: CNSSI 4009-2015 from
NSA/CSS Manual Number 3-16 (COMSEC)
Cloud computing service model
Infrastructure as a service
(IaaS)
Platform as a service (PaaS)
Software as a service (SaaS)
Your responsibility
You secure your data,
applications, virtual network
controls, operating system, and
user access.
You secure your data, user
access, and applications.
You are responsible for securing
your data and user access.
CSP responsibility
The cloud provider secures
compute, storage, and physical
network, including all patching
and configuration.
The cloud provider secures
compute, storage, physical
network, virtual network
controls, and operating system.
The cloud provider secures
compute, storage, physical
network, virtual network
controls, operating system,
applications, and middleware.
• Data and storage security - protecting storage resources and the data stored on
them from accidental or deliberate damage.
• Identity and access management (IAM) - defining and managing the roles and
access privileges of individual network entities.
• Governance - defining policies to control costs and minimize security risks.
• Disaster recovery and business continuity planning - preventive measures
during a disaster and streamline the flow of operations after any damage or
disaster.
• Compliance - following industry guidelines and local, national, and international
laws.
 Key component of cloud security
• Compliance: Using cloud services may be subject to legal compliance regulations, depending on the
industry. Organizations must make sure their cloud provider complies with these specifications and
has access to the required paperwork.

• Data Loss: Data loss is the most common cloud security risk of cloud computing. It is also known as
data leakage. Data loss is the process in which data is deleted, corrupted, and unreadable by a user,
software, or application. In a cloud computing environment, data loss occurs when our sensitive
data is in somebody else's hands, one or more data elements can not be utilized by the data owner,
the hard disk is not working properly, and the software is not updated.

• Data Breach: It is the process in which confidential data is viewed, accessed, or stolen by a third
party without any authorization, so the organization's data is hacked by hackers.
• Account Hijacking: It is a serious security risk in cloud computing. It is the process in which
individual users' or organizations' cloud account (bank account, e-mail account, and social media
account) is stolen by hackers. The hackers use the stolen account to perform unauthorized
activities.
•Increased Complexity Strains IT Staff: Migrating, integrating, and operating the cloud services is
complex for the IT staff. IT staff must require the extra capability and skills to manage, integrate, and
maintain the data in the cloud.
•Data Security and Privacy: The security of sensitive data is one of the main issues with cloud
computing. Access controls must be in place to restrict who can access the data, and organizations must
make sure that their data is encrypted both in transit and at rest.
•DDoS: Cloud service companies are a prime target for distributed denial of service (DDoS) attacks,
which can cause downtime and data loss. Organizations should verify that the cloud provider has
sufficient defenses against DDoS assaults in place.
•Identity and Access Management: The security of cloud computing environments depends on
effective identity and access management. To prevent unauthorized access to their data, organizations
must make sure that they have robust authentication and authorization mechanisms in place.
•Monitoring and Logging: Monitoring and logging services are frequently offered by cloud providers.
These services can assist organizations in identifying and addressing security concerns. However,
businesses must make sure they have the systems and procedures in place to analyze the data and take
appropriate action.
•Shared Infrastructure: Cloud service providers frequently employ this type of setup, which allows
several businesses to use the same hardware and software resources. Organizations should make sure
their cloud provider has proper isolation mechanisms in place because this could result in security issues
like cross-tenant attacks.
Data Privacy, Compliance, and Regulatory Considerations
Significant issues in cloud computing include data privacy, compliance, and regulatory constraints.
Here are some crucial details:
• Regulations: The laws and regulations governing data privacy, data security. Businesses must make
sure they are adhering to all pertinent rules and regulations.
• Security Measures Adopted by Cloud Service Providers: To safeguard client data, cloud companies
are required to implement a number of security measures, including encryption, access limits, and
intrusion detection. Customers must assess these actions to make sure they satisfy their needs.
• Data Privacy: Transferring data to a third party supplier is necessary for cloud computing.
Customers must confirm that the handling of their data complies with all relevant data privacy laws
and regulations.
• Compliance: Depending on the type of data they process, cloud service providers may need to
adhere to a variety of legal regulations, including HIPAA, PCI DSS, GDPR, and others.
• Shared Responsibility Model: Both the customer and the cloud service provider share
responsibilities for cloud security. Customers must be aware of the shared responsibility model and
make sure they are protecting their data in accordance with the necessary standards.
• Disaster Recovery and Business Continuity Planning: In order to be able to recover from a security
incident or outage in the cloud, customers must have disaster recovery and business continuity
plans in place.
• Security Audits: To find vulnerabilities and confirm compliance with rules and security best
practices, customers must regularly audit the security of their cloud infrastructure.
A framework for secure Cloud Computing environments
Types of Cloud Computing Security Controls
• Preventive Controls : Preventive controls make the system resilient to
attacks by eliminating vulnerabilities in it.
• Detective Controls : It identifies and reacts to security threats and
control. Some examples of detective control software are Intrusion
detection software and network security monitoring tools.
• Corrective Controls : In the event of a security attack these controls
are activated. They limit the damage caused by the attack.
Scenario 1: Transition from Traditional IT to Cloud
A retail company with an on-premises IT infrastructure decides to move its customer
management system to a cloud provider. The IT team raises concerns about:
• Loss of control over physical infrastructure.
• Compliance with data protection regulations.
• Ensuring data availability during migration.
Questions:
• What are the main security concerns the company faces in this transition?
• How can they ensure data compliance and availability in the cloud?
Solution:
Addressing Security Concerns:
• Use encryption for data in transit and at rest to prevent unauthorized access.
• Choose a cloud provider that complies with relevant standards (e.g., GDPR, ISO 27001).
• Implement a shared responsibility model, ensuring the company configures its part securely.
Ensuring Compliance and Availability:
• Utilize backup solutions to safeguard against accidental data loss during migration.
• Set up geo-redundant storage to ensure data remains available in case of regional outages.
• Review the cloud provider’s SLAs for uptime and compliance guarantees.
 Scenario 2: Challenges in Cloud Security Across Layers
A healthcare SaaS provider experienced the following challenges:
• API vulnerabilities exposed sensitive patient data.
• A server misconfiguration allowed unauthorized access.
• DDoS attacks disrupted service availability.
Questions:
• How can the company secure applications, servers, and networks in the cloud?
• What strategies can mitigate these specific challenges?
Solution:
Securing Applications, Servers, and Networks:
• Applications: Conduct regular API security testing and enforce input validation to prevent injection attacks.
• Servers: Follow hardening procedures, such as disabling unnecessary ports/services and using strong
configurations.
• Networks: Implement a Web Application Firewall (WAF) and intrusion prevention systems (IPS) to detect
and block threats.
Mitigating Specific Challenges:
• Use rate limiting and authentication tokens to secure APIs.
• Enable role-based access control (RBAC) and encrypt server logs.
• Leverage DDoS protection services provided by cloud vendors.
Scenario 3: Abuse and Nefarious Use of Cloud Resources
A gaming company discovers that one of its unused cloud instances was hijacked by
attackers to mine cryptocurrency. This led to unexpected costs and compromised
security.
Questions:
• What could have allowed attackers to exploit the cloud instance?
• What preventive measures should the company implement to avoid similar incidents?
Solution:
Causes of Exploitation:
• Unused instances left running without proper monitoring.
• Weak IAM policies allowing unauthorized access.
• Lack of auditing and alert mechanisms to detect unusual activity.
Preventive Measures:
• Regularly audit cloud resources and terminate unused instances.
• Implement strong IAM policies with least privilege principles.
• Use cloud monitoring tools to set alerts for unusual resource utilization.
Scenario 4: Data Loss or Leakage
A finance company uses cloud storage for customer financial records. Due to a
misconfigured storage bucket, sensitive data was publicly exposed.
Questions:
• What steps should the company take to secure cloud storage?
• How can it detect and respond to such incidents effectively?
Solution:
Securing Cloud Storage:
• Use access control policies to ensure only authorized users can access data.
• Enable encryption for data at rest and in transit.
• Regularly scan storage configurations using CSPM tools to detect vulnerabilities.
Incident Detection and Response:
• Set up real-time alerts for unusual data access patterns.
• Conduct forensic analysis to identify the extent of the leak.
• Notify affected stakeholders and implement stricter configuration policies.
Scenario 5: Attacks in Cloud Computing
An e-commerce company hosted on a cloud platform faced a service hijacking
attack, where attackers gained unauthorized access to its account, made
configuration changes, and deployed malicious instances.
Questions:
• How could the attackers have hijacked the service?
• What steps can the company take to recover and secure its environment?
Solution:
Causes of Service Hijacking:
• Use of weak or reused passwords.
• Lack of multi-factor authentication (MFA) for administrator accounts.
• No monitoring of account activity.
Recovery and Security:
• Regain control by changing passwords and revoking unauthorized access keys.
• Implement MFA and monitor login activity for anomalies.
• Regularly audit access permissions and rotate credentials.
Scenario: VM Escape Vulnerability in a Multi-Tenant Environment
A cloud service provider hosts virtual machines for multiple customers on the
same physical server. During a routine security review, it is discovered that one
VM has been compromised, and the attacker is attempting a VM escape attack
to gain access to the hypervisor. If successful, this could allow the attacker to
compromise all other VMs on the server, including those belonging to other
customers.
Questions:
• What steps should the cloud service provider take immediately to contain the
threat?
• What measures could have been implemented beforehand to prevent the VM
escape attack?
• How can the provider ensure ongoing security for the hypervisor and other
hosted VMs?
Solution
Immediate Actions to Contain the Threat:
• Isolate the Compromised VM:
• Disconnect the affected VM from the network to prevent further lateral movement or data
exfiltration.
• Suspend or shut down the compromised VM, if feasible, to halt the attack.
• Investigate the Hypervisor:
• Check the hypervisor for signs of compromise.
• Verify the integrity of other VMs on the same host using forensic tools.
• Patch and Update:
• Apply the latest security patches to the hypervisor immediately, addressing any
vulnerabilities being exploited.
• Alert Affected Customers:
• Notify all customers hosted on the affected server about the incident, following regulatory
and contractual obligations.
Preventative Measures:
• Regular Patching and Updates:
• Maintain an aggressive patch management process for hypervisors and host systems.
• Use automated vulnerability scanners to detect outdated versions or vulnerabilities.
• Enable Hypervisor Security Features:
• Implement hardware-assisted virtualization features (e.g., Intel VT-d or AMD-V) to strengthen isolation
between VMs.
• Use nested page tables to enhance memory isolation.
• VM Isolation:
• Enforce strict logical separation between VMs using network segmentation and VLANs.
• Utilize hypervisor settings to ensure resource allocation is isolated for each VM.
• Monitor and Audit:
• Deploy Intrusion Detection and Prevention Systems (IDPS) to monitor VM and hypervisor activities for
suspicious behavior.
• Conduct regular audits of VM configurations and permissions.
• Secure VM Images:
• Only use hardened and verified VM images to minimize vulnerabilities.
• Scan all VM images for malware or backdoors before deployment.
• Restrict Administrative Access:
• Implement role-based access controls (RBAC) to limit who can manage VMs and the hypervisor.
• Use multi-factor authentication (MFA) for all administrative accounts.
Ensuring Ongoing Security:
• Automated Threat Detection:
• Implement real-time security tools that analyze VM behavior and alert on anomalies.
• Use machine learning-based monitoring to detect potential VM escape attempts.
• Incident Response Plans:
• Maintain and regularly test a robust incident response plan specific to virtualized
environments.
• Train staff to respond quickly and effectively to hypervisor-related attacks.
• Backup and Recovery:
• Keep secure backups of all VM data and configurations.
• Test disaster recovery procedures to ensure quick restoration of VMs in case of an attack.
 IAM User, Groups and their Roles
In Identity and Access Management (IAM), users, groups, and their associated
roles are fundamental components for managing access and permissions to cloud
resources.
IAM Users
An IAM user represents a single
entity (a person, service, or
application) with access to cloud
resources.
Key Characteristics:
• Uniqueness: Each user has a
unique name within the account.
• Credentials: They may have
credentials like passwords (for
console access) or access keys
(for programmatic access).
• Permissions: IAM users don’t
have permissions by default;
permissions must be assigned
explicitly.
Common Use Cases:
• Assigning specific roles to
developers or admins.
• Providing API access for
applications.
IAM Groups
An IAM group is a collection of
users with the same set of
permissions.
Key Characteristics:
• Policy Assignment: You can
attach a permissions policy to a
group, and all users in that
group inherit those permissions.
• Simplified Management:
Instead of assigning permissions
individually, you manage access
at the group level.
Examples:
• A Developers group with access
to development resources.
• A Support group with read-only
access to logs and data.
Roles
An IAM role is an identity that you can
assume to gain temporary access to
permissions.
Key Characteristics:
• No Credentials: Unlike users, roles do
not have long-term credentials like Policies
passwords or access keys. Every request to AWS goes through an enforcement check to
• Temporary Access: Roles grant determine if the requesting principal is authenticated and
temporary security credentials that authorized for the targeted action. The decision is based on the
allow access for a limited period. assigned policies either directly to the IAM user or the role that is
• Assumable: Users, services, or currently assumed.
applications assume roles to perform
specific tasks.
Common Use Cases:
• Allowing a service (like EC2) to access
other AWS services using an IAM role.
• Enabling cross-account access.
• Granting external applications access
without exposing user credentials.
Question:
A company hires a new team of developers. They need access to the AWS Management Console
to work on development resources like EC2 instances and S3 buckets. How would you set this
up efficiently?
Solution:
1.Create IAM Group:
•Create a group called Developers.
2.Attach Policies to the Group:
•Attach policies like AmazonEC2FullAccess and AmazonS3ReadWriteAccess to the group.
3.Create IAM Users:
•Create individual IAM users for each developer, e.g., DevUser1, DevUser2.
4.Add Users to the Group:
•Add all developers to the Developers group.
5.Provide Console Access:
•Enable a password for each user and share credentials securely.
Benefit:
•Centralized permission management. If the policy changes, all group members automatically
inherit the updated permissions.
 Billing & Accounting in Cloud Computing
Cloud billing is a fundamental aspect of cloud adoption, focusing on tracking, managing, and
optimizing costs.
Key Concepts:
• Pay-As-You-Go Model: Pay only for what you use (compute, storage, network).
• Cost Categories:
• Compute Costs: Usage of instances or virtual machines (e.g., EC2, Azure VMs).
• Storage Costs: Data stored in cloud systems like S3 or Azure Blob.
• Networking Costs: Data transfer across regions or internet.
• Billing Tools:
• AWS Cost Explorer, Azure Cost Management, or Google Cloud Billing for tracking and forecasting.
• Tagging Resources:
• Tag resources for accountability by project, team, or environment (e.g., production vs. development).
 Comparing Scaling Hardware: Traditional vs. Cloud
Traditional Hardware Scaling:
• Vertical Scaling (Scaling Up):
• Adding more resources (CPU, RAM) to existing servers.
• Challenges: Limited scalability, higher cost for high-capacity hardware.
• Horizontal Scaling (Scaling Out):
• Adding more servers to distribute load.
• Challenges: Requires additional infrastructure, manual intervention, and higher upfront costs.
Cloud Hardware Scaling:
• Elastic Scaling:
• Auto-Scaling: Automatically scales instances based on demand.
• Serverless: Dynamically allocates resources (e.g., AWS Lambda, Azure Functions).
• Cost Efficiency:
• No upfront investment; scales down during low demand to save costs.
• Supports global scalability with minimal latency.
 Economics of Scaling: Benefiting Enormously
Cloud computing unlocks economic benefits by optimizing costs and providing
flexibility.
Benefits:
• Cost Predictability:
• Use reserved or spot instances to reduce costs for predictable workloads.
• Flexibility:
• Test environments can be spun up and shut down as needed.
• Global Reach:
• Easily deploy services in multiple regions.
Managing Data in the Cloud
Data Lifecycle Management:
• Automate tiering (e.g., frequently accessed data in SSDs, archived data in cheaper storage).
Backup and Recovery:
• Use managed services like AWS Backup or Azure Recovery Services.
Data Governance:
• Implement policies for encryption, retention, and access control.
 Scalability & Cloud Services
Cloud services are inherently designed for scalability, accommodating growth in data,
users, and processing.
Examples of Scalable Services:
Compute:
• Auto-scaling groups in AWS.
• Kubernetes for container orchestration.
Storage:
• S3 with lifecycle policies for storage cost optimization.
Databases:
• Amazon Aurora (serverless RDS), Google BigQuery for analytics.
 Database & Data Stores in Cloud
Cloud offers diverse database and storage solutions to meet various use cases.
Types:
Relational Databases:
• Examples: Amazon RDS, Azure SQL, Google Cloud SQL.
• Use Case: Structured data, transactional workloads.
NoSQL Databases:
• Examples: DynamoDB, MongoDB Atlas.
• Use Case: Flexible schemas, real-time applications.
Object Storage:
• Examples: Amazon S3, Azure Blob.
• Use Case: Large unstructured datasets, backups.
 Large-Scale Data Processing in Cloud
Cloud platforms provide tools and frameworks for efficient big data processing.
Batch Processing:
• Hadoop on EMR (AWS), Dataproc (Google Cloud).
Stream Processing:
• AWS Kinesis, Azure Stream Analytics.
ETL (Extract, Transform, Load):
• AWS Glue, Google Dataflow.
Machine Learning & Analytics:
• SageMaker (AWS), AI/ML offerings from Azure or GCP.
Comparing Traditional vs. Cloud for Data Processing