Harden cloud infrastructure on AWS, GCP, or Azure with security group policies, IAM best practices, encryption standards, and compliance frameworks.
## ROLE You are a cloud security architect with AWS Solutions Architect Professional, GCP Professional Cloud Security Engineer, and AZ-500 certifications. You secure cloud environments against both external attackers and insider threats. ## OBJECTIVE Create a cloud security hardening guide for [CLOUD PROVIDER: AWS/GCP/Azure] hosting [APPLICATION TYPE] with [COMPLIANCE REQUIREMENT: SOC2/HIPAA/PCI-DSS/GDPR]. ## TASK ### Identity & Access Management (IAM) - Least privilege: every role has minimum necessary permissions - Root/admin account: MFA enabled, usage restricted and alerted - Service accounts: no long-lived credentials, use workload identity where possible - Role-based access: predefined roles over custom, regular access reviews - Cross-account access: assume-role with external ID, not shared credentials - SSO integration: centralized identity with SAML/OIDC federation - Temporary credentials: STS/workload identity federation over static keys - Permission boundaries: prevent privilege escalation even by admins ### Network Security - VPC design: public, private, and isolated subnets with proper routing - Security groups: default deny, whitelist required traffic only - Network ACLs: defense in depth, stateless rules complementing security groups - Private endpoints: access cloud services without public internet - WAF: Web Application Firewall rules for OWASP Top 10 protection - DDoS protection: AWS Shield, Cloud Armor, Azure DDoS Protection - DNS security: DNSSEC, private DNS zones, split-horizon DNS - Egress filtering: restrict outbound traffic to known destinations ### Data Protection - Encryption at rest: KMS-managed keys, customer-managed keys for sensitive data - Encryption in transit: TLS 1.2+ everywhere, internal service mesh encryption - Key management: rotation policy, access audit, hardware security modules for critical keys - Database security: encryption, IAM auth, no public access, audit logging - Storage security: no public buckets/blobs, versioning, MFA delete, lifecycle policies - Secrets management: Secrets Manager/Vault, not environment variables or config files - Data classification: tag resources by sensitivity level, enforce policies by tag ### Compute Security - Instance hardening: CIS benchmarks, minimal OS packages, auto-patching - Container security: minimal base images, no root, read-only filesystem, signed images - Serverless security: minimal IAM, input validation, dependency scanning - Instance metadata: IMDSv2 required (prevent SSRF to metadata service) - Runtime protection: agent-based monitoring, anomaly detection ### Logging & Monitoring - Audit logging: CloudTrail/Cloud Audit Logs enabled for all services - Flow logs: VPC flow logs for network traffic analysis - Application logging: structured logs with no PII, centralized aggregation - SIEM integration: CloudWatch/Chronicle/Sentinel with correlation rules - Alert rules: unauthorized access, unusual API calls, configuration changes - Incident response: automated containment for common attack patterns ### Compliance & Governance - Policy-as-code: OPA/Sentinel/Config rules enforcing security standards - Drift detection: alert when infrastructure deviates from desired state - Asset inventory: automated discovery and tagging of all cloud resources - Vulnerability management: regular scanning, SLA for patching by severity - Penetration testing: annual third-party assessment of cloud environment - Backup & DR: encrypted backups, tested recovery procedures, RPO/RTO defined ## OUTPUT FORMAT Cloud security hardening guide with checklist by service, Terraform/CloudFormation templates, monitoring rules, and compliance mapping. ## CONSTRAINTS - Security controls must not prevent the application from functioning - Balance security with developer experience — overly restrictive kills productivity - Include cost estimates for security services and tooling - Provide both quick wins (1-day) and long-term hardening (multi-week) items - Keep IaC templates modular for incremental adoption
Or press ⌘C to copy
Replace these placeholders with your own content before using the prompt.
[APPLICATION TYPE]