
AWS vs Azure vs Google Cloud Security — The Practitioner’s Playbook (Zero Trust, CNAPP, XDR)

By CyberDudeBivash • Date: September 20, 2025 (IST)

 


Executive Summary

This hands-on field guide shows cloud engineers how to design, deploy, and operate Zero Trust on the Big-3 clouds—then wire in CNAPP/XDR for continuous assurance. You’ll get a decision matrix, reference architectures, copy-paste checklists, and IaC snippets to move from “secure by default” marketing to secure in production reality.

What you’ll stand up:

  • Identity-first guardrails (MFA, least-privilege, JIT admin, workload identities).

  • Private-by-default networking (central egress inspection, service endpoints/PE, DDoS/WAF).

  • Data protection & governance (KMS/Key Vault/Cloud KMS, secrets, classification/DLP).

  • CNAPP + XDR stacks (GuardDuty/Security Hub • Defender for Cloud + Sentinel • SCC Premium + Chronicle).

  • Compliance as code (SCP/Config Conformance Packs • Azure Policy • Org Policy/Policy Controller).

  • SOC analytics with ready KQL/Logs Insights/Chronicle queries & SOAR playbooks.


 Decision Matrix 

| Area | AWS | Azure | Google Cloud |
|---|---|---|---|
| Identity & Admin | IAM, Organizations, SCPs, Identity Center; strong blast-radius controls; granular but complex. | Entra ID (best-in-class enterprise identity), PIM (JIT), Conditional Access—identity-first powerhouse. | Cloud IAM, Workload Identity Federation, org policies; clean least-priv model; dev-friendly. |
| Network Zero Trust | VPC, Network Firewall, PrivateLink, TGW; mature patterns, many knobs. | VNet, Azure Firewall, Private Link, vWAN/VNM; great private-first PaaS story. | VPC, Cloud Armor, Private Service Connect, VPC Service Controls (data perimeters). |
| Data & Secrets | KMS, Secrets Manager, Macie (S3 discover/classify), S3 Object Lock. | Key Vault, Purview (scan/classify), Blob immutability, DKE/HYOK options. | Cloud KMS, Secret Manager, DLP (table/file), GCS retention holds. |
| CNAPP/XDR | GuardDuty, Inspector, Detective, Security Hub (hub-and-spoke). | Defender for Cloud (+ Defender for Endpoint/Server) + Microsoft Sentinel SIEM/SOAR. | Security Command Center Premium + Chronicle SIEM; Event Threat Detection. |
| Compliance & Policy | SCPs + AWS Config & Conformance Packs; Audit Manager/Artifact. | Azure Policy/Initiatives, Regulatory Compliance dashboard. | Org Policies + Policy Controller/Gatekeeper; Assured Workloads. |
| Best For | Broad ecosystem, custom controls, multi-account mastery. | Microsoft-centric enterprises, identity-first Zero Trust, compliance governance. | Data analytics & perimeterized data with VPC SC; low-noise logging. |

One-line verdict:

  • If your identity anchor is Microsoft & you want JIT admin + Conditional Access everywhere → Azure.

  • If you need breadth and deep customization knobs across every control plane → AWS.

  • If data boundaries (VPC SC) and analytics-heavy workloads dominate → Google Cloud.


1) Zero Trust in the Cloud 

Zero Trust = assume breach, authenticate & authorize every connection, minimize blast radius, and continuously verify posture with telemetry. On cloud, that becomes:

  • Strong identity for humans & workloads (MFA, JIT admin, service identities without long-lived secrets).

  • Private service access by default; inspect egress; no directly-public data plane.

  • Encrypt & classify data, enforce least-priv access paths, and immutability for audit/forensics.

  • Measure continuously with CNAPP/XDR + SIEM and auto-remediate drift.


2) Identity & Access — Zero-Trust Core

AWS — minimal viable baseline (MVB)

  • Organizations + SCPs: deny legacy auth, prevent disabling CloudTrail/GuardDuty/Config, restrict regions.

  • Identity Center for SSO; enforce MFA; map business roles → permission sets.

  • IAM: least-priv policies, condition keys (aws:PrincipalTag, aws:ResourceTag), session duration ≤ 1h.

  • Break-glass account isolated; no API keys on humans; rotate service creds; prefer roles (STS).

  • Access analyzer + IAM last-used to prune.

Starter SCP (deny dangerous moves):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyDisableSecurity",
          "Effect": "Deny",
          "Action": [
            "cloudtrail:StopLogging",
            "config:StopConfigurationRecorder",
            "guardduty:Delete*",
            "guardduty:Update*",
            "iam:DeleteAccountPasswordPolicy"
          ],
          "Resource": "*",
          "Condition": {
            "StringNotEquals": {
              "aws:PrincipalArn": "arn:aws:iam::<ROOTACCT>:role/OrgSecurityAdmin"
            }
          }
        }
      ]
    }
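
A coverage check for the starter SCP above, added here as an example and not part of the original playbook: it lists which log- and detector-tampering actions the Deny statement does not match and which principal is exempted. The TAMPER_ACTIONS checklist and all function names are assumptions made for this example.

```python
import fnmatch
import json

# The starter SCP from this page, unchanged (<ROOTACCT> is the page's placeholder).
STARTER_SCP = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Sid": "DenyDisableSecurity",
   "Effect": "Deny",
   "Action": ["cloudtrail:StopLogging", "config:StopConfigurationRecorder",
              "guardduty:Delete*", "guardduty:Update*",
              "iam:DeleteAccountPasswordPolicy"],
   "Resource": "*",
   "Condition": {"StringNotEquals": {
     "aws:PrincipalArn": "arn:aws:iam::<ROOTACCT>:role/OrgSecurityAdmin"}}}]}
""")

# Constructed checklist (an assumption for this example, not an official AWS list)
# of API actions that switch off or blind CloudTrail, Config and GuardDuty.
TAMPER_ACTIONS = [
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
    "cloudtrail:UpdateTrail",
    "config:StopConfigurationRecorder",
    "config:DeleteConfigurationRecorder",
    "config:DeleteDeliveryChannel",
    "guardduty:DeleteDetector",
    "guardduty:UpdateDetector",
    "guardduty:DisassociateFromMasterAccount",
    "iam:DeleteAccountPasswordPolicy",
]

NEGATED_OPERATORS = {"stringnotequals", "stringnotlike", "arnnotequals", "arnnotlike"}


def _as_list(value):
    """IAM JSON allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]


def denied_patterns(policy):
    """Action patterns from Deny statements that apply to every resource."""
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or "Action" not in stmt:
            continue  # NotAction statements are out of scope for this check
        if "*" in _as_list(stmt.get("Resource", [])):
            patterns.extend(_as_list(stmt["Action"]))
    return patterns


def is_denied(action, patterns):
    """Action names are case-insensitive; '*' and '?' are wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def coverage_gaps(policy, actions=TAMPER_ACTIONS):
    """Checklist actions that no Deny statement in the policy matches."""
    patterns = denied_patterns(policy)
    return [a for a in actions if not is_denied(a, patterns)]


def exempt_principals(policy):
    """Principal ARNs carved out of Deny statements via aws:PrincipalArn."""
    exempt = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        for operator, keys in stmt.get("Condition", {}).items():
            if operator.lower() not in NEGATED_OPERATORS:
                continue
            for key, value in keys.items():
                if key.lower() == "aws:principalarn":
                    exempt.extend(_as_list(value))
    return exempt


if __name__ == "__main__":
    for action in coverage_gaps(STARTER_SCP):
        print("not denied:", action)
    for arn in exempt_principals(STARTER_SCP):
        print("exempt from the guardrail:", arn)
```

Run it in CI against every SCP change so a guardrail edit that drops a deny or widens the exemption fails review.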

Azure — minimal viable baseline

  • Entra ID: Conditional Access (MFA all, block legacy), device/compliant checks for admins.

  • PIM: make all privileged roles eligible (JIT), with approval + MFA + reason; short activation.

  • Access Reviews quarterly (Global Admin, App Admin, Subscription Owner).

  • Managed identities for workloads; CI via OIDC federated credentials (no secrets).

  • Role design: reader/contributor → custom roles; deny assignment for mission-critical resources.

Google Cloud — minimal viable baseline

  • Folders + org policies to standardize controls; IAM roles on folders/projects; avoid primitive roles.

  • Workload Identity Federation for CI and cross-cloud; no long-lived JSON keys.

  • Conditional role bindings when feasible; IAM Recommender to downscope.

  • Organization Policy constraints: restrict services, public IPs, external IPs, CMEK required, allowed locations.


3) Network Security — Private-by-Default

AWS

  • Multi-account hub-and-spoke (TGW).

  • Egress via Network Firewall; block uncataloged destinations; S3/Dynamo via Gateway Endpoints; PaaS via PrivateLink.

  • Route53 split-horizon + Resolver rules; WAF on CloudFront/ALB; Shield Advanced + ALB/NLB best practices.

Egress allowlist (Network Firewall rule example):

    {
      "RuleVariables": {
        "IPSets": {
          "AllowCIDR": {
            "Definition": ["<trusted-egress-ips>/32"]
          }
        }
      },
      "RulesSource": {
        "RulesString": "pass tls any any -> $AllowCIDR 443 (sid:1;)"
      }
    }

Azure

  • Hub/Spoke or vWAN with Azure Firewall Premium, DDoS Standard, DNS Private Resolver.

  • Force UDR to firewall; Private Link for PaaS; disable public network access on data services.

  • App Gateway (WAF v2) or Front Door (WAF) for public entry; TLS 1.2+ only.

    # Example: disable public access on Azure SQL
    az sql server update -g rg-app -n sql-srv --enable-public-network false

Google Cloud

  • Shared VPC with Central Egress; Cloud Armor for WAF; Cloud IDS for inspection.

  • Private Service Connect for PaaS; VPC Service Controls to perimeterize data exfil (BigQuery, GCS, APIs).

  • DNS policy to block known bad domains; Serverless VPC Access for private egress.


4) Data Protection & Governance

| Capability | AWS | Azure | Google Cloud |
|---|---|---|---|
| Key Mgmt | KMS, CloudHSM | Key Vault, HSM/DKE/HYOK | Cloud KMS, Cloud HSM |
| Secrets | Secrets Manager, Parameter Store | Key Vault (secrets/keys/certs) | Secret Manager |
| Discovery/DLP | Macie (S3) | Purview (catalog/classify), AIP labels | DLP (files/tables), Data Catalog |
| Immutability | S3 Object Lock | Blob immutability policies | GCS retention policies/holds |

Golden rules:

  • Encrypt everywhere (CSE/Server-side w/ CMEK).

  • No public buckets, ever.

  • Immutability for logs/backups; lifecycle policies to shrink blast radius.

  • Tag/label data, align IAM to data classification.

  • Broker access through service-to-service identities; never embed creds.


5) CNAPP & XDR — What to Turn On (and Why)

AWS Stack

  • GuardDuty (threat intel + anomaly) across accounts.

  • Inspector for vuln/agent scanning; Detective for investigation graphs.

  • Security Hub as the posture aggregator (CIS, Foundational).

  • EKS: enable GuardDuty EKS Protection; integrate with CloudWatch & OpenSearch or third-party.

Azure Stack

  • Defender for Cloud plans (Servers, Containers, Databases, AppService, Key Vault, Storage).

  • Microsoft Sentinel for SIEM/UEBA + SOAR (Logic Apps).

  • Defender for Endpoint on hosts/clients; Defender for Containers on AKS.

Google Stack

  • Security Command Center Premium (vuln, misconfig, web risks); Event Threat Detection for logs.

  • Chronicle for planet-scale SIEM + retained context; GKE binary auth & posture policies.


6) Compliance & Policy-as-Code

  • AWS: SCP guardrails + Config Conformance Packs (CIS/NIST) + Audit Manager for evidence.

  • Azure: Azure Policy initiatives at management group scope; Regulatory Compliance score.

  • Google: Org Policy Constraints + Policy Controller (OPA/Gatekeeper) for K8s + Assured Workloads.

Tip: Treat policy as versioned code (Git). Exempt by justification + expiry, not permanent waivers.
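
One way to enforce the tip above in CI, added here as an example and not part of the original playbook: a gate that rejects exemptions with no justification, no expiry, a past expiry, or an expiry too far out. The record fields, the sample records and the 90-day ceiling are assumptions made for this example.

```python
import sys
from datetime import date

MAX_WAIVER_DAYS = 90  # assumption: longest exemption window the team accepts

# Constructed exemption records, as they might sit in Git beside the policy code.
EXEMPTIONS = [
    {"id": "EX-001", "control": "deny-public-paas", "scope": "sub-analytics",
     "justification": "Vendor cutover tracked in CHG-1042", "expires": "2025-10-15"},
    {"id": "EX-002", "control": "require-diagnostics", "scope": "sub-legacy",
     "justification": "  ", "expires": "2025-10-01"},
    {"id": "EX-003", "control": "deny-public-paas", "scope": "sub-partner",
     "justification": "Partner API needs a public endpoint", "expires": None},
    {"id": "EX-004", "control": "restrict-regions", "scope": "acct-sandbox",
     "justification": "Latency test in a second region", "expires": "2025-08-01"},
    {"id": "EX-005", "control": "require-cmek", "scope": "proj-archive",
     "justification": "Re-encryption scheduled", "expires": "2027-01-01"},
    {"id": "EX-006", "control": "require-cmek", "scope": "proj-etl",
     "justification": "Key migration", "expires": "next quarter"},
]


def check_exemption(record, today, max_days=MAX_WAIVER_DAYS):
    """Return the list of problems with one exemption record (empty if valid)."""
    problems = []
    if not (record.get("justification") or "").strip():
        problems.append("missing justification")
    raw = record.get("expires")
    if not raw:
        problems.append("no expiry (permanent waiver)")
        return problems
    try:
        expires = date.fromisoformat(raw)
    except (TypeError, ValueError):
        problems.append("expiry is not an ISO date")
        return problems
    remaining = (expires - today).days
    if remaining < 0:
        problems.append("expired")
    elif remaining > max_days:
        problems.append(f"expiry more than {max_days} days out")
    return problems


def audit(exemptions, today):
    """Map exemption id to its problems, for failing records only."""
    findings = {}
    for record in exemptions:
        problems = check_exemption(record, today)
        if problems:
            findings[record["id"]] = problems
    return findings


if __name__ == "__main__":
    results = audit(EXEMPTIONS, date.today())
    for exemption_id, problems in results.items():
        print(f"{exemption_id}: {', '.join(problems)}")
    sys.exit(1 if results else 0)  # a non-zero exit blocks the merge
```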


7) Reference Architectures (at a glance)

AWS Zero-Trust Blueprint

  • Org → security hub account + log archive.

  • Hub: TGW + Network Firewall + central egress; Shared Services (AD Connector if needed).

  • Spokes: app accounts with VPCs; PaaS via PrivateLink; S3 endpoints; CloudFront+WAF at edge.

  • Observability: Org CloudTrail → S3 (Object Lock), GuardDuty org, Config aggregator, Security Hub aggregator.

Azure Zero-Trust Blueprint

  • Management Groups → Platform / Landing Zones.

  • Hub: Azure Firewall Premium, DDoS, DNS PR, Bastion.

  • Spokes: per app; Private Link everywhere; disable public network access.

  • Identity: Entra CA + PIM; workload identities; CI OIDC.

  • Observability: Log Analytics + Sentinel; Defender for Cloud (all relevant plans).

Google Cloud Zero-Trust Blueprint

  • Org/Folders → Projects in Shared VPC model.

  • Perimeters: VPC Service Controls around data services (BQ/GCS/APIs).

  • Ingress/Egress: Cloud Armor + Central egress; PSC for private PaaS; Cloud NAT with deny-by-default.

  • Observability: Cloud Logging → Chronicle; SCC Premium + ETD.


8) IaC Starters 

AWS – enable GuardDuty org + Security Hub (Terraform snippets)

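    data "aws_region" "current" {}

    module "guardduty_org" {
      source = "terraform-aws-modules/guardduty/aws"

      enable_organization_admin_account = true
      administrator_account_id          = var.security_account_id
    }

    resource "aws_securityhub_account" "this" {}

    # The CIS v1.4.0 standards ARN is regional, so the region segment must be filled in.
    resource "aws_securityhub_standards_subscription" "cis" {
      standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0"

      # Security Hub must be enabled in the account before subscribing to a standard.
      depends_on = [aws_securityhub_account.this]
    }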

Azure – deny public PaaS + require diagnostics (Bicep)

    // Deploy this file at management group scope, targeting the 'landing-zones'
    // management group. A resource's scope property does not accept a resource ID string.
    targetScope = 'managementGroup'

    resource denyPublic 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
      name: 'deny-public-paas'
      properties: {
        policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/Deny-Public-PaaS'
        enforcementMode: 'Default'
      }
    }

    // An initiative with deployIfNotExists effects also needs an identity and a
    // location on the assignment before it can remediate.
    resource diagAll 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
      name: 'require-diagnostics'
      properties: {
        policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-LogAnalytics-Diagnostics'
      }
    }

Google Cloud – org policies & SCC (gcloud)

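    # Require CMEK (the target organization comes from the "name" field inside cmek-policy.yaml)
    gcloud org-policies set-policy cmek-policy.yaml

    # Enable SCC Premium
    # Check `gcloud scc --help` for the subcommands and flags your gcloud release supports.
    gcloud scc settings update --organization $ORG_ID --audit-log-config=ALL

    # Create VPC SC perimeter (example); --title is required and --resources takes project numbers
    gcloud access-context-manager perimeters create data-perimeter \
      --title="data-perimeter" \
      --policy=$ACCESS_POLICY_ID \
      --resources=projects/$PROJECT \
      --restricted-services=bigquery.googleapis.com,storage.googleapis.com
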

9) SOC Analytics & Automation 

Azure Sentinel — privileged impossible travel (KQL)

    SigninLogs
    | where ResultType == 0
    | where ConditionalAccessStatus == "success" or isempty(ConditionalAccessStatus)
    | summarize locs = makeset(Location) by UserPrincipalName, bin(TimeGenerated, 1h)
    | where array_length(locs) > 1
    | join kind=inner (
        IdentityInfo
        | where AssignedRoles has "Privileged"
      ) on $left.UserPrincipalName == $right.AccountUPN

AWS CloudWatch Logs Insights — public S3 writes (finding drift)

    fields @timestamp, eventName, userIdentity.type, requestParameters.bucketName
    | filter eventSource="s3.amazonaws.com" and eventName="PutBucketAcl"
    | filter requestParameters.acl like /public-read|public-read-write/
    | sort @timestamp desc

Chronicle YARA-L — suspicious exfil domains (toy)

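    rule suspicious_exfil_domains {
      meta:
        description = "Toy rule: DNS lookups for file-sharing domains"
      events:
        // Assumption: match on DNS query names; pick the UDM field that fits your log sources.
        $e.metadata.event_type = "NETWORK_DNS"
        re.regex($e.network.dns.questions.name, `dropbox|mega|anonfiles|temp\.sh`) nocase
      condition:
        $e
    }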

SOAR (playbook ideas)

  • On high-risk sign-in → revoke tokens, disable user, open ticket, notify SecOps.

  • On storage public-ACL change → auto-revert, quarantine account, page owner.

  • On malware in object storage → block hash org-wide, notify data owners, kick off IR checklist.


10) Hardening Checklists (20-point quick wins)

AWS (20)

  1. MFA for all users; ban root usage; SCP to block dangerous actions.

  2. Identity Center SSO; permission sets by job function.

  3. Org CloudTrail to S3 with Object Lock.

  4. GuardDuty org-wide; Detective for triage; Security Hub standards.

  5. Config + Conformance Packs; auto-remediate common drift.

  6. VPC endpoints (S3/Dynamo) + PrivateLink for PaaS.

  7. Network Firewall central egress; ALB/WAF at edge; Shield Advanced.

  8. Block public S3; Macie for discovery.

  9. KMS CMKs; rotate; IAM conditions on keys.

  10. Secrets Manager; ban hard-coded creds.

  11. EKS: restrict public API, OPA/Gatekeeper, image scanning.

  12. RDS/ElastiCache private only; disable public snapshots.

  13. ECR scan on push; sign images.

  14. CloudWatch alarms for config drift, auth anomalies.

  15. Backup vault locks; DR tests.

  16. Tag schema enforced; cost allocation; owner contact.

  17. Limit regions; disable unused services.

  18. SSM Session Manager for shells (no SSH).

  19. Access Analyzer; IAM last-used pruning.

  20. Run tabletop: key leak, S3 exposure, lateral movement.

Azure (20)

  1. Entra Conditional Access (MFA all), block legacy.

  2. PIM for all privileged roles (JIT).

  3. Access Reviews on admin groups.

  4. Azure Policy initiatives → deny public, require diagnostics, enforce locations.

  5. Defender for Cloud plans on; auto-provision agents.

  6. Hub/Spoke with Azure Firewall Premium; DDoS Standard; DNS PR.

  7. Private Link everywhere; disable public network access.

  8. Log Analytics + Sentinel; UEBA enabled; alert tuning.

  9. Key Vault RBAC-only; purge protection; private endpoint.

  10. Purview scans; sensitivity labels.

  11. Azure AD Workload IDs + CI OIDC (no secrets).

  12. AKS: Azure CNI, Network Policies, Defender, image signing.

  13. App Gateway WAF_v2 or Front Door WAF for HTTP(S).

  14. Storage immutability; CMK for data services.

  15. Resource locks on KV/Networking.

  16. Backup (Vault/Site Recovery); immutable backups.

  17. Tag policy (Owner, DataClass, Env).

  18. Disable SSH/RDP from internet; Bastion/Just-in-Time.

  19. Cost alerts for Defender/Sentinel ingestion.

  20. Tabletop: identity compromise, KV secret leak, PE bypass.

Google Cloud (20)

  1. Org Policies: restrict external IPs, enforce CMEK, allowed regions.

  2. Folders + least-priv roles; IAM Recommender to shrink.

  3. Workload Identity Federation for CI; no JSON keys.

  4. SCC Premium + Event Threat Detection; Chronicle.

  5. Shared VPC; central egress; Cloud Armor + WAF.

  6. Private Service Connect; block direct public endpoints.

  7. VPC Service Controls perimeters for BQ/GCS/APIs.

  8. Cloud IDS; packet mirroring where needed.

  9. Cloud KMS CMKs; rotate; per-service KMS IAM.

  10. Secret Manager; forbid secrets in code.

  11. DLP scans for buckets/tables.

  12. GKE: private control plane, Binary Auth, Pod Security Standards.

  13. Cloud Logging retention; sinks to secured buckets (holds).

  14. Audit logs: Admin, Data access enabled on key services.

  15. Storage retention policies/holds; uniform bucket-level.

  16. Organization-wide SSH/Sudo via OS Login.

  17. Shielded VM; vTPM; integrity monitoring.

  18. Assured Workloads for regulated data.

  19. Budget alerts for SCC/Chronicle usage.

  20. Tabletop: token leak, BQ exfil attempt, perimeter escape.


11) Cost & Ops Reality 

  • SIEM ingestion is the silent budget killer—tier logs (hot/warm/cold), summarize high-cardinality data, ship raw to cheap storage.

  • CNAPP/XDR licensing: know per-resource or per-GB models.

  • Firewall/WAF/DDoS egress inspection costs; simulate traffic first.

  • Automation saves: policy auto-fixers, drift bots, IaC guardrails.


12) Multi-Cloud Play: Unify the Mess

  • Identity broker (Entra/Okta) for SSO & JIT admin everywhere.

  • Control plane: Terraform/OPA/Conftest + pre-commit hooks; shared policy packs with per-cloud adapters.

  • Data security: consistent classification taxonomy and CMEK policy.

  • SOC: single pane (Sentinel or Chronicle) + normalizers for CloudTrail/Activity/Cloud Logging.

  • Drift watch: scanners (Prowler/Azure Policy/Forseti-like) on a schedule; create tickets automatically.


13) FAQs 

Which cloud is “most secure”?
None by default. The one you operate with strong identity, private access, and continuous verification is the most secure for you.

Do I still need third-party tools?
Often yes—for deep detection, asset inventory, DSPM, IaC scanning, and attack surface. Use native first; fill gaps where needed.

How do I do Zero Trust for serverless?
Private egress, identity-based access to data (no network trust), least-priv roles, and event-driven monitoring.

Can I run a single SIEM?
Yes. Normalize logs and pick Sentinel or Chronicle (or Splunk) as your anchor; stream AWS/Azure/GCP in.


14) CTA — Practical Extras for You

  • Downloadable decision matrix (PDF),

  • IaC Starter Kits (one per cloud),

  • Sentinel/Chronicle rule bundles and SOAR playbooks.
    Say the word and I’ll package these to your brand spec.

