AWS vs Azure vs Google Cloud Security — The Practitioner’s Playbook (Zero Trust, CNAPP, XDR) By CyberDudeBivash • Date: September 20, 2025 (IST)

 


Executive Summary

This hands-on field guide shows cloud engineers how to design, deploy, and operate Zero Trust on the Big-3 clouds—then wire in CNAPP/XDR for continuous assurance. You’ll get a decision matrix, reference architectures, copy-paste checklists, and IaC snippets to move from “secure by default” marketing to secure in production reality.

What you’ll stand up:

  • Identity-first guardrails (MFA, least-privilege, JIT admin, workload identities).

  • Private-by-default networking (central egress inspection, service endpoints/PE, DDoS/WAF).

  • Data protection & governance (KMS/Key Vault/Cloud KMS, secrets, classification/DLP).

  • CNAPP + XDR stacks (GuardDuty/Security Hub • Defender for Cloud + Sentinel • SCC Premium + Chronicle).

  • Compliance as code (SCP/Config Conformance Packs • Azure Policy • Org Policy/Policy Controller).

  • SOC analytics with ready KQL/Logs Insights/Chronicle queries & SOAR playbooks.


Decision Matrix

Area | AWS | Azure | Google Cloud
--- | --- | --- | ---
Identity & Admin | IAM, Organizations, SCPs, Identity Center; strong blast-radius controls; granular but complex. | Entra ID (best-in-class enterprise identity), PIM (JIT), Conditional Access; identity-first powerhouse. | Cloud IAM, Workload Identity Federation, org policies; clean least-priv model; dev-friendly.
Network Zero Trust | VPC, Network Firewall, PrivateLink, TGW; mature patterns, many knobs. | VNet, Azure Firewall, Private Link, vWAN/VNM; great private-first PaaS story. | VPC, Cloud Armor, Private Service Connect, VPC Service Controls (data perimeters).
Data & Secrets | KMS, Secrets Manager, Macie (S3 discover/classify), S3 Object Lock. | Key Vault, Purview (scan/classify), Blob immutability, DKE/HYOK options. | Cloud KMS, Secret Manager, DLP (table/file), GCS retention holds.
CNAPP/XDR | GuardDuty, Inspector, Detective, Security Hub (hub-and-spoke). | Defender for Cloud (+ Defender for Endpoint/Server) + Microsoft Sentinel SIEM/SOAR. | Security Command Center Premium + Chronicle SIEM; Event Threat Detection.
Compliance & Policy | SCPs + AWS Config & Conformance Packs; Audit Manager/Artifact. | Azure Policy/Initiatives, Regulatory Compliance dashboard. | Org Policies + Policy Controller/Gatekeeper; Assured Workloads.
Best For | Broad ecosystem, custom controls, multi-account mastery. | Microsoft-centric enterprises, identity-first Zero Trust, compliance governance. | Data analytics & perimeterized data with VPC SC; low-noise logging.

One-line verdict:

  • If your identity anchor is Microsoft & you want JIT admin + Conditional Access everywhere → Azure.

  • If you need breadth and deep customization knobs across every control plane → AWS.

  • If data boundaries (VPC SC) and analytics-heavy workloads dominate → Google Cloud.


1) Zero Trust in the Cloud 

Zero Trust = assume breach, authenticate & authorize every connection, minimize blast radius, and continuously verify posture with telemetry. On cloud, that becomes:

  • Strong identity for humans & workloads (MFA, JIT admin, service identities without long-lived secrets).

  • Private service access by default; inspect egress; no directly-public data plane.

  • Encrypt & classify data, enforce least-priv access paths, and immutability for audit/forensics.

  • Measure continuously with CNAPP/XDR + SIEM and auto-remediate drift.


2) Identity & Access — Zero-Trust Core

AWS — minimal viable baseline (MVB)

  • Organizations + SCPs: deny legacy auth, prevent disabling CloudTrail/GuardDuty/Config, restrict regions.

  • Identity Center for SSO; enforce MFA; map business roles → permission sets.

  • IAM: least-priv policies, conditional keys (aws:PrincipalTag, aws:ResourceTag), session duration ≤ 1h.

  • Break-glass account isolated; no API keys on humans; rotate service creds; prefer roles (STS).

  • IAM Access Analyzer + last-used data to prune unused permissions.

Starter SCP (deny dangerous moves):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisableSecurity",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "config:StopConfigurationRecorder",
        "guardduty:Delete*",
        "guardduty:Update*",
        "iam:DeleteAccountPasswordPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::<ROOTACCT>:role/OrgSecurityAdmin"
        }
      }
    }
  ]
}
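Replaying sample API calls against this SCP before it is attached is a cheap way to catch a Sid that denies too much or too little. The evaluator below is an added example, not code from the original post or from AWS: it implements only the semantics this SCP uses (Deny effect, wildcard Action matching, StringNotEquals on aws:PrincipalArn), and the account id 111122223333 is a constructed stand-in for <ROOTACCT>.

```python
import fnmatch
import json
from typing import Optional

# The starter SCP from the post, with a constructed account id standing in for <ROOTACCT>.
STARTER_SCP = json.loads("""
{ "Version": "2012-10-17",
  "Statement": [ { "Sid": "DenyDisableSecurity", "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "config:StopConfigurationRecorder",
               "guardduty:Delete*", "guardduty:Update*", "iam:DeleteAccountPasswordPolicy"],
    "Resource": "*",
    "Condition": {"StringNotEquals":
                  {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/OrgSecurityAdmin"}} } ] }
""")


def action_matches(pattern: str, action: str) -> bool:
    """IAM action names match case-insensitively; '*' and '?' are wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate the one operator the starter SCP uses. Unknown operators raise
    rather than being skipped, so a typo can never quietly change the outcome."""
    for operator, pairs in condition.items():
        if operator != "StringNotEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            # A missing context key counts as 'not equal', so the Deny still applies.
            if context.get(key) in values:
                return False
    return True


def scp_denies(policy: dict, action: str, context: dict) -> Optional[str]:
    """Return the Sid of the first Deny statement that blocks `action`, else None.
    SCPs only filter: None means 'not blocked by this SCP', not 'allowed'.
    Resource is "*" in this SCP, so it is not evaluated here."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(action_matches(p, action) for p in actions):
            continue
        if condition_holds(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None
```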

Azure — minimal viable baseline

  • Entra ID: Conditional Access (MFA all, block legacy), device/compliant checks for admins.

  • PIM: make all privileged roles eligible (JIT), with approval + MFA + reason; short activation.

  • Access Reviews quarterly (Global Admin, App Admin, Subscription Owner).

  • Managed identities for workloads; CI via OIDC federated credentials (no secrets).

  • Role design: reader/contributor → custom roles; deny assignment for mission-critical resources.

Google Cloud — minimal viable baseline

  • Folders + org policies to standardize controls; IAM roles on folders/projects; avoid primitive roles.

  • Workload Identity Federation for CI and cross-cloud; no long-lived JSON keys.

  • Conditional role bindings when feasible; IAM Recommender to downscope.

  • Organization Policy constraints: restrict services, public IPs, external IPs, CMEK required, allowed locations.


3) Network Security — Private-by-Default

AWS

  • Multi-account hub-and-spoke (TGW).

  • Egress via Network Firewall; block uncataloged destinations; S3/Dynamo via Gateway Endpoints; PaaS via PrivateLink.

  • Route53 split-horizon + Resolver rules; WAF on CloudFront/ALB; Shield Advanced + ALB/NLB best practices.

Egress allowlist (Network Firewall rule example; a pass rule only permits traffic, so pair it with a stateful default action that drops whatever no rule matched):

{
  "RuleVariables": {
    "IPSets": {
      "AllowCIDR": { "Definition": ["<trusted-egress-ips>/32"] }
    }
  },
  "RulesSource": {
    "RulesString": "pass tls any any -> $AllowCIDR 443 (sid:1;)"
  }
}

Azure

  • Hub/Spoke or vWAN with Azure Firewall Premium, DDoS Standard, DNS Private Resolver.

  • Force UDR to firewall; Private Link for PaaS; disable public network access on data services.

  • App Gateway (WAF v2) or Front Door (WAF) for public entry; TLS 1.2+ only.

# Example: disable public access on Azure SQL
az sql server update -g rg-app -n sql-srv --public-network-access Disabled

Google Cloud

  • Shared VPC with Central Egress; Cloud Armor for WAF; Cloud IDS for inspection.

  • Private Service Connect for PaaS; VPC Service Controls to put a perimeter around data services (BigQuery, GCS, APIs) so data cannot be exfiltrated outside it.

  • DNS policy to block known bad domains; Serverless VPC Access for private egress.


4) Data Protection & Governance

Capability | AWS | Azure | Google Cloud
--- | --- | --- | ---
Key Mgmt | KMS, CloudHSM | Key Vault, HSM/DKE/HYOK | Cloud KMS, Cloud HSM
Secrets | Secrets Manager, Parameter Store | Key Vault (secrets/keys/certs) | Secret Manager
Discovery/DLP | Macie (S3) | Purview (catalog/classify), AIP labels | DLP (files/tables), Data Catalog
Immutability | S3 Object Lock | Blob immutability policies | GCS retention policies/holds

Golden rules:

  • Encrypt everywhere (CSE/Server-side w/ CMEK).

  • No public buckets, ever.

  • Immutability for logs/backups; lifecycle policies to shrink blast radius.

  • Tag/label data, align IAM to data classification.

  • Broker access through service-to-service identities; never embed creds.


5) CNAPP & XDR — What to Turn On (and Why)

AWS Stack

  • GuardDuty (threat intel + anomaly) across accounts.

  • Inspector for vuln/agent scanning; Detective for investigation graphs.

  • Security Hub as the posture aggregator (CIS, Foundational).

  • EKS: enable GuardDuty EKS Protection; integrate with CloudWatch & OpenSearch or third-party.

Azure Stack

  • Defender for Cloud plans (Servers, Containers, Databases, AppService, Key Vault, Storage).

  • Microsoft Sentinel for SIEM/UEBA + SOAR (Logic Apps).

  • Defender for Endpoint on hosts/clients; Defender for Containers on AKS.

Google Stack

  • Security Command Center Premium (vuln, misconfig, web risks); Event Threat Detection for logs.

  • Chronicle for planet-scale SIEM + retained context; GKE binary auth & posture policies.


6) Compliance & Policy-as-Code

  • AWS: SCP guardrails + Config Conformance Packs (CIS/NIST) + Audit Manager for evidence.

  • Azure: Azure Policy initiatives at management group scope; Regulatory Compliance score.

  • Google: Org Policy Constraints + Policy Controller (OPA/Gatekeeper) for K8s + Assured Workloads.

Tip: Treat policy as versioned code (Git). Exempt by justification + expiry, not permanent waivers.


7) Reference Architectures (at a glance)

AWS Zero-Trust Blueprint

  • Org → security hub account + log archive.

  • Hub: TGW + Network Firewall + central egress; Shared Services (AD Connector if needed).

  • Spokes: app accounts with VPCs; PaaS via PrivateLink; S3 endpoints; CloudFront+WAF at edge.

  • Observability: Org CloudTrail → S3 (Object Lock), GuardDuty org, Config aggregator, Security Hub aggregator.

Azure Zero-Trust Blueprint

  • Management Groups → Platform / Landing Zones.

  • Hub: Azure Firewall Premium, DDoS, DNS PR, Bastion.

  • Spokes: per app; Private Link everywhere; disable public network access.

  • Identity: Entra CA + PIM; workload identities; CI OIDC.

  • Observability: Log Analytics + Sentinel; Defender for Cloud (all relevant plans).

Google Cloud Zero-Trust Blueprint

  • Org/Folders → Projects in Shared VPC model.

  • Perimeters: VPC Service Controls around data services (BQ/GCS/APIs).

  • Ingress/Egress: Cloud Armor + Central egress; PSC for private PaaS; Cloud NAT with deny-by-default.

  • Observability: Cloud Logging → Chronicle; SCC Premium + ETD.


8) IaC Starters 

AWS – enable GuardDuty org + Security Hub (Terraform snippets)

module "guardduty_org" {
  source                            = "terraform-aws-modules/guardduty/aws"
  enable_organization_admin_account = true
  administrator_account_id          = var.security_account_id
}

resource "aws_securityhub_account" "this" {}

# The standards subscription fails unless Security Hub is enabled first.
resource "aws_securityhub_standards_subscription" "cis" {
  standards_arn = "arn:aws:securityhub:::standards/cis-aws-foundations-benchmark/v/1.4.0"
  depends_on    = [aws_securityhub_account.this]
}

Azure – deny public PaaS + require diagnostics (Bicep)

// Deployed at the management group, e.g.:
//   az deployment mg create --management-group-id landing-zones --location <region> --template-file policy.bicep
targetScope = 'managementGroup'

resource denyPublic 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-public-paas'
  properties: {
    policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/Deny-Public-PaaS'
    enforcementMode: 'Default'
  }
}

// A DeployIfNotExists initiative needs a managed identity (and a location for it) to remediate.
resource diagAll 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'require-diagnostics'
  location: deployment().location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    policyDefinitionId: '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-LogAnalytics-Diagnostics'
  }
}

Google Cloud – org policies & SCC (gcloud)

# Require CMEK. The target is named inside the YAML
# (name: organizations/$ORG_ID/policies/gcp.restrictNonCmekServices), so no --organization flag.
gcloud org-policies set-policy cmek-policy.yaml

# Enable SCC Premium
gcloud scc settings update --organization $ORG_ID --audit-log-config=ALL

# Create VPC SC perimeter (example). --title is required; --resources takes project numbers, not IDs.
gcloud access-context-manager perimeters create data-perimeter \
  --title="data-perimeter" \
  --policy=$ACCESS_POLICY_ID \
  --resources=projects/$PROJECT_NUMBER \
  --restricted-services=bigquery.googleapis.com,storage.googleapis.com

9) SOC Analytics & Automation 

Azure Sentinel — privileged impossible travel (KQL)

// Privileged users with successful sign-ins from more than one location in the same hour
SigninLogs
| where ResultType == "0"    // ResultType is a string column; "0" = success
| where ConditionalAccessStatus == "success" or isempty(ConditionalAccessStatus)
| summarize locs = make_set(Location) by UserPrincipalName, bin(TimeGenerated, 1h)
| where array_length(locs) > 1
| join kind=inner (
    IdentityInfo
    | where AssignedRoles has "Privileged"
    | summarize arg_max(TimeGenerated, *) by AccountUPN    // latest snapshot per user, avoids duplicate rows
  ) on $left.UserPrincipalName == $right.AccountUPN

AWS CloudWatch Logs Insights — public S3 writes (finding drift)

fields @timestamp, eventName, userIdentity.type, requestParameters.bucketName
| filter eventSource = "s3.amazonaws.com" and eventName = "PutBucketAcl"
# CloudTrail records a canned ACL under the x-amz-acl request header; the bare
# requestParameters.acl key is only the ?acl subresource marker and carries no value.
| filter `requestParameters.x-amz-acl` like /public-read|public-read-write/
| sort @timestamp desc

Chronicle YARA-L — suspicious exfil domains (toy)

rule suspicious_exfil_domains {
  meta:
    description = "DNS lookups for file-sharing services often abused for exfiltration (toy list; tune per environment)"
    severity = "LOW"

  events:
    $e.metadata.event_type = "NETWORK_DNS"
    // questions.name is a repeated field; the rule matches if any queried name matches
    re.regex($e.network.dns.questions.name, `(dropbox|mega|anonfiles|temp\.sh)`) nocase

  condition:
    $e
}

SOAR (playbook ideas)

  • On high-risk sign-in → revoke tokens, disable user, open ticket, notify SecOps.

  • On storage public-ACL change → auto-revert, quarantine account, page owner.

  • On malware in object storage → block hash org-wide, notify data owners, kick off IR checklist.
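The Logs Insights query above and the "storage public-ACL change" playbook are two halves of one flow, so here is that flow as detection logic run over a few CloudTrail records, followed by the playbook's decision step. This is an added example, not code from the original post or from AWS: the records, account id, bucket names and principals are constructed, and the functions return the actions to take rather than calling any AWS API.

```python
from typing import Optional

PUBLIC_CANNED_ACLS = {"public-read", "public-read-write"}
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# Grantee group URIs that make an ACL readable by everyone / any AWS account.
PUBLIC_GRANTEE_URIS = {ALL_USERS, AUTH_USERS}

# Constructed CloudTrail records (not real events) in the shape CloudTrail uses for
# S3 bucket ACL calls; the account id, bucket names and principals are made up.
SAMPLE_RECORDS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"bucketName": "acme-logs-prod", "acl": [""], "x-amz-acl": ["public-read"]}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ci-deploy"},
     "requestParameters": {"bucketName": "acme-assets", "acl": [""], "AccessControlPolicy": {
         "AccessControlList": {"Grant": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-bob"},
     "requestParameters": {"bucketName": "acme-backups", "acl": [""], "x-amz-acl": ["private"]}},
]


def public_acl_reason(record: dict) -> Optional[str]:
    """Return why a PutBucketAcl record makes the bucket public, or None if it does not."""
    if record.get("eventSource") != "s3.amazonaws.com" or record.get("eventName") != "PutBucketAcl":
        return None
    params = record.get("requestParameters", {})
    # A canned ACL arrives as the x-amz-acl header; the bare "acl" key is only the
    # ?acl subresource marker, so it never carries the ACL value.
    public_canned = set(params.get("x-amz-acl", [])) & PUBLIC_CANNED_ACLS
    if public_canned:
        return "canned ACL " + ",".join(sorted(public_canned))
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    for grant in grants if isinstance(grants, list) else [grants]:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEE_URIS:
            return "grant to " + uri.rsplit("/", 1)[-1]
    return None


def triage(records: list) -> list:
    """Playbook decision step: one action plan per bucket that became public."""
    plans, seen = [], set()
    for rec in records:
        reason = public_acl_reason(rec)
        bucket = rec.get("requestParameters", {}).get("bucketName")
        if reason is None or bucket in seen:
            continue
        seen.add(bucket)
        plans.append({"bucket": bucket, "reason": reason, "principal": rec.get("userIdentity", {}).get("arn"),
                      "actions": ["revert_acl_private", "quarantine_principal", "page_owner"]})
    return plans
```

Wiring this behind a CloudTrail-to-Lambda or EventBridge subscription gives the auto-revert path; the same two functions also run as a batch check over an Object Lock'd trail archive.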


10) Hardening Checklists (20-point quick wins)

AWS (20)

  1. MFA for all users; ban root usage; SCP to block dangerous actions.

  2. Identity Center SSO; permission sets by job function.

  3. Org CloudTrail to S3 with Object Lock.

  4. GuardDuty org-wide; Detective for triage; Security Hub standards.

  5. Config + Conformance Packs; auto-remediate common drift.

  6. VPC endpoints (S3/Dynamo) + PrivateLink for PaaS.

  7. Network Firewall central egress; ALB/WAF at edge; Shield Advanced.

  8. Block public S3; Macie for discovery.

  9. KMS CMKs; rotate; IAM conditions on keys.

  10. Secrets Manager; ban hard-coded creds.

  11. EKS: restrict public API, OPA/Gatekeeper, image scanning.

  12. RDS/ElastiCache private only; disable public snapshots.

  13. ECR scan on push; sign images.

  14. CloudWatch alarms for config drift, auth anomalies.

  15. Backup vault locks; DR tests.

  16. Tag schema enforced; cost allocation; owner contact.

  17. Limit regions; disable unused services.

  18. SSM Session Manager for shells (no SSH).

  19. Access Analyzer; IAM last-used pruning.

  20. Run tabletop: key leak, S3 exposure, lateral movement.

Azure (20)

  1. Entra Conditional Access (MFA all), block legacy.

  2. PIM for all privileged roles (JIT).

  3. Access Reviews on admin groups.

  4. Azure Policy initiatives → deny public, require diagnostics, enforce locations.

  5. Defender for Cloud plans on; auto-provision agents.

  6. Hub/Spoke with Azure Firewall Premium; DDoS Standard; DNS PR.

  7. Private Link everywhere; disable public network access.

  8. Log Analytics + Sentinel; UEBA enabled; alert tuning.

  9. Key Vault RBAC-only; purge protection; private endpoint.

  10. Purview scans; sensitivity labels.

  11. Azure AD Workload IDs + CI OIDC (no secrets).

  12. AKS: Azure CNI, Network Policies, Defender, image signing.

  13. App Gateway WAF_v2 or Front Door WAF for HTTP(S).

  14. Storage immutability; CMK for data services.

  15. Resource locks on KV/Networking.

  16. Backup (Vault/Site Recovery); immutable backups.

  17. Tag policy (Owner, DataClass, Env).

  18. Disable SSH/RDP from internet; Bastion/Just-in-Time.

  19. Cost alerts for Defender/Sentinel ingestion.

  20. Tabletop: identity compromise, KV secret leak, PE bypass.

Google Cloud (20)

  1. Org Policies: restrict external IPs, enforce CMEK, allowed regions.

  2. Folders + least-priv roles; IAM Recommender to shrink.

  3. Workload Identity Federation for CI; no JSON keys.

  4. SCC Premium + Event Threat Detection; Chronicle.

  5. Shared VPC; central egress; Cloud Armor + WAF.

  6. Private Service Connect; block direct public endpoints.

  7. VPC Service Controls perimeters for BQ/GCS/APIs.

  8. Cloud IDS; packet mirroring where needed.

  9. Cloud KMS CMKs; rotate; per-service KMS IAM.

  10. Secret Manager; forbid secrets in code.

  11. DLP scans for buckets/tables.

  12. GKE: private control plane, Binary Auth, Pod Security Standards.

  13. Cloud Logging retention; sinks to secured buckets (holds).

  14. Audit logs: Admin, Data access enabled on key services.

  15. Storage retention policies/holds; uniform bucket-level.

  16. Organization-wide SSH/Sudo via OS Login.

  17. Shielded VM; VTPM; integrity monitoring.

  18. Assured Workloads for regulated data.

  19. Budget alerts for SCC/Chronicle usage.

  20. Tabletop: token leak, BQ exfil attempt, perimeter escape.


11) Cost & Ops Reality 

  • SIEM ingestion is the silent budget killer—tier logs (hot/warm/cold), summarize high-cardinality data, ship raw to cheap storage.

  • CNAPP/XDR licensing: know per-resource or per-GB models.

  • Firewall/WAF/DDoS egress inspection costs; simulate traffic first.

  • Automation saves: policy auto-fixers, drift bots, IaC guardrails.


12) Multi-Cloud Play: Unify the Mess

  • Identity broker (Entra/Okta) for SSO & JIT admin everywhere.

  • Control plane: Terraform/OPA/Conftest + pre-commit hooks; shared policy packs with per-cloud adapters.

  • Data security: consistent classification taxonomy and CMEK policy.

  • SOC: single pane (Sentinel or Chronicle) + normalizers for CloudTrail/Activity/Cloud Logging.

  • Drift watch: scanners (Prowler/Azure Policy/Forseti-like) on a schedule; create tickets automatically.


13) FAQs 

Which cloud is “most secure”?
None by default. The one you operate with strong identity, private access, and continuous verification is the most secure for you.

Do I still need third-party tools?
Often yes—for deep detection, asset inventory, DSPM, IaC scanning, and attack surface. Use native first; fill gaps where needed.

How do I do Zero Trust for serverless?
Private egress, identity-based access to data (no network trust), least-priv roles, and event-driven monitoring.

Can I run a single SIEM?
Yes. Normalize logs and pick Sentinel or Chronicle (or Splunk) as your anchor; stream AWS/Azure/GCP in.


14) CTA — Practical Extras for You

  • Downloadable decision matrix (PDF),

  • IaC Starter Kits (one per cloud),

  • Sentinel/Chronicle rule bundles and SOAR playbooks.

Say the word and I’ll package these to your brand spec.


#CyberDudeBivash #CloudSecurity #AWS #Azure #GoogleCloud #ZeroTrust #CNAPP #XDR #KeyManagement #Compliance #DevSecOps #SIEM #Sentinel #Chronicle #GuardDuty
