Cesa Yazılım

Cloud Security 2025: AWS, Azure, GCP Security Guide

A 2025 guide to cloud security best practices: AWS/Azure/GCP security, IAM, data encryption and compliance.

Cloud Security Best Practices 2025

As cloud adoption accelerates, security becomes critical. This is a comprehensive security guide for AWS, Azure and GCP.

Cloud Security Challenges

Top 5 Risks:

  1. Misconfiguration (the cause of 65% of data breaches)
  2. Insufficient IAM
  3. Insecure APIs
  4. Data breaches
  5. Shared responsibility misunderstanding

Shared Responsibility Model

┌─────────────────────────────────┐
│ Customer Responsibility         │
│ - Data                          │
│ - Applications                  │
│ - Identity & Access             │
│ - OS, Network, Firewall         │
├─────────────────────────────────┤
│ Cloud Provider Responsibility   │
│ - Physical security             │
│ - Infrastructure                │
│ - Network infrastructure        │
│ - Hypervisor                    │
└─────────────────────────────────┘

Identity & Access Management (IAM)

AWS IAM Best Practices

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}

Least Privilege Principle:
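The policy above is scoped to two S3 actions, one bucket and a source-IP condition. A practical way to enforce that discipline is to lint every policy document before it is attached. The following is an added example, not code from the original article: an offline linter that flags the usual least-privilege violations (Action or Resource wildcards, Allow with NotAction, sensitive actions without any Condition). The SENSITIVE_ACTION_PREFIXES list, the check set and the sample policies are this example's own assumptions, not an AWS API.

```python
# Added example, not from the original article: an offline least-privilege
# linter for IAM policy documents. The checks, the SENSITIVE_ACTION_PREFIXES
# list and the sample policies are assumptions of this example, not an AWS API.
import json

# Action families where a missing Condition (MFA, source IP, ...) deserves a look
SENSITIVE_ACTION_PREFIXES = ("iam:", "sts:AssumeRole", "kms:", "organizations:")


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement_index, finding) tuples for Allow statements broader than needed."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt:
            findings.append((idx, "Allow with NotAction grants every action not listed"))
        if "*" in actions:
            findings.append((idx, "Action '*' grants every API call"))
        service_wildcards = [a for a in actions if a != "*" and a.endswith(":*")]
        if service_wildcards:
            findings.append((idx, "service-wide wildcard action: " + ", ".join(service_wildcards)))
        if "*" in resources:
            findings.append((idx, "Resource '*' applies the grant to every resource"))

        sensitive = [a for a in actions if a == "*" or a.startswith(SENSITIVE_ACTION_PREFIXES)]
        if sensitive and not stmt.get("Condition"):
            findings.append((idx, "sensitive actions without any Condition: " + ", ".join(sensitive)))
    return findings


def lint_policy_json(text):
    """Convenience wrapper for a policy stored as a JSON string (e.g. file contents)."""
    return lint_policy(json.loads(text))


# The scoped policy from the article: two S3 actions, one bucket, source-IP condition
ARTICLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}

# Constructed counter-example with typical least-privilege violations
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:*"],
         "Resource": "arn:aws:iam::123456789012:role/app-role"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("article", ARTICLE_POLICY), ("broad", OVERLY_BROAD_POLICY)):
        print(name, lint_policy(policy) or "no findings")
```

Running it reports nothing for the article's policy and five findings for the broad one (three on the first statement, two on the second); the Deny statement is skipped because it can only remove access.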

Multi-Factor Authentication

# Enable a virtual MFA device for one IAM user (repeat for every user; account id, serial and codes are examples)
aws iam enable-mfa-device \
  --user-name john \
  --serial-number arn:aws:iam::123456789012:mfa/john \
  --authentication-code-1 123456 \
  --authentication-code-2 789012

Data Encryption

Encryption at Rest

AWS:

# S3 bucket encryption
aws s3api put-bucket-encryption \
  --bucket my-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"
      }
    }]
  }'

# EBS volume encryption (--availability-zone is required; the zone shown is an example)
aws ec2 create-volume \
  --encrypted \
  --kms-key-id alias/my-key \
  --size 100 \
  --availability-zone us-east-1a

Azure:

# Storage account hardening (storage service encryption at rest is always on
# and cannot be disabled, so harden transport and public access instead)
Set-AzStorageAccount -ResourceGroupName "MyRG" `
  -Name "mystorageaccount" `
  -EnableHttpsTrafficOnly $true `
  -MinimumTlsVersion TLS1_2 `
  -AllowBlobPublicAccess $false

Encryption in Transit

# Force HTTPS
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    # Certificate paths are placeholders; without them nginx refuses to start
    ssl_certificate     /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Tell browsers to use HTTPS only (HSTS)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}

Network Security

VPC Configuration

# AWS VPC with private/public subnets
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true
  
  tags = {
    Name = "production-vpc"
  }
}

# Private subnet (no public IPs at launch; route it through a NAT gateway, not an internet gateway)
resource "aws_subnet" "private" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = false
  
  tags = {
    Name = "private-subnet"
  }
}

# Security group: HTTPS in from anywhere, all traffic out
resource "aws_security_group" "web" {
  name        = "web-sg"
  description = "Allow HTTPS"
  vpc_id      = aws_vpc.main.id
  
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Web Application Firewall (WAF)

{
  "Name": "RateLimitRule",
  "Priority": 1,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 2000,
      "AggregateKeyType": "IP"
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "RateLimitRule"
  }
}

Logging & Monitoring

CloudTrail / Azure Monitor / GCP Cloud Audit Logs

# AWS CloudTrail analysis
import json
import boto3

cloudtrail = boto3.client('cloudtrail')

# Find bucket deletions (LookupEvents searches the last 90 days of
# management events in the client's region)
response = cloudtrail.lookup_events(
    LookupAttributes=[
        {
            'AttributeKey': 'EventName',
            'AttributeValue': 'DeleteBucket'
        }
    ],
    MaxResults=50
)

for event in response['Events']:
    # Username is absent for some identity types, so use .get()
    print(f"User: {event.get('Username')}")
    print(f"Time: {event['EventTime']}")
    # The source IP is inside the full record, which LookupEvents returns as a JSON string
    record = json.loads(event['CloudTrailEvent'])
    print(f"IP: {record.get('sourceIPAddress')}")
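Looking up one event name at a time is fine for an investigation; for monitoring you want rules applied to every record. The following is an added example, not code from the original article: a rule-based triage over CloudTrail records in the JSON shape a trail writes to its S3 bucket ({"Records": [...]}). It flags calls that tamper with the trail itself, destructive deletions, root console logins without MFA, and bursts of AccessDenied errors from one actor and IP. The rule sets, the threshold and every sample record are constructed for this example.

```python
# Added example, not from the original article: rule-based triage of CloudTrail
# records. Rules, thresholds and all sample records below are constructed.
import json
from collections import Counter

# Calls that blind or weaken the audit trail itself
AUDIT_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# Irreversible deletions worth an immediate look
DESTRUCTIVE = {"DeleteBucket", "DeleteDBInstance", "DeleteVpc"}
ACCESS_DENIED_THRESHOLD = 3  # per (actor, source IP) within one batch of records


def load_records(text):
    """Parse one CloudTrail log file: {"Records": [...]}."""
    return json.loads(text)["Records"]


def triage(records):
    """Return (rule, detail, actor, source_ip) alerts in record order, then burst alerts."""
    alerts = []
    denied = Counter()
    for rec in records:
        name = rec.get("eventName")
        ident = rec.get("userIdentity", {})
        actor = ident.get("arn") or ident.get("type")
        src = rec.get("sourceIPAddress")
        if name in AUDIT_TAMPERING:
            alerts.append(("cloudtrail_tampering", name, actor, src))
        elif name in DESTRUCTIVE:
            alerts.append(("destructive_action", name, actor, src))
        if (name == "ConsoleLogin" and ident.get("type") == "Root"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            alerts.append(("root_login_without_mfa", name, actor, src))
        if rec.get("errorCode") == "AccessDenied":
            denied[(actor, src)] += 1
    for (actor, src), count in denied.items():
        if count >= ACCESS_DENIED_THRESHOLD:
            alerts.append(("access_denied_burst", f"{count} AccessDenied errors", actor, src))
    return alerts


# Constructed sample trail file (account id and IPs are documentation values)
_ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
_BOB = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}
_MALLORY = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/mallory"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2025-01-10T08:00:01Z", "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": _ALICE, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2025-01-10T08:00:05Z", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": _MALLORY, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2025-01-10T08:00:09Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2025-01-10T08:01:00Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": _BOB, "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied"},
    {"eventTime": "2025-01-10T08:01:01Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": _BOB, "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied"},
    {"eventTime": "2025-01-10T08:01:02Z", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "userIdentity": _BOB, "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied"},
    {"eventTime": "2025-01-10T08:02:00Z", "eventName": "DeleteBucket", "eventSource": "s3.amazonaws.com",
     "userIdentity": _ALICE, "sourceIPAddress": "203.0.113.10"},
]})

if __name__ == "__main__":
    for alert in triage(load_records(SAMPLE_LOG)):
        print(alert)
```

On the sample file this yields four alerts: the StopLogging call, the root login without MFA, the bucket deletion, and the three AccessDenied errors from bob. In production the same function runs over the records delivered to the trail bucket (or an EventBridge-fed stream), with the threshold tuned to the window you batch over.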

Compliance & Governance

AWS Config Rules

# S3 bucket public access check
AWSConfigRule:
  Type: AWS::Config::ConfigRule
  Properties:
    ConfigRuleName: s3-bucket-public-read-prohibited
    Description: Checks that S3 buckets do not allow public read access
    Source:
      Owner: AWS
      SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED

Azure Policy

{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
          "notEquals": "Deny"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
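The policy above denies any storage account whose network ACL default action is not "Deny"; a "deny" effect takes no "details" block, which belongs to the auditIfNotExists/deployIfNotExists effects. To see how the rule language resolves, the following is an added example, not code from the original article: a minimal evaluator for policyRule documents that supports allOf, anyOf, not and the field conditions equals, notEquals, in and exists. Alias resolution is simplified (the property path after the resource type is walked under the resource's "properties"), and the sample resources are constructed; none of this is the Azure Policy engine itself.

```python
# Added example, not from the original article: a minimal evaluator for the
# Azure Policy 'policyRule' language. Alias handling is simplified and the
# sample resources are constructed; this is not the Azure Policy engine.


def _field_value(resource, field):
    """Resolve a policy 'field' reference against a resource document."""
    if field in ("type", "name", "location", "kind"):
        return resource.get(field)
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1])
    # Alias such as Microsoft.Storage/storageAccounts/networkAcls.defaultAction:
    # take the property path after the resource type and walk it (simplified)
    value = resource.get("properties", {})
    for part in field.split("/")[-1].split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value


def _same(a, b):
    """Azure Policy compares string values case-insensitively."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def evaluate(condition, resource):
    """Evaluate one condition node: a logical operator or a field comparison."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = _field_value(resource, condition["field"])
    if "equals" in condition:
        return _same(value, condition["equals"])
    if "notEquals" in condition:
        return not _same(value, condition["notEquals"])
    if "in" in condition:
        return any(_same(value, v) for v in condition["in"])
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")


def effect_for(policy_rule, resource):
    """Return the lower-cased effect ('deny', 'audit', ...) when the rule matches, else None."""
    if evaluate(policy_rule["if"], resource):
        return policy_rule["then"]["effect"].lower()
    return None


# The storage-account policy from the article
STORAGE_NETWORK_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", "notEquals": "Deny"},
    ]},
    "then": {"effect": "deny"},
}

# Constructed resource documents
LOCKED_DOWN_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "stlocked",
                       "properties": {"networkAcls": {"defaultAction": "Deny"}}}
OPEN_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "stopen",
                "properties": {"networkAcls": {"defaultAction": "Allow"}}}
UNSPECIFIED_ACCOUNT = {"type": "Microsoft.Storage/storageAccounts", "name": "stnew", "properties": {}}
VIRTUAL_MACHINE = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1", "properties": {}}

if __name__ == "__main__":
    for res in (LOCKED_DOWN_ACCOUNT, OPEN_ACCOUNT, UNSPECIFIED_ACCOUNT, VIRTUAL_MACHINE):
        print(res["name"], effect_for(STORAGE_NETWORK_RULE, res))
```

The locked-down account and the virtual machine are untouched, while the open account and the account that never set networkAcls are both denied, which is the behaviour you want from a preventive control: a missing setting is treated the same as a wrong one.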

Container Security

Docker Security

# Secure Dockerfile
FROM alpine:3.18

# Create an unprivileged user and the application directory while still root
RUN adduser -D appuser \
    && mkdir -p /app \
    && chmod -R 555 /app

# Application files are read-only for every user; pair this with
# `docker run --read-only` for a read-only root filesystem
WORKDIR /app

# Don't run as root
USER appuser

# Health check
HEALTHCHECK CMD wget --no-verbose --tries=1 --spider http://localhost:8080/health || exit 1

Kubernetes Security

# Pod Security Policy
# Note: the PodSecurityPolicy API (policy/v1beta1) was removed in Kubernetes 1.25.
# On newer clusters, enforce the equivalent "restricted" profile with Pod Security
# Admission by labelling the namespace: pod-security.kubernetes.io/enforce: restricted
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  readOnlyRootFilesystem: true
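Whether the cluster enforces these rules through a PodSecurityPolicy or Pod Security Admission, the same properties can be checked in CI before a manifest is applied. The following is an added example, not code from the original article: a checker that evaluates a Pod manifest (already parsed into a dict) against the requirements the policy above expresses, looking at both the pod-level and container-level securityContext. The check list and the two sample manifests are this example's own assumptions, not the Pod Security Admission controller.

```python
# Added example, not from the original article: checks a Pod manifest against
# the requirements of the PodSecurityPolicy above (no privileged containers,
# no privilege escalation, drop ALL capabilities, non-root, read-only root
# filesystem, no host namespaces). Check list and sample manifests are assumptions.


def check_pod(pod):
    """Return human-readable findings; an empty list means the pod satisfies every check."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            findings.append(f"spec.{key} is true")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        # Unset defaults to true, so the field must be present and false
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in [d.upper() for d in caps.get("drop", [])]:
            findings.append(f"{name}: capabilities.drop must include ALL")
        extra = [a for a in caps.get("add", []) if a.upper() != "NET_BIND_SERVICE"]
        if extra:
            findings.append(f"{name}: added capabilities {extra}")
        # Container settings override pod-level settings
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_user == 0:
            findings.append(f"{name}: runAsUser 0 (root)")
        elif not run_as_non_root and run_as_user is None:
            findings.append(f"{name}: set runAsNonRoot: true or a non-zero runAsUser")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: readOnlyRootFilesystem must be true")
    return findings


# Constructed manifest that satisfies the policy
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web", "image": "example/web:1.0",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
                "readOnlyRootFilesystem": True,
            },
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        }],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

# Constructed manifest with a privileged debug container on the host network
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "debug", "image": "example/debug:latest",
                        "securityContext": {"privileged": True}}],
    },
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "ok")
```

The good manifest passes because the non-root requirement is satisfied at pod level and the rest at container level; an emptyDir volume is mounted at /tmp so the application still has a writable scratch directory under a read-only root filesystem. The debug pod produces six findings.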

Security Checklist

Identity:

Data:

Network:

Monitoring:

Compliance:


Cloud security consulting: iletisim@cesayazilim.com ☁️🔒