Cloud Security Best Practices 2025
As cloud adoption accelerates, security becomes critically important. A comprehensive security guide for AWS, Azure and GCP.
Cloud Security Challenges
Top 5 Risks:
- Misconfiguration (cause of 65% of data breaches)
- Insufficient IAM
- Insecure APIs
- Data breaches
- Shared responsibility misunderstanding
Shared Responsibility Model
```text
┌─────────────────────────────────┐
│ Customer Responsibility         │
│ - Data                          │
│ - Applications                  │
│ - Identity & Access             │
│ - OS, Network, Firewall         │
├─────────────────────────────────┤
│ Cloud Provider Responsibility   │
│ - Physical security             │
│ - Infrastructure                │
│ - Network infrastructure        │
│ - Hypervisor                    │
└─────────────────────────────────┘
```
Identity & Access Management (IAM)
AWS IAM Best Practices
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```
Least Privilege Principle:
- Grant minimum permissions
- Use groups, not individual users
- Regular access reviews
- Temporary credentials (STS)
Multi-Factor Authentication
```bash
# Register a virtual MFA device for a user; repeat for every user
# (the two consecutive codes come from the user's authenticator app)
aws iam enable-mfa-device \
  --user-name john \
  --serial-number arn:aws:iam::123456789012:mfa/john \
  --authentication-code-1 123456 \
  --authentication-code-2 789012
```
Data Encryption
Encryption at Rest
AWS:
```bash
# S3 bucket encryption (SSE-S3; since January 2023 S3 applies this by default,
# setting it explicitly keeps the configuration visible and auditable)
aws s3api put-bucket-encryption \
  --bucket my-bucket \
  --server-side-encryption-configuration '{
    "Rules": [{
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"
      }
    }]
  }'

# EBS volume encryption with a customer-managed KMS key
# (--availability-zone is required by create-volume)
aws ec2 create-volume \
  --availability-zone us-east-1a \
  --encrypted \
  --kms-key-id alias/my-key \
  --size 100
```
Azure:
```powershell
# Storage account: require HTTPS and TLS 1.2, keep Microsoft-managed encryption keys.
# Azure Storage always encrypts data at rest; -StorageEncryption sets the key source
# to Microsoft.Storage (Az module; the old -EnableBlobEncryption switch no longer exists)
Set-AzStorageAccount -ResourceGroupName "MyRG" `
    -Name "mystorageaccount" `
    -EnableHttpsTrafficOnly $true `
    -MinimumTlsVersion TLS1_2 `
    -StorageEncryption
```
Encryption in Transit
```nginx
# Force HTTPS: redirect every plain-HTTP request
server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    # Certificate paths are placeholders; nginx will not start an ssl listener without them
    ssl_certificate     /etc/ssl/certs/example.crt;
    ssl_certificate_key /etc/ssl/private/example.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
```
Network Security
VPC Configuration
```hcl
# AWS VPC with private/public subnets
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = {
    Name = "production-vpc"
  }
}

# Private subnet (no public IPs are assigned on launch by default)
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "us-east-1a"

  tags = {
    Name = "private-subnet"
  }
}

# Security group: only HTTPS in from the internet, unrestricted egress
resource "aws_security_group" "web" {
  name        = "web-sg"
  description = "Allow HTTP/HTTPS"
  vpc_id      = aws_vpc.main.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```
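The security group above is restrictive because its only world-open ingress is TCP 443. The check below is an added example (not part of the original page) of the review a practitioner would automate over exported security-group rules: it treats any `0.0.0.0/0` or `::/0` source as "the internet", allows only the web ports through from there, and flags everything else, including the `protocol = "-1"` (all traffic) case. Rules are represented as dicts with the same keys as the Terraform ingress block; the sample rules and the allowed-port set are constructed for this example.

```python
import ipaddress

# Ports this check accepts from the whole internet (assumption for this example: web traffic only)
ALLOWED_PUBLIC_PORTS = {80, 443}


def _is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0: a prefix length of zero matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_ingress(rules, allowed_public_ports=ALLOWED_PUBLIC_PORTS):
    """Return one finding string per ingress rule that exposes non-web ports to the internet.

    Each rule is a dict with the keys of a Terraform aws_security_group ingress block.
    """
    findings = []
    for rule in rules:
        cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
        if not any(_is_world_open(c) for c in cidrs):
            continue  # reachable only from the listed networks; not a world-open rule
        protocol = rule.get("protocol", "tcp")
        if protocol == "-1":
            findings.append("all protocols and ports open to the world")
            continue
        lo, hi = int(rule["from_port"]), int(rule["to_port"])
        exposed = [p for p in range(lo, hi + 1) if p not in allowed_public_ports]
        if exposed:
            findings.append(f"{protocol}/{lo}-{hi} open to the world ({len(exposed)} non-web port(s))")
    return findings


# Constructed rules: the first mirrors the web-sg ingress block above, the rest are common mistakes
SAMPLE_RULES = [
    {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
    {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
    {"from_port": 3389, "to_port": 3389, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
    {"from_port": 0, "to_port": 0, "protocol": "-1", "ipv6_cidr_blocks": ["::/0"]},
]

if __name__ == "__main__":
    for finding in check_ingress(SAMPLE_RULES):
        print("FINDING:", finding)
```

The RDP rule is not flagged because it is limited to the private 10.0.0.0/8 range; the SSH rule and the IPv6 allow-all rule are. The same logic applies to the `IpPermissions` returned by `aws ec2 describe-security-groups` once the key names are mapped.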
Web Application Firewall (WAF)
AWS WAFv2 rate-based rule: blocks any source IP that exceeds 2000 requests within the evaluation window (5 minutes by default). `VisibilityConfig` is required for every rule so the rule reports metrics and sampled requests to CloudWatch.
```json
{
  "Name": "RateLimitRule",
  "Priority": 1,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 2000,
      "AggregateKeyType": "IP"
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "RateLimitRule"
  }
}
```
Logging & Monitoring
CloudTrail / Azure Monitor / GCP Cloud Audit
```python
# AWS CloudTrail analysis
import json
import boto3

cloudtrail = boto3.client('cloudtrail')

# Find suspicious activities: who deleted buckets, when, and from where
response = cloudtrail.lookup_events(
    LookupAttributes=[
        {
            'AttributeKey': 'EventName',
            'AttributeValue': 'DeleteBucket'
        }
    ],
    MaxResults=50
)

for event in response['Events']:
    # The source IP is not a top-level field of a lookup result; it lives inside
    # the raw CloudTrail record, which is returned as a JSON string
    record = json.loads(event['CloudTrailEvent'])
    print(f"User: {event.get('Username')}")
    print(f"Time: {event['EventTime']}")
    print(f"IP: {record.get('sourceIPAddress')}")
```
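Querying the API for one event name at a time is fine for ad-hoc investigation, but the "suspicious activities" a SIEM rule should catch are a small set of patterns across all records. The following is an added example (not from the original page) of that detection logic run offline over constructed CloudTrail records in JSON-lines form, using the field names real CloudTrail records carry (`eventName`, `userIdentity`, `sourceIPAddress`, `additionalEventData.MFAUsed`): it flags destructive or logging-tampering API calls, calls from outside the trusted network range (the 203.0.113.0/24 used in the IAM policy above), console logins without MFA, and any use of the root account. The event list and sample log are assumptions for this example.

```python
import ipaddress
import json

# Hypothetical mapping of API calls worth alerting on to a human-readable reason
SENSITIVE_EVENTS = {
    "DeleteBucket": "bucket deleted",
    "StopLogging": "CloudTrail logging stopped",
    "DeleteTrail": "CloudTrail trail deleted",
    "PutBucketPolicy": "bucket policy changed",
    "CreateAccessKey": "new long-lived access key created",
}


def _on_trusted_network(ip, trusted):
    """True when the IP falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # e.g. "AWS Internal" or a service DNS name: treat as untrusted
    return any(addr in net for net in trusted)


def analyze_events(records, trusted_cidrs):
    """Return a finding dict for every CloudTrail record (dict) that matches a detection rule."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rec in records:
        reasons = []
        name = rec.get("eventName")
        ident = rec.get("userIdentity", {})
        ip = rec.get("sourceIPAddress", "")
        if ident.get("type") == "Root":
            reasons.append("root account used")
        if name in SENSITIVE_EVENTS:
            reasons.append(SENSITIVE_EVENTS[name])
            if not _on_trusted_network(ip, trusted):
                reasons.append("from outside trusted networks")
        if name == "ConsoleLogin":
            mfa = rec.get("additionalEventData", {}).get("MFAUsed")
            success = rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            if success and mfa != "Yes":
                reasons.append("console login without MFA")
        if reasons:
            findings.append({
                "event": name,
                "user": ident.get("userName") or ident.get("type"),
                "ip": ip,
                "time": rec.get("eventTime"),
                "reasons": reasons,
            })
    return findings


def analyze_jsonl(text, trusted_cidrs):
    """Parse one JSON record per line (as exported from a trail or a SIEM) and analyse them."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return analyze_events(records, trusted_cidrs)


TRUSTED_NETWORKS = ["203.0.113.0/24"]

# Constructed sample records (not real log data)
SAMPLE_LOG = """
{"eventTime": "2025-01-15T08:01:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventTime": "2025-01-15T08:14:00Z", "eventName": "DeleteBucket", "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "198.51.100.7", "requestParameters": {"bucketName": "my-bucket"}}
{"eventTime": "2025-01-15T08:20:00Z", "eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "carol"}, "sourceIPAddress": "203.0.113.10", "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}}
{"eventTime": "2025-01-15T08:31:00Z", "eventName": "StopLogging", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}, "sourceIPAddress": "198.51.100.7"}
{"eventTime": "2025-01-15T08:40:00Z", "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.5"}
"""

if __name__ == "__main__":
    for f in analyze_jsonl(SAMPLE_LOG, TRUSTED_NETWORKS):
        print(f"{f['time']} {f['event']:<14} {f['user']:<6} {f['ip']:<14} {'; '.join(f['reasons'])}")
```

Three of the five records produce findings; the MFA-backed login and the read-only `DescribeInstances` call do not. The same function can be fed the `CloudTrailEvent` strings returned by `lookup_events` above, since each one is a record in this format.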
Compliance & Governance
AWS Config Rules
```yaml
# S3 bucket public access check (CloudFormation resource using an AWS managed rule)
Resources:
  AWSConfigRule:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: s3-bucket-public-read-prohibited
      Description: Checks that S3 buckets do not allow public read access
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
```
Azure Policy
Denies the creation or update of any storage account whose network rule set does not default to `Deny`. With the `deny` effect the condition must be expressed in the `if` block; the `details`/`existenceCondition` form belongs to the `auditIfNotExists` and `deployIfNotExists` effects.
```json
{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
          "notEquals": "Deny"
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```
Container Security
Docker Security
```dockerfile
# Secure Dockerfile
FROM alpine:3.18

# Don't run as root: create an unprivileged user for the application
RUN adduser -D appuser

# Application files (placeholder path); copied as root so the running user cannot modify them
WORKDIR /app
COPY app/ /app/
RUN chmod -R 555 /app

USER appuser

# A read-only root filesystem is enforced at runtime: docker run --read-only ...
# Health check (wget is provided by BusyBox in the alpine base image)
HEALTHCHECK CMD wget --no-verbose --tries=1 --spider http://localhost:8080/health || exit 1

# Placeholder entrypoint for the application binary
CMD ["/app/server"]
```
Kubernetes Security
```yaml
# Pod Security Policy
# Note: PodSecurityPolicy was removed in Kubernetes 1.25. On current clusters the same
# rules are enforced with Pod Security Admission (the "restricted" Pod Security Standard)
# plus the equivalent securityContext settings on each container.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  readOnlyRootFilesystem: true
```
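Whether the rules come from a PodSecurityPolicy or from Pod Security Admission, what they ultimately constrain is the `securityContext` of each container. The checker below is an added example (not part of the original page) that evaluates a Pod manifest against the five rules in the policy above: no privileged containers, `allowPrivilegeEscalation` explicitly false, all capabilities dropped, a non-root user (set either as `runAsNonRoot: true` or a non-zero `runAsUser`, at pod or container level, container level winning), and a read-only root filesystem. Manifests are passed as dicts (what `yaml.safe_load` returns) so it runs without extra dependencies; the sample pods are constructed for this example.

```python
def check_pod(pod):
    """Return a list of violations of the restricted rules for a Pod manifest given as a dict."""
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    violations = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext", {})
        if ctx.get("privileged"):
            violations.append(f"{name}: privileged container")
        # Kubernetes defaults allowPrivilegeEscalation to true, so it must be set to false explicitly
        if ctx.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation is not false")
        if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
            violations.append(f"{name}: capabilities.drop does not include ALL")
        # Container-level settings override pod-level ones
        non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
        uid = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        if uid == 0 or (non_root is not True and uid is None):
            violations.append(f"{name}: may run as root (MustRunAsNonRoot)")
        if ctx.get("readOnlyRootFilesystem") is not True:
            violations.append(f"{name}: root filesystem is writable")
    return violations


# Constructed sample manifests: a default pod and the same pod hardened to the rules above
DEFAULT_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "app", "image": "nginx:1.27"}]},
}
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "app", "image": "nginx:1.27",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in [("default", DEFAULT_POD), ("hardened", HARDENED_POD)]:
        print(label, check_pod(pod) or "compliant")
```

A pod with no `securityContext` at all fails four of the five rules (it is not privileged, but everything else is at the permissive default), which is why the restricted profile has to be applied deliberately rather than assumed. Wire the check into CI on the rendered manifests before they reach the cluster, where the admission controller is the last line of defence rather than the first.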
Security Checklist
✅ Identity:
- [ ] MFA enabled for all users
- [ ] Least privilege IAM policies
- [ ] Service accounts with limited scope
- [ ] Regular access reviews
✅ Data:
- [ ] Encryption at rest
- [ ] Encryption in transit
- [ ] Data classification
- [ ] Backup and recovery
✅ Network:
- [ ] VPC/VNet properly configured
- [ ] Security groups restrictive
- [ ] WAF enabled
- [ ] DDoS protection
✅ Monitoring:
- [ ] CloudTrail/Audit logs enabled
- [ ] SIEM integration
- [ ] Alerting configured
- [ ] Regular log reviews
✅ Compliance:
- [ ] Config/Policy rules
- [ ] Automated compliance checks
- [ ] Regular audits
- [ ] Documentation
Cloud security consulting: iletisim@cesayazilim.com ☁️🔒