Further Reading: Cloud Security
Curated, annotated resources to deepen this chapter. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order; you do not need to read everything before Chapter 16.
Suggested order
- Read your primary provider's shared-responsibility model page (AWS, Azure, or GCP — whichever you use) to nail down §15.1–15.2 in your own environment's terms.
- Skim the CIS Benchmark for that provider to see, concretely, what "secure configuration" means as a checklist — this is what a CSPM tool evaluates against.
- Read the relevant provider's Well-Architected security pillar for the design principles behind the checklist.
- Keep NIST SP 800-144 and 800-210 nearby as the vendor-neutral, authoritative framing for governance and access-control discussions (especially for GRC and cert readers).
Standards & primary documents (Tier 1)
- AWS, Shared Responsibility Model (docs.aws.amazon.com). 🏗️📋📜 The canonical "security of vs. in the cloud" framing this chapter is built on; the single most important page to read for §15.2. Azure and GCP publish near-identical models — read the one for your provider.
- CIS, AWS / Azure / GCP Foundations Benchmarks (Center for Internet Security). 🏗️📋 The industry-standard, prescriptive secure-configuration baselines; this is what CSPM tools score you against. Read the identity, logging, and storage sections first — they cover this chapter's top misconfigurations.
- AWS, Well-Architected Framework — Security Pillar (and Azure's & GCP's equivalents). 🏗️📜 The design principles behind the checklist: identity foundation, traceability, least privilege, protecting data. Best read after the benchmark so the rules have a rationale.
- NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing. 📋📜 The vendor-neutral authority on cloud security governance and the shared-responsibility division of duties; ideal for GRC and for grounding the chapter's concepts outside any one provider's marketing.
- NIST SP 800-210, General Access Control Guidance for Cloud Systems. 🏗️📋 The standards-body treatment of access control in the cloud — directly reinforces §15.3 (cloud IAM and least privilege) in a provider-neutral way.
- NIST SP 800-53, Security and Privacy Controls (the control catalog). 📋📜 The master control set many cloud baselines map back to; use it to connect a cloud finding to a named control for audit and crosswalk purposes (full treatment in Chapter 28).
- CISA, cloud security guidance and Secure Cloud Business Applications (SCuBA) project. 🛡️📋 Government guidance on securing cloud and SaaS configurations (notably M365); a concrete, defender-oriented complement to the provider docs.
Books (Tier 1)
- A reputable current cloud-security text (for example, Cloud Security and Privacy, O'Reilly). 🏗️📋 A vendor-broad treatment of the concepts this chapter introduces — shared responsibility, cloud IAM, data protection, and governance — at more length than a single chapter allows. Cloud books date quickly; favor a recent edition and verify it against current provider documentation for any specific feature.
- Chapple, M., & Seidl, D., CompTIA Security+ Study Guide; Chapple, M., Stewart, J. M., & Gibson, D., (ISC)² CISSP Official Study Guide. 📜 Both cover cloud concepts (shared responsibility, IaaS/PaaS/SaaS, cloud IAM) at exam depth; read their cloud sections alongside this chapter if you are certifying. The CISSP guide situates cloud within Security Architecture & Engineering and Security Operations.
- A provider-specific certification guide (AWS Certified Security – Specialty, Azure Security Engineer AZ-500, or Google Professional Cloud Security Engineer official study guides). 🏗️📜 If you work primarily in one cloud, the matching certification guide is the most efficient way to learn that provider's concrete controls — its IAM model, its logging services, its guardrail mechanisms — in depth. Pick the one for your primary provider.
- Anderson, R., Security Engineering (3rd ed.), the chapters on access control and distributed systems. 🏗️ Not cloud-specific, but the access-control and trust foundations underneath cloud IAM are treated with unusual depth and honesty; returns value throughout your career.
Free online & references (Tier 1 / Tier 2)
- MITRE ATT&CK for Cloud (attack.mitre.org). 🛡️ The cloud matrices map adversary techniques against cloud (IaaS, SaaS, identity) to the telemetry that detects them — read alongside §15.6 to turn CloudTrail events into named techniques (master ATT&CK itself in Chapter 22).
- OWASP Cloud-Native / Serverless resources (owasp.org). 🏗️ Application-security guidance for cloud-native and serverless workloads; bridges this chapter's infrastructure focus to the appsec work of Chapters 12–13.
- Provider security blogs and "well-architected" labs (AWS, Azure, GCP). 🏗️🛡️ Vendor security teams publish detailed, current guidance and hands-on labs; use them for the specific how-to of guardrails (Block Public Access, service control policies, IMDSv2) referenced in §15.4–15.5. (Tier 2 for any specific figure or feature detail — verify against current docs, as cloud features change.)
- Reports on public-bucket exposure incidents (industry/press retrospectives). 📋🛡️ Well-sourced write-ups of real public-storage breaches illustrate, with sobering regularity, the exact pattern of Case Study 2. (Tier 2: read for the pattern; specifics vary by account — do not cite a precise figure without the primary source.)
Tools to explore (in your own lab / authorized accounts only)
- A native CSPM dashboard — AWS Security Hub, Microsoft Defender for Cloud (Azure), or GCP Security Command Center. 🏗️📋 Connect it (read-only) to a lab account and read the first findings against the CIS Benchmark; this is §15.5 made tangible. Practice prioritizing, not just scanning.
- An open-source cloud auditing tool (e.g., Prowler or ScoutSuite-style scanners). 🏗️🛡️ Run a read-only posture scan of your own authorized account to see public buckets, wildcard policies, and open security groups surfaced exactly as in Case Study 1. (Authorized accounts only — see the ethics note below.)
- The provider's IAM access analyzer and policy simulator (on AWS, IAM Access Analyzer and the IAM policy simulator). 🏗️ Use the analyzer's last-accessed data, or its policy generation from CloudTrail activity, to right-size an over-broad policy down to the permissions actually used; then use the simulator to confirm the tightened policy still allows the actions the workload needs. This is the §15.3 remediation technique, hands-on.
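To make the tool items above concrete, here is an added example (not code from the page, from Prowler, or from any provider) of the three checks a CSPM or Prowler-style scan surfaces in Case Study 1, plus the right-sizing step from §15.3, run offline over constructed sample documents. The IAM policy, bucket policy, security group and set of "used actions" are all assumptions made up for this example, shaped like the JSON the AWS APIs return; the `example-lab-logs` bucket and `sg-0123456789abcdef0` group do not exist.

```python
"""Offline posture checks of the kind a CSPM / Prowler-style scanner runs.
Added example; sample inputs are constructed, not from any real account."""
import fnmatch
import ipaddress
import json
from typing import Any

# --- Constructed sample inputs (assumptions for this example) ---------------

# IAM policy with the classic over-broad "*:*" grant (CIS: no full-admin policies).
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-lab-logs"},
    ],
}

# S3 bucket policy granting read to anyone: the Case Study 2 public-bucket pattern.
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-lab-logs/*"},
    ],
}

# Security group with SSH open to the world; the HTTPS rule is a non-finding.
SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
}

# Actions the role actually exercised, as Access Analyzer derives from CloudTrail.
USED_ACTIONS = {"s3:GetObject", "s3:ListBucket", "kms:Decrypt"}

ADMIN_PORTS = {22, 3389}  # CIS-style "no 0.0.0.0/0 ingress to admin ports"


def _as_list(value: Any) -> list:
    """IAM JSON allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def find_wildcard_statements(policy: dict) -> list[int]:
    """Indexes of Allow statements that grant every action on every resource."""
    hits = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if (stmt.get("Effect") == "Allow"
                and "*" in _as_list(stmt.get("Action"))
                and "*" in _as_list(stmt.get("Resource"))):
            hits.append(i)
    return hits


def is_public_bucket_policy(policy: dict) -> bool:
    """True if any unconditional Allow names the anonymous principal."""
    return any(stmt.get("Effect") == "Allow"
               and _is_anonymous_principal(stmt.get("Principal"))
               and not stmt.get("Condition")
               for stmt in policy.get("Statement", []))


def open_admin_ingress(sg: dict) -> list[tuple[int, str]]:
    """(port, cidr) pairs where an admin port is reachable from any address."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        if rule.get("IpProtocol") not in ("tcp", "-1"):  # "-1" = all traffic
            continue
        low, high = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                continue  # /0 (0.0.0.0/0 or ::/0) is the only world-open case
            findings.extend((p, cidr) for p in sorted(ADMIN_PORTS) if low <= p <= high)
    return findings


def right_size_policy(policy: dict, used_actions: set[str]) -> dict:
    """Rewrite each Allow to list only the used actions it already permitted
    (the last-accessed / policy-generation remediation). Resources are kept
    as-is; scoping "*" resources down is a separate, manual step."""
    statements = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action"))
        keep = sorted(a for a in used_actions
                      if any(fnmatch.fnmatchcase(a, p) for p in patterns))
        if keep:
            statements.append({"Effect": "Allow", "Action": keep,
                               "Resource": _as_list(stmt.get("Resource"))})
    return {"Version": policy.get("Version", "2012-10-17"), "Statement": statements}


def scan() -> dict:
    """Run all checks over the sample inputs and return a findings summary."""
    return {
        "wildcard_iam_statements": find_wildcard_statements(OVERBROAD_POLICY),
        "public_bucket": is_public_bucket_policy(PUBLIC_BUCKET_POLICY),
        "open_admin_ingress": open_admin_ingress(SECURITY_GROUP),
        "right_sized_policy": right_size_policy(OVERBROAD_POLICY, USED_ACTIONS),
    }


if __name__ == "__main__":
    print(json.dumps(scan(), indent=2))
```

The checks are deliberately the same shape a benchmark item takes: one predicate over one resource document, so a finding can be traced back to a named rule. Note what `right_size_policy` does not do: it narrows the action list but leaves `"Resource": "*"` in place, which is exactly why the access analyzer's output should be reviewed rather than applied blindly. Replace the constructed dictionaries with real `get_policy_version`, `get_bucket_policy` and `describe_security_groups` output from an account you are authorized to assess, and nothing else changes.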
By learning path — where to start
- 🏗️ Security Engineer: the CIS Benchmark for your provider → the Well-Architected security pillar → hands-on with a CSPM dashboard and the IAM access analyzer. Then the provider-specific certification guide for depth on your cloud's concrete controls.
- 🛡️ SOC Analyst: MITRE ATT&CK for Cloud → your provider's logging documentation (CloudTrail / Activity Log / Cloud Audit Logs) → CISA's SCuBA guidance for SaaS detection. Focus on turning events into detections.
- 📋 GRC: NIST SP 800-144 → SP 800-210 → SP 800-53 mappings, plus your provider's shared-responsibility page. You are building the control-ownership map and the evidence story for audits.
- 📜 Certification Prep: the cloud sections of the Security+ / CISSP study guides → a provider-specific cert guide if you specialize. The key-takeaways.md crosswalk shows which exam domains each concept maps to.
⚖️ Authorization & Ethics reminder: Cloud auditing tools enumerate resources and permissions and can be turned outward to probe accounts you do not own. Run them only against cloud accounts you own or are explicitly authorized to assess. Enumerating someone else's buckets or account, even read-only, can be unlawful access. Keep every scan inside your own lab or under written authorization (Chapter 39).