Cloud security encompasses a comprehensive set of practices, tools, and services designed to protect data, applications, and infrastructure deployed in AWS and Azure environments. Understanding that security in the cloud operates under a shared responsibility model—where cloud providers secure the infrastructure while customers secure their data and applications—is fundamental to building a robust defense. Both AWS and Azure provide extensive native security services spanning identity management, encryption, network controls, threat detection, and compliance frameworks. The most critical insight: cloud security is not a one-time configuration but a continuous process of monitoring, detection, remediation, and policy enforcement that must evolve with emerging threats and workload changes.
What This Cheat Sheet Covers
This topic spans 11 focused tables and 113 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Identity and Access Management
| Service | Example | Description |
|---|---|---|
| IAM roles | `aws iam create-role --role-name MyRole --assume-role-policy-document file://trust.json` | • Temporary credentials for AWS services or federated users • eliminates long-term access keys and enables cross-account access with defined trust policies |
| Azure RBAC | `az role assignment create --assignee user@domain.com --role "Reader" --scope /subscriptions/{id}` | Fine-grained role-based permissions assigned at subscription, resource group, or resource level using built-in or custom role definitions |
| IAM policies | `{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*"}` | • JSON documents defining what actions are allowed or denied on which resources • supports identity-based, resource-based, and service control policy types |
| Microsoft Entra ID | `az ad user create --display-name "John Doe" --user-principal-name john` | • Cloud-based identity and access management service (formerly Azure AD) with conditional access, MFA, and SSO • January–March 2026 updates added synced passkeys and risky user reports |
| Least privilege | Grant `s3:GetObject` only instead of `s3:*` | • Security practice of granting only the minimum permissions necessary to perform a task • reduces the blast radius of compromised credentials |
| Service control policies (SCPs) | `{"Effect": "Deny", "Action": "*", "Resource": "*", "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}}` | • Account-level permission guardrails that set maximum boundaries across all users and roles in member accounts • now support the full IAM policy language |
| Permissions boundaries | `aws iam put-user-permissions-boundary --user-name DevUser --permissions-boundary arn:...` | Maximum permissions cap that limits what identity-based policies can grant, used for delegating IAM administration safely |
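The rows above (identity policies, SCPs, permissions boundaries and least privilege) only make sense together once you see how AWS combines the layers. The following is an added example, not code from the cheat sheet: a small, offline simulation of the evaluation order (explicit Deny anywhere wins; otherwise every layer present must Allow), run against policies modelled on the snippets in the table. It assumes the simplified rule set described in the comments and models only the `StringEquals`/`StringNotEquals` condition operators.

```python
import fnmatch

# Constructed sample policies, modelled on the table's own snippets.
IDENTITY_POLICY = [{"Effect": "Allow", "Action": "s3:*",
                    "Resource": "arn:aws:s3:::bucket/*"}]
PERMISSIONS_BOUNDARY = [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]
SCP = [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},  # default FullAWSAccess
    {"Effect": "Deny", "Action": "*", "Resource": "*",     # region guardrail from the table
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}},
]

def _matches(pattern, value):
    # IAM action/resource patterns use * and ? wildcards, matched case-sensitively here
    return fnmatch.fnmatchcase(value, pattern)

def _condition_holds(cond, ctx):
    # Only StringEquals / StringNotEquals are modelled. A missing context key makes
    # StringNotEquals true, which mirrors how a negated IAM condition behaves.
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator: {op}")
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "StringEquals" and have != want:
                return False
            if op == "StringNotEquals" and have == want:
                return False
    return True

def _effects(policy, action, resource, ctx):
    """Return the set of Effects ('Allow'/'Deny') of statements matching the request."""
    hits = set()
    for st in policy:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if (any(_matches(a, action) for a in actions)
                and any(_matches(r, resource) for r in resources)
                and _condition_holds(st.get("Condition", {}), ctx)):
            hits.add(st["Effect"])
    return hits

def evaluate(action, resource, ctx, identity, scp=None, boundary=None):
    """Simplified AWS order: explicit Deny in any layer wins; otherwise the identity
    policy AND each guardrail present (SCP, permissions boundary) must Allow."""
    layers = [identity] + [p for p in (scp, boundary) if p is not None]
    effects = [_effects(p, action, resource, ctx) for p in layers]
    if any("Deny" in e for e in effects):
        return "DENY"
    return "ALLOW" if all("Allow" in e for e in effects) else "DENY"  # implicit deny
```

Running `evaluate` for `s3:PutObject` with the boundary attached shows the cap in action: the identity policy's `s3:*` allows it, but the boundary never does, so the result is an implicit deny.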