Cloud security is the set of practices, tools, and services that protect data, applications, and infrastructure deployed in AWS and Azure. It operates under a shared responsibility model: the provider secures the physical hosts, hypervisors, and managed-service internals, while the customer secures what they deploy on top. Where the line falls shifts with the service model (a VM leaves guest patching to you, a managed database does not), but identity configuration, data classification, and the policies that decide who may reach what are always on the customer side. Both AWS and Azure ship extensive native security services spanning identity management, encryption, network controls, threat detection, and compliance frameworks. The most important point: cloud security is not a one-time configuration but a continuous loop of monitoring, detection, remediation, and policy enforcement that must keep pace with new threats and changing workloads.
What This Cheat Sheet Covers
This topic spans 11 focused tables and 113 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.
Table 1: Identity and Access Management
Identity is the new perimeter in the cloud — most breaches trace back to over-permissioned or stolen credentials rather than network exploits. These controls cover both sides of the house: AWS IAM roles, policies, SCPs, and permission boundaries alongside their Azure equivalents in Entra ID, RBAC, and management groups. The thread tying them together is least privilege paired with short-lived credentials — grant the minimum each identity needs, prefer temporary roles over long-lived keys, and lean on tools like Access Analyzer to claw back access nobody actually uses.
| Service | Example | Description |
|---|---|---|
| IAM roles | `aws iam create-role --role-name MyRole --assume-role-policy-document file://trust.json` | Identities that are assumed for temporary STS credentials by AWS services or federated users; removes the need for long-term access keys and enables cross-account access governed by the role's trust policy |
| Azure RBAC | `az role assignment create --assignee user@domain.com --role "Reader" --scope /subscriptions/{id}` | Fine-grained role-based permissions assigned at subscription, resource group, or resource scope using built-in or custom role definitions; assignments inherit down the scope hierarchy |
| IAM policies | `{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*"}` | JSON documents stating which actions are allowed or denied on which resources, optionally under conditions; the same language is used for identity-based, resource-based, and service control policies |
| Microsoft Entra ID | `az ad user create --display-name "John Doe" --user-principal-name john` | Cloud identity and access management service (formerly Azure AD) providing conditional access, MFA, and SSO; January–March 2026 updates added synced passkeys and risky user reports |
| Least privilege | Grant `s3:GetObject` only instead of `s3:*` | Grant only the permissions a task needs, scoped to the resources it needs; limits the blast radius of a compromised credential and makes unused access easier to spot and revoke |
| Service control policies (SCPs) | `{"Effect": "Deny", "Action": "*", "Resource": "*", "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}}` | AWS Organizations guardrails that cap what any principal in a member account can do, including that account's root user; they grant nothing by themselves and now support the full IAM policy language. A production version of this region guardrail adds `NotAction` exclusions for global services such as IAM and STS |
| Permissions boundaries | `aws iam put-user-permissions-boundary --user-name DevUser --permissions-boundary arn:...` | A managed policy that caps the maximum permissions an identity-based policy can grant to a user or role; effective permissions are the intersection of the two, which makes it safe to delegate IAM administration |
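How the three AWS layers in this table combine, as an added example that is not part of the cheat sheet: a small Python model of IAM's evaluation order (an explicit Deny anywhere wins; otherwise the SCPs, the permissions boundary and the identity policy must each contain an Allow), run against the page's own `s3:GetObject` grant and region-restricting SCP. It is a deliberately simplified model, not the AWS evaluator: only `Action`/`Resource` wildcards and `StringEquals`/`StringNotEquals` conditions are handled, and `NotAction`, `NotResource`, resource-based policies, policy variables and nested OU levels are left out. The `FULL_ACCESS`, `S3_FULL` and `READ_ONLY_BOUNDARY` documents and the request contexts are constructed for the example.

```python
"""Simplified AWS-style policy evaluation: identity policy, SCP and permissions boundary.

Constructed example for this cheat sheet, not AWS code. It models the documented
order (explicit Deny wins; then SCP, permissions boundary and identity policy must
all Allow) for Action/Resource wildcards and StringEquals/StringNotEquals only.
"""
import fnmatch

# Constructed: the default SCP every organization starts with.
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# From the table above: the S3 read grant and the region guardrail SCP.
S3_READ = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                          "Resource": "arn:aws:s3:::bucket/*"}]}
REGION_GUARDRAIL = {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                                   "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}}]}
# Constructed: an over-broad identity policy and a boundary that caps it to reads.
S3_FULL = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                          "Resource": "arn:aws:s3:::bucket/*"}]}
READ_ONLY_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _match(pattern, value):
    # IAM wildcards: '*' any run of characters, '?' one character; action names are case-insensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_met(cond, ctx):
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals":
                if actual is None or actual not in _as_list(wanted):
                    return False
            elif op == "StringNotEquals":
                # Negated operators are satisfied when the key is absent from the request.
                if actual is not None and actual in _as_list(wanted):
                    return False
            else:
                raise ValueError(f"operator not modelled: {op}")
    return True


def policy_effect(policy, action, resource, ctx):
    """Effect of one policy document on one request: 'Deny', 'Allow' or None (silent)."""
    effect = None
    for stmt in _as_list(policy["Statement"]):
        if not any(_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_met(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny cannot be overridden by any Allow
        effect = "Allow"
    return effect


def evaluate(action, resource, identity, scps=(FULL_ACCESS,), boundary=None, ctx=None):
    """Return (allowed, reason).

    identity: identity-based policies attached to the principal
    scps:     SCPs in effect for the account (modelled as a single level)
    boundary: the permissions boundary, if one is set
    """
    ctx = dict(ctx or {})
    layers = {"identity policy": list(identity), "SCP": list(scps)}
    if boundary is not None:
        layers["permissions boundary"] = [boundary]
    # 1. Any explicit Deny, in any layer, ends the evaluation.
    for name, docs in layers.items():
        if any(policy_effect(p, action, resource, ctx) == "Deny" for p in docs):
            return False, f"explicit deny in {name}"
    # 2. Every layer that applies must contain an Allow; the result is their intersection.
    for name, docs in layers.items():
        if not any(policy_effect(p, action, resource, ctx) == "Allow" for p in docs):
            return False, f"no allow in {name} (implicit deny)"
    return True, "allowed"


if __name__ == "__main__":
    obj = "arn:aws:s3:::bucket/report.csv"  # constructed request target
    scps = [FULL_ACCESS, REGION_GUARDRAIL]
    for action, identity, ctx in [
        ("s3:GetObject", [S3_READ], {"aws:RequestedRegion": "us-east-1"}),
        ("s3:GetObject", [S3_READ], {"aws:RequestedRegion": "eu-west-1"}),
        ("s3:PutObject", [S3_READ], {"aws:RequestedRegion": "us-east-1"}),
        ("s3:PutObject", [S3_FULL], {"aws:RequestedRegion": "us-east-1"}),
    ]:
        print(action, ctx, evaluate(action, obj, identity, scps, READ_ONLY_BOUNDARY, ctx))
```

The last two runs are the ones worth studying: `s3:PutObject` is refused once by the identity policy (nothing grants it) and once by the boundary (the identity policy grants `s3:*`, but the boundary only allows `s3:Get*`), which is exactly how a delegated administrator can be allowed to create policies without being able to escalate past the cap. The missing-key case in the tests shows why `StringNotEquals` guardrails need care: a request with no `aws:RequestedRegion` in its context is denied, because negated operators evaluate true when the key is absent.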