Back to Details

cloud-security-configuration

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Cloud Security Configuration

云安全配置

Overview

概述

Cloud security requires comprehensive strategies spanning identity management, encryption, network controls, compliance, and threat detection. Implement defense-in-depth with multiple layers of protection and continuous monitoring.
云安全需要涵盖身份管理、加密、网络控制、合规性和威胁检测的综合策略。通过多层保护和持续监控实现纵深防御。

When to Use

适用场景

  • Protecting sensitive data in cloud
  • Compliance with regulations (GDPR, HIPAA, PCI-DSS)
  • Implementing zero-trust security
  • Securing multi-cloud environments
  • Threat detection and response
  • Identity and access management
  • Network isolation and segmentation
  • Encryption and key management
  • 保护云中的敏感数据
  • 符合法规要求(GDPR、HIPAA、PCI-DSS)
  • 实施零信任安全
  • 保护多云环境
  • 威胁检测与响应
  • 身份与访问管理
  • 网络隔离与分段
  • 加密与密钥管理

Implementation Examples

实施示例

1. AWS Security Configuration

1. AWS安全配置

bash
undefined
bash
undefined

Enable GuardDuty (threat detection)

Enable GuardDuty (threat detection)

aws guardduty create-detector
--enable
--finding-publishing-frequency FIFTEEN_MINUTES
aws guardduty create-detector
--enable
--finding-publishing-frequency FIFTEEN_MINUTES

Enable CloudTrail (audit logging)

Enable CloudTrail (audit logging)

aws cloudtrail create-trail
--name organization-trail
--s3-bucket-name audit-bucket
--is-multi-region-trail
aws cloudtrail create-trail
--name organization-trail
--s3-bucket-name audit-bucket
--is-multi-region-trail

Enable S3 bucket encryption by default

Enable S3 bucket encryption by default

aws s3api put-bucket-encryption
--bucket my-bucket
--server-side-encryption-configuration '{ "Rules": [{ "ApplyServerSideEncryptionByDefault": { "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:region:account:key/key-id" }, "BucketKeyEnabled": true }] }'
aws s3api put-bucket-encryption
--bucket my-bucket
--server-side-encryption-configuration '{ "Rules": [{ "ApplyServerSideEncryptionByDefault": { "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:region:account:key/key-id" }, "BucketKeyEnabled": true }] }'

Enable VPC Flow Logs

Enable VPC Flow Logs

aws ec2 create-flow-logs
--resource-type VPC
--resource-ids vpc-12345
--traffic-type ALL
--log-destination-type cloud-watch-logs
--log-group-name /aws/vpc/flowlogs
aws ec2 create-flow-logs
--resource-type VPC
--resource-ids vpc-12345
--traffic-type ALL
--log-destination-type cloud-watch-logs
--log-group-name /aws/vpc/flowlogs

Configure Security Groups

Configure Security Groups

aws ec2 authorize-security-group-ingress
--group-id sg-12345
--protocol tcp
--port 443
--cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress
--group-id sg-12345
--protocol tcp
--port 443
--cidr 0.0.0.0/0

Enable MFA for root account

Enable MFA for root account

aws iam get-account-summary
aws iam get-account-summary

Create password policy

Create password policy

aws iam update-account-password-policy
--minimum-password-length 14
--require-symbols
--require-numbers
--require-uppercase-characters
--require-lowercase-characters
--allow-users-to-change-password
--expire-passwords
--max-password-age 90
undefined
aws iam update-account-password-policy
--minimum-password-length 14
--require-symbols
--require-numbers
--require-uppercase-characters
--require-lowercase-characters
--allow-users-to-change-password
--expire-passwords
--max-password-age 90
undefined

2. Terraform Security Configuration

2. Terraform安全配置

hcl
undefined
hcl
undefined

security.tf

security.tf

terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 5.0" } } }
provider "aws" { region = var.aws_region }
terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 5.0" } } }
provider "aws" { region = var.aws_region }

KMS key for encryption

KMS key for encryption

resource "aws_kms_key" "main" { description = "Master encryption key" deletion_window_in_days = 10 enable_key_rotation = true
tags = { Name = "master-key" } }
resource "aws_kms_alias" "main" { name = "alias/master-key" target_key_id = aws_kms_key.main.key_id }
resource "aws_kms_key" "main" { description = "Master encryption key" deletion_window_in_days = 10 enable_key_rotation = true
tags = { Name = "master-key" } }
resource "aws_kms_alias" "main" { name = "alias/master-key" target_key_id = aws_kms_key.main.key_id }

Secrets Manager for sensitive data

Secrets Manager for sensitive data

resource "aws_secretsmanager_secret" "db_password" { name_prefix = "db/" recovery_window_in_days = 7 kms_key_id = aws_kms_key.main.id }
resource "aws_secretsmanager_secret_version" "db_password" { secret_id = aws_secretsmanager_secret.db_password.id secret_string = random_password.db.result }
resource "aws_secretsmanager_secret" "db_password" { name_prefix = "db/" recovery_window_in_days = 7 kms_key_id = aws_kms_key.main.id }
resource "aws_secretsmanager_secret_version" "db_password" { secret_id = aws_secretsmanager_secret.db_password.id secret_string = random_password.db.result }

IAM role with least privilege

IAM role with least privilege

resource "aws_iam_role" "app_role" { assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [{ Action = "sts:AssumeRole" Effect = "Allow" Principal = { Service = "ec2.amazonaws.com" } }] }) }
resource "aws_iam_role_policy" "app_policy" { role = aws_iam_role.app_role.id
policy = jsonencode({ Version = "2012-10-17" Statement = [ { Effect = "Allow" Action = [ "s3:GetObject", "s3:ListBucket" ] Resource = [ aws_s3_bucket.data.arn, "${aws_s3_bucket.data.arn}/" ] }, { Effect = "Allow" Action = [ "kms:Decrypt", "kms:DescribeKey" ] Resource = aws_kms_key.main.arn }, { Effect = "Allow" Action = [ "secretsmanager:GetSecretValue" ] Resource = aws_secretsmanager_secret.db_password.arn }, { Effect = "Allow" Action = [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ] Resource = "arn:aws:logs:::" } ] }) }
resource "aws_iam_role" "app_role" { assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [{ Action = "sts:AssumeRole" Effect = "Allow" Principal = { Service = "ec2.amazonaws.com" } }] }) }
resource "aws_iam_role_policy" "app_policy" { role = aws_iam_role.app_role.id
policy = jsonencode({ Version = "2012-10-17" Statement = [ { Effect = "Allow" Action = [ "s3:GetObject", "s3:ListBucket" ] Resource = [ aws_s3_bucket.data.arn, "${aws_s3_bucket.data.arn}/" ] }, { Effect = "Allow" Action = [ "kms:Decrypt", "kms:DescribeKey" ] Resource = aws_kms_key.main.arn }, { Effect = "Allow" Action = [ "secretsmanager:GetSecretValue" ] Resource = aws_secretsmanager_secret.db_password.arn }, { Effect = "Allow" Action = [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ] Resource = "arn:aws:logs:::" } ] }) }

VPC with security

VPC with security

resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" enable_dns_hostnames = true enable_dns_support = true
tags = { Name = "main-vpc" } }
resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" enable_dns_hostnames = true enable_dns_support = true
tags = { Name = "main-vpc" } }

Public subnet

Public subnet

resource "aws_subnet" "public" { vpc_id = aws_vpc.main.id cidr_block = "10.0.1.0/24" availability_zone = data.aws_availability_zones.available.names[0] map_public_ip_on_launch = false
tags = { Name = "public-subnet" } }
resource "aws_subnet" "public" { vpc_id = aws_vpc.main.id cidr_block = "10.0.1.0/24" availability_zone = data.aws_availability_zones.available.names[0] map_public_ip_on_launch = false
tags = { Name = "public-subnet" } }

Private subnet

Private subnet

resource "aws_subnet" "private" { vpc_id = aws_vpc.main.id cidr_block = "10.0.10.0/24" availability_zone = data.aws_availability_zones.available.names[0]
tags = { Name = "private-subnet" } }
resource "aws_subnet" "private" { vpc_id = aws_vpc.main.id cidr_block = "10.0.10.0/24" availability_zone = data.aws_availability_zones.available.names[0]
tags = { Name = "private-subnet" } }

Network ACL for defense in depth

Network ACL for defense in depth

resource "aws_network_acl" "main" { vpc_id = aws_vpc.main.id
ingress { protocol = "tcp" rule_no = 100 action = "allow" cidr_block = "0.0.0.0/0" from_port = 443 to_port = 443 }
ingress { protocol = "tcp" rule_no = 110 action = "allow" cidr_block = "0.0.0.0/0" from_port = 80 to_port = 80 }
egress { protocol = "-1" rule_no = 100 action = "allow" cidr_block = "0.0.0.0/0" from_port = 0 to_port = 0 } }
resource "aws_network_acl" "main" { vpc_id = aws_vpc.main.id
ingress { protocol = "tcp" rule_no = 100 action = "allow" cidr_block = "0.0.0.0/0" from_port = 443 to_port = 443 }
ingress { protocol = "tcp" rule_no = 110 action = "allow" cidr_block = "0.0.0.0/0" from_port = 80 to_port = 80 }
egress { protocol = "-1" rule_no = 100 action = "allow" cidr_block = "0.0.0.0/0" from_port = 0 to_port = 0 } }

Security group

Security group

resource "aws_security_group" "app" { name_prefix = "app-" vpc_id = aws_vpc.main.id

Egress rule (deny by default)

egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } }
resource "aws_security_group" "app" { name_prefix = "app-" vpc_id = aws_vpc.main.id

Egress rule (deny by default)

egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } }

WAF Web ACL

WAF Web ACL

resource "aws_wafv2_web_acl" "main" { scope = "REGIONAL" name = "app-waf"
default_action { allow {} }
rule { name = "AWSManagedRulesCommonRuleSet" priority = 1
action {
  block {}
}

statement {
  managed_rule_group_statement {
    name        = "AWSManagedRulesCommonRuleSet"
    vendor_name = "AWS"
  }
}

visibility_config {
  cloudwatch_metrics_enabled = true
  metric_name                = "AWSManagedRulesCommonRuleSet"
  sampled_requests_enabled   = true
}
}
visibility_config { cloudwatch_metrics_enabled = true metric_name = "app-waf" sampled_requests_enabled = true } }
resource "aws_wafv2_web_acl" "main" { scope = "REGIONAL" name = "app-waf"
default_action { allow {} }
rule { name = "AWSManagedRulesCommonRuleSet" priority = 1
action {
  block {}
}

statement {
  managed_rule_group_statement {
    name        = "AWSManagedRulesCommonRuleSet"
    vendor_name = "AWS"
  }
}

visibility_config {
  cloudwatch_metrics_enabled = true
  metric_name                = "AWSManagedRulesCommonRuleSet"
  sampled_requests_enabled   = true
}
}
visibility_config { cloudwatch_metrics_enabled = true metric_name = "app-waf" sampled_requests_enabled = true } }

GuardDuty for threat detection

GuardDuty for threat detection

resource "aws_guardduty_detector" "main" { enable = true
datasources { flow_logs { enable = true } s3_logs { enable = true } kubernetes { audit_logs { enable = true } } } }
resource "aws_guardduty_detector" "main" { enable = true
datasources { flow_logs { enable = true } s3_logs { enable = true } kubernetes { audit_logs { enable = true } } } }

CloudTrail for audit logging

CloudTrail for audit logging

resource "aws_cloudtrail" "main" { name = "organization-trail" s3_bucket_name = aws_s3_bucket.audit_logs.id include_global_service_events = true is_multi_region_trail = true enable_log_file_validation = true depends_on = [aws_s3_bucket_policy.audit_logs]
event_selector { read_write_type = "All" include_management_events = true
data_resource {
  type   = "AWS::S3::Object"
  values = ["arn:aws:s3:::*/"]
}
} }
resource "aws_cloudtrail" "main" { name = "organization-trail" s3_bucket_name = aws_s3_bucket.audit_logs.id include_global_service_events = true is_multi_region_trail = true enable_log_file_validation = true depends_on = [aws_s3_bucket_policy.audit_logs]
event_selector { read_write_type = "All" include_management_events = true
data_resource {
  type   = "AWS::S3::Object"
  values = ["arn:aws:s3:::*/"]
}
} }

Audit logs bucket

Audit logs bucket

resource "aws_s3_bucket" "audit_logs" { bucket = "audit-logs-${data.aws_caller_identity.current.account_id}" }
resource "aws_s3_bucket_policy" "audit_logs" { bucket = aws_s3_bucket.audit_logs.id
policy = jsonencode({ Version = "2012-10-17" Statement = [ { Sid = "AllowCloudTrailAcl" Effect = "Allow" Principal = { Service = "cloudtrail.amazonaws.com" } Action = "s3:GetBucketAcl" Resource = aws_s3_bucket.audit_logs.arn }, { Sid = "AllowCloudTrailPutObject" Effect = "Allow" Principal = { Service = "cloudtrail.amazonaws.com" } Action = "s3:PutObject" Resource = "${aws_s3_bucket.audit_logs.arn}/*" Condition = { StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" } } } ] }) }
resource "aws_s3_bucket" "audit_logs" { bucket = "audit-logs-${data.aws_caller_identity.current.account_id}" }
resource "aws_s3_bucket_policy" "audit_logs" { bucket = aws_s3_bucket.audit_logs.id
policy = jsonencode({ Version = "2012-10-17" Statement = [ { Sid = "AllowCloudTrailAcl" Effect = "Allow" Principal = { Service = "cloudtrail.amazonaws.com" } Action = "s3:GetBucketAcl" Resource = aws_s3_bucket.audit_logs.arn }, { Sid = "AllowCloudTrailPutObject" Effect = "Allow" Principal = { Service = "cloudtrail.amazonaws.com" } Action = "s3:PutObject" Resource = "${aws_s3_bucket.audit_logs.arn}/*" Condition = { StringEquals = { "s3:x-amz-acl" = "bucket-owner-full-control" } } } ] }) }

Config for compliance monitoring

Config for compliance monitoring

resource "aws_config_configuration_recorder" "main" { name = "main" role_arn = aws_iam_role.config.arn depends_on = [aws_iam_role_policy_attachment.config]
recording_group { all_supported = true include_global = true } }
resource "aws_config_configuration_recorder_status" "main" { name = aws_config_configuration_recorder.main.name depends_on = [aws_config_delivery_channel.main] is_enabled = true start_recording = true }
resource "aws_config_configuration_recorder" "main" { name = "main" role_arn = aws_iam_role.config.arn depends_on = [aws_iam_role_policy_attachment.config]
recording_group { all_supported = true include_global = true } }
resource "aws_config_configuration_recorder_status" "main" { name = aws_config_configuration_recorder.main.name depends_on = [aws_config_delivery_channel.main] is_enabled = true start_recording = true }

Config delivery channel

Config delivery channel

resource "aws_config_delivery_channel" "main" { name = "main" s3_bucket_name = aws_s3_bucket.config.id depends_on = [aws_config_configuration_recorder.main] }
resource "aws_config_delivery_channel" "main" { name = "main" s3_bucket_name = aws_s3_bucket.config.id depends_on = [aws_config_configuration_recorder.main] }

CloudWatch for security monitoring

CloudWatch for security monitoring

resource "aws_cloudwatch_metric_alarm" "unauthorized_actions" { alarm_name = "unauthorized-api-calls" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 metric_name = "UnauthorizedOperationCount" namespace = "CloudTrailMetrics" period = 300 statistic = "Sum" threshold = 5 alarm_description = "Alert on unauthorized API calls" }
resource "aws_cloudwatch_metric_alarm" "unauthorized_actions" { alarm_name = "unauthorized-api-calls" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = 1 metric_name = "UnauthorizedOperationCount" namespace = "CloudTrailMetrics" period = 300 statistic = "Sum" threshold = 5 alarm_description = "Alert on unauthorized API calls" }

Data source

Data source

data "aws_caller_identity" "current" {} data "aws_availability_zones" "available" { state = "available" }
data "aws_caller_identity" "current" {} data "aws_availability_zones" "available" { state = "available" }

Random password

Random password

resource "random_password" "db" { length = 16 special = true }
resource "random_password" "db" { length = 16 special = true }

IAM role for Config

IAM role for Config

resource "aws_iam_role" "config" { assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [{ Action = "sts:AssumeRole" Effect = "Allow" Principal = { Service = "config.amazonaws.com" } }] }) }
resource "aws_iam_role_policy_attachment" "config" { role = aws_iam_role.config.name policy_arn = "arn:aws:iam::aws:policy/service-role/ConfigRole" }
resource "aws_s3_bucket" "config" { bucket = "config-bucket-${data.aws_caller_identity.current.account_id}" }
undefined
resource "aws_iam_role" "config" { assume_role_policy = jsonencode({ Version = "2012-10-17" Statement = [{ Action = "sts:AssumeRole" Effect = "Allow" Principal = { Service = "config.amazonaws.com" } }] }) }
resource "aws_iam_role_policy_attachment" "config" { role = aws_iam_role.config.name policy_arn = "arn:aws:iam::aws:policy/service-role/ConfigRole" }
resource "aws_s3_bucket" "config" { bucket = "config-bucket-${data.aws_caller_identity.current.account_id}" }
undefined

3. Azure Security Configuration

3. Azure安全配置

bash
undefined
bash
undefined

Enable Azure Security Center

Enable Azure Security Center

az security auto-provisioning-setting update
--auto-provision on
az security auto-provisioning-setting update
--auto-provision on

Enable Azure Defender

Enable Azure Defender

az security atp storage update
--storage-account myaccount
--is-enabled true
az security atp storage update
--storage-account myaccount
--is-enabled true

Configure NSG rules

Configure NSG rules

az network nsg rule create
--resource-group mygroup
--nsg-name mynsg
--name AllowHTTPS
--priority 100
--direction Inbound
--access Allow
--protocol Tcp
--source-address-prefixes ''
--source-port-ranges ''
--destination-address-prefixes '*'
--destination-port-ranges 443
az network nsg rule create
--resource-group mygroup
--nsg-name mynsg
--name AllowHTTPS
--priority 100
--direction Inbound
--access Allow
--protocol Tcp
--source-address-prefixes ''
--source-port-ranges ''
--destination-address-prefixes '*'
--destination-port-ranges 443

Enable Azure Policy

Enable Azure Policy

az policy assignment create
--name EnforceHttps
--policy /subscriptions/{subscription}/providers/Microsoft.Authorization/policyDefinitions/{policyId}
az policy assignment create
--name EnforceHttps
--policy /subscriptions/{subscription}/providers/Microsoft.Authorization/policyDefinitions/{policyId}

Create Key Vault

Create Key Vault

az keyvault create
--resource-group mygroup
--name mykeyvault
--enable-rbac-authorization
undefined
az keyvault create
--resource-group mygroup
--name mykeyvault
--enable-rbac-authorization
undefined

4. GCP Security Configuration

4. GCP安全配置

bash
undefined
bash
undefined

Enable Cloud Armor

Enable Cloud Armor

gcloud compute security-policies create my-policy
--description "Security policy"
gcloud compute security-policies create my-policy
--description "Security policy"

Add rules

Add rules

gcloud compute security-policies rules create 100
--security-policy=my-policy
--action "deny-403"
--expression "origin.country_code == 'CN'"
gcloud compute security-policies rules create 100
--security-policy=my-policy
--action "deny-403"
--expression "origin.country_code == 'CN'"

Enable Cloud KMS

Enable Cloud KMS

gcloud kms keyrings create my-keyring --location us-east1
gcloud kms keys create my-key
--location us-east1
--keyring my-keyring
--purpose encryption
gcloud kms keyrings create my-keyring --location us-east1
gcloud kms keys create my-key
--location us-east1
--keyring my-keyring
--purpose encryption

Set IAM bindings

Set IAM bindings

gcloud projects add-iam-policy-binding MY_PROJECT
--member=serviceAccount:my-sa@MY_PROJECT.iam.gserviceaccount.com
--role=roles/container.developer
gcloud projects add-iam-policy-binding MY_PROJECT
--member=serviceAccount:my-sa@MY_PROJECT.iam.gserviceaccount.com
--role=roles/container.developer

Enable Binary Authorization

Enable Binary Authorization

gcloud container binauthz policy import policy.yaml
gcloud container binauthz policy import policy.yaml

VPC Service Controls

VPC Service Controls

gcloud access-context-manager perimeters create my-perimeter
--resources=projects/MY_PROJECT
undefined
gcloud access-context-manager perimeters create my-perimeter
--resources=projects/MY_PROJECT
undefined

Best Practices

最佳实践

✅ DO

✅ 应该做

  • Implement least privilege access
  • Enable MFA everywhere
  • Use service accounts for applications
  • Encrypt data at rest and in transit
  • Enable comprehensive logging
  • Implement network segmentation
  • Use secrets management
  • Enable threat detection
  • Regular security assessments
  • Keep systems patched
  • 实施最小权限访问
  • 全面启用MFA
  • 为应用使用服务账户
  • 加密静态和传输中的数据
  • 启用全面日志记录
  • 实施网络分段
  • 使用密钥管理
  • 启用威胁检测
  • 定期进行安全评估
  • 保持系统补丁更新

❌ DON'T

❌ 不应该做

  • Use root/default credentials
  • Store secrets in code
  • Over-permissive security groups
  • Disable encryption
  • Ignore logs and monitoring
  • Share credentials
  • Skip compliance requirements
  • Trust unverified data sources
  • 使用根账户/默认凭证
  • 在代码中存储密钥
  • 使用过度宽松的安全组
  • 禁用加密
  • 忽略日志和监控
  • 共享凭证
  • 跳过合规要求
  • 信任未经验证的数据源

Compliance Standards

合规标准

  • GDPR: Data protection
  • HIPAA: Healthcare data
  • PCI-DSS: Payment card data
  • SOC 2: Security controls
  • ISO 27001: Information security
  • CIS Benchmarks: Security hardening
  • GDPR:数据保护
  • HIPAA:医疗保健数据
  • PCI-DSS:支付卡数据
  • SOC 2:安全控制
  • ISO 27001:信息安全
  • CIS基准:安全加固

Security Layers

安全层级

  1. Identity & Access: IAM, MFA, SSO
  2. Network: VPCs, Security Groups, WAF
  3. Data: Encryption, Secrets, DLP
  4. Application: Input validation, patches
  5. Monitoring: Logging, Alerting, Threat Detection
  1. 身份与访问:IAM、MFA、SSO
  2. 网络:VPC、安全组、WAF
  3. 数据:加密、密钥、DLP
  4. 应用:输入验证、补丁
  5. 监控:日志记录、告警、威胁检测

Resources

资源链接