Section 07

Cloud-Native Security

Cloud-native architectures require security approaches designed for dynamic, distributed, and ephemeral infrastructure. Traditional security tools don't work in environments where resources are created and destroyed in seconds.

Container Security

Image Security

  • Use minimal base images (distroless, Alpine)
  • Scan images for vulnerabilities (Trivy, Snyk, Clair)
  • Sign and verify images (Cosign, Notary)
  • Use private registries with access controls
  • Implement image admission policies

Runtime Security

  • Run as non-root user
  • Read-only root filesystem
  • Drop all capabilities, add only needed
  • Use seccomp and AppArmor profiles
  • Runtime threat detection (Falco, Sysdig)

Kubernetes Security

  • Enable RBAC with least privilege
  • Use Pod Security Standards (restricted)
  • Network Policies for pod isolation
  • Secrets management (External Secrets, Vault)
  • Audit logging enabled
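The runtime checklist above and the "restricted" Pod Security Standard largely describe the same pod fields, so they can be checked mechanically before a manifest is admitted. The following is an added example (not code from the original page or from any Kubernetes project): it audits a Pod spec for non-root execution, a read-only root filesystem, dropped capabilities, privilege escalation and a seccomp profile, with a weak and a hardened manifest constructed inline. The pod name, image reference (a digest placeholder) and UID are assumptions.

```python
"""Audit a Kubernetes Pod spec against the runtime-hardening checklist.

Added example, not code from the original page or any project. The pod
manifests are constructed samples; the image digest is a placeholder.
"""

# Constructed sample: a pod as commonly written, with no hardening.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "containers": [
            {
                "name": "web",
                "image": "nginx:latest",
                "securityContext": {"capabilities": {"add": ["NET_ADMIN"]}},
            }
        ]
    },
}

# Constructed sample: the same pod with the checklist applied.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [
            {
                "name": "web",
                "image": "nginx@sha256:<digest-placeholder>",
                "securityContext": {
                    "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True,
                    "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                },
            }
        ],
    },
}

# Capabilities the restricted profile still lets a container add back.
ALLOWED_ADDS = {"NET_BIND_SERVICE"}


def _effective(pod_sc, ctr_sc, key):
    """Container-level securityContext overrides the pod-level value."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def audit_pod(pod):
    """Return a list of '<container>: <finding>' strings; empty means pass."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        name = ctr.get("name", "?")
        sc = ctr.get("securityContext", {})
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities not dropped (drop: [ALL] missing)")
        extra = set(caps.get("add", [])) - ALLOWED_ADDS
        if extra:
            findings.append(f"{name}: adds capabilities {sorted(extra)}")
        seccomp = _effective(pod_sc, sc, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccomp profile not set")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
    return findings


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or "OK")
```

The same rules are what an admission policy (Pod Security Admission, or a Kyverno/OPA policy) would enforce at the API server; running them in CI on the manifest catches the problem before the pod ever reaches a cluster.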

Serverless Security

Security Benefits

  • ✓ No servers to patch
  • ✓ Ephemeral execution environments
  • ✓ Auto-scaling handles DDoS
  • ✓ Smaller attack surface per function

Security Challenges

  • ⚠ Function permissions often over-privileged
  • ⚠ Dependency vulnerabilities
  • ⚠ Event injection attacks
  • ⚠ Limited observability

Serverless Security Best Practices

  • ☐ Assign minimal IAM permissions per function
  • ☐ Validate and sanitize all event inputs
  • ☐ Use environment variables for non-sensitive config
  • ☐ Secrets from Secrets Manager, not env vars
  • ☐ Set memory and timeout limits
  • ☐ Enable X-Ray or distributed tracing
  • ☐ Use VPC for functions accessing internal resources
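"Assign minimal IAM permissions per function" is the item most often skipped, because a wildcard policy is what makes the function work on the first try. The following added example (not code from the original page or from any cloud provider's tooling) lints a function's IAM policy document for wildcard actions and resources, with an over-privileged and a least-privilege policy constructed side by side. The bucket, table, log-group and account identifiers are placeholders.

```python
"""Lint an IAM policy attached to a serverless function for over-privilege.

Added example, not code from the original page or any provider's tooling.
Both policy documents are constructed samples in AWS IAM JSON syntax; the
ARNs and account id are placeholders.
"""
import json

# Constructed sample: the policy that gets attached "to make it work".
OVER_PRIVILEGED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:*", "logs:*"], "Resource": "*"},
    ],
})

# Constructed sample: the same function scoped to what it actually does:
# read one prefix of one bucket, write one table, write its own log stream.
LEAST_PRIVILEGE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-uploads-bucket/incoming/*",
        },
        {
            "Effect": "Allow",
            "Action": ["dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders",
        },
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/example-fn:*",
        },
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(document):
    """Return (statement_index, message) findings for Allow statements that
    grant wildcard actions, wildcard resources, or use NotAction/NotResource."""
    policy = json.loads(document)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action!r}"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "resource '*' applies to every resource in the account"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((i, "NotAction/NotResource allows everything not listed"))
    return findings


if __name__ == "__main__":
    for label, doc in (("over-privileged", OVER_PRIVILEGED), ("least-privilege", LEAST_PRIVILEGE)):
        print(label, lint_policy(doc) or "OK")
```

A few actions genuinely require `Resource: "*"` (for example, some logs and describe calls); the linter's job is to make each wildcard a deliberate, reviewed exception rather than the default.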

Service Mesh Security

A service mesh like Istio, Linkerd, or Consul Connect provides infrastructure-level security for service-to-service communication.

Mutual TLS (mTLS)

Automatic encryption and authentication between all services. No code changes required.

Authorization Policies

Define which services can communicate. Service A can call Service B, but not Service C.
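To make "Service A can call Service B, but not Service C" concrete, the following added example (not code from the original page or from Istio, Linkerd or Consul) models how a mesh evaluates authorization policies: each policy selects a destination workload, carries ALLOW or DENY, and lists rules over the caller's mTLS identity and the requested operation. The evaluation order (DENY first, then ALLOW; a workload with no ALLOW policy is left open) and the policy shape follow Istio's AuthorizationPolicy in simplified form; the service names, namespace and SPIFFE-style principals are constructed.

```python
"""Evaluate service-to-service authorization the way a mesh policy engine does.

Added example, not code from the original page or from any service mesh.
Simplified model of Istio's AuthorizationPolicy: selector, action, rules with
from (caller identity) and to (operation). Names and namespaces are constructed.
"""


def _principal(namespace, service_account):
    """Identity a mesh derives from the caller's mTLS certificate."""
    return f"cluster.local/ns/{namespace}/sa/{service_account}"


# Constructed policies: service-a may call service-b; service-c accepts only
# GET /status from service-b; anything from namespace "legacy" is denied at b.
POLICIES = [
    {
        "name": "allow-a-to-b",
        "selector": {"app": "service-b"},
        "action": "ALLOW",
        "rules": [{"from": [{"source": {"principals": [_principal("prod", "service-a")]}}]}],
    },
    {
        "name": "allow-b-to-c-status",
        "selector": {"app": "service-c"},
        "action": "ALLOW",
        "rules": [{
            "from": [{"source": {"principals": [_principal("prod", "service-b")]}}],
            "to": [{"operation": {"methods": ["GET"], "paths": ["/status"]}}],
        }],
    },
    {
        "name": "deny-legacy-to-b",
        "selector": {"app": "service-b"},
        "action": "DENY",
        "rules": [{"from": [{"source": {"namespaces": ["legacy"]}}]}],
    },
]


def _source_matches(source, request):
    if "principals" in source and request["principal"] not in source["principals"]:
        return False
    if "namespaces" in source and request["namespace"] not in source["namespaces"]:
        return False
    return True


def _operation_matches(op, request):
    if "methods" in op and request["method"] not in op["methods"]:
        return False
    if "paths" in op and request["path"] not in op["paths"]:
        return False
    return True


def _rule_matches(rule, request):
    """A rule matches when some 'from' entry and some 'to' entry match;
    an absent clause matches everything."""
    from_ok = not rule.get("from") or any(_source_matches(f["source"], request) for f in rule["from"])
    to_ok = not rule.get("to") or any(_operation_matches(t["operation"], request) for t in rule["to"])
    return from_ok and to_ok


def authorize(policies, dest_labels, request):
    """Return (allowed, reason) for a request arriving at a workload."""
    applicable = [p for p in policies
                  if all(dest_labels.get(k) == v for k, v in p["selector"].items())]
    for p in applicable:  # DENY policies are evaluated first
        if p["action"] == "DENY" and any(_rule_matches(r, request) for r in p["rules"]):
            return False, f"denied by {p['name']}"
    allows = [p for p in applicable if p["action"] == "ALLOW"]
    if not allows:
        return True, "no ALLOW policy selects this workload"
    for p in allows:
        if any(_rule_matches(r, request) for r in p["rules"]):
            return True, f"allowed by {p['name']}"
    return False, "no ALLOW rule matched"


def call(src_ns, src_sa, dest_app, method="GET", path="/"):
    """Does a call from src_ns/src_sa to dest_app succeed under POLICIES?"""
    request = {"principal": _principal(src_ns, src_sa), "namespace": src_ns,
               "method": method, "path": path}
    return authorize(POLICIES, {"app": dest_app}, request)


if __name__ == "__main__":
    print(call("prod", "service-a", "service-b"))
    print(call("prod", "service-a", "service-c"))
```

Two points the model makes visible: the caller's identity comes from the mTLS certificate the sidecar presents, not from anything the application sends, and a workload with no ALLOW policy at all is reachable by every peer in the mesh, so a default deny-all policy per namespace is the usual starting point.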

Traffic Policies

Rate limiting, circuit breaking, and retry policies at the infrastructure level.

Observability

Automatic metrics, logs, and traces for all service-to-service calls.

Cloud Security Posture Management (CSPM)

CSPM tools continuously monitor cloud configurations to detect misconfigurations, compliance violations, and security risks.

Common Misconfigurations

  • Public S3 buckets
  • Security groups allowing 0.0.0.0/0
  • Unencrypted databases
  • Missing MFA on root accounts
  • Overly permissive IAM policies

CSPM Tools

  • AWS Security Hub + Config
  • Azure Defender for Cloud
  • GCP Security Command Center
  • Prisma Cloud, Wiz, Orca
  • Open source: Prowler, ScoutSuite

Infrastructure as Code Security

Shift Left

Scan IaC templates before deployment. Finding a misconfiguration in Terraform is better than finding it in production.
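The misconfigurations a CSPM tool finds in a running account (the "Common Misconfigurations" list above) are the same ones a template scanner can reject before `terraform apply`. The following added example (not code from the original page or from Checkov, tfsec or any other scanner) scans a Terraform configuration written in Terraform's JSON syntax (`.tf.json`) for public S3 bucket ACLs, security-group ingress open to 0.0.0.0/0 or ::/0, and RDS instances without storage encryption. The configuration and all resource names are constructed; root-account MFA is not expressible in a template and is left to the runtime CSPM checks.

```python
"""Scan a Terraform configuration (JSON syntax) for common misconfigurations
before it is applied.

Added example, not code from the original page or any IaC scanner. The
configuration is a constructed sample with one good and one bad instance
of each resource type; names are placeholders.
"""
import json

TF_JSON = json.dumps({
    "resource": {
        "aws_s3_bucket": {
            "logs": {"bucket": "example-logs", "acl": "private"},
            "assets": {"bucket": "example-assets", "acl": "public-read"},
        },
        "aws_security_group": {
            "web": {"ingress": [
                {"from_port": 443, "to_port": 443, "protocol": "tcp",
                 "cidr_blocks": ["10.0.0.0/8"]},
                {"from_port": 22, "to_port": 22, "protocol": "tcp",
                 "cidr_blocks": ["0.0.0.0/0"]},
            ]},
        },
        "aws_db_instance": {
            "orders": {"engine": "postgres", "storage_encrypted": True},
            "reports": {"engine": "postgres"},  # provider default: unencrypted
        },
    }
})

# Canned ACLs that expose objects to the world or to any AWS account.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}
ANY_CIDR = {"0.0.0.0/0", "::/0"}


def _resources(cfg, rtype):
    """Yield (name, body) for every resource of the given type."""
    yield from cfg.get("resource", {}).get(rtype, {}).items()


def _nested_blocks(body, key):
    """A repeatable block is a list in JSON syntax, or a single object."""
    blocks = body.get(key, [])
    return blocks if isinstance(blocks, list) else [blocks]


def scan_terraform(document):
    """Return a sorted list of 'resource_type.name: finding' strings."""
    cfg = json.loads(document)
    findings = []
    for name, body in _resources(cfg, "aws_s3_bucket"):
        if body.get("acl") in PUBLIC_ACLS:
            findings.append(f"aws_s3_bucket.{name}: public ACL {body['acl']!r}")
    for name, body in _resources(cfg, "aws_security_group"):
        for rule in _nested_blocks(body, "ingress"):
            cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
            if cidrs & ANY_CIDR:
                findings.append(
                    f"aws_security_group.{name}: ingress "
                    f"{rule.get('from_port')}-{rule.get('to_port')}/{rule.get('protocol')} "
                    f"open to the internet")
    for name, body in _resources(cfg, "aws_db_instance"):
        if body.get("storage_encrypted") is not True:
            findings.append(f"aws_db_instance.{name}: storage_encrypted is not true")
    return sorted(findings)


if __name__ == "__main__":
    for finding in scan_terraform(TF_JSON):
        print(finding)
```

Run as a CI step that fails the pipeline on any finding, this gives the "shift left" the section describes: the same check a CSPM tool would raise hours after deployment is raised on the pull request instead. Real scanners also resolve variables, modules and HCL syntax, which this example does not attempt.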

IaC Scanning Tools

  • Checkov
  • tfsec
  • KICS
  • Terrascan
  • Snyk IaC
  • cfn-lint