Cloud Security
Updated Sep 9, 2025

Cloud Security Scanning Guide (AWS, Azure, GCP)

Cloud grows fast and breaks quietly. This guide maps the basics of scanning cloud setups, containers, and IaC so you can spot risky defaults before they become incidents. It covers the most widely used cloud platforms: AWS (Amazon Web Services), Azure, and GCP (Google Cloud Platform).

Where cloud risks hide

  • Public S3 buckets or open storage (Azure/GCP equivalents)
  • Missing firewall rules, or rules open to the entire internet (0.0.0.0/0, which matches any source IP) on sensitive ports such as SSH (22) and RDP (3389). In AWS these rules live in Security Groups; in Azure they are NSGs (Network Security Groups)
  • Over‑privileged IAM (Identity and Access Management) roles, and long‑lived access keys that are never rotated
  • Unpatched images and exposed dashboards in container stacks
  • Misconfigured or unnecessarily exposed KMS (Key Management Service)/Key Vault/Cloud KMS

What to scan

  • Cloud configs guided by the CIS Benchmarks (Center for Internet Security)
  • IaC (Infrastructure as Code) templates (Terraform, ARM/Bicep, CloudFormation)
  • Container images and registries
  • Kubernetes manifests and runtime
  • Network exposure, such as open ports

Practical starting points

  • Turn on provider security centers: AWS Security Hub, Azure's Microsoft Defender, GCP SCC (Security Command Center). Review and act on security findings.
  • Add automated IaC scanning to any existing CI (Continuous Integration) pipelines for every pull request
  • Review internet‑facing endpoints and lock them down with proper authentication, input validation, and rate limiting
  • Lock down access wherever it is possible without disrupting your team's workflow, while ensuring that more than one user keeps admin access (min 2)
  • Rotate secrets and keys on a schedule
  • Enforce MFA for all users

Identity and access hardening

  • Root/admin accounts: require MFA, never create root access keys, and use the root account only for break‑glass emergencies (and monitor usage)
  • Short‑lived credentials: prefer IAM (Identity and Access Management) Roles/Managed Identities/Service Accounts over static keys
  • Least privilege: avoid wildcard actions and scope permissions by resource and condition keys
  • Organization guardrails: AWS SCPs, Azure Policies, GCP Organization Policy

Containers and Kubernetes

  • Scan base images
  • Limit privileges: drop capabilities, use read‑only file systems
  • Network policies to restrict traffic between Kubernetes pods
  • Keep the control plane and addons updated

Provider specifics (quick hits)

AWS:

  • S3: Block Public Access, bucket policies least‑privilege, mandatory encryption
  • Security Groups: avoid 0.0.0.0/0 on admin ports (SSH 22, RDP 3389), restrict access to VPN or trusted IP ranges, and place AWS WAF (Web Application Firewall) in front of public apps
  • IAM: short‑lived credentials via IAM Roles, avoid wildcard actions
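The Security Group check above (admin ports open to 0.0.0.0/0) as a small scanner, added here as an example and not code from the article; the input mirrors the IpPermissions shape of `aws ec2 describe-security-groups`, and the sample groups are constructed:

```python
# Added example (not from the article): flag AWS Security Group ingress rules that
# expose admin ports (SSH 22, RDP 3389) to the whole internet. The input mirrors the
# IpPermissions shape of `aws ec2 describe-security-groups`; the groups are constructed.

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
ANY_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_port(rule, port):
    """True if an ingress permission includes `port` (all-traffic rules and ranges too)."""
    if rule.get("IpProtocol") == "-1":       # "-1" means all protocols and all ports
        return True
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def rule_is_world_open(rule):
    """True if any IPv4 or IPv6 range on the permission is the entire internet."""
    v4 = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    v6 = {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool((v4 | v6) & ANY_CIDRS)


def find_exposed_admin_ports(security_groups):
    """Return sorted (GroupId, port name) pairs for every world-open admin port."""
    findings = set()
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            if not rule_is_world_open(rule):
                continue
            for port, name in ADMIN_PORTS.items():
                if rule_covers_port(rule, port):
                    findings.add((sg["GroupId"], name))
    return sorted(findings)


# Constructed sample: SSH open to the world, an IPv6 all-traffic rule, and an RDP
# rule limited to a documentation range (clean).
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-jump", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
]
```

The all-protocol ("-1") and IPv6 "::/0" cases are the ones a naive port-22 string match misses, which is why both are in the sample.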

Azure:

  • Storage Accounts: disable public blob access unless necessary, and time‑box any SAS tokens
  • NSGs: lock inbound, use Application Gateway/WAF (Web Application Firewall)
  • Use Managed Identities with Key Vault instead of embedding secrets in code

GCP:

  • Cloud Storage: use uniform bucket‑level access and avoid allUsers/allAuthenticatedUsers grants
  • Firewall: restrict ingress and front public apps with Cloud Armor
  • Service Accounts: use least‑privilege IAM bindings and rotate or remove keys

Logging and detection that matter

  • Enable and retain audit logs for important services: CloudTrail (AWS), Activity/Diagnostic Logs (Azure), Cloud Audit Logs (GCP)
  • Threat detection: use the platform's own service to detect threats and security configuration issues: GuardDuty for AWS, Microsoft Defender for Cloud for Azure, or Security Command Center (SCC) for GCP
  • Centralize logs in a dedicated project or account, and enforce retention and immutability (write-once) by policy

CI integration for IaC

  • Add Terraform/CloudFormation/Bicep scanning as a required check
  • Fail pull requests for high‑severity misconfigurations and allow documented waivers with justification and an expiry date
  • Keep rule sets versioned and reviewed periodically

Run tfsec/checkov in CI (block merges on failures): These tools scan Terraform and other IaC for common misconfigurations. The commands below return a non-zero exit code when issues are found, which fails the pipeline and blocks the PR until the problems are fixed or a waiver is approved.

tfsec . || exit 1
checkov -d . --quiet || exit 1
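The waiver rule from the list above (fail on high severity, allow documented waivers with an expiry date) as a gating step, added here as an example and not code from the article; the finding and waiver shapes are assumptions for this example rather than tfsec's or checkov's native output, and the sample data, including the check ids, is constructed:

```python
# Added example (not from the article): gate a pull request on IaC scan findings while
# honouring waivers that carry a justification and an expiry date. The finding and
# waiver shapes are assumptions for this example, not tfsec's or checkov's native
# output; the sample data (including the check ids) is constructed.
from datetime import date

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


def active_waiver(finding, waivers, today):
    """Return the waiver covering `finding` if it is documented and not yet expired."""
    for w in waivers:
        if (w["check_id"], w["resource"]) != (finding["check_id"], finding["resource"]):
            continue
        if not w.get("justification", "").strip():
            continue                               # undocumented waivers do not count
        if date.fromisoformat(w["expires"]) < today:
            continue                               # expired waivers do not count
        return w
    return None


def blocking_findings(findings, waivers, today_iso):
    """Findings that fail the PR: high/critical severity with no active waiver."""
    today = date.fromisoformat(today_iso)
    return [f for f in findings
            if f["severity"].upper() in BLOCKING_SEVERITIES
            and active_waiver(f, waivers, today) is None]


SAMPLE_FINDINGS = [
    {"check_id": "CKV_AWS_18", "resource": "aws_s3_bucket.logs", "severity": "MEDIUM"},
    {"check_id": "CKV_AWS_24", "resource": "aws_security_group.ssh", "severity": "HIGH"},
    {"check_id": "CKV_AWS_53", "resource": "aws_s3_bucket.public", "severity": "HIGH"},
    {"check_id": "CKV_AWS_21", "resource": "aws_s3_bucket.data", "severity": "HIGH"},
]
SAMPLE_WAIVERS = [
    {"check_id": "CKV_AWS_24", "resource": "aws_security_group.ssh",
     "justification": "bastion reachable only via VPN CIDR; ticket SEC-123",
     "expires": "2099-01-01"},                                    # valid
    {"check_id": "CKV_AWS_53", "resource": "aws_s3_bucket.public",
     "justification": "temporary", "expires": "2020-01-01"},      # expired
    {"check_id": "CKV_AWS_21", "resource": "aws_s3_bucket.data",
     "justification": "", "expires": "2099-01-01"},               # no justification
]
```

A CI step would exit non-zero whenever `blocking_findings` returns a non-empty list, so an expired or undocumented waiver re-blocks the PR instead of silently staying in force.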

Secrets and encryption

  • Do not store secrets in code, appsettings files, or environment variables checked into source control - instead use a managed secrets service such as AWS Secrets Manager, Azure Key Vault, or Google Secret Manager
  • Enable default encryption for storage and databases, and use customer‑managed keys for sensitive data
  • Constrain who and what can use/access KMS (Key Management Service)/Key Vault keys, and rotate annually or per policy

Network and egress controls

  • Prefer private endpoints, VPC/VNet peering, and service endpoints over public access
  • Restrict egress with NAT plus egress allowlists; block the instance metadata endpoint and IP ranges that workloads do not need
  • Put a WAF (Web Application Firewall) in front of internet‑facing apps and rate limit sensitive paths

S3/storage quick wins

  • Enforce Block Public Access, object ownership, and bucket policies that deny public ACLs (Access Control Lists)
  • Use lifecycle rules to expire old objects and logs; enable versioning for critical buckets

Terraform example to block public access (AWS):

resource "aws_s3_bucket_public_access_block" "this" {
  bucket                  = aws_s3_bucket.this.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Drift detection and guardrails

  • Schedule periodic scans against production to catch drift from IaC (Infrastructure as Code)
  • Alert on critical changes: public storage, new 0.0.0.0/0 rules, disabled logging, deleted WAF rules
  • Require approval for security‑sensitive changes in CI pipelines (policy checks on PRs)
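The "alert on critical changes" item above as detection logic over CloudTrail records, added here as an example and not code from the article; the records are constructed samples in the CloudTrail record shape (eventName, userIdentity, requestParameters), and the account id and names in them are placeholders:

```python
# Added example (not from the article): triage CloudTrail records for the critical
# changes listed in this section. The records below are constructed samples in the
# CloudTrail shape (eventName, userIdentity, requestParameters), not real account data.
import json

WORLD = {"0.0.0.0/0", "::/0"}


def sg_rule_opens_world(params):
    """True if AuthorizeSecurityGroupIngress requestParameters contain an any-IP range."""
    for item in params.get("ipPermissions", {}).get("items", []):
        cidrs = {r.get("cidrIp") for r in item.get("ipRanges", {}).get("items", [])}
        cidrs |= {r.get("cidrIpv6") for r in item.get("ipv6Ranges", {}).get("items", [])}
        if cidrs & WORLD:
            return True
    return False


def triage_event(event):
    """Return an alert string when the record is one of the critical changes, else None."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    who = event.get("userIdentity", {}).get("arn", "unknown")
    if name in ("PutBucketAcl", "PutBucketPolicy", "DeleteBucketPublicAccessBlock"):
        return f"storage exposure: {name} on {params.get('bucketName')} by {who}"
    if name == "AuthorizeSecurityGroupIngress" and sg_rule_opens_world(params):
        return f"world-open ingress: {params.get('groupId')} by {who}"
    if name in ("StopLogging", "DeleteTrail"):
        return f"logging disabled: {name} on {params.get('name')} by {who}"
    if name in ("DeleteWebACL", "DisassociateWebACL"):
        return f"WAF removed: {name} by {who}"
    return None


def triage_log(jsonl):
    """Parse newline-delimited CloudTrail records and collect alerts in order."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            alert = triage_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample records (placeholder account id 111122223333).
SAMPLE_LOG = """
{"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}, "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}
{"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}, "requestParameters": {"groupId": "sg-0def", "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]}}]}}}
{"eventName": "StopLogging", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops"}, "requestParameters": {"name": "main-trail"}}
{"eventName": "DeleteBucketPublicAccessBlock", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"}, "requestParameters": {"bucketName": "reports"}}
"""
```

The second record (HTTPS from a single /24) is the benign control: it produces no alert, while the world-open SSH rule, the stopped trail and the removed public access block each do.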

High value checklist

  • MFA (Multi‑Factor Authentication) is required on admin accounts, no root access keys, and least privilege is in place
  • Audit logs are enabled and retained, and threat detection is turned on
  • Storage is not public by default, and encryption is enabled with managed keys
  • Management ports (SSH 22, RDP 3389) are not exposed to 0.0.0.0/0, and WAF plus rate limits protect public apps
  • Secrets are stored in a managed vault, with no plaintext in code or images
  • IaC (Infrastructure as Code) scans run on every PR, and automated drift checks run regularly against production

Conclusion

Start with identity, storage, and network exposure. Add IaC scanning to the pipeline and watch for drift in production.

Explore cloud scanning and continuous checks in the Barrion dashboard, or run a quick external surface scan with our Network Security tool.

© 2025 Barrion - All Rights Reserved.