Cloud Security Specialist
Design, implement, and operate the security architecture that protects cloud-hosted systems, data, and infrastructure — spanning identity and access management, network security, data protection, threat detection, and compliance — for organisations in Sri Lanka and globally migrating to AWS, Azure, and Google Cloud.
A Cloud Security Specialist designs and enforces the security controls that protect an organisation's cloud infrastructure, applications, and data from unauthorised access, data breaches, configuration errors, and cyber attacks. As organisations across Sri Lanka — banks, telcos, government agencies, hospitals, retailers, and IT services companies — migrate their systems to cloud platforms (primarily AWS and Microsoft Azure in the Sri Lankan market), the security of those cloud environments becomes a critical and specialised requirement.

Cloud security is distinct from traditional on-premises cybersecurity in important ways. The shared responsibility model of cloud computing means that the cloud provider (AWS, Azure, GCP) secures the underlying infrastructure, but the customer is responsible for securing everything they deploy on that infrastructure — their data, their configurations, their identities, their applications, and their network rules. Most cloud security breaches are not caused by vulnerabilities in the cloud provider's infrastructure; they are caused by customer misconfigurations (an S3 bucket left publicly accessible; an overprivileged IAM role; a security group with a port open to 0.0.0.0/0, i.e. the whole internet), weak credentials, and missing detective controls. The Cloud Security Specialist's primary job is to prevent and detect these customer-side failures.

In Sri Lanka, the banking sector is the most advanced cloud security consumer. The Central Bank of Sri Lanka's Direction on Technology Risk Management (2021) and the Cyber Security Direction (2023) impose specific requirements on how banks manage cloud security — including vendor risk assessment, data residency, encryption, access management, and incident response. Commercial Bank, HNB, Sampath, and Seylan Bank have all deployed cloud infrastructure (primarily Azure, with AWS adoption growing) and require cloud security expertise. The IT services sector (Virtusa, WSO2, IFS, 99x Technology) delivers cloud infrastructure to international clients and employs cloud security specialists to maintain client security standards. The Sri Lanka CERT|CC (Computer Emergency Readiness Team) and the ICTA Cybersecurity Division are the primary government cloud security bodies.

Globally, cloud security is among the highest-demand and highest-paying specialisations in the entire IT industry. The cloud security skills shortage is severe: ISC² estimates a global cybersecurity workforce gap of 4 million professionals, with cloud security among the most acute shortages. Sri Lankan cloud security professionals with CCSP (Certified Cloud Security Professional), AWS Security Specialty, or Azure Security Engineer credentials can access international opportunities in the UK, Australia, USA, Canada, Singapore, and UAE with very favourable compensation.
What a Cloud Security Specialist does daily
- Cloud identity and access management (IAM) — designing and implementing the identity architecture that controls who (humans and machines) can access which cloud resources under what conditions; AWS IAM (users, groups, roles, policies — the foundational AWS security service; understanding the difference between identity-based and resource-based policies; IAM policy evaluation logic; SCP — Service Control Policies for AWS Organizations multi-account governance); Azure Active Directory (now Microsoft Entra ID — the identity platform for all Azure services; Conditional Access policies; Privileged Identity Management; Azure AD B2C for customer identity); the principle of least privilege (every identity should have only the minimum permissions required for its function) and zero standing privilege (privileged access should be temporary and just-in-time rather than permanent); IAM design is the most consistently underestimated and most frequently exploited cloud security domain
- Cloud network security architecture — designing the network security controls that protect cloud workloads; VPC/VNet design (subnets, route tables, NAT gateways, Internet gateways — the network topology that determines what traffic can flow where); Security Groups and Network ACLs (AWS) / Network Security Groups and Azure Firewall (Azure) for layer 3/4 traffic filtering; Web Application Firewall (WAF — protecting web applications against OWASP Top 10 attacks including SQL injection, XSS, and CSRF; AWS WAF; Azure Application Gateway WAF; Cloudflare WAF); DDoS protection (AWS Shield; Azure DDoS Protection); private connectivity (AWS Direct Connect; Azure ExpressRoute; VPN Gateway — replacing public internet connectivity with private circuits for regulated workloads); network segmentation (isolating production, development, and testing environments; isolating sensitive data workloads)
- Cloud security posture management (CSPM) — continuously monitoring cloud environments for misconfigurations and compliance violations; AWS Security Hub (aggregates security findings from AWS services and third-party tools; automated compliance checks against CIS Benchmarks and PCI DSS; the primary CSPM tool for AWS environments); Microsoft Defender for Cloud (CSPM and CWPP for Azure; Secure Score for prioritised remediation; regulatory compliance dashboard for ISO 27001, PCI DSS, NIST); Wiz (the leading third-party CSPM platform — used by large enterprises for multi-cloud visibility; free community tier); Prisma Cloud; the ability to evaluate a cloud environment's security posture, identify misconfigurations, prioritise remediation, and track improvement over time is the core operational skill of cloud security
- Data protection and encryption in cloud — ensuring that sensitive data is protected at rest and in transit; AWS KMS (Key Management Service — managing cryptographic keys for encrypting S3 objects, RDS databases, EBS volumes, and other AWS services; customer-managed keys vs AWS-managed keys; key rotation policy); Azure Key Vault (the equivalent Azure service; managing certificates, secrets, and encryption keys); TLS/SSL certificate management (AWS Certificate Manager; Azure App Service Managed Certificates); data classification (identifying which data requires which level of protection); S3 bucket policy auditing (ensuring no publicly accessible buckets; the source of a disproportionate number of high-profile data breaches); database encryption (RDS encryption; Azure SQL Transparent Data Encryption); the Sri Lanka Personal Data Protection Act 2022 (PDPA) creates specific data protection obligations for cloud-hosted personal data
- Threat detection and security monitoring — implementing the detective controls that identify security incidents; AWS CloudTrail (API activity logging — the foundational audit log for all AWS API calls; essential for forensic investigation and compliance); AWS GuardDuty (ML-powered threat detection — identifying unusual IAM behaviour, network anomalies, malware communication; one of the highest-value AWS security services; should be enabled in every AWS account); Azure Sentinel (Microsoft's SIEM — Security Information and Event Management; log collection from all Azure services and external sources; KQL queries for threat hunting; automated incident response playbooks); SIEM architecture (log aggregation; correlation rules; alert triage; incident response workflow); understanding attacker TTPs (Tactics, Techniques, and Procedures) in the MITRE ATT&CK for Cloud framework
- DevSecOps and cloud security automation — integrating security into the software development and deployment pipeline; infrastructure as code security scanning (Checkov — the most widely used open-source IaC security scanner; scans Terraform, CloudFormation, Kubernetes manifests for security misconfigurations; free); tfsec (Terraform-specific security scanning); SAST (Static Application Security Testing — scanning source code for vulnerabilities before deployment); container security (Docker image scanning — Trivy, Clair; ECR image scanning; container runtime security — Falco for Kubernetes); CI/CD pipeline security gates (blocking deployments that fail security checks); the shift of security left into the development process is the primary trend in cloud security in 2026, driven by the recognition that fixing security issues after deployment is 100x more expensive than catching them during development
- Cloud compliance and regulatory frameworks — mapping cloud security controls to regulatory requirements; ISO 27001 (the international information security standard — the most widely required compliance framework for Sri Lankan cloud deployments; AWS and Azure have ISO 27001 certifications for their infrastructure); PCI DSS (Payment Card Industry Data Security Standard — required for any cloud workload that processes payment card data; highly relevant for Sri Lankan banking and e-commerce; AWS and Azure have PCI DSS compliant environments); SOC 2 (Service Organisation Control 2 — required by many international B2B clients; relevant for Sri Lankan IT services companies delivering cloud services to USA and UK clients); CBSL Cyber Security Direction 2023 (the Central Bank of Sri Lanka's cloud and cybersecurity requirements for licensed banks — the most locally specific regulatory framework a Sri Lankan cloud security specialist will work with; covers cloud vendor risk assessment, data residency, incident reporting, and penetration testing requirements)
- Vulnerability management and penetration testing for cloud — identifying and remediating vulnerabilities in cloud-hosted systems; cloud-specific penetration testing (AWS penetration testing — AWS has a pre-authorised testing list; testing must stay within authorised scope); cloud attack simulation (identifying exposed S3 buckets; testing IAM privilege escalation paths; testing network egress controls); Nessus or Qualys for cloud vulnerability scanning; OWASP ZAP for web application security testing; understanding cloud attack techniques (credential stuffing against cloud consoles; IMDSv1 SSRF attacks; IAM enumeration) is necessary for both offensive testing and defensive architecture
- Incident response for cloud environments — responding to cloud security incidents; forensic data collection from cloud logs (CloudTrail; VPC Flow Logs; AWS Config; Azure Activity Log); account isolation procedures (revoking IAM credentials; isolating compromised EC2 instances; blocking malicious IP addresses at the WAF layer); cloud forensics (preserving EBS snapshots; capturing memory from EC2 instances; timeline reconstruction from CloudTrail logs); cloud-specific incident playbooks (responding to an exposed S3 bucket; responding to an IAM key compromise; responding to a cryptomining attack on EC2); the NIST Incident Response Framework applied to cloud environments
- Zero Trust architecture for cloud — implementing the Zero Trust security model in cloud environments; Zero Trust principles (never trust, always verify; assume breach; least privilege access); micro-segmentation (replacing broad network trust zones with fine-grained per-service access controls); BeyondCorp model (Google's Zero Trust implementation — the reference architecture for Zero Trust in cloud); Azure Zero Trust implementation (Conditional Access + Defender for Identity + Microsoft Intune + Azure AD); AWS Zero Trust (IAM + VPC Lattice + Verified Access); ZTNA (Zero Trust Network Access — replacing VPN with identity-aware network access controls); the transition from perimeter-based security to Zero Trust is the primary architectural shift in enterprise security in 2026 and drives significant demand for cloud security architects who can design and implement Zero Trust environments
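The IAM, CSPM and S3 bucket auditing items above all come down to reading a policy document and spotting the two misconfigurations the text names: an unconditional public principal and a wildcard action on a wildcard resource. The following is an added example, not code from any tool or vendor named on this page; the policy documents are constructed and nothing is fetched from AWS.

```python
"""Audit an AWS IAM or S3 bucket policy document for the two misconfigurations
named in the text: a resource policy open to everyone (Principal "*") and an
over-privileged statement (wildcard Action on wildcard Resource)."""
import json

# Constructed example: a bucket policy that allows anonymous reads (a public bucket).
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed example: an identity policy attached to an over-privileged role.
ADMIN_ROLE_POLICY = json.dumps({
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

def _as_list(value):
    """Policy fields may be a string, a list, or absent; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """True when the statement applies to everyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False  # identity policies have no Principal at all

def audit_policy(policy_json):
    """Return a list of (sid, finding) tuples for risky Allow statements."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        # A public principal is tolerable only if a Condition narrows it (e.g. aws:SourceVpce).
        if is_public_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append((sid, "unconditional public principal"))
        actions, resources = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append((sid, "wildcard action on wildcard resource"))
    return findings
```

Run the auditor over every bucket policy and role policy you export from an account; in practice this is the kind of rule a CSPM tool such as Security Hub or Checkov applies at scale.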
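For the threat detection and incident response items, here is an added example (not the page's own and not from any AWS tool) that reconstructs a timeline from CloudTrail-shaped records and flags root activity, failed console logins, and the logging and credential API calls a responder would pull first. The records, IP addresses and account id are constructed.

```python
"""Reconstruct a timeline from CloudTrail records and flag the events a
responder looks at first. The records below are constructed in the shape of
real CloudTrail JSON (a subset of fields) and come from no real account."""
import json
from datetime import datetime

# Constructed CloudTrail records, deliberately out of time order as in real log files.
CLOUDTRAIL_RECORDS = json.dumps({"Records": [
    {"eventTime": "2026-01-10T09:15:02Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2026-01-10T09:12:40Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice"}},
    {"eventTime": "2026-01-10T09:20:11Z", "eventName": "StopLogging",
     "eventSource": "cloudtrail.amazonaws.com", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root"}},
    {"eventTime": "2026-01-10T08:00:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.2",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Ops/bob"}},
]})

# API calls that weaken audit logging or mint new credentials: the defence-evasion
# and persistence signals an IAM key compromise playbook starts from.
HIGH_RISK_EVENTS = {"StopLogging", "DeleteTrail", "CreateAccessKey", "CreateUser"}

def build_timeline(records_json):
    """Return records sorted by eventTime; CloudTrail delivery files are not ordered."""
    records = json.loads(records_json)["Records"]
    return sorted(records, key=lambda r: datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))

def flag_event(record):
    """Return a reason string when the record deserves analyst attention, else None."""
    if record["userIdentity"].get("type") == "Root":
        return "root account activity"
    if record["eventName"] == "ConsoleLogin" and (record.get("responseElements") or {}).get("ConsoleLogin") == "Failure":
        return "failed console login"
    if record["eventName"] in HIGH_RISK_EVENTS:
        return "high-risk API call"
    return None

def triage(records_json):
    """Return (eventTime, eventName, sourceIPAddress, reason) for flagged events in time order."""
    return [(r["eventTime"], r["eventName"], r["sourceIPAddress"], reason)
            for r in build_timeline(records_json)
            if (reason := flag_event(r))]
```

The same source IP across a key creation, a failed login and a logging shutdown is what turns three alerts into one incident, which is why the timeline is built before the flags are read.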
Step-by-Step Career Roadmap
- Build foundational computing and networking knowledge — understand how computers communicate: IP addresses, DNS (how domain names resolve to IP addresses), HTTP/HTTPS (how web browsers communicate with servers), TCP/IP (the foundational protocol stack); Khan Academy Computing (free); Professor Messer CompTIA A+ and Network+ free study materials; this foundational networking knowledge underlies all cloud security work
- Learn Linux basics — Linux is the operating system of almost all cloud servers; most cloud security tools run on Linux; bash command line (navigating directories, file permissions, processes, networking commands — ifconfig, netstat, ss, ping, traceroute, nmap); OverTheWire Bandit (free, online — the most accessible introduction to Linux security through puzzles)
- Start Python programming — Python is the primary scripting language for security automation; Automate the Boring Stuff with Python (free online book); write scripts that automate simple file and network tasks; the boto3 library (AWS SDK for Python) is used for all AWS security automation
- Join TryHackMe — create a free account at tryhackme.com; complete the "Pre-Security" learning path (free); this structured, gamified cybersecurity learning platform is the most effective entry point for self-taught security at this age
- TryHackMe: complete "Pre-Security" learning path
- OverTheWire Bandit: complete levels 0–10 (Linux security puzzles)
- Python: write a script that reads a file and counts words; write a script that makes an HTTP request and parses the response
- Network: use nmap to scan your home network (with parental awareness); document what devices you find
- Research: read about 3 recent cybersecurity breaches; write a paragraph explaining what went wrong in each
- Security curiosity must be guided by ethics from the start — only scan and test systems you own or have explicit permission to test; understanding and respecting this boundary is the foundational ethical commitment of all security professionals; violations of this boundary, even at a young age, can create legal and reputational consequences
