
The Cloud Shared Responsibility Model Explained: What AWS, Azure and GCP Won't Secure for You

The single biggest cause of Indian cloud data breaches is misunderstanding the shared responsibility model. Here is exactly what AWS, Azure and GCP secure on your behalf, and exactly what your team is on the hook for, illustrated with real misconfigurations we discover every week.

Published 28 February 2026 | 11 min read | Codesecure Cloud Security Team | Cloud Security

Key Takeaways

  • Cloud providers (AWS, Azure, GCP) secure the infrastructure. You secure your data, identities, access, configurations, and code.
  • 90%+ of cloud data breaches are caused by customer misconfigurations, not cloud provider failures.
  • The split varies by service type: IaaS (you secure more) vs PaaS (provider secures more) vs SaaS (provider secures most).
  • Most common Indian cloud breaches: public S3 buckets, overprivileged IAM roles, exposed databases, hardcoded credentials, missing MFA on root account.
  • An annual cloud security audit against CIS benchmarks plus the provider's well-architected framework catches 80%+ of misconfigurations before attackers do.

The Misconception: 'AWS Is Secure, So We're Secure'

When Indian businesses migrate to AWS, Azure or GCP, the marketing message they hear is 'enterprise-grade security.' This is technically true: cloud providers invest billions in security and have far more sophisticated controls than any individual customer could afford. But it creates a dangerous misconception: that moving to the cloud automatically makes your applications and data secure.

The reality: cloud providers run a shared responsibility model. They secure the parts you can't touch (physical data centers, hypervisors, network infrastructure, core services). You secure the parts they can't touch (your data, your access controls, your configurations, your application code, your identity policies). When customers don't understand this split, they leave critical responsibilities unaddressed.

Data backs this up. According to multiple cloud security reports including the 2025 IBM Cost of a Data Breach Report, over 90% of cloud security incidents are attributed to customer misconfigurations, not cloud provider failures. The provider's infrastructure works fine; the customer didn't configure their resources securely.

What AWS, Azure and GCP Secure (Provider Responsibility)

Cloud providers are responsible for 'security of the cloud': the infrastructure that delivers cloud services. This is consistent across AWS, Azure and GCP with minor variations:

  • Physical security: Data centers, biometric access controls, perimeter security, environmental controls. SOC 2, ISO 27001, FedRAMP-certified facilities.
  • Hardware: Servers, storage devices, networking equipment, supply chain integrity, firmware security.
  • Network infrastructure: Backbone networks, edge locations, DDoS protection at infrastructure level, BGP routing security.
  • Virtualization layer: Hypervisor, host operating system, guest isolation, container runtime security.
  • Managed service infrastructure: The underlying compute, storage, and network powering services like S3, RDS, EKS, App Service, Cloud SQL.
  • Patch management of infrastructure: Hypervisor patches, host OS patches, infrastructure-level security updates.
  • Compliance certifications: Maintaining ISO 27001, SOC 2 Type 2, PCI DSS, HIPAA, FedRAMP, etc., for the infrastructure layer.


What YOU Secure (Customer Responsibility)

Your responsibility is 'security in the cloud': everything you put on the cloud and how you configure it. This is where Indian businesses consistently underinvest.

Identity and Access Management (IAM)

Who has access to your cloud account? With what privileges? With MFA? Reviewed how often? Most Indian breaches we investigate trace to IAM failures: overprivileged service accounts, missing MFA, stale users from former employees, hardcoded access keys in source code, and missing least-privilege policies. A cloud IAM audit is the highest-ROI security investment for cloud environments.

Network Security Configuration

Cloud providers give you the network primitives (VPCs, security groups, NACLs, NSGs, firewall rules). You decide what's exposed publicly. The default is generally restrictive, but customers expand access and forget to lock it back down. Common findings: databases (RDS, MySQL, MongoDB) exposed to the public internet, SSH/RDP open to 0.0.0.0/0, internal load balancers exposed publicly, and Lambda/Function execution roles with broader VPC access than needed.

Data Encryption

Cloud providers offer encryption (KMS, Key Vault, Cloud KMS) but rarely enforce it. You must explicitly enable encryption at rest on S3 buckets, RDS instances, EBS volumes, blob storage. You must enforce TLS in transit. You must manage encryption keys, rotate them, and protect customer-managed keys (CMKs).

Application Security

Your application code, dependencies, container images, build pipelines, and runtime configurations are all customer responsibility. The cloud doesn't protect you from OWASP Top 10 vulnerabilities. SAST, DAST, dependency scanning, container image scanning, and secure coding practices are all on you.

Operating System (in IaaS Mode)

When you run EC2, Azure VMs, or GCE compute instances, the operating system inside the VM is your responsibility. Patching, hardening, antivirus, host-based IDS, log forwarding: all on you. This catches Indian businesses off guard when they assume 'cloud means managed.'

Backup, Recovery, Business Continuity

Cloud providers won't back up your data unless you explicitly configure it. If you delete production data accidentally (or it's deleted maliciously), the cloud provider has no backup to restore from. Backup configuration, retention, encryption, and recovery testing are 100% customer responsibility.

How the Split Varies: IaaS vs PaaS vs SaaS

The shared responsibility split isn't fixed; it depends on the service type you consume:

IaaS (e.g., EC2, Azure VM, GCE): you secure the most

Your responsibility includes everything from the OS upward: OS patching, OS hardening, antivirus, host firewall, runtime configuration, application code, application security, data, identity. The provider only secures the hypervisor and below.

PaaS (e.g., RDS, App Service, Cloud SQL): the split is more balanced

The provider manages the OS, database engine patches, and the underlying service. You manage data, identity and access to the service, network exposure, encryption configuration, and the application code that interacts with the service. A better balance, but still substantial customer responsibility.

SaaS (e.g., Microsoft 365, Salesforce, Google Workspace): the provider secures the most

The provider secures most layers. The customer is responsible for identity and access management, data classification and DLP, sharing permissions, third-party integrations, and end-user training. Common SaaS breaches: oversharing in OneDrive/SharePoint/Drive, weak MFA enforcement, malicious third-party app integrations, and phished credentials.

Top 10 Cloud Misconfigurations We Find in Indian Businesses

From our Codesecure cloud security audits across Indian customers:

  • Public S3 buckets / public blob storage: Sensitive data accessible to anyone with a URL. Often caused by 'temporary' public access that was never revoked.
  • Overprivileged IAM roles: Service accounts with AdministratorAccess when they only need to read one bucket. AWS sees this pattern constantly.
  • Missing MFA on root/global admin: The single account with full control of your cloud has no second factor. One phished password = entire cloud account compromised.
  • Exposed databases: RDS, Aurora, MongoDB, Redis, Elasticsearch with security groups allowing 0.0.0.0/0, sometimes with default passwords.
  • Hardcoded credentials in code: AWS access keys, API tokens, database passwords in GitHub repos, public Docker images, public JavaScript files.
  • Unencrypted data at rest: EBS volumes, S3 buckets, RDS instances without encryption enabled (cheap and easy to enable, but often forgotten).
  • Missing logging and monitoring: CloudTrail / Activity Log / Audit Logs disabled or not centralized. No alerting on suspicious activity.
  • Stale users and access keys: Former employees still in IAM, unused access keys still active, sessions that never expire.
  • Default credentials on managed services: RDS instances spun up with default master passwords, MongoDB Atlas free tier with public-by-default settings.
  • Untracked Shadow IT: Developer-spun-up cloud resources that never went through change management. Often missing all security controls.
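As an added illustration (not part of the original post or of Codesecure's tooling), the following Python checks three of the findings above offline: SSH/RDP open to 0.0.0.0/0, AdministratorAccess-shaped role policies, and bucket policies with an anonymous principal. The security group, role policy and bucket policy inputs are constructed samples in the JSON shape the AWS APIs return; a real audit would feed it describe/get output collected with read-only credentials.

```python
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}   # the admin ports the audit flags
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _as_list(value):
    """IAM JSON allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def open_admin_ports(security_group):
    """Return [(port, cidr)] where SSH/RDP is reachable from the whole internet.
    A rule with IpProtocol "-1" has no port fields, so it covers every port."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for port in ADMIN_PORTS:
            if lo <= port <= hi:
                findings += [(port, c) for c in cidrs if c in ANYWHERE]
    return findings


def is_admin_policy(policy):
    """True if an Allow statement grants Action "*" on Resource "*",
    the shape of the AdministratorAccess managed policy."""
    return any(st.get("Effect") == "Allow"
               and "*" in _as_list(st.get("Action", []))
               and "*" in _as_list(st.get("Resource", []))
               for st in _as_list(policy.get("Statement", [])))


def is_public_bucket_policy(policy):
    """True if an Allow statement names an anonymous principal ("*" or
    {"AWS": "*"}) with no Condition block narrowing who it applies to."""
    for st in _as_list(policy.get("Statement", [])):
        p = st.get("Principal")
        anonymous = p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS", [])))
        if st.get("Effect") == "Allow" and anonymous and not st.get("Condition"):
            return True
    return False


# Constructed samples in the shape the AWS describe/get APIs return (not real resources).
SG = {"GroupId": "sg-EXAMPLE", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
      "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::example-bucket/*"}]}
```

A bucket policy whose anonymous principal is scoped by a Condition (for example on aws:PrincipalOrgID) is deliberately not flagged, so review such statements by hand rather than treating the script as a complete verdict.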


How to Audit Your Cloud Security

An annual cloud security audit catches most customer-responsibility misconfigurations before attackers find them. The audit should map your environment against:

  • CIS Benchmarks for your cloud provider (CIS AWS Foundations, CIS Azure Foundations, CIS GCP Foundations): the industry-standard configuration baseline.
  • Cloud provider's Well-Architected Framework Security Pillar (AWS Well-Architected, Azure Cloud Adoption Framework, Google Cloud Architecture Framework).
  • Your compliance frameworks (ISO 27001, DPDP Act, PCI DSS, SOC 2, RBI guidelines).
  • OWASP Cloud Native Application Security Top 10 for container/Kubernetes/serverless workloads.
  • The provider's native security tools: AWS Security Hub, Azure Defender for Cloud, GCP Security Command Center, plus their CIS benchmark scans.

Frequently Asked Questions

Is my cloud provider responsible if my data gets breached?

Almost certainly not. Read your cloud provider's terms of service carefully: they explicitly disclaim liability for customer-managed data, configurations, and access. If your S3 bucket was public and got scraped, AWS is not liable. If your IAM credentials were stolen and used to delete data, AWS is not liable. The contract is clear: the provider secures the cloud infrastructure, the customer secures everything they put on it.

Do I need a cloud security audit even for small workloads?

Yes, especially for small workloads. Small workloads often have less mature security practices and are exactly where misconfigurations cluster. A starter cloud security audit for a small AWS or Azure environment is typically INR 1.5-3 lakh and identifies 10-20 actionable issues. For Indian businesses just migrating to cloud, the post-migration audit is the highest-ROI security investment available.

What's the difference between cloud security audit and cloud penetration test?

A cloud security audit reviews configurations, IAM policies, network setup, encryption settings, logging, and compliance posture using read-only access. It is the equivalent of a 'security review': it finds misconfigurations and policy gaps. A cloud penetration test attempts to actively exploit identified weaknesses to demonstrate impact. Both are valuable; the audit usually comes first to fix the obvious issues, then the pentest validates the remediations.

Should I use AWS Security Hub / Azure Defender / GCP Security Command Center?

Yes, the cloud-native security tools are excellent baselines and we recommend them for every customer. They identify configuration drift and common misconfigurations, and provide CIS Benchmark scanning. However, they're not a complete substitute for a periodic independent audit because: (1) they don't audit your IAM policies for risk, only for compliance; (2) they miss application-layer issues; (3) they're not designed to look at the full picture of your environment; (4) auditors and customers want third-party validation.

How long does a cloud security audit take?

A small-to-mid AWS, Azure, or GCP estate audit typically takes 5-10 business days of active work plus 3-5 days of reporting. Larger enterprises with multiple cloud accounts, complex IAM structures, and multi-region architectures take 15-25 days. Multi-cloud audits (AWS + Azure or AWS + GCP) attract a 20-30% premium because of methodology and tooling differences. Annual re-audits typically take 60% of the first-time audit duration.

Can I do cloud security audit myself with native tools?

You can do a significant baseline cloud security audit with native tools (Security Hub, Defender for Cloud, Security Command Center). The CIS Benchmark scans these tools provide cover 60-70% of common misconfigurations. However, an independent expert review catches what native tools can't: contextual issues (overprivileged roles in your specific business context), chained risks across multiple controls, IAM policy logic flaws, business logic in cloud functions, and third-party SaaS integrations that bypass your security perimeter. Most Indian SMEs do an annual native-tool review themselves and bring in Codesecure annually for the comprehensive audit.

Which cloud is most secure: AWS, Azure, or GCP?

All three offer fundamentally equivalent baseline security at the infrastructure level. Differences emerge in: (1) default-secure posture: Azure historically had more 'open by default' settings, GCP has improved most, and AWS is in the middle; (2) customer-friendliness of security tooling: Azure Defender is the most user-friendly, AWS Security Hub the most comprehensive, and GCP Security Command Center the most cost-effective; (3) compliance breadth: AWS has the widest range of certifications. The real determining factor is your team's familiarity. The cloud you know is the cloud you can secure.


Codesecure Cloud Security Team

AWS / Azure / GCP Security Specialty Certified

Codesecure Solutions is ISO/IEC 27001:2022 certified and delivers cloud security audits to Indian SaaS, fintech and enterprise customers on AWS, Azure and GCP. Our team holds AWS Security Specialty, Microsoft Azure Security Engineer, and Google Professional Cloud Security Engineer certifications. We use only read-only auditor access, never persistent admin.
