AWS, Azure, and Google Cloud Security ~ 2nd Sight Lab
| Category | AWS | Azure | GCP |
|---|---|---|---|
| Shared Responsibility Model | AWS Shared Responsibility Model | Azure Shared Responsibilities | GCP Customer Responsibility Matrix |
| Governance | AWS Organizations; AWS Landing Zone; Resource Groups; Automating Governance on AWS | Azure Scaffold; Azure Management Groups; Resource Groups; Azure Blueprints; Azure Governance | Organizational Policy Service; Resource Groups; Governance and visibility |
| IAM | Roles; AWS Cloud Directory; AWS Directory Service; Permission Boundaries; S3 Bucket Policy; VPC Endpoint Policy; Roles vs. Resource-based Policies | Azure Active Directory; Azure AD Domain Services; Azure Active Directory B2C; Azure Storage Account Policies; Service Endpoint Policies; Just In Time Access; Privileged Identity Management; Azure Policy | Google Cloud IAM; Cloud Identity-Aware Proxy; Firebase Authentication |
| MFA | | Azure MFA Pricing | Security Keys |
| Secrets Management | AWS Systems Manager Parameter Store | Key Vault - Secrets | Google Cloud Vault |
| SSO | AWS SSO | Azure SSO | SSO on Google Cloud |
| DLP | Macie | Azure Information Protection | Google Cloud DLP |
| SSL, TLS, & Certificates | AWS Certificate Manager; Private Certificate Authority | Azure Key Vault - Certificates | Google Cloud SSL Certificates |
| HSM | AWS CloudHSM (Safenet) | Azure Key Vault (Thales) | Google CloudHSM (LiquidSecurity) |
| Encryption Key Management ** | AWS KMS | Azure Key Vault - Encryption Keys | Google Cloud Key Management |
| Data Protection in Use | | Confidential Computing (TEE) | |
| Network Security * | AWS VPC; AWS Subnets; Subnet NACL; AWS Security Group; AWS VPC Endpoints; VPN CloudHub; VPN Peering; Route Table; Internet Gateway; Elastic IP; Bring Your Own IP; Network Interface; AWS NAT Gateway; Global Transit Network; Direct Connect; AWS Mapping Service | Virtual Network; Security Groups; Azure Routing; VPN Gateway; Service endpoint; Container Networking; Kubernetes Network Policy; Public IP Network Address Prefix; Transit Network; Azure Express Route | VPC Peering; IP Addresses; Advanced VPC; Firewall Rules; Shared VPC; Alias IP Ranges; Network Interfaces |
| DNS | Route 53; Private Hosted Zones | Azure DNS; Private zones | Internal DNS |
| Load Balancer | Elastic Load Balancer (Layer 4); Application Load Balancer (Layer 7); AWS Autoscaling | Azure Load Balancer; Azure Autoscale | Google Load Balancing (Layer 4 + 7) and Autoscaling |
| CDN | AWS CloudFront | Azure CDN | Google CDN |
| API Gateway | API Gateway | API Gateway | API Management (APIGEE) |
| IoT Device Authentication & Security | AWS IoT Device Authentication | Azure IoT and TPM | IoT Device Security |
| Configuration Management | CloudFormation; AWS CloudFormation Resources; AWS Config | Azure Automation; Azure Automation State Configuration | Google Cloud Deployment Manager; Configuration Management |
| WAF | AWS Firewall Manager | Azure WAF | Third party tools |
| DoS | AWS Shield | DDoS Protection | Cloud Armor |
| Vulnerability Assessment & Endpoint Protection | Amazon Inspector | Azure Security Center - Vulnerability Assessment; File Integrity Monitoring | Google Cloud Security Scanner; Binary Authorization; Shielded VM |
| Logging and Monitoring ** | AWS CloudTrail; VPC Flow Logs; AWS Service Health Dashboard | Azure Monitor (Log Analytics); Azure Security Center; Azure Advisor; Network Watcher; Virtual Network Tap; Packet Capture; Azure Service Health | Google Stackdriver; Data Access Logs; Firewall Rules Logging; Google Cloud Status Dashboard |
| Hypervisor | Nitro (original: customized Xen); AWS VM Import/Export; VMware on AWS | Azure Hypervisor; Nested Virtualization; VMware to Azure | Nested Virtualization; Google and VMware |
| Disk Image Capture | EBS Snapshots | Azure Virtual Hard Drive Snapshot | Creating Persistent Disk Snapshots |
| Disk Encryption | EBS Encryption; AWS Encrypted Boot Volumes; Encrypted Volumes - Customer Keys | Azure IaaS Disk Encryption | Data Encryption Options; Encrypting Disks - Customer Keys |
| Tags | AWS Tags | Azure Tags | Google Labels |
| Billing | AWS Billing; Monitoring cost | Azure Cost Management | Google Billing |
| Cloud Services ** | AWS Security Products; All AWS Services | Azure Security Products; All Azure Services | Google Security Products; All Google Cloud Services |
| Pen Testing | Penetration Testing on AWS; Requires Authorization; See TOS and AUP | Azure Penetration Testing Rules of Engagement; Requires Authorization; See TOS and AUP | Google Pen Testing; No Authorization Required; See TOS and AUP |
| Vendor Security Products | AWS Security Marketplace | Azure Security Marketplace | Google Security Partners |
| Best Practices | Security By Design; Well-Architected Framework; IAM Best Practices | Best Practices and Patterns; Network Security Best Practices; Azure Security Best Practices | Best Practices for Enterprise Organizations; Best Practices for Securing Databases |
| CIS Benchmarks | AWS Account CIS Benchmarks; AWS OS CIS Benchmarks; CIS Benchmark Quickstart | Azure Account CIS Benchmarks; CIS Hardened Images in Marketplace | CIS Benchmark for GCP; CIS Hardened Images |
| Compliance | AWS Compliance; AWS Artifact (Certifications) | Azure Certifications | Google Compliance |
| Security Bulletins | AWS Security Bulletins (sample; mixed with blog posts) | Microsoft Security Bulletins | Google Cloud Security Bulletins |
| Legal | AWS Legal | Azure Legal; Azure SLAs | Google Cloud Terms; Google SLAs |
| Security Blogs | AWS Security Blog | Azure Security Blog | Google Security Blog |
| White Papers | AWS White Papers | Azure Security White Papers | Google Security White Papers |
| New Products & Features | AWS Updates | Azure Updates | Google Cloud Platform Updates |
* The customer has access to OSI layer 4 and up. See the responsibility models, white papers, and contracts for layers 1-3.
** See each individual service for additional logs, and capture host, container, and application logs as well. Also see each service for its encryption options and service-specific security controls.

To request a cloud security assessment, penetration test, or training, please reach out to Teri Radichel on LinkedIn.


© 2018 2nd Sight Lab, LLC | Seattle, Washington