# Infrastructure and Cloud Security

![Infrastructure and Cloud Security](/files/n0m1pi8pzhBwIPtsHF0R)

> **Section focus:** Infrastructure and Cloud Security.\
> **Best use:** start with the section map below, then move into the deeper pages that match your role or stack.\
> **Design note:** this index was refreshed to act as a cleaner GitBook landing page instead of a plain directory listing.

### Start with these pages

| Page                                                                                                                                                                                                                                                                             | Why open it first                                                                                               |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- |
| [AWS IAM and Role Design](/cloud-kubernetes-and-infrastructure-security/index/aws-iam-and-role-design.md)                                                                                                                                                                        | High-value page inside **Infrastructure and Cloud Security**.                                                   |
| [AWS IAM Snippet Pack](/cloud-kubernetes-and-infrastructure-security/index/aws-iam-snippet-pack.md)                                                                                                                                                                              | High-value page inside **Infrastructure and Cloud Security**.                                                   |
| [☁️ Cloud Security Across AWS, Azure, and GCP](/cloud-kubernetes-and-infrastructure-security/index/cloud-security-across-aws-azure-and-gcp.md)                                                                                                                                   | High-value page inside **Infrastructure and Cloud Security**.                                                   |
| [🟧 AWS Security Baseline and Top Misconfigurations](/cloud-kubernetes-and-infrastructure-security/index/aws-security-baseline-and-top-misconfigurations.md)                                                                                                                     | High-value page inside **Infrastructure and Cloud Security**.                                                   |
| [🟦 Azure Security Baseline and Top Misconfigurations](/cloud-kubernetes-and-infrastructure-security/index/azure-security-baseline-and-top-misconfigurations.md)                                                                                                                 | High-value page inside **Infrastructure and Cloud Security**.                                                   |
| [🟨 GCP Security Baseline and Top Misconfigurations](/cloud-kubernetes-and-infrastructure-security/index/gcp-security-baseline-and-top-misconfigurations.md)                                                                                                                     | High-value page inside **Infrastructure and Cloud Security**.                                                   |
| [🧱 Terraform Security Scanning and Checkov](/cloud-kubernetes-and-infrastructure-security/index/terraform-security-scanning-and-checkov.md)                                                                                                                                     | High-value page inside **Infrastructure and Cloud Security**.                                                   |
| [🛡️ Security as Policy for Terraform and Infrastructure as Code](/cloud-kubernetes-and-infrastructure-security/index/security-as-policy-for-iac.md)                                                                                                                             | High-value page inside **Infrastructure and Cloud Security**.                                                   |
| [🔐 Mozilla SOPS: age, KMS, and GitOps-Friendly Secret Workflows](/cloud-kubernetes-and-infrastructure-security/index/mozilla-sops-age-kms-and-gitops-secrets.md)                                                                                                                | High-value page inside **Infrastructure and Cloud Security**.                                                   |
| [🛡️ AWS WAF — Practical Baseline for Managed Rules, Rate Limits, and Logging](/cloud-kubernetes-and-infrastructure-security/index/aws-waf-practical-baseline-managed-rules-rate-limits-and-logging.md)                                                                          | High-value page inside **Infrastructure and Cloud Security**.                                                   |
| [🔐 Internal PKI for Microservices — mTLS, Certificate Automation, and Trust Distribution](/cloud-kubernetes-and-infrastructure-security/index/internal-pki-for-microservices-mtls-and-certificate-automation.md)                                                                | High-value page inside **Infrastructure and Cloud Security**.                                                   |
| [🔑 AWS and Azure KMS / HSM Key Management Patterns](/cloud-kubernetes-and-infrastructure-security/index/aws-and-azure-kms-hsm-key-management-patterns.md)                                                                                                                       | Practical patterns for key hierarchy, envelope encryption, rotation, usage separation, and KMS/HSM operations.  |
| [☁️ Cloud Environment Security — IAM, Network, Storage, Service Configurations, Visibility, Posture, and Blast Radius](/cloud-kubernetes-and-infrastructure-security/index/cloud-environment-security-iam-network-storage-service-config-visibility-posture-and-blast-radius.md) | High-value page inside **Infrastructure and Cloud Security**.                                                   |
| [🧱 Apache, NGINX, Kafka, Redis, MySQL, MariaDB, and RabbitMQ Hardening](/cloud-kubernetes-and-infrastructure-security/index/apache-nginx-kafka-redis-mysql-mariadb-rabbitmq-hardening-and-privileged-user-control.md)                                                           | Practical hardening map across web, messaging, cache, and database layers, including privileged-user oversight. |
| [🗄️ Database Activity Monitoring, Immutable Logging, and Privileged Session Management](/cloud-kubernetes-and-infrastructure-security/index/database-activity-monitoring-immutable-logging-and-privileged-session-management.md)                                                | Practical control model for database evidence, WORM storage, and admin-session oversight.                       |

### Related sections

* [CI/CD and Software Supply Chain Security](/devsecops-cicd-and-supply-chain/index-1.md)
* [Container and Kubernetes Security](/cloud-kubernetes-and-infrastructure-security/index-1.md)

***

> **Intro:** This section ties identity, infrastructure as code, cloud posture, Linux, and secret management into one operator-friendly track. The goal is to keep the narrative anchored in repeatable controls and repeatable failure modes.
>
> **What this page includes**
>
> * IAM and cloud posture across AWS, Azure, and GCP
> * Terraform scanning and policy-as-code
> * Linux and automation baselines
> * Cross-links into the newer architecture, identity, and detection sections

### ☁️ Core pages in this section

* [AWS IAM and Role Design](/cloud-kubernetes-and-infrastructure-security/index/aws-iam-and-role-design.md)
* [AWS IAM Snippet Pack](/cloud-kubernetes-and-infrastructure-security/index/aws-iam-snippet-pack.md)
* [☁️ Cloud Security Across AWS, Azure, and GCP](/cloud-kubernetes-and-infrastructure-security/index/cloud-security-across-aws-azure-and-gcp.md)
* [🟧 AWS Security Baseline and Top Misconfigurations](/cloud-kubernetes-and-infrastructure-security/index/aws-security-baseline-and-top-misconfigurations.md)
* [🛡️ AWS WAF — Practical Baseline for Managed Rules, Rate Limits, and Logging](/cloud-kubernetes-and-infrastructure-security/index/aws-waf-practical-baseline-managed-rules-rate-limits-and-logging.md)
* [🔐 Internal PKI for Microservices — mTLS, Certificate Automation, and Trust Distribution](/cloud-kubernetes-and-infrastructure-security/index/internal-pki-for-microservices-mtls-and-certificate-automation.md)
* [🔑 AWS and Azure KMS / HSM Key Management Patterns](/cloud-kubernetes-and-infrastructure-security/index/aws-and-azure-kms-hsm-key-management-patterns.md)
* [☁️ Cloud Environment Security — IAM, Network, Storage, Service Configurations, Visibility, Posture, and Blast Radius](/cloud-kubernetes-and-infrastructure-security/index/cloud-environment-security-iam-network-storage-service-config-visibility-posture-and-blast-radius.md)
* [🧱 Apache, NGINX, Kafka, Redis, MySQL, MariaDB, and RabbitMQ Hardening](/cloud-kubernetes-and-infrastructure-security/index/apache-nginx-kafka-redis-mysql-mariadb-rabbitmq-hardening-and-privileged-user-control.md)
* [🗄️ Database Activity Monitoring, Immutable Logging, and Privileged Session Management](/cloud-kubernetes-and-infrastructure-security/index/database-activity-monitoring-immutable-logging-and-privileged-session-management.md)
* [🟦 Azure Security Baseline and Top Misconfigurations](/cloud-kubernetes-and-infrastructure-security/index/azure-security-baseline-and-top-misconfigurations.md)
* [🟨 GCP Security Baseline and Top Misconfigurations](/cloud-kubernetes-and-infrastructure-security/index/gcp-security-baseline-and-top-misconfigurations.md)
* [🔗 Attack Paths and Misconfigurations](/attack-paths-testing-detection-and-hardening/index-1.md)
* [🧱 Terraform Security Scanning and Checkov](/cloud-kubernetes-and-infrastructure-security/index/terraform-security-scanning-and-checkov.md)
* [🛡️ Security as Policy for Terraform and Infrastructure as Code](/cloud-kubernetes-and-infrastructure-security/index/security-as-policy-for-iac.md)
* [🧱 Infrastructure as Code Maturity and Test Strategy](/cloud-kubernetes-and-infrastructure-security/index/infrastructure-as-code-maturity-and-test-strategy.md)
* [Terraform Snippet Pack](/cloud-kubernetes-and-infrastructure-security/index/terraform-snippet-pack.md)
* [🧱 Terraform Top 10 Misconfigurations](/cloud-kubernetes-and-infrastructure-security/index/terraform-top-10-misconfigurations.md)
* [🐧 Linux Base Image and Host Security Baseline](/cloud-kubernetes-and-infrastructure-security/index/linux-base-image-and-host-security-baseline.md)
* [🤖 Ansible Security Baseline and Top 10 Misconfigurations](/cloud-kubernetes-and-infrastructure-security/index/ansible-security-baseline-and-misconfigurations.md)
* [🤖 Ansible for EC2 Host Security: 7 High-Value Tasks That Actually Matter](/cloud-kubernetes-and-infrastructure-security/index/ansible-for-ec2-host-security-7-high-value-tasks.md)
* [🐧 Linux Host Security: Top 10 Misconfigurations and a Fast Audit Playbook](/cloud-kubernetes-and-infrastructure-security/index/linux-express-audit-and-top-misconfigurations.md)
* [🔐 Secret Management on HashiCorp Vault](/cloud-kubernetes-and-infrastructure-security/index/vault-secret-management-on-hashicorp-vault.md)
* [🔐 Mozilla SOPS: age, KMS, and GitOps-Friendly Secret Workflows](/cloud-kubernetes-and-infrastructure-security/index/mozilla-sops-age-kms-and-gitops-secrets.md)
* [Vault Installation, HA, and Automation Pack](/cloud-kubernetes-and-infrastructure-security/index/vault-installation-ha-and-automation-pack.md)
* [🛰️ Cloud Auditing by API and Configuration State](/cloud-kubernetes-and-infrastructure-security/index/cloud-auditing-by-api-and-configuration-state.md)
* [🛰️ Cloud Audit Cookbook by Provider](/cloud-kubernetes-and-infrastructure-security/index/cloud-audit-cookbook-by-provider.md)
* [🔎 Semgrep for Cloud Security and Infrastructure as Code](/cloud-kubernetes-and-infrastructure-security/index/semgrep-for-cloud-security-and-iac.md)

### Cross-links

* [CI/CD and Software Supply Chain Security](/devsecops-cicd-and-supply-chain/index-1.md)
* [Container and Kubernetes Security](/cloud-kubernetes-and-infrastructure-security/index-1.md)
* [🪪 Identity and Platform Access](/architecture-api-crypto-and-identity/index-2.md)
* [🏗️ Secure Architecture Patterns](/architecture-api-crypto-and-identity/index-1.md)

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*
