Securing Your Cloud Infrastructure: Best Practices
The exact security checklist we follow on every project: encryption, IAM, network policies, and continuous vulnerability scanning.
Security Is Not a Feature. It's a Baseline.
Every project we ship at ELEVEN goes through the same security baseline, whether it's a startup MVP or an enterprise platform handling millions in transactions. This is not because we're paranoid -- it's because we've seen the cost of getting it wrong. A single data breach costs an average of $4.45 million (IBM, 2023), and for a startup, it can be fatal.
This article is the exact checklist our team follows. No theory, no vendor pitches -- just the practical steps we implement on every cloud deployment.
Reality check
68% of breaches involve a human element -- misconfigured S3 buckets, overly permissive IAM roles, or hardcoded secrets. These are preventable with process, not expensive tools.
1. Identity and Access Management (IAM)
IAM is the single most important security control in any cloud environment. Get this wrong and nothing else matters.
- Principle of least privilege: every service, user, and automation gets the minimum permissions needed. No wildcards, no admin roles for applications.
- Separate environments completely: dev, staging, and production use different AWS accounts (or GCP projects). A compromised dev credential cannot touch production data.
- Service accounts over user credentials: applications authenticate with service accounts and short-lived tokens, never with long-lived API keys.
- MFA everywhere: every human account with cloud console access requires hardware or TOTP multi-factor authentication. No exceptions.
- Regular access reviews: quarterly audits of who has access to what. Offboarded employees are removed within 1 hour, not 1 week.
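An added example, not ELEVEN's own tooling, of how the "no wildcards" rule can be enforced mechanically: a small linter over IAM policy documents in the standard AWS JSON policy format that flags the patterns the list above forbids. The policy documents are constructed samples, and `resource_star_ok` is an assumed allowlist for the few actions that genuinely only support a `*` resource.

```python
import json

def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy, resource_star_ok=()):
    """Return findings for Allow statements that break least privilege.

    resource_star_ok: assumed allowlist of actions that genuinely need
    Resource "*" (some list/describe calls have no resource-level ARN).
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append(f"statement {i}: NotAction allows everything not listed")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*":
                findings.append(f"statement {i}: Action '*' is full admin")
            elif action.endswith(":*"):
                findings.append(f"statement {i}: service-wide wildcard {action}")
        if "*" in resources and not all(a in resource_star_ok for a in actions):
            findings.append(f"statement {i}: Resource '*' for {actions}")
    return findings

def lint_policy_text(text, **kwargs):
    """Convenience wrapper for a policy document held as a JSON string."""
    return lint_policy(json.loads(text), **kwargs)

# Constructed sample policies for this example.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SERVICE_WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-app-uploads/*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]}

if __name__ == "__main__":
    for name, pol in [("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, lint_policy(pol, resource_star_ok={"s3:ListAllMyBuckets"}))
```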
2. Encryption: In Transit and At Rest
Every byte of data our applications handle is encrypted in transit and at rest. TLS 1.3 is enforced on all endpoints -- no TLS 1.0/1.1, no plaintext HTTP, no self-signed certificates in production. We use AWS Certificate Manager or Let's Encrypt for automated certificate rotation.
For data at rest, all databases use AES-256 encryption with provider-managed keys at minimum, and customer-managed keys (CMK) for sensitive workloads. S3 buckets enforce server-side encryption, and we block public access at the account level. Application-level encryption is added for PII fields -- names, emails, phone numbers -- so even a database dump is useless without the decryption keys.
3. Network Security
Our network architecture follows zero-trust principles. Databases and internal services are never exposed to the public internet. They live in private subnets accessible only through application services or bastion hosts with session logging. Security groups act as per-instance firewalls with explicit allow rules -- no “allow all inbound” rules, ever.
Web Application Firewalls (WAF) sit in front of every public-facing service, configured with OWASP Top 10 rules plus custom rules for each application's specific attack surface. Rate limiting is applied at the CDN/load balancer level to prevent DDoS and brute-force attacks. We also implement VPC flow logging to detect unusual network patterns and trigger automated alerts.
Our network stack
Cloudflare or AWS CloudFront for CDN and DDoS protection, AWS WAF with managed and custom rule groups, VPC with public/private subnet separation, NAT gateways for outbound-only internet access from private subnets.
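An added example, not ELEVEN's own tooling, that turns the two rules above (no allow-all inbound rules, no internal services reachable from the internet) into a check over security-group descriptions in the shape of the AWS describe-security-groups output. The groups are constructed samples, and the set of ports allowed from anywhere (what the CDN/WAF/load balancer tier needs) is an assumption.

```python
import ipaddress

# Assumption: the only ports a public-facing tier should accept from the internet.
PUBLIC_PORTS = frozenset({80, 443})

def _sources(rule):
    """Yield every CIDR a rule accepts traffic from (IPv4 and IPv6)."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]

def audit_security_group(group, public_ports=PUBLIC_PORTS):
    """Return findings for inbound rules that are allow-all or expose internal ports."""
    findings = []
    name = group.get("GroupName") or group.get("GroupId", "?")
    for rule in group.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        # "-1" means every protocol; a 0-65535 range is the same thing for TCP/UDP.
        allow_all = proto == "-1" or (lo == 0 and hi == 65535)
        if allow_all:
            findings.append(f"{name}: allow-all inbound rule (protocol {proto})")
        for cidr in _sources(rule):
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                continue  # a bounded CIDR, not "anywhere"
            ports = range(lo, hi + 1) if lo is not None else []
            exposed = [p for p in ports if p not in public_ports]
            if allow_all or exposed:
                span = "all" if allow_all else f"{lo}-{hi}"
                findings.append(f"{name}: {cidr} reaches ports {span}")
    return findings

# Constructed sample groups for this example.
WEB_SG = {"GroupName": "web-alb", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}
DB_SG = {"GroupName": "postgres", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]}
LEGACY_SG = {"GroupName": "legacy", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    for sg in (WEB_SG, DB_SG, LEGACY_SG):
        print(sg["GroupName"], audit_security_group(sg))
```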
4. Secrets Management
No secrets in code. No secrets in environment files committed to git. No secrets shared in Slack messages. We use AWS Secrets Manager or HashiCorp Vault for all credentials, API keys, and certificates. Applications retrieve secrets at runtime through IAM-authenticated API calls, and secrets are rotated automatically on a schedule.
Our CI/CD pipelines use OIDC federation to authenticate with cloud providers -- no stored AWS access keys in GitHub Actions or any other CI platform. We run automated scans with tools like gitleaks and truffleHog on every commit to catch accidental secret exposure before it reaches any branch.
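An added example, not ELEVEN's tooling and not gitleaks or truffleHog themselves, showing the core of what such a pre-commit scan does: it walks the added lines of a diff, matches a small constructed rule set (an AWS access key ID prefix, a PEM private-key header, and a generic credential assignment), and uses Shannon entropy to skip low-entropy placeholder values. The diff is constructed; the key in it is the placeholder AWS publishes in its documentation.

```python
import math
import re
from collections import Counter

# Constructed rule set for this example; real scanners ship far larger ones.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(?:secret|token|password|api[_-]?key)\s*[=:]\s*['\"]?([A-Za-z0-9+/_\-=]{16,})"),
}

def shannon_entropy(s):
    """Bits per character: random-looking secrets score high, placeholders low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def scan_added_lines(diff_text, entropy_threshold=3.5):
    """Return (diff line number, rule name) for each added line that looks like a secret."""
    findings = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only lines being introduced, not context or the file header
        body = line[1:]
        for name, pat in PATTERNS.items():
            m = pat.search(body)
            if m is None:
                continue
            if name == "generic_assignment" and shannon_entropy(m.group(1)) < entropy_threshold:
                continue  # repeated/low-entropy values are usually placeholders
            findings.append((n, name))
    return findings

# Constructed diff. AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS documentation.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,4 +1,6 @@
 import os
-AWS_KEY = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
+API_KEY = "aaaaaaaaaaaaaaaa"
+DB_PASSWORD = "Qm7vP2kX9sLw4RtZ"
 DEBUG = False
"""

if __name__ == "__main__":
    for line_no, rule in scan_added_lines(SAMPLE_DIFF):
        print(f"line {line_no}: possible {rule}")
```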
5. Continuous Vulnerability Scanning
Security is not a one-time audit. We run three layers of continuous scanning. Dependency scanning through Dependabot and Snyk runs on every pull request, flagging known vulnerabilities in third-party packages before they merge. Container image scanning checks every Docker image for OS-level CVEs before deployment. And infrastructure scanning tools like Amazon Inspector and Prowler run weekly to detect misconfigurations.
Critical vulnerabilities (CVSS 9.0+) trigger automated alerts and must be patched within 24 hours. High severity (7.0-8.9) within one week. We track these SLAs and report them to clients in our monthly security summaries.
6. Incident Response
Every project ships with a documented incident response plan. This includes an on-call rotation with defined escalation paths, runbooks for common failure scenarios (database failover, service degradation, suspected breach), automated alerting through PagerDuty or Opsgenie with severity-based routing, and a post-incident review process for every P1/P2 incident within 48 hours.
We also run tabletop exercises with clients annually to test the response plan with realistic scenarios. The goal is that when something goes wrong -- and eventually something will -- the response is fast, coordinated, and minimizes impact.
The Checklist
Here's the condensed version of what gets implemented on every ELEVEN project:
| Category | Controls |
|---|---|
| IAM | Least privilege, MFA, service accounts, quarterly access reviews |
| Encryption | TLS 1.3, AES-256 at rest, field-level encryption for PII |
| Network | Private subnets, WAF, rate limiting, VPC flow logs |
| Secrets | Vault/Secrets Manager, no hardcoded keys, OIDC CI/CD auth |
| Scanning | Dependency, container, and infrastructure scanning on every deploy |
| Incident response | On-call rotation, runbooks, automated alerts, post-mortems |
Need a security review of your infrastructure?
We offer free 30-minute security assessments. We'll review your current setup and identify the highest-priority improvements.