Module 04 · Multi-Cloud Security Curriculum
Cloud Data Security & Encryption
Master data classification, encryption at rest and in transit, secrets management, tokenization, key management, DLP, and ransomware-resilient backup strategies.
20
Interview Q&As
25
MCQ Questions
4
Simulations
8
Hours Content
Topics Covered
| Topic | Key Services |
|---|---|
| Data Classification & Sensitivity | AWS Macie, Azure Purview, GCP DLP API |
| Encryption at Rest | SSE-S3, SSE-KMS, SSE-C, Azure SSE, GCP CMEK |
| Encryption in Transit | TLS 1.2/1.3, HTTPS enforcement |
| Secrets Management | AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault |
| Tokenization & Masking | PCI-DSS, static vs dynamic masking |
| Key Management | AWS KMS, Azure Key Vault, GCP Cloud KMS, HSM |
| Backup & DR | S3 Object Lock, Azure immutable blobs, 3-2-1-1-0 rule |
| Ransomware Protection | Versioning, MFA delete, air-gapped backups |
💡 Interview Focus: Know the difference between SSE-S3 / SSE-KMS / SSE-C cold. Understand when to use tokenization vs encryption. Be able to design a ransomware-resilient backup strategy. Secrets management anti-patterns (hardcoded credentials) come up in every cloud security interview.
Core Concepts · ~20 min reading
Data Security Fundamentals
Data Classification
| Level | Description | Examples | Controls |
|---|---|---|---|
| Public | Freely shareable | Press releases, product docs | Minimal |
| Internal | Internal use only | Internal wikis, meeting notes | Access controls |
| Confidential | Sensitive business data | Salary data, financial forecasts | Encryption + strict access |
| Restricted | Highly sensitive, regulated | PII, PHI, credit cards (PAN) | Encryption + DLP + audit + MFA |
Cloud tagging: Apply classification labels as resource tags (AWS) or labels (Azure/GCP) to enforce policies automatically via CSPM tools.
AWS Encryption at Rest (S3)
| Method | Key Owner | Audit Trail | Use Case |
|---|---|---|---|
| SSE-S3 | AWS manages key | No per-key CloudTrail | Basic compliance, low overhead |
| SSE-KMS | AWS KMS (customer controls) | Yes — full CloudTrail audit | PHI, PCI, regulatory data |
| SSE-C | Customer provides key per request | No KMS logging | Customer controls key material |
| Client-Side | Customer encrypts before upload | Your own logs | Zero trust of cloud provider |
Secrets Management — Do vs Don't
❌ Anti-patterns: Hardcoded credentials in source code, secrets in environment variables checked into git, API keys in plain text config files, long-lived access keys never rotated, shared credentials across teams.
| Platform | Service | Key Features |
|---|---|---|
| AWS | Secrets Manager | Auto rotation, RDS integration, CloudTrail audit, cross-account access |
| AWS | Systems Manager Parameter Store | Hierarchical storage, SecureString (KMS encrypted), lower cost |
| Azure | Key Vault | Keys + secrets + certificates, RBAC or access policies, HSM-backed Premium tier |
| GCP | Secret Manager | Versioning, IAM access, automatic rotation, audit via Cloud Audit Logs |
| Multi-cloud | HashiCorp Vault | Dynamic secrets (ephemeral, no long-lived creds), multi-cloud, plugin-based |
Tokenization vs Encryption
| Feature | Encryption | Tokenization |
|---|---|---|
| Reversible? | Yes (with key) | Yes (via token vault) or No (vaultless) |
| Original data stored? | Encrypted form stored | Original replaced; token in vault |
| Mathematical relationship | Yes (key + algorithm) | No (random mapping) |
| PCI-DSS scope reduction | Partial | Significant (tokens are not PAN) |
| Use case | Data in transit, storage | Credit card numbers, SSNs |
Ransomware-Resilient Backup Strategy
- 3-2-1-1-0 Rule: 3 copies, 2 different media types, 1 offsite, 1 offline/air-gapped, 0 errors verified by restore testing
- S3 Object Lock (WORM): Compliance or Governance mode — objects cannot be deleted or overwritten for a set retention period
- MFA Delete (S3): Requires MFA to permanently delete object versions or disable versioning
- Azure Immutable Blob Storage: Time-based retention or legal hold — even storage account owner cannot delete
- Cross-account backups: Store backups in a separate AWS account with restricted access — compromised account can't delete backups
- Air-gapped: Backups with no network connectivity to production — physically isolated
Interview Q&A · 20 Questions
Interview Questions & Model Answers
1What is data classification and how is it implemented in cloud?Easy▼
Data classification is the process of organizing data by sensitivity level to apply appropriate security controls.
Common levels: Public → Internal → Confidential → Restricted
Cloud implementation:
Common levels: Public → Internal → Confidential → Restricted
Cloud implementation:
- Resource tagging (AWS tags, Azure labels, GCP labels) — e.g.,
Classification: Restricted - Automated discovery: AWS Macie (S3 PII/PHI detection), Azure Purview, GCP DLP API
- CSPM tools enforce policies based on tags (block public access on Restricted buckets)
- IAM policies tied to classification tags (only HR can access HR-tagged data)
💡 Without classification, you can't apply proportional controls — a public document gets the same protection as credit card data, wasting resources or leaving sensitive data exposed.
2What is the difference between SSE-S3, SSE-KMS, and SSE-C in AWS?Medium▼
| Method | Key Owner | CloudTrail Audit | Control Level |
|---|---|---|---|
| SSE-S3 | AWS fully manages key | No per-object key events | Low (AWS decides) |
| SSE-KMS | Customer-controlled KMS key | Yes — every decrypt logged | High (set policy, rotate, audit) |
| SSE-C | Customer provides key with each request | No KMS logging | Maximum (AWS never stores key) |
💡 SSE-KMS is the most commonly used for regulated workloads. The CloudTrail audit of every decryption event is essential for compliance (HIPAA, PCI-DSS). SSE-C requires the customer to securely manage and transmit keys with each API call.
3What is a Customer-Managed Key (CMK) and when would you use it?Medium▼
A CMK (now called a KMS key in AWS) is an encryption key created, owned, and managed by the customer in AWS KMS, Azure Key Vault, or GCP Cloud KMS — rather than an AWS/provider-managed key.
When to use CMK:
When to use CMK:
- Regulatory requirement to control key lifecycle (GDPR, HIPAA, PCI-DSS)
- Need to audit all access to encrypted data via CloudTrail
- Need to revoke access instantly (disable/delete the key — all encrypted data becomes inaccessible)
- Multi-tenant SaaS where each tenant needs their own key
- Need cross-account or cross-service encryption
💡 CMK "right to be forgotten": Under GDPR, you can cryptographically erase data by deleting the CMK — all data encrypted with it becomes permanently unreadable, no need to find and delete every file.
4What is the difference between encryption at rest and encryption in transit?Easy▼
- Encryption at rest: Protects data while stored on disk, database, or object storage. Ensures data is unreadable if storage media is stolen or accessed without authorization. Examples: AES-256 for S3 objects, RDS encryption, disk encryption (BitLocker, dm-crypt).
- Encryption in transit: Protects data moving over networks from interception. Prevents man-in-the-middle attacks. Examples: TLS 1.2/1.3 for HTTPS, mTLS for microservices, VPN for network traffic.
💡 FIPS 140-2: US government standard for cryptographic modules. Cloud HSMs that meet FIPS 140-2 Level 3 are required for many government and financial workloads.
5What is AWS Secrets Manager and how does it differ from Parameter Store?Medium▼
| Feature | Secrets Manager | Parameter Store |
|---|---|---|
| Cost | $0.40/secret/month | Free (standard), $0.05/advanced |
| Automatic rotation | Yes (native Lambda rotation) | No (manual or custom) |
| RDS integration | Native auto-rotation for RDS passwords | No |
| Secret size | Up to 64KB | Up to 8KB (advanced: 8KB) |
| Cross-account | Yes (resource-based policy) | Limited |
| Best for | Database passwords, API keys (need rotation) | Config values, feature flags, non-sensitive params |
💡 Use Secrets Manager for credentials that must rotate. Use Parameter Store for configuration values and non-secret parameters. Both integrate with IAM and KMS.
6What is Azure Key Vault and what types of objects does it store?Easy▼
Azure Key Vault is a cloud service for safeguarding cryptographic keys, secrets, and certificates.
Object types:
Object types:
- Keys: RSA or EC keys used for encryption/signing. Can be software-protected or HSM-protected (Premium tier). Operations: encrypt, decrypt, sign, verify, wrapKey, unwrapKey.
- Secrets: Any string value (passwords, connection strings, API keys). Versioned, with expiry policies.
- Certificates: X.509 certificates with integrated renewal (Let's Encrypt, DigiCert integration).
💡 Key Vault Premium uses FIPS 140-2 Level 2 HSMs. Managed HSM (dedicated) uses FIPS 140-2 Level 3 — required for highest compliance workloads.
7What is tokenization and how does it differ from encryption?Medium▼
Tokenization replaces sensitive data (e.g., a credit card number) with a non-sensitive placeholder token that has no mathematical relationship to the original data.
Key differences:
Key differences:
- Encryption: Original data transformed using algorithm + key; decryptable with key; ciphertext still mathematically related to plaintext
- Tokenization: Original data replaced with random token stored in a vault; no algorithm to reverse without the vault; token by itself is useless to attacker
💡 Example: A credit card 4111-1111-1111-1111 → token 7829-4521-9834-3301. The token maps to the real card only in the secure token vault. If the token is stolen, it's worthless.
8What is data masking and when is it used?Easy▼
Data masking replaces sensitive data with realistic but fictitious data, preserving format while removing actual values.
Types:
Types:
- Static masking: Creates a masked copy of the database (for dev/test environments). Original data permanently replaced in the copy.
- Dynamic masking: Masks data on-the-fly as it's returned to unauthorized users. The original data stays in the database unchanged — only the response is masked based on the user's role.
- Providing production-like data to developers without exposing PII
- Non-production environments (staging, QA, analytics)
- Call center agents seeing masked card numbers (last 4 digits only)
💡 Azure SQL Dynamic Data Masking and Oracle Data Masking are common implementations. AWS Glue DataBrew supports data masking for ETL pipelines.
9What is key rotation and why is it important?Medium▼
Key rotation is the process of replacing an old cryptographic key with a new one on a scheduled basis.
Why important:
Why important:
- Limits the window of exposure if a key is compromised
- Regulatory requirements (PCI-DSS requires annual rotation of cryptographic keys)
- Reduces the amount of data encrypted with any single key (limits blast radius)
- AWS KMS: automatic annual rotation (enable with one click); key material changes but key ID stays the same — no re-encryption of data needed
- Azure Key Vault: rotation policy with notification and auto-rotation
- Secrets Manager: automatic rotation for database passwords via Lambda
💡 In AWS KMS automatic rotation, the old key material is retained for decrypting old data. New encryptions use the new material. The key ARN stays the same — no application changes needed.
10What is FIPS 140-2 and why does it matter?Hard▼
FIPS 140-2 (Federal Information Processing Standard) is a US government standard that specifies security requirements for cryptographic modules (hardware or software).
Levels:
Levels:
- Level 1: Basic algorithm correctness
- Level 2: Tamper-evidence (seals); most cloud HSM services
- Level 3: Tamper-resistance (attempts to destroy keys on tampering); required for highest assurance
- Level 4: Full envelope protection against physical attacks
💡 AWS CloudHSM provides dedicated FIPS 140-2 Level 3 hardware — for when you need to "bring your own key" material and the cloud provider must never have access to it.
11What is S3 Object Lock and how does it protect against ransomware?Medium▼
S3 Object Lock implements WORM (Write Once Read Many) storage — objects cannot be deleted or overwritten for a set retention period, even by the root account.
Modes:
Modes:
- Governance mode: Users with special IAM permission can override/delete
- Compliance mode: No one (including root) can delete during retention period — immutable
💡 Combined with versioning + MFA delete + cross-account replication = a highly ransomware-resilient backup strategy. This is the AWS-recommended approach for backup protection.
12What is AWS Macie?Easy▼
AWS Macie is a data security service that uses machine learning to automatically discover, classify, and protect sensitive data in Amazon S3.
What it does:
What it does:
- Discovers PII (names, addresses, SSNs, phone numbers), PHI, financial data (credit card numbers, bank accounts), credentials (API keys, private keys in files)
- Alerts on public S3 buckets, unencrypted buckets, and buckets shared with external accounts
- Provides sensitive data findings with severity levels
- Integrates with Security Hub and EventBridge for automated response
💡 Macie is essential for GDPR compliance — it helps locate all personal data, a requirement for data subject rights (right to erasure). Equivalent: Azure Purview, GCP DLP API.
13How would you prevent a data breach from a misconfigured cloud storage bucket?Hard▼
Defense in depth approach:
- Prevention: Enable S3 Block Public Access at account level (overrides all bucket policies); use SCPs to deny public bucket creation org-wide; use Azure Policy to deny public blob access
- Detection: AWS Macie scans for sensitive data in public buckets; AWS Config rule
s3-bucket-public-read-prohibited; Security Hub findings for public buckets; CSPM tools (Wiz, Prisma Cloud) with real-time drift detection - Response: EventBridge rule triggers Lambda to auto-remediate (set bucket to private); alert SOC via SNS; revoke any public access
- Access control: Enforce bucket policies requiring aws:SecureTransport (HTTPS only); require encryption via bucket policy
💡 In 2022, Samsung exposed 190GB of source code via a misconfigured GitLab. In 2019, Capital One breach involved SSRF + S3 read access. Misconfigurations are the #1 cloud breach cause.
14What is the difference between static and dynamic data masking?Medium▼
| Feature | Static Masking | Dynamic Masking |
|---|---|---|
| When | At data extraction time | At query time (real-time) |
| Original data | Replaced in the copy | Unchanged in database |
| Use case | Dev/test/analytics environments | Production — role-based views |
| Example | Masked database for QA team | Support agent sees ***-1234 for cards |
| Risk | Masked copy must also be secured | Original data still at risk if bypassed |
15What is an HSM (Hardware Security Module)?Medium▼
An HSM is a dedicated physical computing device that safeguards and manages cryptographic keys, performing encryption/decryption operations inside a tamper-resistant hardware boundary. Keys are never exposed outside the HSM.
Cloud HSMs:
Cloud HSMs:
- AWS CloudHSM: dedicated single-tenant HSM, FIPS 140-2 Level 3, customer fully controls the HSM (AWS cannot access keys)
- Azure Dedicated HSM / Managed HSM
- GCP Cloud HSM (backing for Cloud KMS)
💡 AWS KMS uses HSMs internally but is multi-tenant and AWS has access. CloudHSM is single-tenant — you manage the HSM user/credentials and AWS has zero access to keys.
16How does GCP CMEK (Customer-Managed Encryption Key) work?Medium▼
GCP CMEK allows customers to use their own encryption keys (stored in Google Cloud KMS or an external KMS) to encrypt Google Cloud resources instead of Google-managed keys.
How it works:
How it works:
- Customer creates a key in Cloud KMS
- Customer grants the GCP service's service account
cloudkms.cryptoKeyEncrypterDecrypterpermission on the key - When GCP stores data, it calls KMS to encrypt; when reading, calls KMS to decrypt
- Customer can revoke the key grant — GCP service loses access to all data encrypted with it (cryptographic erasure)
💡 CMEK applies to BigQuery, Cloud Storage, Pub/Sub, Spanner, Compute Engine disks, and more. Key rotation and audit via Cloud Audit Logs are supported.
17What is a data lifecycle policy and how is it used?Easy▼
A data lifecycle policy automates the movement and deletion of data across storage tiers based on age or access patterns, reducing cost and enforcing data retention compliance.
Examples:
Examples:
- S3 Lifecycle: Move objects to S3 Standard-IA after 30 days → Glacier after 90 days → delete after 365 days
- Azure Blob Lifecycle Management: Move to Cool tier after 30 days, Archive after 90 days, delete after 7 years
- GCP Object Lifecycle: Delete objects older than 365 days, transition to Nearline/Coldline/Archive storage
💡 Lifecycle policies work with classification tags. Restricted data (PHI, PII) may have a 7-year legal hold; internal data may expire after 1 year.
18What are immutable backups and why are they critical for ransomware defense?Medium▼
Immutable backups are backups that cannot be modified, overwritten, or deleted for a set retention period — even by administrators, backup software, or attackers with stolen credentials.
Why critical for ransomware:
Why critical for ransomware:
- Ransomware operators increasingly target and delete backups before encrypting production data
- If backups are in the same account/environment, compromised credentials can wipe them
- Immutable backups guarantee a clean copy exists regardless of attacker access level
- S3 Object Lock (Compliance mode) — even root cannot delete
- Azure Immutable Blob Storage (time-based or legal hold)
- Cross-account backups in a separate AWS organization with SCP blocking deletion
💡 Test your backups! The "0" in 3-2-1-1-0 means zero errors on restore test. Organizations frequently discover their backups are corrupt only when they need them.
19What is cross-region replication and when is it needed?Easy▼
Cross-region replication (CRR) automatically copies objects/data from a source region to a destination region in real time or near real time.
When needed:
When needed:
- Disaster recovery: If primary region becomes unavailable, data available in DR region
- Compliance: Data sovereignty requires copies in specific countries/regions
- Latency: Serving data to users closer to a different region
- Backup: Geographic separation of backup from production
💡 CRR does NOT protect against accidental deletion if delete replication is enabled (deletions replicate too). Use Object Lock + CRR for full ransomware protection.
20How would you implement DLP in a multi-cloud environment?Hard▼
A layered approach:
- Discovery: AWS Macie (S3), GCP DLP API (GCS, BigQuery), Azure Purview (Storage, SQL) — scan for PII/PHI/PCI across all clouds
- Classification tagging: Auto-tag resources with discovered sensitivity levels
- Prevention policies:
- Block sharing sensitive data externally (S3 bucket policies, Azure Policy)
- Email DLP (Microsoft Purview, Google Workspace DLP) to prevent sensitive data leaving via email
- Endpoint DLP for data leaving devices
- CASB: For SaaS apps — Microsoft Defender for Cloud Apps or Netskope inspect SaaS traffic for sensitive data
- Centralized monitoring: Aggregate DLP alerts in SIEM for cross-cloud visibility
💡 DLP is most effective when classification is accurate. Garbage-in-garbage-out: if data isn't properly classified, DLP policies can't protect it or generate too many false positives.
MCQ Quiz · 25 Questions
Multiple Choice Questions
Progress:
0 / 25
Simulation 1
Encryption Method Selector
Choose the best encryption approach for each scenario.
Simulation 2
Secrets Management Anti-Pattern Detector
Identify whether each approach is Secure or Insecure.
Simulation 3
Data Classification Exercise
Classify each data item into the correct sensitivity level.
Simulation 4
Backup Strategy Evaluator
Rate each backup configuration for ransomware resilience.
🎉